Register For This Site (To take Volunteer Pledge, Find Accessible Places, Blog Posting)
VOICE OF SPECIALLY ABLED PEOPLE (VOSAP)
GLOBAL PRIVACY POLICY
GDPR | CCPA/CPRA | DPDP Act 2023 | UK DPA 2018 | COPPA | PIPEDA | APA 1988
| Effective Date | Last Updated | Version | Jurisdiction |
|---|---|---|---|
| March 13, 2026 | February 18, 2026 | 2.0 – Global | Global |
Voice of Specially Abled People Inc. (“Voice of SAP,” “VOSAP,” “Company,” “we,” “our,” or “us”) is a California corporation and registered 501(c)(3) non-profit organization currently holding Special Consultative Status with the United Nations Economic and Social Council (ECOSOC). For the purposes of applicable global data protection law:
Registered Address: Voice of Specially Abled People Inc., 22734 Stagg St. West Hills, CA 91304, United States of America
Privacy Contact: privacy@voiceofsap.org
General Contact: info@voiceofsap.org
Website: https://www.voiceofsap.org
Protection Officer / Grievance Officer: Nimish Sevak – Grievance@voiceofsap.org
Voice of SAP is committed to protecting your privacy and processing your personal data in a lawful, fair, and transparent manner. This Privacy Policy explains how we collect, use, store, transfer, and protect your personal data in connection with our mission of empowering Specially Abled People (Persons with Disabilities) through accessibility, assistive devices, surgical interventions, employment, education, and healthcare programs.
We comply with applicable data protection laws worldwide, including but not limited to: the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”); the EU General Data Protection Regulation 2016/679 (“GDPR”); the UK General Data Protection Regulation and Data Protection Act 2018 (“UK DPA 2018”); the Indian Digital Personal Data Protection Act, 2023 (“DPDP Act”) and its Rules, 2025; the Children’s Online Privacy Protection Act (“COPPA”); Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”); and Australia’s Privacy Act 1988.
Given the sensitive nature of disability-related data, we implement enhanced safeguards and apply the highest applicable standards of data protection across all jurisdictions in which we operate. We do not sell your personal data to any third party, under any circumstances.
3.1 What This Policy Covers
This Privacy Policy governs the collection, use, storage, transfer, and processing of personal data through all Voice of SAP touchpoints, including:
3.2 Who This Policy Applies To
This Privacy Policy applies to all individuals whose personal data we process, including: website visitors and mobile app users; volunteers and pledge-takers; donors and event participants; applicants for assistive devices; beneficiaries of VOSAP programs; and any other person who interacts with the Platform.
3.3 What This Policy Does Not Cover
This Privacy Policy does not apply to: (a) information collected by third parties through websites, applications, or services linked from or accessible through the Platform, which are governed by their own privacy policies; or (b) anonymized or aggregated data that cannot reasonably be used to identify any individual.
3.4 Territorial Scope
This Privacy Policy applies globally. If you access the Platform from the European Economic Area (“EEA”), the United Kingdom, India, California, or any other jurisdiction with specific data protection laws, you are entitled to the additional protections described in the jurisdiction-specific sections of this Policy. Where there is a conflict between the general provisions and a jurisdiction-specific provision, the provision offering greater protection to the data subject shall prevail.
The following definitions apply throughout this Privacy Policy:
We collect the following categories of personal data depending on your interaction with the Platform:
| Category | Examples | Legal Classification |
|---|---|---|
| Identity Data | Full name, date of birth, gender, photograph, government-issued ID (UDID, ration card, voter ID — where legally required) | Personal Data |
| Contact Data | Postal address, email address, telephone/mobile number, WhatsApp number | Personal Data |
| Disability & Health Data (Health-Related Information) | Type and nature of disability, disability certificate, medical records, assistive device requirements, disability percentage | Sensitive / Special Category Data (GDPR Art. 9; DPDP Act §4) |
| Financial Data | Donation amounts, transaction records; credit/debit card details (not stored by VOSAP, processed by PCI-DSS certified processors only) | Personal Data / Sensitive PI (CCPA) |
| Device & Technical Data | IP address, browser type, operating system, device identifiers, GPS location data, camera/photo access data | Personal Data |
| Usage Data | Pages visited, time on Platform, click patterns, accessibility ratings submitted, search queries | Personal Data |
| Communication Data | Emails, chat logs (Tawk.To), call recordings (Simple2Call), WhatsApp messages, SMS/OTP records | Personal Data |
| Volunteer Data | Pledge details, project participation, availability, skills, general location, public display name | Personal Data |
| Account Data | Username, password (hashed), registration date, account preferences, SNS account connections (Facebook, Google) | Personal Data |
| Verification Data | OTP records, call verification logs, BPA staff verification notes, Salesforce CRM records | Personal Data |
6.1 HIPAA Applicability – Legal Opinion
The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), 42 U.S.C. § 1320d et seq., and its implementing regulations at 45 C.F.R. Parts 160 and 164, apply to “Covered Entities”, healthcare providers that transmit health information electronically, health plans, and healthcare clearinghouses, and to their “Business Associates.”
