Privacy Policy | Mïam Charitable Trust

Document: Privacy Policy & Notice to Data Principals · Version: 2.0 · Effective: 1 January 2026 · Last updated: 9 May 2026

This Privacy Policy is issued by Mïam Charitable Trust ("MIAM", "we", "our", "us"), a registered public charitable trust having its registered office at Andheri West, Mumbai 400053, India. We act as a Data Fiduciary under the Digital Personal Data Protection Act, 2023 ("DPDP Act") in respect of personal data we collect through this website, our donation channels, and our programmes.

This Notice describes, in plain language, what personal data we collect from you (the "Data Principal"), why we collect it, how we use and protect it, and the rights you have. Please read it carefully. If you do not agree with this Policy, please do not use the website or share personal data with us.

1. Personal Data We Collect

We collect only the personal data that is necessary for the specified purposes set out in clause 2. The categories include:

Identity & contact data — full legal name, email address, phone number, postal address, country.
KYC / regulatory data — Aadhaar number and a photograph or scan of the Aadhaar card, collected at the point of donation as part of donor identity verification (KYC). Aadhaar data is used only for (a) verifying that the Donor is a real, identifiable Indian resident, (b) defending against fraud, chargebacks, and false-claim complaints, and (c) issuing 80G receipts where applicable. We never publicly display, publish, or share your Aadhaar number, and we mask it to "XXXX-XXXX-1234" in all internal views except where the full number is required to respond to a lawful authority.
Tax data — PAN (for 80G receipts), passport / FCRA details (for foreign Donors where applicable).
Donation data — Donation amount, designation (e.g. Education, Animal Welfare), bank or UPI reference number, date and time of transaction. We do not store full credit-card numbers, CVV, OTPs, or net-banking passwords; these are handled directly by the relevant bank or payment processor.
Consent record — IP address, user-agent string, timestamp, page URL, version of the Terms / Privacy Policy you accepted, the explicit checkboxes you ticked, and a SHA-256 hash of the document text shown to you. This record is retained as legal evidence of your informed consent under the IT Act, 2000 and the Indian Evidence Act, 1872.
Volunteer / partnership data — skills, availability, organisation, role, and other information you submit through volunteer or partnership forms.
Communications — content of emails, contact-form messages, WhatsApp messages, and other correspondence you send us.
Technical data — non-identifying browser type, operating system, device class, and pages visited, used solely for security and aggregate analytics.

We do not deliberately collect "sensitive" data such as caste, religion, biometric data, sexual orientation, or political opinion. Please do not include such data in messages to us.

Aadhaar & the Aadhaar Act, 2016. Provision of Aadhaar to the Trust is voluntary in the sense that you may decline to donate; however, where you choose to donate through the Trust's online channels, KYC verification is mandatory under our internal policy and the data-protection / anti-money-laundering norms applicable to charitable organisations. The Aadhaar number you provide is stored in encrypted-rest form on our server, the card image is held in a directory that denies all direct internet access (served only over an authenticated administrative channel), and access is restricted to the Trustees and the Grievance Officer. We will never use your Aadhaar for biometric authentication with UIDAI; we do not operate as an "Authorised User Agency".

2. Purposes & Lawful Basis

We process your personal data only for the following purposes, each of which is supported by your express consent under §6 of the DPDP Act, except where another lawful ground applies:

To process your Donation and credit it to the appropriate programme;
To issue 80G / 80GGA tax-exemption receipts and meet our reporting obligations to the Income Tax Department, NITI Aayog, FCRA authorities, and our auditors;
To verify the lawfulness of a Donation and to defend against fraud, money-laundering, or unauthorised-transaction claims (legitimate use under §7 DPDP Act);
To respond to your enquiries, volunteer applications, partnership proposals, or grievance complaints;
To send you periodic programme updates and newsletters, only if you opt in; you may withdraw at any time;
To maintain the security, integrity, and audit trail of our website and accounting systems;
To comply with applicable law and respond to lawful directions from courts, regulators, or law-enforcement agencies.

3. Consent & Withdrawal

Where we rely on consent, we obtain it through clear, affirmative action — for example, ticking a checkbox on the donation form. You may withdraw consent at any time by emailing the Grievance Officer (clause 11). Withdrawal:

does not affect the lawfulness of processing carried out before withdrawal;
does not require us to delete data that we are required to retain by law (e.g., Donation records for income-tax purposes);
may mean we can no longer provide certain services (e.g., issue an 80G receipt).

4. Sharing of Personal Data

We do not sell, rent, or trade your personal data. We share it only with the following categories of recipients, and only to the extent necessary:

Service providers (Data Processors) — bankers, payment gateways, email-delivery platforms, cloud-hosting providers, accounting software vendors, and IT support, all bound by confidentiality and data-protection obligations;
Government authorities — Income Tax Department, NITI Aayog, FCRA cell, Reserve Bank of India, Financial Intelligence Unit, Cyber Crime Cell, banking ombudsman, and courts, where required by law or to verify the lawfulness of a Donation;
CSR / programme partners — only where you have given a separate, specific consent (e.g., to be acknowledged in a donor wall);
Auditors and legal advisers — bound by professional confidentiality;
Successors — in the unlikely event the Trust is restructured, merged, or dissolved, your data may be transferred to the lawful successor entity, subject to the same protections.

We do not transfer personal data outside India except where the recipient is in a country notified by the Central Government as permitted under the DPDP Act, or where such transfer is necessary to fulfil a Donation made via an international payment channel.

5. Retention

We retain personal data only for as long as is necessary for the purpose for which it was collected, or as required by law:

Donation records and 80G receipts — eight (8) years from the end of the relevant financial year, as required by income-tax record-keeping rules;
Aadhaar number and Aadhaar card image — eight (8) years from the date of the Donation, in line with KYC and income-tax record-keeping norms; deleted thereafter unless retention is required by a specific statutory direction or pending dispute;
Consent logs — eight (8) years from the date of consent, as legal evidence;
Volunteer applications — until twelve (12) months after the engagement ends;
Newsletter subscriptions — until you unsubscribe;
Website analytics — aggregated and de-identified within thirty (30) days.

After the retention period expires, we either delete the data or anonymise it irreversibly.

6. Your Rights as a Data Principal

Under the DPDP Act, you have the following rights, exercisable by writing to the Grievance Officer:

Right to access — obtain confirmation of whether we are processing your data and a summary of the data and processing activities;
Right to correction & updation — request that we correct inaccurate or incomplete data;
Right to erasure — request deletion of your data, subject to overriding legal obligations (e.g., tax records);
Right to grievance redressal — escalate any concern through our internal grievance mechanism (clause 11) and, if unresolved, to the Data Protection Board of India;
Right to nominate — designate another individual to exercise your rights in the event of your death or incapacity.

We will respond to a verified request within fifteen (15) working days. We may ask you to verify your identity to protect against impersonation.

7. Security Measures

We implement reasonable technical and organisational safeguards proportionate to the sensitivity of the data we hold, including TLS encryption in transit, access controls, password hashing, server-side input validation, audit logging of administrative actions, and physical security of paper records. No system is perfectly secure, however, and we will notify the Data Protection Board and affected Data Principals of any reportable personal-data breach as required by the DPDP Act.

8. Cookies & Tracking

This website uses minimal first-party cookies necessary to support session-based features (e.g., the language switcher, the admin login). We do not use third-party advertising or cross-site tracking cookies. You can disable cookies through your browser; some features may not work correctly.

9. Children

Our website and donation channels are not directed at persons under eighteen (18) years of age. We do not knowingly collect personal data from children, and we do not knowingly accept Donations from children. If you believe a child has provided personal data or made a Donation, please contact the Grievance Officer immediately so we can delete the data and reverse the Donation where lawful.

10. Cooperation with Authorities

The Trust will cooperate with lawful enquiries by the Reserve Bank of India, the Financial Intelligence Unit, the Cyber Crime Cell, the Income Tax Department, the Ministry of Home Affairs, and other competent authorities, including by producing Donation records, identity details, IP logs, and consent records to verify that a Donation was lawfully made and to defend against false-fraud claims.

11. Grievance Officer

In accordance with §10 of the DPDP Act and Rule 3(11) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, we have appointed a Grievance Officer:

Mïam Charitable Trust — Grievance Officer
Andheri West, Mumbai 400053, Maharashtra, India
Email: miamcharitabletrust@gmail.com
Phone: +91 70211 94920
Hours: Monday–Friday, 10:00–18:00 IST

The Grievance Officer will acknowledge receipt within seventy-two (72) hours and aim to resolve the grievance within fifteen (15) working days. If you remain dissatisfied, you may approach the Data Protection Board of India.

12. Changes to this Policy

We may update this Policy to reflect changes in law, our practices, or our programmes. The version and "Last updated" date at the top of this page identify the current version. Material changes will be highlighted on the website and, where practicable, notified to active Donors.

13. How to Contact Us

Mïam Charitable Trust
601, 6th Floor, Remi Commercio, Opp Yash Raj Studio,
Andheri West, Mumbai 400053, Maharashtra, India
Phone: +91 70211 94920
Email: miamcharitabletrust@gmail.com

Acknowledgement. By using this website or making a Donation, you acknowledge that you have read this Privacy Policy and that you understand how your personal data will be processed.