Privacy Policy

Effective Date: 13 May 2021  |  Last Updated: 13 May 2026  |  Version: 2.0

Compliant with DPDP Act 2023 (India)  |  GDPR (UK/EU)  |  PIPEDA (Canada)  |  PDPA (Singapore/Thailand)  |  COPPA (USA)

1. Introduction

EducatetoSave ("we", "our", "us") operates www.EducatetoSave.com, a platform dedicated to financial literacy and savings education. We are committed to protecting the personal data of all Data Principals (users) in accordance with the Digital Personal Data Protection Act, 2023 ("DPDP Act") and the rules framed thereunder.

We also recognise that donors contributing from the United States, United Kingdom, European Union, Canada, Singapore, Ireland, and Thailand may be subject to additional privacy regulations in their respective jurisdictions. This Policy is designed to meet or exceed those requirements as applicable.

By accessing or using our platform, you acknowledge that you have read and understood this Policy.

2. Key Definitions (as per DPDP Act, 2023)

  • Data Principal: The individual to whom the personal data relates (i.e., you, the user).
  • Data Fiduciary: EducatetoSave, which determines the purpose and means of processing personal data.
  • Personal Data: Any data about an individual who is identifiable by or in relation to such data.
  • Processing: Automated operations performed on personal data including collection, storage, use, sharing, transfer, or deletion.
  • Consent: A free, specific, informed, unconditional, and unambiguous indication of the Data Principal's agreement to process their personal data.
  • Significant Data Fiduciary (SDF): A classification by the Central Government based on volume and sensitivity of data processed. We will update this Policy immediately if so designated.

3. Personal Data We Collect

3.1 Data Provided Directly by You

  • Full name, email address, mobile number
  • Date of birth and gender (for personalised content)
  • Financial goals, savings targets, and income bracket (voluntarily shared)
  • Login credentials (passwords stored in encrypted/hashed form only)
  • Communication preferences and feedback
  • Data provided verbally over telephone, captured by our staff on your behalf (see Section 5.3)

3.2 Data Collected Automatically

  • IP address, browser type, device identifiers
  • Pages visited, time spent, click-through data
  • Location data (city/state level, only with consent)
  • Cookies and similar tracking technologies (see Section 11)

3.3 Data We Do NOT Collect

We do not intentionally collect Sensitive Personal Data such as financial account numbers, biometric data, or health records unless explicitly required for a specific service and separately consented to by you. We do not collect data from children under 18 without verifiable parental or guardian consent (see Section 8).

4. Lawful Basis for Processing

Under the DPDP Act, 2023, we process your personal data only on the following lawful bases:

  • Consent (Section 6): We obtain your free, specific, informed, and unambiguous consent before collecting personal data. Consent is sought separately for each distinct purpose.
  • Legitimate Uses (Section 7): Processing may occur without consent for compliance with legal obligations, court orders, or where required for medical emergencies or public health purposes as specified under the Act.

For donors in the UK/EU, our lawful basis under the UK GDPR / EU GDPR is: (a) consent for marketing communications; (b) legitimate interests for fraud prevention and platform security; and (c) legal obligation for tax and accounting records.

You have the right to withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

5. Purpose of Processing Personal Data

5.1 Online Data Collection

We collect and process your personal data only for specified, clear, and lawful purposes, including:

  • Account creation, authentication, and management
  • Delivering personalised financial literacy content and savings tools
  • Sending transactional communications (account alerts, updates)
  • Sending promotional communications (only with explicit consent)
  • Improving platform functionality, performance, and user experience
  • Responding to your queries, grievances, or feedback
  • Complying with applicable legal and regulatory obligations
  • Fraud prevention, security monitoring, and audit purposes

5.2 Purpose Limitation

We will NOT use your data for any purpose other than those disclosed herein or for which you have given consent. If we intend to use your data for a new purpose, we will seek fresh consent before doing so.

5.3 Telephonic Data Collection — Consent Procedure

Where donors choose to share personal data over the telephone and our staff complete registration on their behalf, the following consent procedure is strictly observed:

  • Prior to or at the start of the call, a link to this Privacy Policy and a digital consent form is dispatched to the donor's email address.
  • Data entry into our systems does not commence until the donor has digitally accepted the consent form. No personal data is processed during the interim period.
  • The consent timestamp, method of acceptance (email link), and staff member ID are recorded and retained as a verifiable consent audit trail.
  • Where email is unavailable, a verbal consent declaration is recorded with the donor's knowledge and a written confirmation is dispatched within 2 hours.

