Privacy Policy

A Legal Disclaimer

1. Introduction and purpose

Retain Smilez (“we”, “us”, “our”, the “Organisation”) is committed to protecting the privacy, confidentiality and security of personal information that we collect and process while delivering charitable, medical and community services (eye care, community kitchens, education, livelihood, awareness and related programs). This Privacy Policy explains what personal data we collect, why we collect it, how we use it, how long we retain it, with whom we share it, and the rights of individuals whose data we hold. Our practices follow Indian legal obligations including the Digital Personal Data Protection Act, 2023 and other sectoral rules applicable to healthcare providers, tax and foreign-fund reporting.

This Policy applies to: visitors to our website and digital channels; donors and funders; patients and beneficiaries; volunteers, interns and staff; partner organisations and suppliers. By interacting with Retain Smilez (visiting our site, donating, volunteering, attending a camp, or receiving services) you consent to the collection/use of personal data as described here.

2. Key definitions (short)

  • Personal data / personal information — any information that identifies a natural person (name, contact details, ID numbers, medical information, images).

  • Data Principal — the individual whose personal data is processed (donor, patient, volunteer, employee, website visitor).

  • Data Fiduciary — Retain Smilez when we determine purpose/means of processing.

  • Processing — any collection, storage, use, disclosure, transfer, retention or deletion of personal data.

3. Categories of personal data we collect (and examples)

A. Patients / clinical beneficiaries

  • Identity & contact: name, age, address, phone, guardian details.

  • Clinical data: medical history, diagnoses, prescriptions, test results, surgical records, images (fundus photos, slit-lamp photos), vision scores, follow-up notes.

  • Consent & insurance details, referral and emergency contact information.

Why: clinical care, safe treatment, surgery planning, follow-up and rehabilitation. Clinical information is handled with elevated safeguards and clinical confidentiality.

B. Donors & funders

  • Identity & contact, PAN (for Indian donors if required), donation amount, transaction metadata (payment gateway reference), employer (for CSR), donation designation and tax receipt details.

Why: process contributions, issue tax receipts (80G / finance compliance), bookkeeping, reporting and donor stewardship. (Financial/receipt records are retained for statutory & audit purposes.)

C. Volunteers, interns, staff & suppliers

  • Identity details, qualification/resume, references, background checks (where role requires), emergency contact, bank details (stipend / reimbursement), attendance & performance notes.

Why: placements, onboarding, payments, programme management, safety checks and compliance.

D. Website users & visitors

  • Cookies/analytics data (IP, device/browser data, page views), contact forms (name, email, query), newsletter preferences, voluntary uploads.

Why: operate/secure website, measure outreach impact, respond to enquiries.

E. Beneficiary / community datasets (program reporting)

  • Socio-economic profiles, household data, anonymised health or screening results, survey responses; photographs or video for outreach (only with explicit consent).

Why: programme delivery, needs assessment, impact reporting and (when anonymised) research/advocacy.

4. Lawful basis for processing & legal obligations

We rely primarily on consent for communications, fundraising and non-clinical uses. For service delivery and legal compliance (tax obligations, FCRA reporting, clinical records, medico-legal needs), we process personal data as necessary to perform our charitable and clinical functions, fulfil statutory obligations, or where certain “legitimate uses” under the Indian Digital Personal Data Protection Act apply. The DPDP Act establishes rights for individuals and requires transparent notices and grievance mechanisms; where the law permits, we may process data for compliance, safety, vital interests (medical emergencies), and other lawful purposes.

Special note (health data): health/clinical information is treated with heightened safeguards. Even where DPDP’s wording does not separately label categories, Retain Smilez treats medical/biometric information as particularly sensitive and requires explicit informed consent for non-care uses (publicity, research, third-party marketing).

5. How we collect personal data

  • Directly from you: forms, camp registration, clinic intake, donation forms, job/internship applications, email/phone communications.

  • From third parties: partner NGOs, hospitals we refer to/from, payment processors (transaction confirmation), government databases (where legally required for verification), or public sources when permitted.