VOSAP is NOT a HIPAA Covered Entity. VOSAP does not provide clinical healthcare services, process insurance claims, or act as a healthcare clearinghouse. Accordingly, HIPAA’s Privacy Rule and Security Rule do not apply directly to VOSAP. However, VOSAP collects disability and health-adjacent data which constitutes:
These frameworks impose obligations at least as protective as HIPAA in several respects. VOSAP voluntarily applies HIPAA-equivalent standards to all health-related data as a matter of best practice and mission integrity.
6.2 Enhanced Safeguards for Health-Related and Disability Data
VOSAP processes disability and health data only for the following specified purposes: assistive device application processing; needs assessment and eligibility determination; program matching and service delivery; and statutory reporting obligations. All such data is subject to:
If VOSAP ever engages third-party healthcare providers or entities qualifying as HIPAA Covered Entities in service delivery, VOSAP will execute Business Associate Agreements (BAAs) as required and update this Policy accordingly.
Given our mission of empowering Specially Abled People, we necessarily process disability and health condition data. We process such data only where:
All sensitive personal data is subject to enhanced protections including access restrictions, encryption, segregated storage, enhanced audit logging, and specific retention limits set out in Section 13.
8.1 Directly from You
When you browse the Platform, create an account, submit an assistive device application, make a donation, take a volunteer pledge, register for an event, rate accessibility of a location, or communicate with us via email, phone, WhatsApp, or the Platform’s chatbot.
8.2 Through Automated Means
We collect device and technical data automatically when you use the Platform, through cookies, pixels, web beacons, and similar technologies. See Section 17 (Cookie Policy) for full details.
8.3 Location Data
We collect precise GPS location data when you use the Platform to photograph and rate places for accessibility, or to take a volunteer pledge. This data is collected only when you expressly grant location permissions through your device settings. You may withdraw this permission at any time through your device settings.
8.4 Telephonic Verification and Call Recording
When you apply for an assistive device, our verification partner (Blind People’s Association, “BPA“) may contact you by telephone to verify your application. These calls may be routed through our telecommunications provider, Simple2Call, and may be recorded. You will be notified at the beginning of each call that recording may occur and will have the opportunity to object. If you object, an alternative verification method may be arranged. This process complies with California Penal Code §632 (two-party consent), the Indian Telegraph Act 1885, the Information Technology Act 2000, and the EU ePrivacy Directive 2002/58/EC.
The Blind People’s Association is an Ahmedabad, India-based non-governmental organisation with over seven decades of experience in disability rehabilitation and social welfare. VOSAP has engaged BPA to conduct telephonic verification of assistive device applications submitted by applicants located in India. BPA’s role is strictly limited to verification of Indian applicant eligibility for assistive device programmes; BPA has no access to data relating to VOSAP beneficiaries outside India, and no access to any data category other than that required for assistive device application verification. BPA staff access applicant records exclusively through purpose-restricted access to VOSAP’s centralised Salesforce CRM system; no physical documents, files, or data extracts are transferred to BPA at any time. This access is granted only in respect of applications for which the applicant has provided prior explicit consent to verification by BPA
8.5 WhatsApp Communications
We use WhatsApp Business Platform (operated by Meta Platforms, Inc.) to communicate with applicants and beneficiaries regarding application status updates, verification, and program communications. Messages sent via WhatsApp are processed by Meta in accordance with Meta’s privacy policy, in addition to this Privacy Policy. WhatsApp communications are stored in our CRM system (Salesforce) for record-keeping. For opt-out instructions, including the immediate “STOP” mechanism and processing timelines for other channels, see Section 11.3.
8.6 Through Third-Party Sources
If you connect your account to a third-party social networking service (e.g., Facebook, Google), we may receive your name, profile picture, age range, language, email address, and friend list. You may disconnect such services at any time through your Account Settings. We may also receive referral data from partner organizations or government agencies where relevant to service delivery.
We process personal data only where we have a lawful basis. The bases applicable to each processing purpose are set out below:
| Purpose of Processing | Legal Basis (GDPR Art. 6 / UK GDPR) | DPDP Act Basis |
|---|---|---|
| Account registration and management | Performance of contract (Art. 6(1)(b)) | Consent (§6) |
| Assistive device application processing | Legitimate interests (Art. 6(1)(f)) / Consent (Art. 6(1)(a)) | Consent (§6) |
| Processing disability / health data | Explicit consent (Art. 9(2)(a)) / Substantial public interest (Art. 9(2)(g)) | Explicit consent (§4(2)) |
| Donation processing | Performance of contract (Art. 6(1)(b)) | Consent (§6) |
| Volunteer management | Legitimate interests (Art. 6(1)(f)) | Consent (§6) |
| Email, SMS, WhatsApp communications | Consent (Art. 6(1)(a)) / Legitimate interests (Art. 6(1)(f)) | Consent (§6) |
| Call recording for verification | Consent (Art. 6(1)(a)) | Consent (§6) |
| Website analytics and cookies | Consent for non-essential; Legitimate interests for essential | Consent (§6) |
| Legal compliance and fraud prevention | Legal obligation (Art. 6(1)(c)) / Legitimate interests (Art. 6(1)(f)) | Legitimate uses (§7) |
| Tax and financial record-keeping | Legal obligation (Art. 6(1)(c)) | Legitimate uses (§7) |
Under CCPA/CPRA: California law does not require a formal “legal basis” in the GDPR sense. VOSAP processes personal information only for the business purposes disclosed in this Privacy Policy and does not sell or share personal information for cross-context behavioral advertising.
We process your personal data for the following specific, explicit, and legitimate purposes:
11.1 Call Recording – Purpose and Legal Basis
Telephonic communications between Voice of SAP (or its verification partner BPA) and applicants may be recorded through our telecommunications provider, Simple2Call. Call recordings are made for: (a) verifying the identity and eligibility of assistive device applicants; (b) quality assurance and staff training; (c) fraud prevention and dispute resolution; and (d) maintaining an auditable record of the verification process.
11.2 Consent and Notice
A recorded announcement is played at the beginning of each call informing you that the call may be recorded. By continuing the call, you provide your consent to the recording. If you do not wish to be recorded, please indicate this at the outset and an alternative verification method will be arranged (e.g., in-person verification or written correspondence). This disclosure complies with:
11.3 WhatsApp Business Platform
We use WhatsApp Business Platform (Meta Platforms, Inc.) to communicate application status, verification updates, and program communications with applicants. When you communicate with us via WhatsApp, your messages are processed by Meta under their Business Terms and Privacy Policy. We store WhatsApp communications in Salesforce CRM for record-keeping. You may opt out of WhatsApp communications at any time by sending “STOP“, which will take effect immediately. Alternatively, you may email privacy@voiceofsap.org. Email-based opt-out requests will be processed within ten (10) business days.
11.4 Retention of Communications
Call recordings are retained for a maximum of sixty (60) months from the date of recording, after which they are securely and irreversibly deleted. WhatsApp communication logs are retained for thirty-six (36) months, consistent with our program dispute resolution requirements.
Voice of SAP does not sell, trade, or share your personal data with any third party for their own marketing, advertising, or commercial purposes. We do not engage in cross-context behavioral advertising. We share personal data only with the categories of recipients described below, subject to appropriate contractual safeguards, including Data Processing Agreements (DPAs) under GDPR Article 28 and equivalent Service Provider agreements under CCPA §1798.140(ag).
12.1 Authorized Third-Party Data Recipients
| Recipient | Purpose | Data Shared | Safeguards |
|---|---|---|---|
| Blind People’s Association (BPA), India | Verification of assistive device applications; field assessment | Applicant identity, contact, disability data, and application records (access to VOSAP’s centralised CRM system only; no physical documents or files are transferred to BPA). Access is limited to Indian applicant records only, granted solely for the purpose of verifying assistive device applications, and only with the beneficiary’s prior consent | Data Processing Agreement; confidentiality obligations; DPDP Act compliance |
| Simple2Call (Telecoms Provider) | Call routing, recording, and WhatsApp integration for verification | Phone numbers, call recordings, call metadata, WhatsApp logs | DPA; encryption in transit; defined retention periods |
| Salesforce Inc. (CRM) | Storing and managing applicant, volunteer, donor, and communications records | All applicant, volunteer, and donor data categories | Salesforce DPA; SOC 2 Type II certified; EU SCCs |
| Meta Platforms Inc. (WhatsApp Business) | Application status notifications and verification communications | Phone numbers, message content | WhatsApp Business Terms; Meta DPA; EU-US Data Privacy Framework |
| Payment Processors (Stripe, PayPal) | Processing financial donations | Name, transaction amount; payment card details processed directly by processor (not stored by VOSAP) | PCI-DSS Level 1 certified; processor DPAs |
| Cloud Hosting Providers | Hosting Platform infrastructure and databases | All data stored on the Platform | SOC 2 / ISO 27001 certified; DPAs; encryption at rest |
| Government Authorities / Portals (India) | Assistive device fulfilment; UDID portal integration; scheme compliance | Applicant identity, disability data, application details | Statutory obligation; government data protection standards |
| Analytics Providers | Website and app usage analytics | Anonymized / pseudonymized usage and device data | Standard Contractual Clauses; data minimization |
| Tawk.To (Chat Service) | Live chat customer support on the Platform | Name, email, chat content | Processor DPA; defined data retention limits |
| Mailchimp (Email Marketing Platform) | Sending newsletters, program updates, and donor communications via email to subscribers who have opted in | Name, email address, subscription preferences, and email engagement data (open rates, clicks) | Standard Contractual Clauses; data transferred only to opted-in subscribers; GDPR Art. 6(1)(a) consent basis; CAN-SPAM Act and CASL compliance |
12.2 Other Required Disclosures
We may also disclose personal data: (a) to comply with any court order, law, or legal process, including government or regulatory requests; (b) to enforce or apply our Terms and Conditions; (c) where necessary to protect the rights, property, or safety of Voice of SAP, our users, or the public; or (d) with your prior, documented consent.
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. Upon expiry of the applicable retention period, personal data is securely deleted or anonymized. You may request earlier deletion at any time, subject to our legal obligations (see Section 14).
| Data Category | Retention Period | Legal Basis for Retention |
|---|---|---|
| Non-Transactional Account Data (username, profile preferences, accessibility settings, saved configurations, display name) | Deleted within thirty (30) days of verified account closure or valid erasure request. No post-deletion retention applies. | Performance of contract during account lifetime |
| Transactional Account Data with Legal Retention Requirements (donation history, application submission records, compliance documentation, fraud logs, dispute records, audit trails) | Retained for the applicable statutory limitation period (typically 3–7 years depending on jurisdiction) | Legal obligation; fraud prevention; defense of legal claims |
| Account registration data | Duration of account + 3 years after deletion | Legitimate interests; contractual records |
| Assistive device application data | 5 years from date of application or fulfilment | Program records; audit requirements; DPDP Act §8(7) |
| Disability and health data | 5 years from date of collection or last interaction | Program records; legal obligations |
| Donation and financial records | 7 years from transaction date | Tax obligations (IRC §6501; Indian Income Tax Act; UK HMRC) |
| Call recordings | 12 months from date of recording | Quality assurance; dispute resolution |
| WhatsApp and communication logs | 36 months from date of communication | Program records; dispute resolution |
| Volunteer data | Duration of relationship + 2 years | Legitimate interests; program records |
| Website analytics / cookies | Maximum 13 months | GDPR / ePrivacy requirements |
| OTP and verification data | 6 months from verification | Security; fraud prevention |
| AML / financial compliance records | 5 years (Bank Secrecy Act); 7 years (IRS) | US federal law |
| FCRA records (India) | As required under FCRA Rules, 2011 | India Foreign Contribution (Regulation) Act 2010 |
| Backup systems | Per above schedules + 90-day rolling backup cycle | Technical necessity; disaster recovery |
You have specific enforceable rights regarding your personal data under applicable law. Voice of SAP honours these rights across all jurisdictions as part of our commitment to global best practices. To exercise any right, contact privacy@voiceofsap.org with the subject line “Data Subject Rights Request.” We will verify your identity before processing any request.
14.1 Rights Under EU GDPR and UK GDPR
14.2 Rights Under CCPA / CPRA (California Residents)
14.3 Rights Under India DPDP Act 2023
14.4 Response Timeframes
We will respond to data subject rights requests within: 30 days for GDPR/UK GDPR requests (extendable by Sixty (60) days for complex requests, with notice); forty-five (45) days for CCPA requests (extendable by forty-five (45) days with notice); and within a reasonable period as defined under DPDP Act Rules for Indian users. If we deny a request, we will provide the reasons and inform you of your right to appeal or lodge a complaint with the relevant supervisory authority.
