Privacy Policy

Last updated: August 23, 2025

BrainStation India Foundation (BSIF) Effective date: 23 August 2025

BrainStation India Foundation (“BSIF”, “we”, “us”, “our”) respects your privacy. This policy explains what personal data we collect, why we collect it, how we use and share it, and the choices you have. It applies to our website, forms, events, donation pages, and communications (collectively, the “Services”).

The Privacy Policy set forth here is intended to tell you how we collect, use, protect and distribute such information. By engaging with BrainStation India Foundation through our website and mobile applications, you give us your consent to the use of information that is collected as described in this Privacy Policy.

Our Privacy Policy does not apply to services offered by third-parties linked to us, and it does not cover information practices used by third-parties offering tools, links, ads or other services.

Legal status & registered office: BrainStation India Foundation, CIN: U80900MH2021NPL360018, Section 8 (not-for-profit) company under the Companies Act, 2013.

Registered office: 303 Gokul Arcade, A Wing, Sahar Road, Vile Parle East, Mumbai – 400057, Maharashtra, India.

Quick Summary

• We collect only what we need (identity/contact, application/donation details, basic analytics).
• We never store card numbers/CVV; payments go through PCI-DSS compliant gateways under RBI tokenization.
• You can opt out of non-essential cookies and unsubscribe from emails anytime.
• You can access, correct, or delete your data; we respond within set timelines.
• We are a Section 8 not-for-profit; funds and data are handled responsibly and transparently.

1. The Data We Collect

We collect the minimum data necessary for stated purposes:

• Identity & contact: name, email, phone, address, organisation, role/designation.
• Donor/transaction data: donation amount, mode, date/time, payment status, receipt details (we do not store full card numbers or CVV).
• Program participation: age/standard (for students), school/college, interest areas, application answers, event registrations, feedback.
• Scholarship applications (Power to Dream): applicant and parent/guardian details, school info, income/need documentation (only where required and lawful).
• Financial literacy & startup programs: session registrations, assessments, certificates, mentor/mentee pairing data.
• Communications: emails, messages, support queries, survey responses.
• Usage & device data: pages viewed, timestamps, approximate location, IP address, device/browser identifiers, cookie IDs, and similar analytics signals.
• Social media interactions: information you share with us via platform messages/comments; we do not collect your friends/followers lists. Sensitive data: We avoid collecting sensitive personal data. If exceptional program needs require it (e.g., household income proofs for scholarships), we collect only what’s necessary, with explicit consent and access restrictions.

2. How We Use Your Data (Purpose & Lawful Basis)

We process data only for specific, clear purposes and lawful bases under the Digital Personal Data Protection Act, 2023 (DPDPA):

• Provide Services & run programs, process applications, register participants, issue certificates, coordinate events. Basis: consent; voluntary submission.
• Donations & receipts, compliance (accounting, audit, CSR reporting). Basis: legal obligation; legitimate use.
• Scholarship administration (eligibility, disbursal, progress tracking). Basis: consent; legitimate use in public/charitable interest.
• Communications (program updates, receipts, impact reports, newsletters). Basis: consent; opt-out anytime.
• Improvement & security (analytics, troubleshooting, fraud prevention). Basis: legitimate use; consent where required (e.g., non-essential cookies).
• Legal & regulatory (respond to lawful requests, dispute resolution). Basis: legal obligation. You may withdraw consent at any time (see Section 10), which will not affect processing already done lawfully.

3. Children’s Privacy (Under 18)

• We require verifiable parental/guardian consent before collecting personal data of children for any program (e.g., scholarship applications).
• We do not engage in targeted advertising to children, nor do we profile children for marketing.
• Parents/guardians can access, correct, or request deletion of a child’s data (see Section 10).
• Where feasible, we age-gate forms and verify consent via contact details provided by the guardian or the school.

4. Cookies & Similar Technologies

We use cookies and similar technologies to operate and improve our website.

• Strictly necessary (security, page navigation).
• Analytics (understand usage, improve content).
• Functionality (remember preferences). We obtain consent for non-essential cookies. You can change preferences anytime via Manage Cookies on our site or your browser settings. You can read our Cookie Policy here (link).

5. Payments & Security (RBI Tokenization)

Online donations/payments are processed by PCI-DSS-compliant payment gateways. In line with RBI tokenization guidelines, BrainStation India Foundation does not store card numbers or CVV. Payment credentials are handled by the gateway/network using tokens. We receive limited transaction metadata to issue receipts and meet compliance.

6. Sharing & Processors

We do not sell personal data. We share data only with:

• Service providers (processors): secure hosting, email/SMS delivery, analytics, payment gateways, event tools—bound by confidentiality and data-processing terms.
• Partners/Institutions: strictly for program delivery (e.g., host colleges/schools, mentorship platforms) and only with appropriate safeguards/consents.
• Regulators/Authorities: when required by law.
• Professional advisors/auditors: for compliance and governance. Where third parties act on our behalf, they process data only per our instructions and applicable law.

7. International Transfers

Some processors (e.g., email, analytics, CDNs) may store or process data outside India. We use reputable providers and implement contractual/technical safeguards. If the Government of India notifies any transfer restrictions or designated countries under DPDPA, we will comply and, where required, seek fresh consent.

8. Data Retention

We keep personal data only as long as needed for the stated purposes or as required by law:

• Donations/financial records: typically 8 years (tax/audit).
• Program records (non-financial): typically 3–5 years after last interaction, unless longer is required by grant/CSR terms.
• Analytics logs/cookies: typically 12–18 months. When retention ends, we delete or irreversibly anonymise data using secure methods.

9. Security Measures

We employ administrative, technical, and physical safeguards, including:

• Encryption in transit (HTTPS/TLS) and at rest where applicable.
• Role-based access control, least-privilege, need-to-know principles.
• Secure configurations, patching, malware protection, and backups.
• Vendor due diligence and contractual controls with processors.
• Incident response: In case of a data breach, we will investigate, mitigate, and notify affected individuals and authorities as required by law.

10. Your Rights & Choices

Subject to applicable law, you may:

• Access your data and request a copy.
• Correct inaccurate or incomplete data.
• Delete data that is no longer necessary or if consent is withdrawn.
• Withdraw consent for processing/communications at any time.
• Opt-out of non-essential cookies/analytics.
• Lodge a grievance with our Grievance Officer (see below). Where supported, you may also submit requests through an approved Consent Manager under DPDPA. We aim to acknowledge requests within 48 hours and respond within 30 days.

11. Donor & Sponsor Transparency

• We issue receipts for every donation and maintain audited accounts annually.
• Donation/utilisation reports may be shared with donors/CSR partners as agreed.
• We use donor information solely for receipting, statutory compliance, and impact/engagement communications (opt-out available).
• We do not publish personal donor details without consent.

12. Third-Party Links & Social Media

Our site may link to third-party websites or social platforms. Their privacy practices are independent of BrainStation India Foundation. Please review their policies before sharing data. When you contact us via social media, we receive only the information you choose to provide directly to us.

13. Changes to This Policy

We may update this policy to reflect legal, technical, or operational changes. If updates materially change how we process your data, we will take appropriate steps to notify you (e.g., prominent notice on the website and, where required, seek renewed consent). Last updated date will always be shown at the top.

14. Contact & Grievance Redressal

Grievance Officer (DPDPA): Name: Email: Phone: Postal: BrainStation India Foundation, 303 Gokul Arcade, A Wing, Sahar Road, Vile Parle East, Mumbai – 400057 For general queries contact us (link)

Contact Us

If you have any questions about this Privacy Policy, You can contact us:

• By email: connect@brainstationindia.com