  • Automatically: website cookies and analytics tools (see “Cookies” below).

We minimise collection to only what is necessary for the stated purpose and explain which fields are required at the point of collection.

6. How we use and share personal data (purposes)

We use personal data for the following core purposes:

Clinical & caregiving: provide and coordinate medical treatment (screening, cataract surgery, spectacles, hearing aids), referrals and follow-up care. Clinical data can be shared only with treating clinicians, referral hospitals, diagnostic labs and authorised clinical partners.

Donations & finance: process donations, issue receipts (80G where applicable), comply with tax and audit requirements and issue utilization certificates for donors and CSR partners. Financial data is shared with auditors, banks and statutory authorities as required.

Program delivery & operations: schedule beneficiaries, run community kitchens, deliver livelihoods and education programs, manage volunteers and staff.

Communications & fundraising: with consent, we send newsletters, impact reports and appeals. Donors may opt out at any time.

Reporting & compliance: file returns and reports required by law (Income Tax returns, Form 10BD/10BE/FC-4 for 80G/FCRA or other statutory filings), respond to lawful requests by courts, regulators or law enforcement.

Research & monitoring: anonymised or aggregated data may be used for internal monitoring, impact evaluation or research; identifying information is removed unless explicit consent for identifiable research use is given.

Third-party processors: we engage vetted processors (payment gateways, cloud hosts, analytics, labs, courier partners). These partners process personal data on our instruction under contracts that require confidentiality and security.

7. Cross-border transfers and third parties

Retain Smilez may use service providers located in India and abroad (cloud services, payment gateways, analytics). Under the DPDP Act transfers outside India are permitted subject to government restrictions (the law empowers the government to restrict transfers to specific jurisdictions). When personal data is transferred outside India we use contractual safeguards, limit the fields transferred, and require providers to maintain adequate security. If the law later requires localisation or additional safeguards, we will implement them.

8. Retention periods — how long we keep different categories of data

We follow legal minimums and sector best practice while keeping only what we need:

  • Clinical/patient records: minimum 3 years from the last date of treatment for in-patient records (medical authorities’ guidance). For medico-legal cases, surgical complications, or where the law requires, records are retained longer as necessary.

  • Financial & donation records: at least 8 years (or longer where tax/FCRA audits require) to meet Income Tax and audit obligations.

  • Volunteer & HR records: generally 8 years after end of engagement (longer where legal or operational needs require).

  • Website logs & analytics: minimal retention for operational and security uses (periods vary from days to up to 24 months depending on purpose; visitors can control cookies or opt-out where provided).

  • Research / anonymised data: retained as long as ethically required; identifiable elements removed at the earliest practical moment.

When retention periods expire we securely delete, anonymise or archive personal data consistent with law and operational need.

9. Security measures & organisational safeguards

We apply industry-standard technical and organisational measures to protect data, including: encryption in transit and at rest where feasible; strong access controls and role-based permissions; regular backups; secured servers; vetted third-party contracts with confidentiality and security covenants; staff training on information security and patient confidentiality; and routine internal audits. For payment processing we use PCI-compliant gateways so Retain Smilez does not store raw card details on our servers.

We continuously review security and will enhance measures as new threats appear.

10. Data breach response & notification

If a personal data breach occurs that may cause harm or risk to individuals, Retain Smilez will follow an incident response process: contain the breach, assess scope, notify affected individuals and authorities as required, and remediate. Under India’s DPDP framework and draft rules, data fiduciaries are required to notify affected Data Principals and the Data Protection Board; draft guidance proposes early reporting timelines to the regulator (e.g., proposals reference a 72-hour notification window for significant breaches). We will follow statutory breach-notification obligations and keep affected persons informed.

11. Children & vulnerable groups

We give special protection to children and persons with diminished capacity. Where children’s personal data is collected (e.g., school screenings, immunisation drives) we obtain parental or guardian consent. We do not target children for direct fundraising or marketing. The DPDP Act specifies additional protections for children and vulnerable persons — Retain Smilez follows heightened safeguards when working with such groups.