6. Storage and Access Control for Photographs

All photographs of individuals — including beneficiary students and donors — are stored exclusively on private, access-controlled infrastructure. We are committed to the following standards:

  • Photographs are stored on private cloud storage (e.g., AWS S3 or equivalent) with access restricted to authenticated and authorised users only.
  • No photographs are hosted via publicly accessible links, public cloud drive shares, or any storage medium that permits unauthenticated access or third-party indexing by search engines.
  • Access to photographs of minor beneficiaries is restricted to verified donors who have been authenticated on the platform.
  • Signed, time-limited URLs are used where technically applicable to ensure photographs cannot be distributed beyond their intended audience.

7. Your Rights as a Data Principal

The DPDP Act, 2023 grants you the following rights, which you may exercise by writing to [email protected].

7.1 Right to Access Information (Section 11)

You have the right to obtain a summary of personal data being processed, the identities of all Data Fiduciaries and Data Processors with whom your data has been shared, and any other information as prescribed.

7.2 Right to Correction and Erasure (Section 12)

You may request correction of inaccurate or incomplete personal data, or erasure of personal data that is no longer necessary for the purpose for which it was collected or where consent has been withdrawn.

7.3 Right to Grievance Redressal (Section 13)

You have the right to have your grievances addressed by our Grievance Officer within 30 days of receipt, and in the manner prescribed under the Act.

7.4 Right to Nominate (Section 14)

You may nominate another individual to exercise your rights in the event of your death or incapacity.

7.5 Right to Withdraw Consent

You may withdraw consent at any time through your account settings or by contacting us. Note that withdrawal may affect your ability to use certain features of the platform.

7.6 Additional Rights for UK/EU Donors (GDPR)

If you are resident in the UK or European Union, you additionally hold the right to data portability, the right to object to processing based on legitimate interests, and the right to lodge a complaint with your local supervisory authority (e.g., the ICO in the UK, or the relevant EU Data Protection Authority).

8. Processing of Children's Personal Data

In compliance with Section 9 of the DPDP Act, 2023:

  • We do not knowingly collect personal data from children (persons under 18 years of age) without verifiable parental or guardian consent.
  • Before processing any child's data, we obtain verifiable consent from a parent or lawful guardian. This consent is documented, timestamped, and retained as part of our compliance records.
  • We will not process personal data of children in a manner detrimental to their well-being, or track or behaviourally monitor children.
  • If you believe a child has provided us with personal data without appropriate consent, please contact us immediately at [email protected]. We will action deletion promptly upon verification.

9. Sharing of Personal Data

9.1 Data Processors

We may engage third-party Data Processors (e.g., cloud hosting providers, email service providers, analytics platforms) who process data on our behalf, strictly under a valid contract that requires them to maintain confidentiality and implement appropriate security measures in accordance with Section 8(2) of the DPDP Act.

9.2 Other Disclosures

  • Legal Compliance: Where required by law, court order, or government authority.
  • Protection of Rights: To protect the rights, property, or safety of EducatetoSave, its users, or the public.
  • Business Transfers: In connection with a merger, acquisition, or sale of assets, subject to equivalent data protection obligations on the successor entity.

9.3 No Sale of Personal Data

We do not sell, rent, or trade your personal data to any third party for their marketing or commercial purposes, under any circumstances.

10. Cross-Border Transfer of Personal Data

We primarily store and process data within India on AWS infrastructure. To the extent any personal data is transferred outside India, such transfers are made only to countries or territories notified as permissible under Section 16 of the DPDP Act, 2023, with appropriate contractual safeguards in place.

10.1 UK and European Union Donors

Transfers of personal data relating to UK or EU residents to India or other third countries are conducted on the basis of Standard Contractual Clauses (SCCs) as approved under the EU GDPR, or the UK International Data Transfer Agreement (IDTA) as applicable. Copies of these safeguards are available upon request.

10.2 Canadian Donors

For donors resident in Canada, data processing and any cross-border transfer is conducted in a manner consistent with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation.

10.3 Singapore and Thailand Donors

For donors resident in Singapore and Thailand, we comply with the Personal Data Protection Act 2012 (PDPA, Singapore) and the Personal Data Protection Act B.E. 2562 (PDPA, Thailand) respectively, including applicable cross-border transfer restrictions under those frameworks.

10.4 United States Donors

As a charitable organisation (nonprofit entity), EducatetoSave does not fall within the definition of a "business" under the CCPA/CPRA or similar state-level consumer privacy statutes. Notwithstanding this exemption, we voluntarily commit to the following standards for all US donors:

  • Transparency: We will clearly disclose what personal data we collect from US donors, the purposes for which it is used, and with whom it is shared.
  • Access and Correction: US donors may request access to or correction of their personal data at any time by contacting [email protected].
  • Deletion: US donors may request deletion of their personal data, subject to any retention obligations required by law.
  • No Sale of Data: We do not sell, rent, or share US donor personal data with third parties for commercial or marketing purposes.
  • Opt-Out of Marketing: US donors may opt out of marketing communications at any time via the unsubscribe link in any email or by contacting us directly.

