This Privacy Policy (“Privacy Policy”) describes the policies and procedures about the processing of your personal data undertaken by Blue Pencil Strategies Private Limited­­­­ (“Company”, “we”, “us” and “our”), a company incorporated under Companies Act, 2013, having its Registered Office located at Kagalwala House, Plot No. 175, CST Road, Kalina, Santacruz East, Mumbai 400098 when you use our website and the mobile application (collectively, the “Platform”).

 

The terms “user”, “you” and “your” refer to anyone who uses the Platform. For the purposes of this Privacy Policy, (i) the term “personal data” shall mean all data that you provide through which the Company may identify you including but not limited to your name, mobile number, and email-ID; (ii) the term “data fiduciary” shall mean the entity that controls the purpose and means through which the Company processes your information and which is responsible for compliance with applicable laws with respect to your personal data. Further, all capitalised terms in this Privacy Policy shall have the same meaning as ascribed to such terms under the Company’s Terms available here.

 

Please read this Privacy Policy before using the Platform or submitting any personal data on ­the Platform. This Privacy Policy is a part of and is incorporated within and must be read with the Company’s Terms. It is hereby clarified that this Privacy Policy applies to all processing of personal data by the Company of any user who has been onboarded by the Company on the Platform in line with the Terms.

 

In case of any conflict between the privacy policies of such IOs/Donors and Investors and this Privacy Policy, the terms of this Privacy Policy shall prevail. Where the Company processes your personal data on behalf of such IOs/Donors and Investors, the Company merely acts in the capacity of a ‘data processor’ whereas the IOs/Donors and Investors who authorise the Company to process your personal data act in the capacity of a ‘data fiduciary’. The Company typically acts in the capacity of a data fiduciary only for the purposes of the Services provided by it directly.

 

 

By using the Platform and the Services, you agree and consent (obtained through checkboxes, OTP, explicit agreements, etc. on the Platform) to the processing of your personal data by the Company either by itself directly or on behalf of IOs/Donors and Investors. If you do not agree with the Privacy Policy or the Terms, please do not use, or access the Platform.

 

We may occasionally update this Privacy Policy and the Terms and such changes as may be posted on the Platform and shared over email to appropriate user communities on a best effort basis. If we make any significant changes to this Privacy Policy, the same shall be displayed on the Platform, your willingness to continue use of the Platform or provide information on the Platform will be considered as consent. Your continued use of Services after we publish or send a notice about our changes to this Privacy Policy shall constitute your consent to the updated Privacy Policy and its Terms. However, where required under applicable laws, you may be required to provide your consent to such amended Privacy Policy through checkboxes, OTP, explicit agreements, etc. on the Platform.

 

 

This Platform is owned by the Company. We are committed to protecting and respecting your privacy. Processing of your personal data by the Company either in the capacity of a data fiduciary (for the purposes of the Services) or as a data processor on behalf of IOs/Donors and Investors shall be done in compliance with applicable data protection laws in India such as Information Technology Act, 2000 and rules thereunder, and the Digital Personal Data Protection Act, 2023 (as applicable).

 

 

4.1       Personal data that we Process as a data fiduciary: We may collect, use, process, store, and transfer the following kinds of information about you for the purposes of rendering our Services in the capacity of a data fiduciary.

 

(a)        For onboarding of Donors and Investors on the Platform and any other third-party Uses deemed necessary by the Company- Name, Email Address, Contact Number and any other information collected for a Program on the Platform or for in any manner engaging with the Company.

 

(b)       For onboarding of IOs on the Platform - Name, Email Address, Contact Number and any other information collected for a Program on the Platform or for in any manner engaging with the Company.  

 

(c)        For onboarding of Validators on the Platform - Name, Email Address, Contact Number and any other information collected for a Program on the Platform or for in any manner engaging with the Company.  

 

(d)       Please note that the Company may use your personal data for the purposes of recommending suitable Programs to participants and vice-versa for the optimum utilization of the Platform by various IOs/Donors and Investors and the participants onboarded onto the Platform.

   

4.2       Personal data that we Process as a data processor: We may collect, use, process, store, and transfer the following kinds of information about you on behalf of IOs/Donors and Investors in the capacity of a data processor.

