Privacy Policy
Last updated: April 10, 2026
This policy is aligned with the Digital Personal Data Protection Act, 2023 (India).
1. Who we are
Sevastack is a multi-tenant SaaS platform operated by NaviByte Innovations for Indian NGOs, Trusts, and Foundations. Under the DPDP Act 2023:
- Data Fiduciary: Each NGO organization using Sevastack determines the purpose of data processing for their donors, volunteers, and employees.
- Data Processor: Sevastack (NaviByte Innovations) processes data on behalf of NGO organizations as per their instructions.
2. Personal data we collect
| Category | Data fields | Purpose |
|---|---|---|
| Donor data | Name, email, phone, PAN, address | Donation receipts, 80G certificates, Form 10BD/10BE |
| Volunteer data | Name, email, phone, DOB, address, skills, emergency contact | Volunteer coordination, safety |
| Employee data | Name, PAN, Aadhaar, bank details, salary | Payroll, PF/ESI/TDS compliance |
| User accounts | Name, email, password (hashed) | Authentication, platform access |
| Payment data | Amount, payment method, Razorpay IDs | Donation processing (card details NOT stored) |
3. Lawful basis for processing (DPDP Sections 6-7)
- Consent (S.6): Donor and volunteer data collected via public forms with explicit consent checkbox.
- Legal obligation (S.7(b)): Donor PAN for 80G receipts and Form 10BD (Income Tax Act requirement).
- Employment contract (S.7(a)): Employee data for payroll, PF/ESI/TDS filing.
- Performance of contract (S.7(c)): User account data for platform access per Terms of Service.
- Legitimate interest (S.7(d)): Audit logs with IP addresses for security monitoring.
4. Your rights (DPDP Sections 11-14)
As a data principal, you have the following rights:
- Right to access (S.11): Request a copy of all personal data held about you.
- Right to correction (S.11): Request correction of inaccurate or incomplete data.
- Right to erasure (S.12): Request deletion of your personal data (subject to legal retention requirements).
- Right to data portability: Export your data in machine-readable format.
- Right to grievance redressal (S.13): File a complaint about data handling practices.
- Right to withdraw consent (S.6(6)): Withdraw consent at any time for non-mandatory processing.
To exercise these rights: Submit a data request or file a grievance. Organizations must respond within 30 days.
5. Consent management
We collect explicit consent via checkbox on all public-facing forms (donation, volunteer registration). Consent is recorded with timestamp, method, and purpose. You can withdraw consent for non-mandatory processing at any time by contacting the NGO or our DPO at .
Note: Consent cannot be withdrawn for legally mandated processing (e.g., 80G receipt generation with PAN — required by Income Tax Act).
6. Data retention (DPDP S.8(7))
| Data type | Retention period | Basis |
|---|---|---|
| Donor records | 7 years after last donation | Income Tax Act (80G records) |
| Donation records | 8 years | IT Act S.149 (assessment reopening) |
| Volunteer records | 3 years after last activity | Operational need |
| Employee records | 8 years post-exit | PF/ESI/TDS requirements |
| Audit logs | 5 years | Security and accountability |
Automated cleanup runs daily. NGO organizations can configure retention periods within legal minimums.
7. Security safeguards (DPDP S.8)
- Encryption: AES-256 encryption for sensitive fields (PAN, Aadhaar, bank details). HTTPS/TLS for all data in transit.
- Access control: Role-based access (RBAC) with 5 permission levels. Sensitive data masked in UI.
- Authentication: Passwords bcrypt-hashed. Google OAuth supported.
- Audit trail: All data operations logged with user ID, IP address, and timestamp.
- Rate limiting: Protection against brute-force and spam on all public endpoints.
- Multi-tenancy: Data logically isolated per organization — no cross-tenant access.
8. Third-party processors (DPDP S.8(2))
| Processor | Purpose | Location |
|---|---|---|
| AWS S3 | Document storage | India (Mumbai) |
| Neon (PostgreSQL) | Primary database | Singapore |
| Razorpay | Payment processing | India |
| Resend | Transactional email | US |
| Vercel | Application hosting | Global (edge CDN) |
Under DPDP S.16, personal data may be transferred outside India unless restricted by Central Government notification. We monitor government notifications and will update accordingly.
9. Children's data (DPDP S.9)
Sevastack does not target children as users. Volunteer registration requires users to be 18 years or older (verified via date of birth). We do not knowingly collect personal data from individuals under 18 without guardian consent.
10. Breach notification (DPDP S.8(6))
In the event of a personal data breach, we will notify the Data Protection Board of India and affected data principals without unreasonable delay. Notification will include the nature of the breach, data affected, and remedial measures taken.
11. Data Protection Officer
For any privacy-related inquiries, data requests, or grievances:
Data Protection Officer
Email:
NaviByte Innovations, Pune, Maharashtra, India
12. Changes to this policy
We may update this Privacy Policy periodically. Material changes will be notified via email to registered users. Continued use of Sevastack after changes constitutes acceptance. Previous versions are available upon request.