12. Patient stories, photographs & publicity material

We use images and stories to document impact and to support fundraising/awareness. We obtain written, informed consent before publishing identifiable patient images or stories. Consent is voluntary and may be withdrawn; if withdrawn we will make reasonable efforts to remove material from our channels. (Removal from third-party caches or re-shared content may not be fully in our control.) We will never publish clinical images that identify a person without explicit consent.

13. Cookies, analytics & marketing communications

Our website uses cookies and similar technologies to improve functionality, measure traffic and provide a better user experience. Some cookies are essential (site security, forms), others are for analytics (page visits) or optional marketing. You may control cookies via your browser settings; we provide an opt-out for non-essential cookies on the website.

For marketing and fundraising emails, we obtain consent and provide an easy unsubscribe option in every message.

14. Your rights & how to exercise them

Under the DPDP Act, Data Principals have rights including (where applicable):

  • access to the personal data we hold about you;

  • correction, completion and updating of inaccurate or incomplete data;

  • erasure (subject to legal retention requirements);

  • withdrawal of consent where consent was the basis for processing;

  • grievance redressal with the Organisation and escalation to the Data Protection Board where unresolved; and

  • nomination of an individual to exercise your rights in the event of death or incapacity.

How to make a request or complaint: write to our Data Protection Officer (DPO) at dpo@retainsmilez.org or mail to our registered office address (published on our site). Provide your name, contact details, a clear description of the request, and any supporting documents. We will acknowledge and process requests in line with the law; where a request requires identity verification, we may ask for additional identification before acting on it.

If you are not satisfied with our response you may escalate to the Data Protection Board of India or other competent authority as provided by law.

15. Sharing data for research or with partners (ethics & anonymisation)

We may collaborate with clinical, academic or NGO partners on research and programme evaluations. Identifiable personal data is shared only with explicit consent or where laws permit; where possible we share anonymised / de-identified datasets and ethical approval is obtained for research involving identifiable data. All partner agreements include data protection clauses.

16. Third parties — payment processors, analytics, cloud vendors

We use reputable third-party providers to process payments, host data, analyse traffic or provide cloud storage. These providers act as data processors and are contractually required to protect data, process only on our instruction, and follow confidentiality & security standards. We carefully vet processors, perform periodic audits, and restrict cross-border flows consistent with law.

17. Obligations for donors, volunteers and partners

When you donate, volunteer or partner with Retain Smilez you represent that any information you provide is accurate and that you have lawful authority to provide it. Donors requiring receipts must provide accurate PAN/ID information where required by tax rules. Volunteers must inform us of any health conditions that could affect their placement; some roles require background checks for safety of beneficiaries.

18. Changes to this Privacy Policy

We may revise this Privacy Policy from time to time to reflect legal updates, operational changes or new programs. Material changes will be posted with a revised “Last updated” date. Continued use of our services after posting indicates acceptance of the revised policy.

19. Contact, grievance & DPO details

Data Protection Officer (DPO)
Email: dpo@retainsmilez.org
Postal: Compliance Officer / DPO, Retain Smilez, [Registered Address on website]
General enquiries & complaints: info@retainsmilez.org

You may also contact our grievance redressal team via the address listed on our website; we commit to acknowledge and investigate grievances promptly and transparently.

20. Legal compliance & governance commitments (summary)

  • We comply with India’s Digital Personal Data Protection Act, 2023 and applicable DPDP rules (notice, consent, grievance redressal and other fiduciary duties).

  • Clinical data and record-keeping follow National Medical Commission / medical ethics guidance (minimum record retention & confidentiality obligations).

  • Financial & donation record retention and donor receipts comply with Income Tax / 12A/80G rules and FCRA when foreign funds are received (reporting and audit obligations).

  • We aim to follow the Ministry of Health’s EHR standards and best practices where we digitise clinical records.

  • We maintain a documented breach response plan and follow statutory notification processes (draft rules propose time-bound notifications to regulators and affected persons).

Copyright © Retain Smilez

Designed & Managed by Jeevan Marketing Company