 

(a)        For onboarding volunteers/employees of IOs/Donors and Investors or other third-party Users for the purposes of Programs through the Platform - Name, Email Address, Contact Number and any other information collected for a Program on the Platform or for in any manner engaging with the Company. 

 

(b)       For onboarding participants for Programs through the Platform - Name, Age, Number of Family Members, Date of Birth, Gender, Address, Contact Number, Education Qualification, Ownership of House / Type of Household, Ownership Land, Size of Land Holding in Acres (Owned / Leased / Irrigated), Type cattle owned, Current Occupation, Household Annual Income (Agriculture and Others), Geo Location, Photo or such other information as may be deemed necessary by the relevant IO/Donors and Investors for the purposes of the Program for which such participants have been onboarded through the Platform.  

 

(c)        Proposes prescribed by IOs/Donors and Investors as data fiduciaries – The Company may collect and process such information as may be instructed by IOs/Donors and Investors based on the consent provided by you to the Pprivacy policy of such IOs/Donors and Investors.

 

4.3       How we use your personal data:  

 

(a)        We use the personal data mentioned under paragraph 4.1 above: (i) to provide and improve the Services and features on the Platform; (ii) to enhance your experience by providing you with relevant suggestions; (iii) to resolve disputes and troubleshoot problems; (iv) to help promote a safe service on the Platform and protect the security and integrity of the Platform, the Services and the users; (v) to detect, prevent and protect us and you from any errors, fraud and other criminal or prohibited activity on the Platform; (vi) to enforce and inform about our Terms; (vii) to communicate important notices or changes in the Services provided by the Company, use of the Platform and the Terms which govern the relationship between you and us; (viii) for research and analysis purpose; (ix) prevention, detection, or investigation, including of cyber incidents, prosecution, and punishment of offences; and (x) protect, investigate, and deter against fraudulent, unauthorized, or illegal activity.

 

(b)       We use the personal data mentioned under paragraph 4.2 above for the purposes prescribed to us by IOs/Donors and Investors who are data fiduciaries for the purposes of such personal data. The Company processes such personal data strictly as a data processor and in accordance with the documented instructions provided by the respective IOs/Donors and Investors as data fiduciaries. The Company expressly disclaims all liabilities, obligations, and responsibilities as a data fiduciary with respect to such processing. Please note that our use of such personal data is also dependent on the purposes consented by you through the privacy notices provided by such IOs/Donors and Investors over the Platform. The Company does not determine the purposes or means of processing such personal data and has no control over, or responsibility for, the content, accuracy, or compliance with applicable laws of such privacy notices. The Company does not warrant or guarantee that any privacy notice provided by IOs/Donors and Investors complies with applicable data protection laws, and the Company shall not be liable for any non-compliance by such IOs/Donors and Investors with their obligations as data fiduciaries under applicable law.

    

5.1       Information you provide us or we receive from other sources We collect your information including your personal data mentioned above for the purposes outlined above both in the capacity as a data fiduciary and as a data processor in the following manner.  

(a)        We may collect information directly from you, with your consent, when you provide it to us.

(b)        We may collect personal data that you voluntarily provide to us when registering on our Platform, filling out forms, subscribing to our Services, or contacting us. This information is not limited to your personal data like contact information, demographic information, financial information, etc., or preference/claim-based information collected during a Program.  

(c)        We may also receive information about you from third parties, such as verification agencies /subscriptions, social media platforms, analytics providers, and payment processors or from other business interactions, public databases; API partners and social media platforms.

 

5.2       Information we collect through Automatic Data Collection Technologies  

(a)        When you visit our Platform, some information is automatically collected. This may include information such as the type of mobile device, Operating System (OS) running on your device, Internet Protocol (IP) address, unique user ID, access times, device type, and language. We also collect information about how you use our products or Services.

(b)        We automatically collect purchase or content use history, which we sometimes aggregate with similar information from other customers to create features such as Top Rated, High Confidence, etc.

(c)        The information about your usage of the Platform, including crash logs and usage statistics.

(d)        Information about the location of your device, including geolocation information.

