Privacy
Policy

We may collect the following categories of personal data:

• Identity Information: Name, email address, phone number, and profile information when you register, volunteer, or contact us.
• Donation Information: Name, email, donation amount, and payment details processed through our payment gateway. We do not store credit card or bank account numbers on our servers.
• Teacher/User Accounts: Login credentials, device information, progress data, notes, and bookmarks for the Project Sahitya Teacher Portal (web application).
• Communication Data: Contact form submissions, volunteer applications, partner school applications, newsletter subscriptions, and RSVP information.
• Student Screening Data: Collected by authorized teachers through the Project Sahitya Teacher Portal during literacy assessments. This includes: student names (stored encrypted), date of birth, and gender; assessment scores for letter recognition, phonemic awareness, sight reading, and engagement; AI-generated lesson plans linked to individual assessments; and consent records retained for 3 years. Student names and dates of birth are encrypted at rest. Anonymized, aggregated data may be used in academic research with the consent of the school and, where required, parents or guardians.
• Usage Data: Anonymized analytics, page views, and interaction data to improve our services.

Under the DPDP Act 2023, we process your personal data based on the following lawful grounds:

• Consent (Section 6): We obtain your explicit consent before collecting personal data through our forms. Each form includes a mandatory consent checkbox. You may withdraw consent at any time by contacting us.
• Legitimate Uses (Section 7): We may process data without explicit consent where permitted by law, such as responding to your voluntary enquiries, fulfilling donation transactions you initiated, or complying with legal obligations.

We use the collected information for the following purposes:

• To provide and maintain our educational services, including the Project Sahitya Teacher Portal and curriculum delivery.
• To process donations and issue tax receipts where applicable.
• To communicate with you about our programs, events, newsletters, and organizational updates.
• To manage volunteer and partner school applications.
• To improve our website, Teacher Portal, and educational content based on usage patterns.
• To ensure the security and integrity of our platform, including device verification and content protection.

Our website uses cookies and similar technologies. When you first visit, a cookie consent banner allows you to accept all cookies or limit usage to necessary cookies only.

Essential cookies (always active):

• Supabase session cookies (sb-*): Used for user authentication and session management. These are strictly necessary for the admin dashboard and any logged-in functionality.
• Cloudflare cookies (__cf_bm, __cflb): Set by Cloudflare for bot protection, security, and performance. These are necessary for the website to function securely.
• Cloudflare Turnstile cookies (cf_clearance): Used for CAPTCHA verification on forms to prevent spam and abuse.
• Cookie consent preference (sahitya-cookie-consent): Stored in localStorage to remember your cookie preference.

Analytics cookies (optional):

• Cloudflare Web Analytics: Privacy-first analytics that do not use client-side state (no cookies) and do not track individuals. Only loaded if you accept all cookies.

We retain your personal data only for as long as necessary to fulfil the purposes described in this policy, or as required by law. Specific retention periods are:

• Contact form submissions: Retained for up to 2 years after the enquiry is resolved, then deleted.
• Volunteer and partner applications: Retained for up to 3 years to manage ongoing relationships, or deleted upon request.
• Donation records: Retained for a minimum of 8 years as required by Indian tax and accounting regulations (Income Tax Act, 1961).
• Newsletter subscriptions: Retained until you unsubscribe. Unsubscribed email addresses are kept in a suppression list for 1 year to prevent re-subscription.
• RSVP records: Retained for 1 year after the event date, then deleted.
• User accounts (Project Sahitya Teacher Portal): Retained while the account is active. Deleted within 90 days of account deletion request.
• Security and audit logs: IP addresses are stored in our audit logs for security monitoring and compliance purposes. Audit logs are retained for 2 years, after which they are deleted.

We implement industry-standard security measures to protect your personal data:

• All data is transmitted over HTTPS with TLS encryption.
• Database access is restricted with role-based access controls.
• Password data is hashed and never stored in plain text.
• Sensitive student data (names and dates of birth) is encrypted at rest using AES-256 symmetric encryption before being stored in the database.
• Rate limiting and CAPTCHA verification are used to prevent abuse of our forms.

While we strive to protect your data, no method of transmission over the Internet or electronic storage is 100% secure.

Our website and services are hosted using the following infrastructure providers:

• Cloudflare Workers: Application hosting. Our web server runs on Cloudflare's globally distributed edge network.
• Supabase Cloud: PostgreSQL database and authentication service hosted on AWS infrastructure (United States, Virginia region).
• Cloudflare: CDN, DNS, and DDoS protection. Edge servers are globally distributed.
• Cloudflare R2: Object storage for uploaded media files, served via media.projectsahitya.org.