Additionally, we strictly comply with COPPA requirements: we do not knowingly collect personal data directly from children under 13 without verifiable parental consent (see also Section 8).

11. Cookies and Tracking Technologies

Our website uses cookies and similar technologies to enhance user experience and analyse traffic. Non-essential tracking scripts are blocked from executing until you have granted consent through our Cookie Consent Manager.

  • Essential Cookies: Required for the website to function properly. Cannot be disabled.
  • Analytics Cookies: Help us understand how users interact with our platform. Enabled only with your prior consent.
  • Marketing / Tag Manager Cookies: Used for personalised advertising and tag management. Enabled only with explicit consent.

You may manage or withdraw cookie preferences at any time through your browser settings or our Cookie Consent Manager on the website.

For visitors from the UK, EU, and Canada, our Cookie Consent Manager complies with the requirements of the UK PECR, the EU ePrivacy Directive, and applicable Canadian anti-spam legislation (CASL).

12. Data Retention

We retain personal data only for as long as necessary to fulfil the stated purpose, comply with applicable law, or resolve disputes. The following specific retention schedules apply:

Data Category  |  Retention Period
Donor account data  |  7 years after last donation (for statutory accounting compliance)
Student / beneficiary data  |  Duration of active sponsorship, then deleted or anonymised within 12 months of sponsorship completion
Contact / query data  |  6 months from date of query resolution
Telephonic consent records  |  Duration of donor relationship + 3 years for audit purposes
Server / access logs  |  90 days, then automatically purged

Upon expiry of the applicable retention period, personal data is securely deleted or irreversibly anonymised in accordance with Section 8(7) of the DPDP Act.

13. Security of Personal Data

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction, including:

  • AES-256 encryption for data at rest; TLS 1.2+ for data in transit
  • Access controls and role-based permissions with least-privilege principles
  • Private, access-controlled storage for all photographs and sensitive media
  • Annual Web Application Penetration Tests (WAPT) conducted by qualified third-party security vendors
  • Quarterly automated vulnerability scanning using industry-standard tools
  • Regular employee training on data protection and privacy obligations
  • A responsible disclosure programme — report vulnerabilities to [email protected]

In the event of a Personal Data Breach, we will notify the Data Protection Board of India and affected Data Principals within the prescribed timeframes (72 hours where required under applicable law including GDPR).

14. Anti-Fraud and Donor Safety

EducatetoSave is aware that charitable platforms may be targeted by fraudulent actors. We are committed to protecting our donors and beneficiaries from such risks.

14.1 Official Communication Channels

EducatetoSave will ONLY contact donors through the following verified channels:

  • Official email from @educatetosave.com domain addresses
  • Notifications within your authenticated donor account on www.EducatetoSave.com
  • Telephone calls from registered numbers published on our official website

We will NEVER solicit donations, payment details, or personal information through unofficial channels including social media direct messages, WhatsApp, or third-party fundraising pages not listed on our official website.

14.2 Reporting Suspected Fraud

If you receive a communication that you suspect is fraudulent or an impersonation of EducatetoSave, please report it immediately to [email protected]. Do not share any personal or financial information with the suspected fraudulent party.

14.3 Donor Communication Policy

All outbound donor communications are dispatched exclusively from verified organisational accounts. Any request for payment or personal data arriving outside the channels described in Section 14.1 should be treated as suspicious and reported to us without acting on the request.

15. Grievance Redressal

If you have any concerns, complaints, or wish to exercise your rights under this Policy or the DPDP Act, 2023, please contact our Grievance Officer:

Field  |  Details
Role  |  Grievance Officer, EducatetoSave
Email  |  [email protected]
Security / Fraud Reports  |  [email protected]
Response Time  |  Within 30 days of receipt of complaint

If you are not satisfied with our response, you may approach the Data Protection Board of India, established under Section 18 of the DPDP Act, 2023. UK/EU residents may additionally escalate to their local Data Protection Authority (e.g., the ICO in the United Kingdom).

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify you of material changes by:

  • Posting a prominent notice on our website with a revised effective date;
  • Sending an email notification to all registered users; and/or
  • Seeking fresh consent where required by law.

Your continued use of our platform after such notification constitutes acceptance of the revised Policy. Prior versions of this Policy are available upon written request.

17. Governing Law and Jurisdiction

This Privacy Policy is governed by and construed in accordance with the laws of India, including the Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000, and any rules or regulations framed thereunder. Any disputes arising out of or in connection with this Policy shall be subject to the exclusive jurisdiction of the courts in India, without prejudice to the rights of UK/EU residents to bring claims before their local supervisory authorities.