Privacy Policy

Iqwat Foundation (“Iqwat,” “we,” or “our”) is a community-funded, not-for-profit movement for the global Kashmiri Pandit community. The personal information you share with us — when you join our mailing list, donate, or get in touch — is treated as a trust. This page explains what we collect, why, who else sees it, and what you can do about it.

1. Scope of this policy

This Privacy Policy applies to iqwat.com and its subdomains operated by the Foundation for public communication, the lead-gen modal, and the donation flow. The Iqwat mobile app (available on the App Store and Google Play) is governed by its own Privacy Policy, published within the app stores and inside the app. If you use both, both policies apply to the respective context.

2. Personal data we collect

2.1 When you fill the “Join Iqwat” form

• Full name
• Email address
• Mobile number with country code
• Country of residence
• Areas of interest (Conclave attendance, sponsorship, volunteering, etc.)
• Your self-declaration that you are a Kashmiri Pandit (a community-scope marker, not a legal claim)
• Timestamp of submission and source page
• The IP address from which you submit (used for rate-limiting; not retained long-term)

2.2 When you make a donation

• Full name, email, mobile number with country code
• The donation amount you choose
• A Razorpay payment identifier and order identifier (no card numbers, CVVs, OTPs, UPI handles, or netbanking credentials are ever seen by Iqwat — all of that is handled by Razorpay)
• Whether the payment succeeded, failed, or was abandoned
• The IP address from which you submit the donation

2.3 What we never see or store

We do not see your card number, expiry, CVV, OTP, UPI PIN, or netbanking password. Those are entered directly into Razorpay’s payment iframe and handled by Razorpay under PCI-DSS compliance. We only receive a payment identifier confirming the transaction.

3. How we use your data

• Lead-gen submissions are forwarded to our Google Sheet (managed by the Foundation operations team) and used to keep you posted about Conclaves, programmes, and opportunities to participate. We will not spam you. You can unsubscribe at any time.
• Donation data is used to (i) create the Razorpay order, (ii) verify the payment signature server-side after Razorpay returns to us, (iii) record the donation in our internal Donations Sheet for reconciliation and 80G receipt issuance, (iv) email you the receipt, and (v) comply with statutory record-keeping obligations under Indian law.
• Operational data (IP address, timestamp, error logs) is used to rate-limit abusive traffic, debug issues, and improve security.

4. Legal basis under the DPDPA

Under the Digital Personal Data Protection Act, 2023 (India), we process your data on the following legal grounds:

• Consent — you tick the agreement checkbox when you submit a form or donate.
• Legitimate use — for the specified purpose for which you voluntarily shared the data (e.g., processing a donation you initiated).
• Compliance with law — for tax, audit, and statutory record-keeping obligations applicable to Section 8 companies and 80G-certified entities.

5. Who we share data with

We share your personal data only with the third-party service providers required to make the website and donation flow work. None of them are permitted to use your data for their own marketing.

• Razorpay Software Private Limited — payment processing for donations. Razorpay receives your name, email, phone, and the amount, and processes the payment instrument you choose. Their policy: razorpay.com/privacy.
• Google LLC (Google Workspace + Apps Script + Sheets) — hosts our mailing list and donation log. Data is stored within our Foundation-controlled Google Workspace tenant.
• Vercel Inc. — hosts iqwat.com. Server logs may include IP address and request metadata briefly for operational diagnostics.
• Resend, Inc. — sends transactional emails (donation receipts, retry emails). They process your email address to deliver the email and do not retain content beyond standard delivery logs.
• GoDaddy Inc. (registrar) and Cloudflare, Inc. (Turnstile) — domain services and bot-protection. Turnstile processes a brief, anonymous signal to verify you are not a bot.
• Upstash, Inc. — short-term rate-limit counters keyed by anonymised IP.

We may also disclose data when required by Indian law, by a court order, or to defend ourselves against legal claims — but we will not do so on a casual request, and we will push back on overbroad requests where lawful.

6. International data transfers

Some of our service providers (Vercel, Resend, Cloudflare, Upstash) are headquartered outside India and may process data in the United States, the European Union, or other jurisdictions. The DPDPA permits cross-border transfers to countries not specifically restricted by the Government of India. Where applicable, we rely on the provider’s Standard Contractual Clauses or equivalent safeguards.