We use the following third-party services to operate our platform. Each service has its own privacy policy governing data handling:

• Razorpay: Payment processing for donations. Razorpay handles all financial transactions and is PCI DSS compliant. We do not store payment card details. Razorpay is based in India.
• Resend: Transactional email delivery for newsletters, confirmations, and notifications. Resend processes your email address and name to deliver emails on our behalf. Resend is based in the United States.
• Cloudflare Turnstile: CAPTCHA service for bot protection on our forms. Turnstile collects device and browser information to verify human users.
• Upstash Redis: Rate limiting service to prevent abuse. Only anonymized identifiers (IP hashes) are stored temporarily.
• Sentry (sentry.io): Error monitoring and performance tracking. Receives error data including request metadata and IP addresses when application errors occur. Sentry is based in the United States. See: sentry.io/privacy.
• OpenRouter (AI Processing): Student screening assessment data (encrypted names, demographics, and scores) may be processed by AI models via OpenRouter for automated report generation. This data is used solely to generate educational assessment reports.

Some of our infrastructure and third-party services are hosted outside India. Specifically:

• Our application server (Cloudflare Workers) runs on a globally distributed edge network. Our database (Supabase) is hosted in the United States.
• Resend (email delivery) and Upstash (rate limiting) process data in the United States.
• Cloudflare operates a global network; your data may be cached at edge servers in various countries.

By consenting to this Privacy Policy, you acknowledge and agree to the transfer of your data to these jurisdictions. We ensure that all cross-border transfers comply with the requirements of the DPDP Act 2023 and that appropriate safeguards are in place with each service provider.

Project Sahitya's mission centres on children aged 5-10 in rural India. We take children's privacy extremely seriously and comply with Section 9 of the DPDP Act 2023:

• We do not collect personal data directly from children through our website. Our digital services (website and Project Sahitya Teacher Portal) are designed for adults — teachers, volunteers, and donors.
• Any data related to student outcomes or progress is collected and managed by authorized teachers through the Project Sahitya Teacher Portal, with appropriate parental or guardian consent obtained by the partner school.
• Student information used in our impact reports and testimonials is anonymized or shared with explicit verifiable consent from parents or guardians.
• We do not perform any tracking, behavioural monitoring, or targeted advertising directed at children.

As a Data Principal, you have the following rights regarding your personal data:

• Right to Access (Section 11): You may request a summary of your personal data that we process, and information about how it is being processed.
• Right to Correction (Section 12): You may request correction of inaccurate or incomplete personal data.
• Right to Erasure (Section 12): You may request deletion of your personal data, subject to legal retention obligations (e.g., donation records required for tax compliance).
• Right to Withdraw Consent (Section 6): You may withdraw your consent for data processing at any time. For newsletters, use the unsubscribe link in any email. For other data, contact us using the details below.
• Right to Grievance Redressal (Section 13): You may raise concerns or complaints about our data processing practices. We will respond within 30 days.
• Right to Nominate: You have the right to nominate another person to exercise your data rights on your behalf in the event of your death or incapacity.

To exercise any of your data rights, you may:

• Export your data: Use our data export tool to download all personal data we hold about you.
• Delete your data: Use our data deletion tool to permanently erase your personal data from our systems.
• Email us at contact@sahitya.org.in with the subject line “Data Rights Request.”
• Use our contact form and mention “Data Rights Request” in your message.

Please include in your request:

• Your full name and the email address associated with your data.
• A description of the specific right you wish to exercise (access, correction, deletion, or withdrawal of consent).

We will verify your identity and respond to your request within 30 days. If we cannot fulfil your request due to legal obligations (e.g., tax record retention), we will inform you of the reasons.

Project Sahitya does not use automated decision-making or profiling that produces legal or similarly significant effects on individuals. No decisions about your eligibility, access to services, or any other matter are made solely by automated processing of your personal data.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:

• We will update the “Last updated” date at the top of this page.
• For significant changes, we will notify newsletter subscribers via email and display a prominent notice on our website.
• If changes affect the basis on which we process your data, we will seek fresh consent where required.

We encourage you to review this page periodically to stay informed about how we protect your data.

As a small nonprofit organization, Project Sahitya is not required to appoint a formal Data Protection Officer under the DPDP Act 2023. However, we take data protection seriously and have designated a point of contact for all privacy-related matters.

If you have any questions about this Privacy Policy, wish to exercise your data rights, or have any concerns regarding your data, please contact us: