Last updated: 11 May 2026
Effective from: 11 May 2026
Previous version: 13 August 2024 (superseded by this version)
This Privacy Policy ("Policy") describes how One Point Networks LLP ("Donateazy", "we", "us", or "our"), the operator of Donateazy.com and the related cloud software platform (collectively, the "Service"), collects, uses, discloses, retains, and protects personal data.
This Policy applies to:
By accessing or using the Service, you confirm that you have read and understood this Policy. Where the law requires consent for specific processing activities, we will obtain that consent separately.
This Policy is published in accordance with:
Donateazy plays two different roles depending on whose data is being processed:
(a) When we are a Data Fiduciary. For data of our Customers (NGO administrators, finance staff, and other users who register on the Service), website visitors, and prospects, Donateazy is the Data Fiduciary — that is, we determine why and how that data is processed.
(b) When we are a Data Processor. When a Customer uses the Service to collect, store, or process data of their Donors, Beneficiaries, volunteers, or other persons, the Customer is the Data Fiduciary and Donateazy is the Data Processor acting on the Customer's instructions. The Customer's own privacy policy governs how that data is collected from those individuals and the purposes for which it is used. Donateazy processes such data only as instructed by the Customer and as needed to deliver the Service.
If you are a Donor and have questions about how a particular NGO uses your data, please contact that NGO directly.
Depending on how you interact with the Service, we may collect the following categories of personal data:
3.1 Account and profile data
Name, email address, mobile number, password (stored as a salted hash), organisation name, designation, address, profile picture, and similar identifiers you provide while signing up or configuring your account.
3.2 KYC and verification data (for Customers)
PAN, GSTIN, 12A / 80G registration details, NGO Darpan ID, bank account information, cancelled cheque or bank verification documents, and authorised signatory details — to the extent required to onboard you, verify your eligibility, and enable disbursements.
3.3 Donor data (collected by Customers using the Service)
Donor name, email, mobile number, postal address, PAN (where required for 80G tax-receipt issuance), donation amount, donation purpose, frequency, and donor messages. This data is collected by the Customer and processed by Donateazy on the Customer's behalf.
3.4 Beneficiary data
If a Customer uses the Service to maintain Beneficiary records, the Customer may upload information such as Beneficiary name, contact details, demographic information, photographs, case notes, or other programme-related data. Such data is processed by Donateazy solely on the Customer's instructions.
3.5 Payment and transaction data
We do not store full card numbers, CVV, UPI PINs, or net-banking credentials on our servers. Payments are processed through our payment partner, Razorpay Software Private Limited ("Razorpay"). We receive transaction metadata such as Razorpay payment ID, order ID, transaction status, amount, payment method type, and a masked / tokenised representation of the instrument from Razorpay.
3.6 Technical and device data
IP address, browser type and version, operating system, device identifiers, time zone, referrer URL, language preferences, and pages visited.
3.7 Usage and log data
Records of your interactions with the Service: features accessed, actions taken, timestamps, error logs, and API request logs.
3.8 Communications data
Email correspondence, support tickets, chat transcripts, call recordings (where applicable and with notice), and feedback you submit.
3.9 Cookies and similar technologies
See Section 12 (Cookies and Tracking Technologies) below.
We do not knowingly collect data relating to caste, religion, sexual orientation, biometric data, genetic data, or other categories that may be classified as sensitive personal information under Indian law, unless a Customer specifically uploads such data using the Service for the Customer's own purposes, in which case the Customer remains responsible for the legality of such collection.
We collect personal data:
We process personal data for the purposes listed below. Where the DPDP Act applies, the legal basis is your consent unless a "legitimate use" under Section 7 of the DPDP Act applies (such as for compliance with law or in response to a medical emergency).
| Purpose | Categories of data used | Legal basis |
|---|---|---|
| Creating and managing your Donateazy account | Account, KYC | Consent / performance of agreement |
| Providing the Service, including hosting your campaigns, processing donations, and generating reports | Account, Donor, Beneficiary, Transaction | Consent / performance of agreement |
| Processing payments and issuing donation receipts | Donor, Transaction, PAN | Consent / legal obligation (Income Tax Act, 1961 — Section 80G) |
| Generating and storing donation receipts and Form 10BD/10BE filings | Donor, PAN, Transaction | Legal obligation |
| Customer support and grievance handling | Account, Communications | Consent / legal obligation |
| Sending service-related communications (e.g., billing, security, policy updates) | Account, Communications | Performance of agreement / legitimate use |
| Sending marketing emails, newsletters, and product updates | Account, Usage | Consent (opt-in; you can withdraw any time) |
| Fraud prevention, abuse detection, and information security | Technical, Usage, Transaction | Legitimate use / legal obligation |
| Analytics and improving the Service | Technical, Usage (aggregated wherever possible) | Consent |
| Responding to law enforcement requests, court orders, regulatory queries | All as applicable | Legal obligation |
| Defending or pursuing legal claims | All as applicable | Legitimate use |
We share personal data only as set out below. We do not sell personal data to anyone.
6.1 Service providers and sub-processors. We engage trusted third parties to operate parts of the Service. Currently this includes:
Each of these providers is contractually obligated to protect personal data and use it only for the purposes we authorise.
6.2 Customers. Donor and Beneficiary data is shared with the Customer (NGO) on whose behalf the data was collected.
6.3 Government, regulators, and law enforcement. We may disclose personal data when required to do so under applicable law, court order, or regulatory direction, including in response to lawful requests under the DPDP Act, the Income Tax Act, the Foreign Contribution (Regulation) Act, 2010 ("FCRA"), or the Code of Criminal Procedure / Bharatiya Nagarik Suraksha Sanhita.