(e)        By using this Platform after accepting this Privacy Policy, you are agreeing that we may advertise your feedback on the Platform and other marketing materials.

(f)         If you opt to receive marketing correspondence from us, subscribe to our mailing list or newsletters, enter into any of our competitions or provide us with your details at networking events, we may use your personal data under legitimate use to provide you with details about our goods, services, business updates and events.

(g)         When using our mobile applications, we collect additional information including device identifiers, precise geolocation data (with appropriate permissions), mobile network information, mobile operating system version, device settings, and application usage metrics. This information is necessary for the proper functioning of our services, security measures and to provide location-based features where applicable. You may manage location permissions through your device settings, though limiting access may affect functionality.

 

 

6.1       Information about the user is an important part of our business and we take due care in handling any information that is collected. We may disclose information (including your personal data) that we process in the capacity of a data fiduciary, as described in this Privacy Policy, in the following ways:

 

(a)        General Information Disclosure: We share your personal data with your consent or to complete any transaction or provide any product or service you have requested or authorized. We also share data with our affiliates, subsidiaries and other related Companies, with vendors working on our behalf.

(b)        We may employ other companies and individuals to perform functions on our behalf. The functions include fulfilling orders for products or services, delivering packages, sending postal mail and e-mail, removing repetitive information from customer lists, providing marketing assistance, providing search results and links (including paid listings and links), processing payments, providing access to financial intermediaries for delivering financial services, transmitting content, scoring credit risk, and providing customer service.

(c)        Service Providers: Where necessary, we may share your personal data with third-party service providers as needed to perform their functions but may not use it for other purposes. Further, they must process the personal data in accordance with this Privacy Policy and as permitted by applicable data protection laws.

(d)        Legal Purposes: We disclose your account and other personal data to comply with the law including but not limited to any regulatory or governmental requests or for the purpose of a business deal (or negotiation of a business deal) involving the sale or transfer of all or a part of our business or assets (business deals may include, for example, any merger, financing, acquisition, divestiture, or bankruptcy transaction or proceeding) .

(e)        Consent: We may share your information in any other circumstances where we have your explicit consent.

 

6.2       With respect to the personal data that we process in the capacity of a data processor of IOs/Donors and Investors, we will share/disclose your personal data in the manner as prescribed by such IOs/Donors and Investors.

 

6.3       You also hereby acknowledge and agree that we may share your participation history across Programs with IOs/Donors and Investors for the purposes of fraud prevention, duplication detection, and Program eligibility verification. Such sharing is necessary for maintaining the integrity of the Platform and preventing fraud across Programs. By using the Platform, you explicitly consent to such sharing. This cross-Program data sharing is limited to verification of participation status and distribution of benefits, and does not include sharing of sensitive personal data collected for specific Programs such as your medical or financial records etc. The Company retains the right to analyze aggregated participation data across multiple Programs to improve service delivery, ensure equitable distribution of benefits, detect patterns of potential misuse, and enhance the overall Program experience. You acknowledge that this cross-Program analysis is fundamental to the Platform's operations and a condition of your participation.

 

7.1       With respect to the processing of personal data as a data fiduciary, we take due care to protect all data on the Platform. Technical measures are in place to prevent unauthorized or unlawful access to data and against accidental loss or destruction of, or damage to your personal data. The employees who are dealing with personal data have been trained to protect personal data from any illegal or unauthorized usage. For all personal data that we process on behalf of IOs/Donors and Investors as a data processor, the concerned IOs/Donors and Investors are at all times liable and have the obligation to ensure compliance with applicable data protection laws.

 

7.2       We have implemented appropriate electronic, and procedural safeguards in connection with the collection, storage, and disclosure of personal data.

 

7.3       We take reasonable steps to help protect your personal data. The information is stored in an AES -256-bit encrypted form, and personal sensitive data is hashed which is non-retrievable. The infrastructure is protected by firewalls and access is controlled through authorized Multi-Factor Authentication in an effort to prevent the loss, misuse, and unauthorized access, disclosure alteration and destruction. It is your responsibility to protect your usernames and passwords to help prevent anyone from accessing or abusing your accounts and services. You should not use or reuse the same passwords you use with other accounts as your password for our services.

