Privacy Policy
01 Who We Are
Donateazy ("Donateazy", "we", "us") is a company based at Bengaluru, Karnataka, India.
In relation to the data of our own registered users (NGO administrators), we act as a Data Controller, meaning we determine the purposes for which that data is processed.
In relation to donor data that NGOs store in the platform, we act as a Data Processor. We process that data on behalf of the NGO, which is the Data Controller for that data.
This policy explains what data we collect, why we collect it, who we share it with, and what rights you have.
02 Data We Collect
We collect the following categories of data:
| Category | What it includes |
|---|---|
| NGO registration data | Legal name, PAN, registration type (trust/society/Section 8), 80G and 12A certificate details, FCRA registration number, registered address, contact phone and email |
| Admin user data | Name, email address, phone number, hashed password (we never store your password in plain text) |
| Donor data (on behalf of NGOs) | Donor name, email, phone, PAN (when provided for 80G receipts), donation amount, payment reference ID, donation date, campaign |
| Usage data | Pages visited, features used, browser type, IP address, session duration |
| Communications | WhatsApp messages sent through the platform are logged for compliance and audit purposes |
03 Why We Collect It
We collect and process data for the following purposes:
- To provide the platform: account management, donation processing, receipt generation, CRM functionality
- Statutory compliance: generating legally required 80G receipts, producing 10BD exports, and enabling FCRA contribution tracking
- Service communications: sending you important notifications about your account, payment confirmations, and feature updates. These are service emails, not marketing.
- Platform improvement: we use aggregate, anonymised analytics to understand how the platform is used and to identify areas for improvement. This data cannot be linked back to individual users or organisations.
- Legal obligations: we may be required to retain certain records under the Income Tax Act 1961, FCRA, and other applicable Indian laws.
04 Who We Share Data With
We do not sell, trade, or share your data with third parties for marketing or advertising. We share data only as described below:
- Razorpay (payment processing). Donation payment data is handled by Razorpay Software Private Limited in accordance with their own privacy policy. Razorpay is PCI-DSS compliant.
- Hosting provider: our platform is hosted on servers located in India. Your data does not leave the country.
- WhatsApp / Meta: when your NGO uses our platform to send WhatsApp receipts or thank-you messages to donors, the message content is transmitted through Meta's WhatsApp Business API. Only the specific message content is shared, not your full donor database.
- Income Tax authorities: we will disclose data if required to do so by a court order, statutory authority, or applicable law. We will notify you if we are legally permitted to do so.
All third-party service providers we use are bound by confidentiality obligations and are only permitted to use data for the purpose for which it was shared.
05 Data Residency
All data is stored on servers located in India, specifically on AWS ap-south-1 (Mumbai). We do not transfer your data outside India.
We comply with the Digital Personal Data Protection Act 2023 (DPDPA 2023) and the Information Technology Act 2000 and the rules made under it.
06 How Long We Keep Data
| Data type | Retention period |
|---|---|
| Account and organisational data | Duration of active account + 7 years after closure (required by Indian tax law) |
| Donation records and 80G receipts | 7 years from the date of donation |
| Admin user data | Duration of account + 1 year |
| Anonymised usage analytics | Retained indefinitely (cannot be linked to individuals) |
When retention periods expire, data is securely deleted or permanently anonymised.
07 Your Rights Under DPDPA 2023
Under the Digital Personal Data Protection Act 2023, you have the following rights in relation to your personal data:
- Right to access: you can request a copy of the personal data we hold about you
- Right to correction: you can ask us to correct any inaccurate or incomplete data
- Right to erasure: you can request deletion of your data. Note that some data must be retained under Indian tax and charity law even if you request deletion.
- Right to data portability: you can export your data in CSV or PDF format at any time from within the platform. You can also request a full export by contacting us.
- Right to withdraw consent: where processing is based on your consent, you may withdraw it at any time.
To exercise any of these rights, email us at legal@donateazy.com. We will respond within 30 days.
08 Donor Data Rights
If you are a donor whose personal information has been collected by an NGO using the Donateazy platform, that NGO is the Data Controller for your data.
To access, correct, or delete your data, please contact the NGO directly. Donateazy processes donor data only on the instructions of the NGO and cannot independently action requests related to donor data without the NGO's involvement.
If you have concerns about how your data is being handled and cannot reach the NGO, you may contact us and we will try to assist.
09 Cookies
We use only functional cookies, specifically cookies required for session management and CSRF (cross-site request forgery) protection. These cookies are strictly necessary for the platform to work and cannot be disabled.
We do not use advertising cookies, tracking cookies, or any cookies that monitor your activity across other websites.
10 How We Protect Your Data
- Passwords are stored as cryptographic hashes. We never store or see your actual password
- Sensitive data (PAN numbers, bank account details) is encrypted at rest
- All data in transit is protected by HTTPS/TLS encryption
- Access to our production systems is restricted to authorised staff on a need-to-know basis, protected by multi-factor authentication
- We conduct regular security reviews of our platform and infrastructure
If we become aware of a data breach that is likely to affect your rights, we will notify you and the relevant authorities as required by law.
11 Children
The Donateazy platform is intended for use by registered organisations and their authorised staff. It is not designed for or directed at anyone under the age of 18.
We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, please contact us at legal@donateazy.com and we will delete it promptly.
12 Changes to This Policy
We may update this Privacy Policy from time to time. For significant changes, we will notify registered users by email at least 14 days before the changes take effect. The updated policy will be posted on this page with a revised "Last updated" date.
We encourage you to review this page periodically.
13 Contact Us / Data Protection Officer
If you have any questions about this Privacy Policy, or wish to exercise your data rights, please contact: