VOICE OF SPECIALLY ABLED PEOPLE (VOSAP)

GLOBAL PRIVACY POLICY

GDPR  |  CCPA/CPRA  |  DPDP Act 2023  |  UK DPA 2018  |  COPPA  |  PIPEDA  |  APA 1988

Effective Date: March 13, 2026
Last Updated: February 18, 2026
Version: 2.0 – Global
Jurisdiction: Global

 

SECTION 1 — DATA CONTROLLER / DATA FIDUCIARY IDENTIFICATION

 

Voice of Specially Abled People Inc. (“Voice of SAP,” “VOSAP,” “Company,” “we,” “our,” or “us”) is a California corporation and registered 501(c)(3) non-profit organization currently holding Special Consultative Status with the United Nations Economic and Social Council (ECOSOC). For the purposes of applicable global data protection law:

  • EU General Data Protection Regulation (GDPR) and UK GDPR: Voice of SAP is the Data Controller responsible for the processing of your personal data.
  • Indian Digital Personal Data Protection Act, 2023 (DPDP Act): Voice of SAP is the Data Fiduciary responsible for the processing of your personal data.
  • California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA): Voice of SAP is the Business that determines the purposes and means of processing personal information.

 

Registered Address: Voice of Specially Abled People Inc., 22734 Stagg St. West Hills, CA 91304, United States of America

Privacy Contact: privacy@voiceofsap.org 

General Contact: info@voiceofsap.org 

Website: https://www.voiceofsap.org

Protection Officer / Grievance Officer: Nimish Sevak, Grievance@voiceofsap.org

 

SECTION 2 – OUR COMMITMENT TO PRIVACY

 

Voice of SAP is committed to protecting your privacy and processing your personal data in a lawful, fair, and transparent manner. This Privacy Policy explains how we collect, use, store, transfer, and protect your personal data in connection with our mission of empowering Specially Abled People (Persons with Disabilities) through accessibility, assistive devices, surgical interventions, employment, education, and healthcare programs.

We comply with applicable data protection laws worldwide, including but not limited to: the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”); the EU General Data Protection Regulation 2016/679 (“GDPR”); the UK General Data Protection Regulation and Data Protection Act 2018 (“UK DPA 2018”); the Indian Digital Personal Data Protection Act, 2023 (“DPDP Act”) and its Rules, 2025; the Children’s Online Privacy Protection Act (“COPPA”); Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”); and Australia’s Privacy Act 1988.

 

Given the sensitive nature of disability-related data, we implement enhanced safeguards and apply the highest applicable standards of data protection across all jurisdictions in which we operate. We do not sell your personal data to any third party, under any circumstances.

 

SECTION 3 – SCOPE AND APPLICABILITY

3.1  What This Policy Covers

This Privacy Policy governs the collection, use, storage, transfer, and processing of personal data through all Voice of SAP touchpoints, including:

  • the Voice of SAP website (https://www.voiceofsap.org);
  • the Voice of SAP mobile application (Voice of SAP: VoSAP);
  • the assistive device application and fulfilment process;
  • telephonic verification calls (which may be recorded: see Section 11);
  • WhatsApp Business communications;
  • email, SMS, and OTP communications; and
  • any other digital or physical touchpoint through which we collect personal data (collectively, the “Platform”).

3.2  Who This Policy Applies To

This Privacy Policy applies to all individuals whose personal data we process, including: website visitors and mobile app users; volunteers and pledge-takers; donors and event participants; applicants for assistive devices; beneficiaries of VOSAP programs; and any other person who interacts with the Platform.

3.3  What This Policy Does Not Cover

This Privacy Policy does not apply to: (a) information collected by third parties through websites, applications, or services linked from or accessible through the Platform, which are governed by their own privacy policies; or (b) anonymized or aggregated data that cannot reasonably be used to identify any individual.

3.4  Territorial Scope

This Privacy Policy applies globally. If you access the Platform from the European Economic Area (“EEA”), the United Kingdom, India, California, or any other jurisdiction with specific data protection laws, you are entitled to the additional protections described in the jurisdiction-specific sections of this Policy. Where there is a conflict between the general provisions and a jurisdiction-specific provision, the provision offering greater protection to the data subject shall prevail.

 

SECTION 4 – DEFINITIONS

 

The following definitions apply throughout this Privacy Policy:

  • “Personal Data” or “Personal Information” means any information relating to an identified or identifiable natural person, as defined under GDPR Article 4(1), CCPA §1798.140(v), and DPDP Act §2(t).
  • “Sensitive Personal Data” or “Special Category Data” means personal data revealing racial or ethnic origin, health data, disability status, biometric data, or other categories requiring enhanced protection under GDPR Article 9, CCPA §1798.140(ae), or DPDP Act §4(2).
  • “Processing” means any operation performed on personal data, including collection, recording, storage, retrieval, use, disclosure, transfer, erasure, or destruction.
  • “Data Subject” means the identified or identifiable natural person to whom personal data relates.
  • “Data Processor” means a third party that processes personal data on behalf of Voice of SAP pursuant to a written agreement (Data Processing Agreement or equivalent).
  • “Consent” means any freely given, specific, informed, and unambiguous indication of the Data Subject’s agreement to the processing of their personal data.
  • “HIPAA” means the Health Insurance Portability and Accountability Act of 1996. Note: VOSAP is not a HIPAA Covered Entity. See Section 6 for full analysis.
  • “You” or “User” means any individual who accesses or uses the Platform (including the website at https://www.voiceofsap.org and the mobile application “Voice of SAP or Voice of SAP: VoSAP”).
  • Personally Identifiable Information (“PII”): Information that identifies or can reasonably identify an individual, such as name, email address, phone number, postal address, or IP address.
  • Protected Health Information (“PHI”): Individually identifiable health information relating to a person’s health condition, healthcare services, or payment for healthcare, as regulated under HIPAA.
  • Health-Related Information: Information about a user’s disability, medical condition, or physical needs collected in connection with assistive device applications and related services.

 

SECTION 5 – CATEGORIES OF PERSONAL DATA WE COLLECT

 

We collect the following categories of personal data depending on your interaction with the Platform:

 

Category | Examples | Legal Classification
Identity Data | Full name, date of birth, gender, photograph, government-issued ID (UDID, ration card, voter ID — where legally required) | Personal Data
Contact Data | Postal address, email address, telephone/mobile number, WhatsApp number | Personal Data
Disability & Health Data (Health-Related Information) | Type and nature of disability, disability certificate, medical records, assistive device requirements, disability percentage | Sensitive / Special Category Data (GDPR Art. 9; DPDP Act §4)
Financial Data | Donation amounts, transaction records; credit/debit card details (not stored by VOSAP, processed by PCI-DSS certified processors only) | Personal Data / Sensitive PI (CCPA)
Device & Technical Data | IP address, browser type, operating system, device identifiers, GPS location data, camera/photo access data | Personal Data
Usage Data | Pages visited, time on Platform, click patterns, accessibility ratings submitted, search queries | Personal Data
Communication Data | Emails, chat logs (Tawk.To), call recordings (Simple2Call), WhatsApp messages, SMS/OTP records | Personal Data
Volunteer Data | Pledge details, project participation, availability, skills, general location, public display name | Personal Data
Account Data | Username, password (hashed), registration date, account preferences, SNS account connections (Facebook, Google) | Personal Data
Verification Data | OTP records, call verification logs, BPA staff verification notes, Salesforce CRM records | Personal Data

 

SECTION 6 – HIPAA ANALYSIS AND HEALTH-RELATED DATA

6.1  HIPAA Applicability – Legal Opinion

The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), 42 U.S.C. § 1320d et seq., and its implementing regulations at 45 C.F.R. Parts 160 and 164, apply to “Covered Entities” (healthcare providers that transmit health information electronically, health plans, and healthcare clearinghouses) and to their “Business Associates.”

 

VOSAP is NOT a HIPAA Covered Entity. VOSAP does not provide clinical healthcare services, process insurance claims, or act as a healthcare clearinghouse. Accordingly, HIPAA’s Privacy Rule and Security Rule do not apply directly to VOSAP. However, VOSAP collects disability and health-adjacent data which constitutes:

  • Special Category Personal Data under GDPR Article 9 (data concerning health);
  • Sensitive Personal Information under CCPA §1798.140(ae);
  • Sensitive Personal Data under DPDP Act §4(2); and
  • Special Category Data under UK GDPR Article 9.

 

These frameworks impose obligations at least as protective as HIPAA in several respects. VOSAP voluntarily applies HIPAA-equivalent standards to all health-related data as a matter of best practice and mission integrity.

 

6.2  Enhanced Safeguards for Health-Related and Disability Data

VOSAP processes disability and health data only for the following specified purposes: assistive device application processing; needs assessment and eligibility determination; program matching and service delivery; and statutory reporting obligations. All such data is subject to:

  • Explicit, informed, and documented consent prior to collection;
  • Role-based access controls limiting access to authorized personnel only;
  • Encryption at rest (AES-256 or equivalent) and in transit (TLS 1.2 or higher);
  • Segregated storage with enhanced audit logging;
  • Strict retention limits (see Section 13); and
  • A prohibition on use for behavioral advertising, profiling, or any commercial purpose.

 

If VOSAP ever engages third-party healthcare providers or entities qualifying as HIPAA Covered Entities in service delivery, VOSAP will execute Business Associate Agreements (BAAs) as required and update this Policy accordingly.

 

SECTION 7 – SENSITIVE PERSONAL DATA – PROCESSING CONDITIONS

 

Given our mission of empowering Specially Abled People, we necessarily process disability and health condition data. We process such data only where:

  • GDPR/UK GDPR: You have given explicit consent (Art. 9(2)(a)); processing is necessary for substantial public interest (Art. 9(2)(g)); or necessary for health or social care purposes (Art. 9(2)(h)).
  • DPDP Act: You have given explicit consent before any sensitive personal data is processed (§4(2)).
  • CCPA/CPRA: You have been given notice and provided consent, or processing is necessary for a permitted business purpose.

 

All sensitive personal data is subject to enhanced protections including access restrictions, encryption, segregated storage, enhanced audit logging, and specific retention limits set out in Section 13.

 

SECTION 8 – HOW WE COLLECT YOUR PERSONAL DATA

8.1  Directly from You

When you browse the Platform, create an account, submit an assistive device application, make a donation, take a volunteer pledge, register for an event, rate accessibility of a location, or communicate with us via email, phone, WhatsApp, or the Platform’s chatbot.

8.2  Through Automated Means

We collect device and technical data automatically when you use the Platform, through cookies, pixels, web beacons, and similar technologies. See Section 17 (Cookie Policy) for full details.

8.3  Location Data

We collect precise GPS location data when you use the Platform to photograph and rate places for accessibility, or to take a volunteer pledge. This data is collected only when you expressly grant location permissions through your device settings. You may withdraw this permission at any time through your device settings.

8.4  Telephonic Verification and Call Recording

When you apply for an assistive device, our verification partner (Blind People’s Association, “BPA”) may contact you by telephone to verify your application. These calls may be routed through our telecommunications provider, Simple2Call, and may be recorded. You will be notified at the beginning of each call that recording may occur and will have the opportunity to object. If you object, an alternative verification method may be arranged. This process complies with California Penal Code §632 (two-party consent), the Indian Telegraph Act 1885, the Information Technology Act 2000, and the EU ePrivacy Directive 2002/58/EC.

 

The Blind People’s Association is an Ahmedabad, India-based non-governmental organisation with over seven decades of experience in disability rehabilitation and social welfare. VOSAP has engaged BPA to conduct telephonic verification of assistive device applications submitted by applicants located in India. BPA’s role is strictly limited to verification of Indian applicant eligibility for assistive device programmes; BPA has no access to data relating to VOSAP beneficiaries outside India, and no access to any data category other than that required for assistive device application verification. BPA staff access applicant records exclusively through purpose-restricted access to VOSAP’s centralised Salesforce CRM system; no physical documents, files, or data extracts are transferred to BPA at any time. This access is granted only in respect of applications for which the applicant has provided prior explicit consent to verification by BPA.

8.5  WhatsApp Communications

We use WhatsApp Business Platform (operated by Meta Platforms, Inc.) to communicate with applicants and beneficiaries regarding application status updates, verification, and program communications. Messages sent via WhatsApp are processed by Meta in accordance with Meta’s privacy policy, in addition to this Privacy Policy. WhatsApp communications are stored in our CRM system (Salesforce) for record-keeping. For opt-out instructions, including the immediate “STOP” mechanism and processing timelines for other channels, see Section 11.3. 

8.6  Through Third-Party Sources

If you connect your account to a third-party social networking service (e.g., Facebook, Google), we may receive your name, profile picture, age range, language, email address, and friend list. You may disconnect such services at any time through your Account Settings. We may also receive referral data from partner organizations or government agencies where relevant to service delivery.

 

SECTION 9 – LEGAL BASIS FOR PROCESSING

 

We process personal data only where we have a lawful basis. The bases applicable to each processing purpose are set out below:

 

Purpose of Processing | Legal Basis (GDPR Art. 6 / UK GDPR) | DPDP Act Basis
Account registration and management | Performance of contract (Art. 6(1)(b)) | Consent (§6)
Assistive device application processing | Legitimate interests (Art. 6(1)(f)) / Consent (Art. 6(1)(a)) | Consent (§6)
Processing disability / health data | Explicit consent (Art. 9(2)(a)) / Substantial public interest (Art. 9(2)(g)) | Explicit consent (§4(2))
Donation processing | Performance of contract (Art. 6(1)(b)) | Consent (§6)
Volunteer management | Legitimate interests (Art. 6(1)(f)) | Consent (§6)
Email, SMS, WhatsApp communications | Consent (Art. 6(1)(a)) / Legitimate interests (Art. 6(1)(f)) | Consent (§6)
Call recording for verification | Consent (Art. 6(1)(a)) | Consent (§6)
Website analytics and cookies | Consent for non-essential; Legitimate interests for essential | Consent (§6)
Legal compliance and fraud prevention | Legal obligation (Art. 6(1)(c)) / Legitimate interests (Art. 6(1)(f)) | Legitimate uses (§7)
Tax and financial record-keeping | Legal obligation (Art. 6(1)(c)) | Legitimate uses (§7)

Under CCPA/CPRA: California law does not require a formal “legal basis” in the GDPR sense. VOSAP processes personal information only for the business purposes disclosed in this Privacy Policy and does not sell or share personal information for cross-context behavioral advertising.

 

SECTION 10 – PURPOSES OF PROCESSING

 

We process your personal data for the following specific, explicit, and legitimate purposes:

  1. Processing and fulfilling assistive device applications, including identity verification, needs assessment, and device delivery.
  2. Managing volunteer registrations, pledges, and project assignments.
  3. Processing financial donations and issuing tax receipts.
  4. Communicating program updates, event invitations, and organizational news.
  5. Operating and improving the Platform, including accessibility ratings features.
  6. Conducting telephonic verification of applicants through our partner BPA.
  7. Recording calls for quality assurance, training, dispute resolution, and fraud prevention.
  8. Providing customer support via email, WhatsApp, Tawk.To chatbot, and telephone.
  9. Complying with applicable laws, regulations, and government requests.
  10. Conducting internal analytics and research using de-identified or aggregated data only.
  11. Preventing fraud, unauthorized access, and security threats.
  12. Sharing data with government portals and partner organizations for assistive device fulfilment under statutory obligation.
  13. Sending OTP verification codes and communicating application status updates.

 

SECTION 11 – CALL RECORDING, COMMUNICATION MONITORING, AND WHATSAPP

11.1  Call Recording – Purpose and Legal Basis

Telephonic communications between Voice of SAP (or its verification partner BPA) and applicants may be recorded through our telecommunications provider, Simple2Call. Call recordings are made for: (a) verifying the identity and eligibility of assistive device applicants; (b) quality assurance and staff training; (c) fraud prevention and dispute resolution; and (d) maintaining an auditable record of the verification process.

 

11.2  Consent and Notice

A recorded announcement is played at the beginning of each call informing you that the call may be recorded. By continuing the call, you provide your consent to the recording. If you do not wish to be recorded, please indicate this at the outset and an alternative verification method will be arranged (e.g., in-person verification or written correspondence). This disclosure complies with:

  • California Penal Code §632 (two-party / all-party consent state);
  • Indian Telegraph Act, 1885 and Information Technology Act, 2000;
  • EU ePrivacy Directive 2002/58/EC and applicable Member State implementations; and
  • UK Investigatory Powers Act 2016 and PECR 2003.

 

11.3  WhatsApp Business Platform

We use WhatsApp Business Platform (Meta Platforms, Inc.) to communicate application status, verification updates, and program communications with applicants. When you communicate with us via WhatsApp, your messages are processed by Meta under their Business Terms and Privacy Policy. We store WhatsApp communications in Salesforce CRM for record-keeping. You may opt out of WhatsApp communications at any time by sending “STOP”, which will take effect immediately. Alternatively, you may email privacy@voiceofsap.org. Email-based opt-out requests will be processed within ten (10) business days.

11.4  Retention of Communications

Call recordings are retained for a maximum of sixty (60) months from the date of recording, after which they are securely and irreversibly deleted. WhatsApp communication logs are retained for thirty-six (36) months, consistent with our program dispute resolution requirements.

 

SECTION 12 – DATA SHARING AND THIRD-PARTY PROCESSORS

 

Voice of SAP does not sell, trade, or share your personal data with any third party for their own marketing, advertising, or commercial purposes. We do not engage in cross-context behavioral advertising. We share personal data only with the categories of recipients described below, subject to appropriate contractual safeguards, including Data Processing Agreements (DPAs) under GDPR Article 28 and equivalent Service Provider agreements under CCPA §1798.140(ag).

 

12.1  Authorized Third-Party Data Recipients

Recipient | Purpose | Data Shared | Safeguards
Blind People’s Association (BPA), India | Verification of assistive device applications; field assessment | Applicant identity, contact, disability data, and application records (access to VOSAP’s centralised CRM system only; no physical documents or files are transferred to BPA). Access is limited to Indian applicant records only, granted solely for the purpose of verifying assistive device applications, and only with the beneficiary’s prior consent | Data Processing Agreement; confidentiality obligations; DPDP Act compliance
Simple2Call (Telecoms Provider) | Call routing, recording, and WhatsApp integration for verification | Phone numbers, call recordings, call metadata, WhatsApp logs | DPA; encryption in transit; defined retention periods
Salesforce Inc. (CRM) | Storing and managing applicant, volunteer, donor, and communications records | All applicant, volunteer, and donor data categories | Salesforce DPA; SOC 2 Type II certified; EU SCCs
Meta Platforms Inc. (WhatsApp Business) | Application status notifications and verification communications | Phone numbers, message content | WhatsApp Business Terms; Meta DPA; EU-US Data Privacy Framework
Payment Processors (Stripe, PayPal) | Processing financial donations | Name, transaction amount; payment card details processed directly by processor (not stored by VOSAP) | PCI-DSS Level 1 certified; processor DPAs
Cloud Hosting Providers | Hosting Platform infrastructure and databases | All data stored on the Platform | SOC 2 / ISO 27001 certified; DPAs; encryption at rest
Government Authorities / Portals (India) | Assistive device fulfilment; UDID portal integration; scheme compliance | Applicant identity, disability data, application details | Statutory obligation; government data protection standards
Analytics Providers | Website and app usage analytics | Anonymized / pseudonymized usage and device data | Standard Contractual Clauses; data minimization
Tawk.To (Chat Service) | Live chat customer support on the Platform | Name, email, chat content | Processor DPA; defined data retention limits
Mailchimp (Email Marketing Platform) | Sending newsletters, program updates, and donor communications via email to subscribers who have opted in | Name, email address, subscription preferences, and email engagement data (open rates, clicks) | Standard Contractual Clauses; data transferred only to opted-in subscribers; GDPR Art. 6(1)(a) consent basis; CAN-SPAM Act and CASL compliance

12.2  Other Required Disclosures

We may also disclose personal data: (a) to comply with any court order, law, or legal process, including government or regulatory requests; (b) to enforce or apply our Terms and Conditions; (c) where necessary to protect the rights, property, or safety of Voice of SAP, our users, or the public; or (d) with your prior, documented consent.

 

SECTION 13 – DATA RETENTION

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. Upon expiry of the applicable retention period, personal data is securely deleted or anonymized. You may request earlier deletion at any time, subject to our legal obligations (see Section 14).

Data Category | Retention Period | Legal Basis for Retention
Non-Transactional Account Data (username, profile preferences, accessibility settings, saved configurations, display name) | Deleted within thirty (30) days of verified account closure or valid erasure request. No post-deletion retention applies. | Performance of contract during account lifetime
Transactional Account Data with Legal Retention Requirements (donation history, application submission records, compliance documentation, fraud logs, dispute records, audit trails) | Retained for the applicable statutory limitation period (typically 3–7 years depending on jurisdiction) | Legal obligation; fraud prevention; defense of legal claims
Account registration data | Duration of account + 3 years after deletion | Legitimate interests; contractual records
Assistive device application data | 5 years from date of application or fulfilment | Program records; audit requirements; DPDP Act §8(7)
Disability and health data | 5 years from date of collection or last interaction | Program records; legal obligations
Donation and financial records | 7 years from transaction date | Tax obligations (IRC §6501; Indian Income Tax Act; UK HMRC)
Call recordings | 12 months from date of recording | Quality assurance; dispute resolution
WhatsApp and communication logs | 36 months from date of communication | Program records; dispute resolution
Volunteer data | Duration of relationship + 2 years | Legitimate interests; program records
Website analytics / cookies | Maximum 13 months | GDPR / ePrivacy requirements
OTP and verification data | 6 months from verification | Security; fraud prevention
AML / financial compliance records | 5 years (Bank Secrecy Act); 7 years (IRS) | US federal law
FCRA records (India) | As required under FCRA Rules, 2011 | India Foreign Contribution (Regulation) Act 2010
Backup systems | Per above schedules + 90-day rolling backup cycle | Technical necessity; disaster recovery

 

SECTION 14 – YOUR RIGHTS AS A DATA SUBJECT

 

You have specific enforceable rights regarding your personal data under applicable law. Voice of SAP honours these rights across all jurisdictions as part of our commitment to global best practices. To exercise any right, contact privacy@voiceofsap.org with the subject line “Data Subject Rights Request.” We will verify your identity before processing any request.

14.1  Rights Under EU GDPR and UK GDPR

  • Right of Access (Art. 15 GDPR): Obtain confirmation of whether we process your personal data and receive a copy.
  • Right to Rectification (Art. 16): Have inaccurate personal data corrected without undue delay.
  • Right to Erasure / Right to Be Forgotten (Art. 17): Request deletion where data is no longer necessary, consent is withdrawn, or there is no overriding legitimate ground. The Right to Erasure does not apply where retention of personal data is necessary to comply with legal obligations, prevent fraud, resolve disputes, defend legal claims, meet tax or accounting recordkeeping requirements, or satisfy statutory audit requirements. In such cases, the retained data will be restricted from active processing and maintained solely for compliance or legal defense purposes. Where erasure is requested, VOSAP will delete non-transactional account data promptly. However, data subject to statutory retention requirements (including financial records, fraud-prevention logs, and regulatory documentation) will be retained strictly to the extent required under applicable law.
  • Right to Restriction of Processing (Art. 18): Restrict processing where accuracy is contested or processing is unlawful.
  • Right to Data Portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format.
  • Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing.
  • Rights Related to Automated Decision-Making (Art. 22): Not to be subject to solely automated decisions producing legal or similarly significant effects.
  • Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time without affecting the lawfulness of prior processing. 
  • Right to Lodge a Complaint (Art. 77): Lodge a complaint with your local supervisory authority (see Section 27).

14.2  Rights Under CCPA / CPRA (California Residents)

  • Right to Know (§1798.100): Know what categories and specific pieces of personal information we collect, use, and disclose.
  • Right to Delete (§1798.105): Request deletion of personal information, subject to exceptions.
  • Right to Correct (§1798.106): Request correction of inaccurate personal information.
  • Right to Limit Sensitive Personal Information (§1798.121): Limit our use of sensitive personal information to purposes strictly necessary for service delivery.
  • Right to Non-Discrimination (§1798.125): Not to receive discriminatory treatment for exercising CCPA rights.
  • Authorized Agent: You may designate an authorized agent to submit requests on your behalf. We may require proof of authorization.

14.3  Rights Under India DPDP Act 2023

  • Right to Access Information (§11(1)): Obtain a summary of personal data being processed and the processing activities.
  • Right to Correction and Erasure (§11(2)-(3)): Correction of inaccurate or misleading data, completion of incomplete data, and erasure of data no longer necessary.
  • Right of Grievance Redressal (§11(4)): Have grievances relating to data processing addressed by our Grievance Officer at Grievance@voiceofsap.org.
  • Right to Nominate (§11(5)): Nominate an individual to exercise your rights in the event of your death or incapacity.
  • Right to Withdraw Consent (§6(6)): Withdraw consent at any time; we will cease processing within a reasonable period unless retention is required by law.

14.4  Response Timeframes

We will respond to data subject rights requests within: 30 days for GDPR/UK GDPR requests (extendable by sixty (60) days for complex requests, with notice); forty-five (45) days for CCPA requests (extendable by forty-five (45) days with notice); and within a reasonable period as defined under DPDP Act Rules for Indian users. If we deny a request, we will provide the reasons and inform you of your right to appeal or lodge a complaint with the relevant supervisory authority.

 

SECTION 15 – DECLARATION OF NON-SALE OF PERSONAL INFORMATION

 

VOSAP does not sell personal information as defined under California Civil Code §1798.140(ad), and does not share personal information for cross-context behavioral advertising as defined under §1798.140(ah). We have not sold or shared personal information in the preceding twelve (12) months, and we have no current intention to do so. Because no sale or sharing occurs, no opt-out mechanism is required or provided under §1798.120 or §1798.135 of California Civil Code. This declaration constitutes VOSAP’s compliance with those provisions.

 

SECTION 16 – CONSENT MANAGEMENT

Under DPDP Act §6 and DPDP Rules, 2025 (Rule 4), and consistent with GDPR consent requirements, we provide mechanisms for you to give, manage, review, and withdraw your consent at any time.

 

You may manage your consents through: (a) the Platform’s Account Settings; (b) the cookie consent banner displayed on first visit to our website; (c) by emailing privacy@voiceofsap.org with subject line “Consent Management Request”; or (d) through any Consent Manager registered with the Data Protection Board of India once such infrastructure is constituted under DPDP Rules, 2025, Rule 4.

 

Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. Withdrawal of consent to certain essential processing activities may result in some services being unavailable to you. We will clearly inform you of any such consequences at the time of your withdrawal request.

