About Activities Timeline Partners

Privacy Policy

Version & Effective Date - v1.0 | 15 October 2025

Controller / Data Fiduciary - Cyber Buddha Techno Legal Private Limited

Scope - www.hashtagsuraksha.com only.

This Site functions as a public-information hub; MyGov remains the system of record for all participation workflows (registrations, attempts, submissions, evaluation, certificates, and any recognition or prizes).

1. Overview & Applicability

1.1 Purpose - This Privacy Policy describes how Cyber Buddha Techno Legal Private Limited, as the Data Fiduciary for the website www.hashtagsuraksha.com, collects, uses, shares and safeguards personal data. The website serves a public interest purpose by promoting cyber safety for teenagers and directs all participation activities to MyGov. This Policy provides clear notice of our practices and the choices available to users and guardians.
1.2 Who this Policy applies to - This Policy applies to visitors to the website, including teenagers, parents and guardians, educators, prospective sponsors and donors, and any member of the public who accesses resources such as e‑books, activity packs and the operating system safety guide, or who views pages that may display embedded content from third party platforms.
1.3 What is out of scope - All participation workflows, including registrations, quiz attempts, reel link submissions, evaluation, certificates and any recognition or prizes, are conducted on MyGov and are governed by MyGov’s own terms and privacy notices. Paperback purchases made on Amazon.in are governed by Amazon’s policies. This Policy does not apply to those independent platforms.
1.4. Legal alignment - Our practices are aligned with applicable Indian law and guidance, including the Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 as amended, and the CERT-In Directions dated 28 April 2022, to the extent relevant to a public website.

2. Roles and Definitions

2.1. Our role - TCyber Buddha Techno Legal Private Limited acts as the Data Fiduciary for interactions on the website www.hashtagsuraksha.com. We determine the purposes and means of processing personal data collected through the website.
2.2. Data processors - We engage service providers to process personal data on our behalf and under our instructions. They are bound by confidentiality and security obligations and may not use personal data for their own purposes.
The following terms are used in this Policy. They are concise and should be read in the context of Indian law.
2.3. Amazon.in - The e-commerce platform operated by Amazon Seller Services Private Limited, which handles paperback purchases independently of this website.
2.4. Child or Minor - An individual below 18 years of age.
2.5. Consent - A free, specific, informed and unambiguous indication of the Data Principal’s agreement to processing, given by a clear affirmative action.
2.6. Data Fiduciary - The entity that determines the purpose and means of processing personal data. For this website, Cyber Buddha Techno Legal Private Limited.
2.7. Data Principal - The individual to whom the personal data relates.
2.8. Data Processor - A person or entity that processes personal data on behalf of the Data Fiduciary and under its instructions.
2.9. MyGov - The Government of India platform that administers registrations, submissions, evaluation, certificates and any recognition or prizes for Hashtag Suraksha, and is the system of record for participation.
2.10. Personal Data - Any data about an individual who is identifiable by or in relation to such data, directly or indirectly.
2.11. Processing - An operation or set of operations performed on personal data, including collection, recording, organisation, storage, use, disclosure, transmission, retrieval, erasure or destruction.
2.12. Site - The public information website at www.hashtagsuraksha.com.
2.13. Sponsor or Donor Interest - An enquiry expressing interest in sponsorship or donations submitted through the website or by email.
2.14. United Services Institution of India or USI - The CSR partner that administers eligibility for tax deductions, issues receipts and manages related compliance for sponsorships or donations; this website does not accept donations or issue receipts.
2.15. User-Generated Content or UGC - Publicly available content hosted on third party platforms that may be displayed on this website through embeds.

3. What we collect

3.1. Identifiers - We may collect basic identifiers such as name and email address. If a form requires it, we may also collect a mobile number and the name of a school or organisation.
3.2. Download controls - To fulfil downloads and deter misuse, we record the timestamp of the request, the file name delivered, and control metadata such as a unique link or watermark string.
3.3. Communications - We process the content of emails and forms that you send to us, including sponsor or donor interest.
3.4. Telemetry - Our systems generate server logs, page events and error logs. Cookies and similar technologies are used as described in the Cookies section of this Policy.
3.5. Payments - We do not collect or process payment data on this website. Paperback purchases occur on Amazon.in and are governed by Amazon’s policies.

4. Why we collect (purposes) and legal basis

4.1. Content delivery - We process personal data to deliver downloads you request, operate unique or expiring links, apply rate limiting, and deter misuse or redistribution.
4.2. Legal basis - Consent given at the point of request and performance of the requested service. Certain abuse-prevention controls are also supported as legitimate uses for security and fraud or misuse prevention.
4.3. Information and communication - We use contact details and the content of enquiries to respond, provide essential notices related to your request, and keep a minimal record of the interaction.
4.4. Sponsor or donor interest - We receive and route expressions of interest to the United Services Institution of India so that eligibility, receipts and compliance can be administered by USI.
4.5. Site reliability, security and improvement - We generate and review logs and aggregate analytics to maintain availability, investigate errors, protect against abuse, and improve discoverability and accessibility of content.
4.6. Legal and compliance - We act on valid takedown notices, preserve evidence where required, cooperate with lawful requests, and align with CERT-In expectations on logging, time synchronisation and incident reporting for a public website.

5. Children’s data and age gate

5.1. Model - Interactions by individuals under 18 that transmit personal data through the website, such as a download request or an enquiry form, must be undertaken with parent, guardian, or school authorisation. The website is designed as a public information resource and the collection of children’s data is limited to what is necessary for the requested action.
5.2. Age verification - To uphold programme integrity and child safety norms the organisers may request proof of age at a later date. This right is further described in the Terms of Use and operates independently of any process that runs on MyGov.
5.3. Advertising and design - We do not use children’s data for targeted advertising. We avoid dark pattern interfaces in consent and choice design, and we present information in a manner that is understandable to young users and their guardians.
5.4. Remediation - If personal data of a minor was submitted without appropriate authorisation, we will act in good faith to delete such data and to limit any further processing once we are notified or otherwise become aware of the situation.

6. Disclosures and sharing

6.1. Processors - We use service providers to operate the website and to support communications and analytics. They act on our instructions and are bound by confidentiality and security obligations.
- Hosting and content delivery network:
- Email and Messaging services:
- Analytics vendor:
6.2. USI - Sponsor or donor interest submitted through the website or by email is routed to the United Services Institution of India. USI administers eligibility for any tax deductions, issues receipts and manages related compliance. This website does not accept donations or issue receipts.
6.3. Public authorities - We may disclose personal data where required by law, in response to lawful requests, to investigate or respond to security incidents, or to protect the rights, safety or security of users or the website.
6.4. Independent platforms - MyGov and Amazon.in operate their own platforms and receive personal data directly from users on those platforms. We do not push personal data from this website to MyGov or Amazon by default.

7. Retention and disposal

7.1. General rule - We retain personal data only for as long as it is necessary for the purpose for which it was collected, for limited follow up that a reasonable user would expect, and to deter misuse or repeated abuse of download links. When the retention period ends, the data is deleted or irreversibly anonymised in accordance with this section.
7.2. Downloads and enquiries - Records created to deliver downloads or to respond to enquiries, including sponsor or donor interest, are retained for a limited period that enables fulfilment, reasonable correspondence and audit for misuse deterrence.
7.3. Operational and security logs - System and security logs are retained for the period prescribed by applicable directions and guidance, including those issued by CERT In.
7.4. Legal holds and disputes - Where a request, investigation or dispute requires preservation, relevant records may be retained beyond the standard period until the matter is closed and the retention is no longer required in law.
7.5. Deletion and anonymisation - When data reaches the end of its retention period and is not subject to a legal hold, it is deleted or irreversibly anonymised. Deletion covers primary systems and, within a reasonable time frame, routine backups. Anonymisation removes direct and indirect identifiers so that the data can no longer be linked to an individual.
7.6. Processor alignment - Service providers that act as data processors are required to apply retention and deletion that is consistent with our instructions and this Policy, and to provide confirmation of destruction or anonymisation upon request.

8. Security measures

8.1. Transport security - The website uses HTTPS with modern TLS configurations. Cookies that are essential for session integrity are set with appropriate attributes. We prefer secure defaults and disable outdated protocols and ciphers.
8.2. Access governance - Administrative access is restricted to authorised personnel on a least privilege basis. Strong authentication and role based controls are applied and reviewed periodically.
8.3. Logging and monitoring - Core actions, administrative events and security relevant signals are logged. Logs are protected from tampering and are reviewed on a risk based cadence to detect misuse or anomalous activity.
8.4. Vulnerability management - We assess the website and supporting services for vulnerabilities on a scheduled cadence and after material changes. Findings are triaged and remediated according to severity. Penetration testing is conducted at intervals that are proportionate to a public information site.
8.5. Secure development - Changes are promoted through controlled environments with peer review and automated checks where feasible. Secrets are managed in secure stores and rotated on a defined schedule.
8.6. Backups and continuity - Content and configuration that are necessary to restore essential service are backed up. Restoration is tested periodically to confirm integrity. Recovery objectives are proportionate to a public information site.
8.7. CERT In alignment - We maintain relevant logs, synchronise system time with industry standard time sources and cooperate with incident reporting within notified timelines to the extent applicable to a public website. Where an incident meets reporting thresholds, we will follow the applicable process under the CERT In Directions dated 28 April 2022.
8.8. Third party processors - Service providers acting as data processors are required to implement technical and organisational measures that are at least equivalent to those in this section and to notify us without undue delay of any security incident affecting data they process for us.
8.9. Security contact and responsible disclosure - Security concerns or suspected vulnerabilities may be reported to the Grievance Officer listed in this Policy.

9. Rights of data principals

9.1. Overview - You may exercise rights under Indian law in relation to personal data that we process through this website. These rights are subject to identity verification, technical feasibility and lawful limits.
9.2. Access - You may request a summary of personal data that we hold about you in connection with this website, together with the categories of sources and purposes of use where applicable.
9.3. Correction - You may request correction or completion of inaccurate or incomplete personal data.
9.4. Erasure - You may request deletion of personal data where it is no longer necessary for the stated purpose or where consent has been withdrawn, subject to lawful retention requirements, evidence preservation and legal holds.
9.5. Withdrawal of consent - Where processing relies on consent, you may withdraw consent for the specific activity. Withdrawal does not affect processing performed before the withdrawal and may limit our ability to provide the requested resource.
9.6. Grievance and review - You may submit a grievance regarding our handling of personal data. If you remain dissatisfied after our response, you may pursue remedies available in law, including complaint to the Data Protection Board of India where applicable.
9.7. How to make a request - Submit your request by email to the Grievance Officer using the contact in this Policy. Please specify the right you wish to exercise, the context in which the data was provided and any identifiers that will help us locate your records.
9.8. Identity verification - To protect users against unauthorised access, we may ask you to verify identity through email confirmation, a one time code or other reasonable checks before acting on a request. Where a request is made on behalf of a minor, we may ask for proof of authority.
9.9. Timelines - We will acknowledge requests within the grievance acknowledgement window and aim to provide a substantive response within the grievance resolution window unless a different statutory period applies.
9.10. Lawful limits - We may refuse or restrict a request where the law permits or requires us to do so, for example where disclosure would adversely affect the rights of another person, where deletion would conflict with a legal obligation, where records must be retained for security, audit or incident investigation, or where identity cannot be reasonably verified.
9.11. Scope limits - Rights requests apply only to data that we process through this website. Data you provide on independent platforms such as MyGov or Amazon.in must be requested from those platforms under their policies.

10. Grievances and contact

10.1. Grievance Officer and DPO - The Grievance Officer and Data Protection Officer is Kamaljeet Kaur Muni. The contact email for notices and complaints is kamaljeet.muni@adrey.in
10.2. Acknowledgement and disposal - We will acknowledge a grievance within twenty four to seventy two hours and we aim to dispose of it within fifteen days, or within any different period required by law.
10.3. Escalation - If you remain dissatisfied after our response, you may pursue remedies available in law, including a complaint to the Data Protection Board of India where applicable.

11. Cookies

11.1. Overview - This website uses cookies and similar technologies to support essential functions, maintain security and understand aggregate usage so that content can be improved over time.
11.2. Categories - Two categories are used on this website. Strictly necessary cookies are required for core functions such as secure delivery of pages and rate limiting. Analytics cookies are used to generate aggregate insights about visits and navigation.
11.3. Cookie Notice - Details of cookie types, the names of analytics vendors, retention periods and opt out controls are set out in the Cookie Notice at www.hashtagsuraksha.com/cookiepolicy
11.4. Browser controls - Most browsers allow you to block or delete cookies. Blocking strictly necessary cookies may impair basic functions of the website. If you clear cookies, any preferences you have set may need to be re applied.
11.5. Signals - Where technically feasible we will honour browser level controls as described in the Cookie Notice.

12. Cross border transfers

12.1. Default location - We intend to host and process data for this website in India. This includes production systems and routine backups that are necessary to provide a public information site.
12.2. Use of content delivery and infrastructure providers - If a provider uses distributed infrastructure or a content delivery network and this results in limited technical transfers outside India, we will apply contractual and technical safeguards that are consistent with the Digital Personal Data Protection Act, 2023 and any rules made under it.
12.3. Notice of destination and protections - Where a cross border transfer becomes necessary beyond transient delivery, we will provide a notice that states the destination jurisdiction, the purpose of the transfer, the categories of data affected and the safeguards that apply, such as confidentiality obligations, encryption in transit and at rest, and restrictions on onward disclosure.
12.4. Compliance with future rules - If transfer conditions or restrictions are notified under law after the effective date of this Policy, we will align with those requirements and update this section with a clear explanation of their effect on our operations.

13. USI and donations path

13.1. Scope - This website captures expressions of interest in sponsorships or donations. It does not accept donations, process payments or issue receipts.
13.2. Routing - Sponsor or donor interest submitted through the website or by email is routed to impact@hashtagsuraksha.com so that it can be coordinated with the United Services Institution of India.
13.3. Role of USI - The United Services Institution of India administers eligibility for any tax deductions, issues receipts and manages related compliance. Records created by USI are governed by USI’s own policies.

14. Automated decision making and profiling

14.1. No automated decisions - We do not carry out automated decision making that produces legal effects or similarly significant effects for users of this website.
14.2. Analytics - Any analytics performed are limited to aggregate insights used to improve content discoverability, reliability and accessibility. They are not used to make individual decisions about users.

15. Changes to this Policy

15.1. Versioning and effective date - The version number and effective date appear at the top of this Policy.
15.2. Material changes - Where updates materially affect your rights or the way we handle personal data, we will provide a clear notice on the website before the change takes effect.

16. Order of precedence and governing law

16.1. Precedence - If there is a conflict between this Privacy Policy and the Terms of Use, this Privacy Policy controls for matters relating to the processing of personal data and the Terms of Use control for all other matters.
16.2. Governing law and jurisdiction - This Privacy Policy is governed by the laws of India. Any disputes arising from or in connection with this Policy are subject to the exclusive jurisdiction of the courts at Mumbai, Maharashtra.