7. How long we keep your data

• Lead-gen submissions — retained for as long as you are on our mailing list, plus 12 months after unsubscribe (so we don’t re-add you accidentally), or until you request deletion.
• Donation records — retained for at least 8 years from the financial year of donation, as required by the Income Tax Act and statutory audit obligations for 80G-certified Section 8 companies.
• Server access logs and rate-limit counters — purged within 30 days.

8. Security

We protect your data with industry-standard technical and organisational measures, including HTTPS for all traffic, hardened security headers, server-side signature verification of payments, encrypted storage of secrets, multi-factor authentication on admin accounts, and least-privilege access controls. No system is ever 100% secure, but we treat your data as carefully as our own. If we discover a breach affecting your data, we will notify the Data Protection Board of India and affected users without undue delay as required by the DPDPA.

9. Your rights

You have the right to:

• Access the personal data we hold about you
• Correct inaccurate or outdated information
• Withdraw your consent for future processing (e.g., unsubscribe from emails)
• Request deletion of your data, subject to our legal record-keeping obligations
• Nominate another person to exercise these rights on your behalf in the event of your incapacity or death (as permitted by the DPDPA)
• Lodge a complaint with the Data Protection Board of India

To exercise any of these rights, email privacy@iqwat.com from the email address associated with your account. We will respond within 30 days.

10. Children

iqwat.com is intended for users 18 years and older. We do not knowingly collect personal data from minors. If you are a parent or guardian and believe a minor has submitted information through our site, please email privacy@iqwat.com and we will delete it promptly.

11. Cookies and tracking

iqwat.com uses the bare minimum of cookies — only those required for the site to function (e.g., short-lived session cookies set by our hosting provider). We do not use third-party advertising cookies, retargeting pixels, or cross-site tracking. If we add privacy-first analytics in the future (we are considering Plausible, which is cookieless and GDPR-compliant out of the box), we will update this section.

12. SMS communications (Iqwat App)

The iqwat.com website itself does not send SMS messages. SMS communications are sent only to users of the separate Iqwat mobile application (available on the App Store and Google Play), and only for transactional purposes — primarily one-time-password (OTP) verification and account security notifications.

This section is published on the website for transparency and to satisfy US carrier compliance requirements (A2P 10DLC) for our SMS delivery partner. The detailed SMS practices governing the App live in the Iqwat App Privacy Policy. The summary below mirrors what is in the App at the point of opt-in.

• Opt-in: during App registration, users actively check a consent checkbox labelled “I agree to receive SMS messages from Iqwat for OTP verification and account-related notifications. Message and data rates may apply.” The checkbox is not pre-selected.
• Message types: OTP for registration, OTP for login, OTP for sensitive account changes, and security/account notifications. We do not send promotional SMS based on this consent.
• Frequency: 1–3 OTP messages per active month for a typical user, with occasional service notifications.
• Cost: standard message and data rates from the user’s mobile carrier may apply.
• Opt-out: reply STOP to any message. Reply HELP for assistance. Or email contactus@iqwat.com.
• SMS partners: Twilio Inc. for US and certain international jurisdictions; an Indian DLT-registered SMS gateway for India.

See the Iqwat App Privacy Policy, Section 5, for the complete SMS terms — including specifics for US recipients under A2P 10DLC.

13. Updates to this policy

We may update this policy from time to time to reflect changes in the law, our services, or our practices. The “Last updated” date at the top of this page will always reflect the most recent version. Material changes will be notified by email to members of our mailing list before they take effect.

14. Grievance officer

In accordance with the DPDPA and the Information Technology Act, 2000, the contact details of our designated grievance officer are:

• Name: Aditya Kalla
• Designation: Chief Convener, Iqwat Foundation
• Email: privacy@iqwat.com
• Postal: Enkay Tower, First Floor, Plot No. B & B1, Vanijya Nikunj, Udyog Vihar Phase V, Gurugram, Haryana 122016, India

We aim to acknowledge all grievances within 48 hours and resolve them within 30 days.