 

16.1  Data Retained Notwithstanding Withdrawal of Consent

Notwithstanding a valid withdrawal of consent or a request for erasure, Voice of SAP is required or entitled under applicable law to retain certain categories of personal data. A withdrawal request does not and cannot override the following retained data categories:

  • Audit and Compliance Records: Transaction records, assistive device application records, donation records, and related correspondence retained for audit purposes pursuant to applicable statutory obligations (including US federal and state tax law, India’s Income Tax Act 1961, FCRA compliance records, and equivalent obligations in other jurisdictions). Retention period: as required by applicable law, typically 5–7 years from the relevant financial year.
  • Legal Proceedings and Dispute Resolution: Any data that is the subject of, or reasonably anticipated to be relevant to, litigation, arbitration, regulatory investigation, or other legal proceedings will be retained for the duration of such proceedings and any applicable limitation period thereafter, pursuant to GDPR Article 17(3)(e), CCPA §1798.105(d), and equivalent provisions.
  • Government and Regulatory Reporting Obligations: Data submitted to or required by Government authorities, UDID portals, FCRA reporting, IRS/FBAR requirements, or any other mandatory regulatory body cannot be recalled or deleted following submission, as such retention is imposed by law and is not within VOSAP’s unilateral control.
  • Call Recordings Retained for Verification and Fraud Prevention: Call recordings retained within the sixty (60) month retention window specified in Section 11.4 for the purpose of verifying assistive device applications, preventing fraudulent claims, and maintaining an auditable record of beneficiary verification processes. These recordings constitute operational audit records and are exempt from consent-based erasure requests pursuant to GDPR Article 17(3)(b) and (e).

 

16.2 Effect of Withdrawal on Ongoing Services

Where a withdrawal of consent relates to data that is necessary for the delivery of a service you are currently receiving (for example, an in-progress assistive device application), Voice of SAP will notify you prior to ceasing that service that withdrawal will result in discontinuation. We will provide you with a minimum of fourteen (14) days’ notice to allow you to reconsider or make alternative arrangements, except where immediate cessation is required by law. Where consent withdrawal relates solely to marketing or non-essential communications (such as newsletters via Mailchimp), such withdrawal will be processed within ten (10) business days and will not affect your eligibility for VOSAP programs or services.

 

SECTION 17 – COOKIE POLICY AND TRACKING TECHNOLOGIES

 

When you visit our Platform, we use cookies and similar tracking technologies. In compliance with the EU ePrivacy Directive (2002/58/EC), UK Privacy and Electronic Communications Regulations 2003 (PECR), and applicable data protection laws, we obtain clear, affirmative, prior opt-in consent before deploying any non-essential cookies or tracking technologies.

 

Cookie Type | Purpose | Consent Required
Strictly Necessary | Essential for Platform operation (session management, security, load balancing) | No. Exempt from consent where permitted by law. Legal basis: ePrivacy Directive Art. 5(3) (EEA/UK); DPDP Act §7(a) legitimate uses (India — processing necessary to provide a service explicitly requested by the user); and equivalent provisions under applicable law in other jurisdictions.
Analytics / Performance | Understanding usage patterns, page views, traffic sources (e.g., Google Analytics) | Yes, prior opt-in consent required globally. Legal basis: GDPR Art. 6(1)(a) and ePrivacy Directive Art. 5(3) (EEA); UK GDPR / PECR (UK); DPDP Act §6 (India); and equivalent applicable laws in other jurisdictions.
Functionality | Remembering language preferences, accessibility settings, login status | Yes, prior opt-in consent required globally. Legal basis: GDPR Art. 6(1)(a); UK GDPR / PECR; DPDP Act §6; and equivalent laws.
Marketing / Advertising | Not currently used. VOSAP does not serve advertisements. | N/A

 

You may manage cookie preferences through our cookie consent banner, through your browser settings, or through your device’s privacy settings. We do not deploy non-essential cookies to any user, anywhere, without prior opt-in consent. This is a uniform global standard applied by VOSAP irrespective of the user’s jurisdiction. It satisfies the requirements of the DPDP Act 2023 §6 (India), GDPR Art. 6(1)(a) and ePrivacy Directive Art. 5(3) (EEA), UK GDPR and PECR (UK), and equivalent applicable laws in all other jurisdictions.

 

SECTION 18 – CHILDREN’S DATA AND MINORS (COPPA COMPLIANCE)

 

VOSAP is deeply committed to protecting the privacy of children and minors. The Platform is not directed to children under the age of thirteen (13) years. We do not knowingly collect personal information from children under thirteen (13) years of age without verifiable parental consent, in compliance with COPPA, 15 U.S.C. §§ 6501-6506, and FTC regulations at 16 C.F.R. Part 312.

 

Jurisdiction | Minimum Age Without Parental Consent | Applicable Law
United States | 13 years | COPPA; CCPA
European Union | 16 years (or lower per Member State, minimum 13) | GDPR Article 8
United Kingdom | 13 years | UK DPA 2018 §9; Age Appropriate Design Code
India | 18 years | DPDP Act §9
All other jurisdictions | Age of digital consent under local law; 13 years if none specified | Applicable local law

 

Under DPDP Act §9: We do not process personal data of children (persons under eighteen (18) years in India) without verifiable parental consent. We do not engage in tracking, behavioral monitoring, or targeted advertising directed at children. We do not process data in any manner that may cause detrimental effects to the well-being of a child.

 

Parents and legal guardians may exercise any data subject right on behalf of their child, including the right to access, correct, or delete the child’s personal data. If you become aware that we have collected personal data from a child without appropriate consent, please contact privacy@voiceofsap.org immediately. We will delete such data as soon as possible upon verification.

 

VOSAP does not conduct behavioral advertising directed at Minors. We do not share a Minor’s personal information with third parties for commercial or marketing purposes. Where a Minor with a disability is applying for assistive devices, additional parental consent documentation will be required.

 

SECTION 19 – INTERNATIONAL DATA TRANSFERS

 

Voice of SAP operates globally. Your personal data may be transferred to, stored in, and processed in countries other than the country in which it was collected, including the United States of America and India. These countries may have data protection laws that differ from the laws of your jurisdiction.

 

19.1 Transfers from the EEA / UK

Where we transfer personal data from the EEA or UK to third countries lacking an adequacy decision (including the United States), we rely on the following approved safeguards: (a) EU Standard Contractual Clauses (2021/914) with applicable modules; (b) UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs; (c) EU-US Data Privacy Framework (where applicable to certified recipients); or (d) your explicit consent after being informed of the possible risks under GDPR Article 49(1)(a).

 

19.2 Transfers from India

Where we transfer personal data from India, we comply with DPDP Act §16 and any restrictions notified by the Central Government of India. We ensure that recipient countries or organizations maintain a standard of data protection equivalent to the DPDP Act.

 

19.3 Transfer Impact Assessments

In compliance with the Schrems II decision (Case C-311/18) and applicable regulatory guidance, we conduct Transfer Impact Assessments to evaluate whether the laws and practices of the recipient country provide an essentially equivalent level of protection. You may request a copy of relevant transfer safeguards by contacting privacy@voiceofsap.org.

 

SECTION 20 – DATA SECURITY

 

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing, in compliance with GDPR Article 32, DPDP Act §8(4), and industry best practices. Our security measures include:

  • Encryption: Personal data encrypted in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent).
  • Access Controls: Role-based access controls (RBAC) limiting data access to authorized personnel on a need-to-know basis.
  • Multi-Factor Authentication: Required for all administrative access to data processing systems.
  • Network Security: Firewalls, intrusion detection/prevention systems, and continuous network monitoring.
  • Vendor Security: All third-party data processors are contractually required to maintain equivalent security standards (SOC 2 Type II, ISO 27001, or equivalent).
  • Regular Audits: Periodic security audits and vulnerability assessments of our Platform and systems.
  • Staff Training: Regular data protection and security training for all employees and volunteers who handle personal data.
  • Physical Security: Data centers with physical access controls, surveillance, and environmental protections.
  • Incident Response: Documented incident response procedures for detecting, containing, and recovering from security incidents.
  • Payment Security: VOSAP does not store credit card or payment card data. All payment transactions are processed exclusively by PCI-DSS Level 1 certified processors (Stripe, PayPal).

 

No method of transmission over the internet is completely secure. While we employ commercially reasonable means to protect your personal data, we cannot guarantee absolute security. In the event of a security incident, we will notify you and relevant supervisory authorities as required by applicable law (see Section 21).

 

SECTION 21 – DATA BREACH NOTIFICATION

 

In the event of a personal data breach, we will comply with all applicable notification obligations:

  • GDPR (Art. 33-34): Notify the relevant supervisory authority within 72 hours of becoming aware of a breach likely to result in risk to data subjects. Where the breach is likely to result in high risk, notify affected individuals without undue delay.
  • CCPA (Civil Code §1798.82): Notify affected California residents in the most expedient time possible and without unreasonable delay.
  • DPDP Act (§8(6)): Notify the Data Protection Board of India and affected data principals in the manner prescribed by DPDP Rules.
  • UK GDPR (Art. 33-34): Notify the ICO within 72 hours and affected individuals where required.
  • Australian Privacy Act (NDB Scheme): Notify the OAIC and affected individuals where required.

 

Breach notifications will include: the nature of the breach; the categories and approximate number of data subjects and personal data records affected; the likely consequences of the breach; and the measures taken or proposed to address the breach and mitigate its effects.

 

SECTION 22 – AUTOMATED DECISION-MAKING AND PROFILING

 

Voice of SAP does not currently engage in solely automated decision-making (including profiling) that produces legal effects or similarly significantly affects you, within the meaning of GDPR Article 22. All decisions regarding assistive device eligibility, volunteer approval, or program participation involve meaningful human review.

 

If we introduce any automated decision-making processes in the future, we will: (a) inform you of the existence of such processing and its logic; (b) explain the significance and envisaged consequences; and (c) provide you with the right to obtain human intervention, express your point of view, and contest the decision, consistent with GDPR Article 22(3).

 

SECTION 23 – OTP VERIFICATION AND IDENTITY VERIFICATION

 

When you apply for an assistive device through our Platform, we use One-Time Password (OTP) verification to confirm your identity. Providing your mobile phone number is mandatory for this process. Your phone number is used to: (a) send OTP verification codes; (b) communicate application status updates via SMS; (c) facilitate telephonic verification by our partner BPA; and (d) ensure secure access to your application records.

 

By providing your mobile number, you expressly consent, in compliance with the Telephone Consumer Protection Act (TCPA), 47 U.S.C. § 227, to receive automated SMS messages from VOSAP. Message and data rates may apply. You may opt out of non-essential SMS messages at any time by texting STOP or contacting privacy@voiceofsap.org. Opting out will not affect OTP codes necessary for account and application security.

 

Your phone number will not be shared with third parties except as required for verification, application processing, service delivery, or as explicitly disclosed in Section 12 of this Privacy Policy.