 

7.4       It is important for you to protect against unauthorized access to your password and your devices, and applications. Be sure to sign off when you finish using a non-personal device.

 

7.5       Information you provide to us is shared on our secure servers. We have implemented appropriate physical, technical and organizational measures designed to secure your information against accidental loss and unauthorized access, use, alteration, or disclosure. In addition, we limit access to personal data to those employees, agents, contractors, and other third parties that have a legitimate business need for such access.

 

7.6       Information collected from you will be stored for such period as required to complete the transaction entered into with you or such period as mandated under the applicable laws from the date of information collected from you. The Company may decide to delete the information in line with the data retention protocol as set out in this Privacy Policy Suo moto post the mandatory period prescribed under applicable laws without any notification to the data principal, following established protocols under applicable laws. In the event, the data principal requests for deletion of his/her personal data either directly or indirectly through an IO registered on the Platform, then the same will be executed by the Company within reasonable time. However, the Company reserves the right to mask all such personal data of a user for data analytics that allows the Company to improve experiences or provide new services on the Platform. In such a scenario, the user may have to register afresh on the Platform to receive Services from the Company.

7.7    The Company shall not be liable for any failure to protect personal data resulting from circumstances beyond its reasonable control, including but not limited to acts of God, war, terrorism, riots, natural disasters, pandemics, or government actions. While we implement reasonable security measures, we cannot guarantee absolute protection against sophisticated or unprecedented security threats. In the event of such force majeure circumstances, we will make commercially reasonable efforts to mitigate any damage and will notify affected users as appropriate under applicable law.

 

8.1       We may use cookies, pixel tags, web beacons, mobile device IDs, flash cookies and similar files or technologies to collect and store information with respect to your use of the Services and third-party websites in accordance with the applicable laws.

 

 

8.2       A pixel tag (also called a web beacon or clear GIF) is a tiny graphic with a unique identifier, embedded invisibly on a webpage (or an online ad or email), and is used to count or track things like activity on a webpage or ad impressions or clicks, as well as to access cookies stored on users’ computers. We may include web beacons in e-mail messages or newsletters to determine whether the message has been opened and for other analytics.

 

8.3       To modify your cookie settings, please visit your browser’s settings. By using our Services with your browser settings to accept cookies, you are consenting to our use of cookies in the manner described in this section.

 

8.4       We may also allow third parties to provide audience measurement and analytics services for us, to serve advertisements on our behalf across the Internet, and to track and report on the performance of those advertisements. These entities may use cookies, web beacons, SDKs, and other technologies to identify your device when you visit the Platform and use our Services, as well as when you visit other online sites and services.

 

8.5       Please see our Cookie Policy here for more information regarding the use of cookies and other technologies described in this section, including regarding your choices relating to such technologies. The Cookie Policy shall form a part of and shall be read harmoniously with this Privacy Policy. By accepting this Privacy Policy, you also agree to be bound by the Company’s Cookie Policy and agree to the Company’s use of cookies to track you before and after you sign up on the Platform.

 

 

When you sign up for an account, you are opting in to receive emails from the Platform. You can log in to manage your email preferences or you can follow the ‘unsubscribe’ instructions in commercial email messages but note that you cannot opt out of receiving certain administrative notices, service notices, or legal notices from us.

 

 

10.1     If you wish to withdraw your consent for the processing (including regarding processing of your personal data by us or by any third-party), use and disclosure of your personal data in the manner provided in this Privacy Policy. For the personal data as mentioned in paragraph 4.1 above, where the Company is the data fiduciary, please write to us at support@tashi.in. Please note that we may take time to process such requests, and your request shall take effect no later than 30 (thirty) calendar days from the receipt of such requests, after which we will not use your personal data for any processing unless required by us to comply with or legal obligations. Upon withdrawal of consent, we will cease processing your personal data except to the extent necessary to: (i) comply with legal obligations; (ii) resolve disputes; (iii) enforce our terms and agreements; or (iv) otherwise permitted by applicable law. Withdrawal of consent is not retroactive and will not affect the lawfulness of processing based on consent before its withdrawal. The withdrawal of consent may impact our ability to provide you with some or all of our Services, and in such cases, we may need to terminate your access to the Platform We may not be able to offer you any or all Services upon such withdrawal of your consent. Any processing of your personal data undertaken prior to withdrawal of consent shall remain valid and lawful. The withdrawal of consent shall not affect our right to retain certain personal data in anonymized or aggregated form that no longer identifies you.

 

10.2     If in relation to the personal data mentioned in paragraph 4.2 above where the IO/Donor and Investor is the data fiduciary, please contact the respective IO/Donor and Investor. As a data processor, we will undertake the necessary steps to fulfil your request for withdrawal of your consent based on the instructions of the data fiduciary (i.e., the respective IO/Donor and Investor). The Company shall not be independently liable for any delay or failure to process your withdrawal request if the relevant data fiduciary fails to provide appropriate instructions. If we do not receive any instruction from the relevant data fiduciary to undertake the necessary steps to effect the withdrawal of your consent within a period of 30 (thirty) business days from the date of your request, we will, in the interest of upholding your rights undertake the necessary steps to enforce your request. However, the Company reserves the right to notify the relevant data fiduciary of such actions taken independently, and the Company makes no guarantees regarding the actions that the data fiduciary may take thereafter. You acknowledge that the Company's processing of such withdrawal of consent does not release the data fiduciary from its own obligations under applicable law.

 

The Services are not intended for users under the age of 18 (eighteen), unless permitted under applicable laws (“Permissible Age”). If you are under the age of 18 (eighteen) or the age of majority in the jurisdiction in which you reside, you may only use our Platform with the verifiable consent of your parent or legal guardian. We do not knowingly collect any personal data from users or market to or solicit information from anyone under the Permissible Age. If we become aware that a person submitting personal data is under the Permissible Age, we will delete the account and any related information from or about a user under the Permissible Age, please contact us at support@tashi.in.

 

The Services may contain links to third-party websites (like diagnostic tools such as Sentry). Your use of these features may result in collection, processing or sharing of information about you, depending on the feature. Please be aware that we are not responsible for the content or privacy practices of other websites or services which may be linked on our Platform. We do not endorse or make any representations about third-party websites or services. Our Privacy Policy does not cover the information you choose to provide to or that is collected by these third parties. We strongly encourage you to read such third parties’ privacy policies.

You can close your account by visiting your profile settings page on our website/ application. We will remove your public Programs from view, but we may retain information about you for the purposes authorized under the Privacy Policy unless prohibited by law. Thereafter, we will either delete your personal data or de-identify it so that it is anonymous and not attributed to your identify.

 

14.1     We strive to provide you with choices regarding the personal data you provide to us. You can also make choices about the collection and processing of your personal data by us. You can access your personal data and opt-out of certain Services provided by the Us. You can set your browser or mobile device to refuse all or some browser cookies, or to alert you when cookies are being sent. In some cases, your ability to control and access to your personal data will be subject to applicable laws.

 

14.2     You may opt-out of receiving promotional emails from us by following the instructions in those emails. If you opt-out, we may still send you non-promotional emails, such as emails about our ongoing business relationship. You may also send requests about your preferences, changes and deletions to your personal data including requests to opt-out of sharing your personal data with third parties by sending an email to the email address provided at the bottom of this document.

 

For the personal data as mentioned in paragraph 4.1 above, where the Company is the data fiduciary, you may (i) correct or update any information, including your personal data; (ii) ask for a summary of your personal data processed by us; (iii) ask for the identities of all other third-party entities with whom the your personal data has been shared, along with a description of the personal data so shared, except when such sharing is pursuant to a written request by such entity pursuant to a valid legal order including, but not limited to, court orders, warrants, subpoenas, or requests from government authorities that are authorized by law  for the purpose of prevention or detection or investigation of offences or cyber incidents, or for prosecution or punishment of offences; (iv) nominate any individual, in a manner prescribed by applicable laws who shall, in the event of your death or incapacity, exercise your rights in accordance with applicable law in India; and (v) appoint a consent manager in line with applicable laws. For enforcing any of the rights mentioned above, you may reach out to us at support@tashi.in.  If you intend to enforce any rights mentioned above in relation to the personal data mentioned in paragraph 4.2 above where the IO/Donor and Investor is the data fiduciary, please contact the respective IO/Donor and Investor. As a data processor for such personal data, we will undertake the necessary steps to fulfil your request based on the instructions of the data fiduciary (i.e., the respective IO/Donor and Investor). If we do not receive instructions from the relevant data fiduciary on taking necessary actions to enforce your request within 30 (thirty) business days, we will, in the interest of upholding your rights undertake the necessary steps to enforce your request.    

16.1     For all personal data processed by the Company shall be retained for the period specified below and shall be destroyed promptly at the end of that period. All such actions shall be governed by this Privacy Policy and shall be undertaken as per the authorization of the designated officer of the IO/Donor and Investor or the Company (where it acts as a data fiduciary). All personal data received on the Platform may be retained unless you withdraw your consent in the manner as set out in this Privacy Policy or as soon as it is reasonable to assume that the specified purpose for collection of personal data is no longer being served, whichever is earlier. Notwithstanding anything contained herein, the Company shall retain your personal data for legal and compliance reasons in line with the applicable laws.  

 

16.2     The designated officer (of the Company – where it is the data fiduciary) shall assume and complete a ‘Data Deletion and Destruction Command’ as per process at the completion of the dedicated time schedule for retention of personal data collected by it or provided to Company to process on its behalf. The period for which information shall be retained by the Company will depend on the following factors:   

 

                i.              On the duration of the relevant Program;

 

              ii.              Discontinuation of the Platform (as per our Company policies regarding discontinuation of the usage of the Platform and handling and management of the information);  

 

             iii.              For any personal data of IOs/Donors and Investors processed by the Company, a period of 3 (three) years from the date of last transaction on the Platform and for any personal data processed by the Company on behalf of IOs/Donors and Investors, such period as may be prescribed by such IOs/Donors and Investors. In the absence of a specified retention period from IOs/Donors and Investors, such data will be retained for the duration of the relevant Program, but no later than 90 (ninety) days from the end date of the Program (whichever is earlier) unless there’s a written agreement to the contrary between the Company and IO/ Donor and Investor; or

 

             iv.              Without any prejudice, to the governing and applicable laws prevailing in India.

 

16.3     You can also request your IO/Donor and Investor for erasure of your personal data on the Platform. Upon receiving instructions from your IO/Donor and Investor for erasure of your personal data, we will erase your personal data unless retention of the same is necessary for the specified purpose or for compliance with any law for the time being in force. In case you are a representative of an IO/Donor and Investor or where the Company is acting in the capacity of a data fiduciary, you can directly request us for erasure of your personal data by contacting us through the following mail ID: support@tashi.in

 

16.4     Upon receiving your request for erasure of your personal data, we will erase your personal data in accordance with this Privacy Policy, unless retention of the same is necessary for the specified purpose or for compliance with any law for the time being in force.

 

16.5     In the event of accidental loss of any information, we shall not be responsible for such loss, nor shall it be liable for recreating such loss in any manner. A recovery plan can be prepared based on discretion of the Company and/or the relevant data fiduciaries. 

 

17.1     If you have any queries or grievances, complaints or concerns relating to the processing/ usage of information or this Privacy Policy, you may email the Data Protection Officer (as and when the same is instituted)/ Grievance Officer whose details are provided below:

 

Name: Reshma Sanyal

Email: support@tashi.in

 

17.2     By lodging a complaint, you agree to provide complete support to the Grievance Officer and such reasonable information as may be sought by them from you. We shall aim to resolve the complaints as soon as possible.

 

17.3     In the event you have exhausted your opportunity of redressing your grievances with respect to your personal data through the Grievance Officer, you may raise your concern to the Data Protection Board of India in the manner prescribed under applicable laws in India.

 

17.4    While you have the right to raise complaints with both Company and the Data Protection Board of India (as and when the same is instituted). Please note, registering of false or frivolous complaints with the Data Protection Board is a punishable offence.