6.4 Professional advisors. Our auditors, lawyers, accountants, and insurers, on a confidential basis.
6.5 Business transfers. In the event of a merger, acquisition, restructuring, or sale of assets, personal data may be transferred to the successor entity, subject to this Policy.
6.6 With your consent. In any other case, only with your specific consent.
The Service is hosted on virtual private server infrastructure provided by GoDaddy, located in Singapore. As a result, personal data processed through the Service — including Customer account data, Donor data, Beneficiary data (where uploaded by Customers), and transaction metadata — is stored and processed on servers located outside India, in Singapore.
Singapore has its own data-protection regime under the Personal Data Protection Act, 2012 (Singapore), which prescribes obligations on organisations handling personal data within Singapore.
Our payment partner Razorpay primarily processes payment information on infrastructure located in India.
Other sub-processors (such as email-delivery, analytics, and support tools) may also process personal data in jurisdictions outside India. We disclose categories of such sub-processors in Section 6.
When personal data is transferred outside India, we ensure that:
If the Central Government, acting under the DPDP Act, restricts transfers to Singapore or any other specific country or territory, we will adapt our arrangements accordingly and notify affected users where required.
We retain personal data only for as long as necessary for the purposes set out in this Policy or as required by law. Indicative retention periods:
| Category | Retention period |
|---|---|
| Account and profile data | For the duration of your subscription, plus up to 24 months after closure, after which it is deleted or anonymised (subject to longer retention obligations below). |
| Donation and transaction records, donation receipts, 80G filings | At least 8 years from the end of the relevant financial year, to comply with the Income Tax Act, 1961 and rules made thereunder. |
| KYC documents for Customers | For the duration of the engagement, plus the period prescribed under applicable law. |
| Marketing preferences and consent records | Until consent is withdrawn, plus the period needed to evidence such withdrawal. |
| Server logs and security logs | Up to 12 months, except where retained longer for incident investigation. |
| Backups | Up to 90 days in rolling backup cycles before secure deletion. |
| Support tickets and correspondence | Up to 36 months from closure of the ticket. |
We may retain personal data for longer where required to comply with a legal obligation, defend legal claims, or maintain integrity of public records.
For inactive accounts, please refer to the Inactive User Accounts policy in our Terms of Service.
We implement and maintain reasonable security practices and procedures consistent with the SPDI Rules (including ISO/IEC 27001-aligned controls) and the security standards required under the DPDP Rules. These include, among others:
Despite these measures, no system can be guaranteed to be fully secure. You are responsible for keeping your account credentials confidential and notifying us promptly of any suspected unauthorised access at support@donateazy.com.
Subject to applicable law and once the relevant provisions of the DPDP Act are in force, you have the following rights in relation to your personal data:
To exercise any of these rights, please email support@donateazy.com with the subject line "Data Principal Request". We may need to verify your identity before responding. We will respond within the timelines prescribed under applicable law.
If you are a Donor or Beneficiary, please raise such requests with the relevant Customer (NGO) in the first instance, since they are the Data Fiduciary for your data. We will assist the Customer in responding to your request.
Where we rely on your consent to process personal data, we obtain it through clear opt-in mechanisms on the Service (e.g., tick-box, sign-up confirmation, or in-product prompts). You can withdraw consent at any time by:
If you withdraw consent, we will stop the relevant processing. However, this may affect our ability to provide certain features of the Service, and withdrawal will not require us to delete data we are required to retain by law (such as donation records).
We use cookies and similar technologies on Donateazy.com and within the Service. Cookies fall into the following categories:
You can manage cookie preferences through the cookie banner on our website and through your browser settings. Disabling certain cookies may affect functionality.
The Service is not directed at children under 18. We do not knowingly collect personal data of children except where:
We do not undertake behavioural tracking, targeted advertising, or profiling directed at children. If you believe a child has provided personal data to us without verifiable parental consent, please contact us at support@donateazy.com and we will take steps to delete it.
In the event of a personal data breach, we will:
The Service may contain links to third-party websites, plug-ins, or applications. We are not responsible for the privacy practices of those third parties. We encourage you to read the privacy policies of any third-party services before providing personal data to them.
In accordance with the Information Technology Act, 2000, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and the DPDP Act:
Grievance Officer: Junaid Khan
Email: support@donateazy.com
Phone: 080-41621214
Address: [Insert registered office address of One Point Networks LLP]
Working hours: Monday to Friday, 10:00 AM to 6:00 PM IST (excluding public holidays)
We acknowledge complaints within 24 hours and aim to resolve them within 15 days of receipt, in accordance with the Intermediary Guidelines.
If you are not satisfied with the response, you may approach the Data Protection Board of India once the relevant provisions of the DPDP Act are in force, or any other authority designated under applicable law.
We may update this Policy from time to time to reflect changes in law, technology, or our business. When we make material changes, we will:
Your continued use of the Service after the effective date of the revised Policy constitutes your acceptance of the changes. If you do not agree to the changes, you may close your account before they take effect.
If you have questions, comments, or concerns about this Policy or our data-protection practices, please contact:
One Point Networks LLP
Attn: Privacy / Grievance Officer
[Insert registered office address]
Email: support@donateazy.com
Phone: 080-41621214
This Policy is governed by the laws of India. Any dispute arising out of or in connection with this Policy will be subject to the exclusive jurisdiction of the courts at Bengaluru, Karnataka.
End of Privacy Policy