 

SECTION 24 – DATA PROTECTION IMPACT ASSESSMENTS (DPIAs)

 

In compliance with GDPR Article 35, and as recommended under the DPDP Act, Voice of SAP conducts Data Protection Impact Assessments (“DPIAs”) for processing activities that are likely to result in a high risk to the rights and freedoms of data subjects.

 

Given that VOSAP processes special category data (disability and health data) at scale, with cross-border transfers involving telephonic monitoring and government portal integration, we maintain DPIAs for our core processing operations. DPIAs are reviewed at least annually, and whenever there is a material change in processing activities, technology systems, or applicable law.

 

SECTION 25 – LINKS TO THIRD-PARTY SERVICES

 

The Platform may contain links to third-party websites and services (e.g., Stripe and PayPal for payment processing), some of which may be co-branded with our logo. These third-party services are not operated by VOSAP. We do not control and are not responsible for third-party content or privacy practices. Any personal information you provide to them is not covered by this Privacy Policy. We strongly encourage you to review the privacy and legal policies of all third-party services you access through or in connection with the Platform.

 

SECTION 26 – CHANGES TO THIS PRIVACY POLICY

 

We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated “Last Updated” date. For material changes to how we process your personal data, we will: (a) post a prominent notice on the Platform home page; (b) notify you by email to the address associated with your account; and (c) where required by applicable law (including GDPR and DPDP Act), obtain your renewed consent before implementing changes that affect the legal basis or scope of processing.

 

Your continued use of the Platform after the effective date of any update constitutes acceptance of the revised Privacy Policy, except where renewed consent is required under applicable law, in which case we will provide you with a clear mechanism to provide or withhold that consent.

 

SECTION 27 – DATA PROTECTION OFFICER AND GRIEVANCE OFFICER

 

In compliance with GDPR Article 37 and DPDP Act §8(10) read with DPDP Rules, 2025 (Rule 5), Voice of SAP has designated the following officer to handle all data protection inquiries, rights requests, and grievances:

Name: Nimish Sevak
Role: Data Protection Officer / Grievance Officer
Organization: Voice of Specially Abled People Inc.
Email: Grievance@voiceofsap.org
Response Time: Within 72 hours of receipt
Responsibilities: Data subject rights requests; grievances; regulatory liaison; DPIAs; organizational compliance oversight

 

SECTION 28 – SUPERVISORY AUTHORITIES AND COMPLAINT MECHANISMS

 

If you are unsatisfied with our response to your data protection inquiry or believe your rights have been infringed, you have the right to lodge a complaint with the relevant supervisory authority:

 

Jurisdiction | Authority | Contact
European Union | Data Protection Authority in your EU Member State (e.g., CNIL – France; BfDI – Germany; DPC – Ireland) | See EDPB website: edpb.europa.eu
United Kingdom | Information Commissioner’s Office (ICO) | ico.org.uk; 0303 123 1113
India | Data Protection Board of India (once constituted under DPDP Act §18) | As notified by the Central Government of India
California, USA | California Privacy Protection Agency (CPPA) / California Attorney General | cppa.ca.gov; oag.ca.gov/privacy
Australia | Office of the Australian Information Commissioner (OAIC) | oaic.gov.au
Canada | Office of the Privacy Commissioner of Canada | priv.gc.ca
Other jurisdictions | Relevant national data protection authority | Contact us at privacy@voiceofsap.org for guidance

 

SECTION 29 – CONTACT US

 

For any questions, concerns, or requests relating to this Privacy Policy or the processing of your personal data, please contact us through any of the following channels:

 

Privacy & Legal Inquiries: privacy@voiceofsap.org (subject: as applicable)
Data Subject Rights Requests: privacy@voiceofsap.org (subject: “Data Subject Rights Request”)
Consent Management: privacy@voiceofsap.org (subject: “Consent Management Request”)
General Inquiries: info@voiceofsap.org
Website: https://www.voiceofsap.org
Registered Address: Voice of Specially Abled People Inc., 22734 Stagg St. West Hills, CA 91304, United States of America

 

NOTE: To opt out of receiving communications from Voice of SAP (phone calls, emails, texts, WhatsApp messages, or postal mail), please email privacy@voiceofsap.org with the subject line “Opt-Out Request” specifying which channels you wish to opt out of. Please note: (a) To opt out of WhatsApp messages specifically, send “STOP” directly via WhatsApp — this takes effect immediately. (b) To opt out of all other communication channels (phone calls, emails, SMS, postal mail), email us with subject line “Opt-Out Request” specifying the channel(s), and we will process your request within 10 (ten) business days.

 

SECTION 30 – LANGUAGE OF THE POLICY

 

This Policy is provided in English; translations are for convenience only and the English version prevails in case of conflict.

 

SECTION 31 – ACCESSIBILITY OF THIS POLICY

 

This Policy is designed to be accessible, including compatibility with screen readers and other assistive technologies. If you need it in an alternative format (e.g., large print, audio, Braille), contact us at privacy@voiceofsap.org.

 

SECTION 32 – GOVERNING LAW

 

This Privacy Policy shall be governed by and construed in accordance with the laws of the State of California, United States of America, without regard to its conflict of law provisions.

However, where you are located in the EEA, UK, India, or any other jurisdiction with mandatory data protection laws, nothing in this Privacy Policy shall limit your rights under those laws. In the event of a conflict between this Privacy Policy and applicable mandatory data protection law, the mandatory law shall prevail. The rights set out in this Privacy Policy are in addition to, and not in substitution for, your rights under applicable local law.