VOSAP does not sell personal information as defined under California Civil Code §1798.140(ad), and does not share personal information for cross-context behavioral advertising as defined under §1798.140(ah). We have not sold or shared personal information in the preceding twelve (12) months, and we have no current intention to do so. Because no sale or sharing occurs, no opt-out mechanism is required or provided under §1798.120 or §1798.135 of California Civil Code. This declaration constitutes VOSAP’s compliance with those provisions.
Under DPDP Act §6 and DPDP Rules, 2025 (Rule 4), and consistent with GDPR consent requirements, we provide mechanisms for you to give, manage, review, and withdraw your consent at any time.
You may manage your consents through: (a) the Platform’s Account Settings; (b) the cookie consent banner displayed on first visit to our website; (c) by emailing privacy@voiceofsap.org with subject line “Consent Management Request”; or (d) through any Consent Manager registered with the Data Protection Board of India once such infrastructure is constituted under DPDP Rules, 2025, Rule 4.
Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. Withdrawal of consent to certain essential processing activities may result in some services being unavailable to you. We will clearly inform you of any such consequences at the time of your withdrawal request.
16.1. Data Retained Notwithstanding Withdrawal of Consent
Notwithstanding a valid withdrawal of consent or a request for erasure, Voice of SAP is required or entitled under applicable law to retain certain categories of personal data. A withdrawal request does not and cannot override the following retained data categories:
16.2 Effect of Withdrawal on Ongoing Services
Where a withdrawal of consent relates to data that is necessary for the delivery of a service you are currently receiving (for example, an in-progress assistive device application), Voice of SAP will notify you prior to ceasing that service that withdrawal will result in discontinuation. We will provide you with a minimum of fourteen (14) days’ notice to allow you to reconsider or make alternative arrangements, except where immediate cessation is required by law. Where consent withdrawal relates solely to marketing or non-essential communications (such as newsletters via Mailchimp), such withdrawal will be processed within ten (10) business days and will not affect your eligibility for VOSAP programs or services.
When you visit our Platform, we use cookies and similar tracking technologies. In compliance with the EU ePrivacy Directive (2002/58/EC), UK Privacy and Electronic Communications Regulations 2003 (PECR), and applicable data protection laws, we obtain clear, affirmative, prior opt-in consent before deploying any non-essential cookies or tracking technologies.
| Cookie Type | Purpose | Consent Required |
|---|---|---|
| Strictly Necessary | Essential for Platform operation (session management, security, load balancing) | No, Exempt from consent where permitted by law. Legal basis: ePrivacy Directive Art. 5(3) (EEA/UK); DPDP Act §7(a) legitimate uses (India — processing necessary to provide a service explicitly requested by the user); and equivalent provisions under applicable law in other jurisdictions |
| Analytics / Performance | Understanding usage patterns, page views, traffic sources (e.g., Google Analytics) | Yes, prior opt-in consent required globally. Legal basis: GDPR Art. 6(1)(a) and ePrivacy Directive Art. 5(3) (EEA); UK GDPR / PECR (UK); DPDP Act §6 (India); and equivalent applicable laws in other jurisdictions. |
| Functionality | Remembering language preferences, accessibility settings, login status | Yes, prior opt-in consent required globally. Legal basis: GDPR Art. 6(1)(a); UK GDPR / PECR; DPDP Act §6; and equivalent laws. |
| Marketing / Advertising | Not currently used. VOSAP does not serve advertisements. | N/A |
You may manage cookie preferences through our cookie consent banner, through your browser settings, or through your device’s privacy settings. We do not deploy non-essential cookies to any user, anywhere, without prior opt-in consent. This is a uniform global standard applied by VOSAP irrespective of the user’s jurisdiction. It satisfies the requirements of the DPDP Act 2023 §6 (India), GDPR Art. 6(1)(a) and ePrivacy Directive Art. 5(3) (EEA), UK GDPR and PECR (UK), and equivalent applicable laws in all other jurisdictions.
VOSAP is deeply committed to protecting the privacy of children and minors. The Platform is not directed to children under the age of thirteen (13) years. We do not knowingly collect personal information from children under thirteen (13) years of age without verifiable parental consent, in compliance with COPPA, 15 U.S.C. §§ 6501- 6506, and FTC regulations at 16 C.F.R. Part 312.
| Jurisdiction | Minimum Age Without Parental Consent | Applicable Law |
|---|---|---|
| United States | 13 years | COPPA; CCPA |
| European Union | 16 years (or lower per Member State, minimum 13) | GDPR Article 8 |
| United Kingdom | 13 years | UK DPA 2018 §9; Age Appropriate Design Code |
| India | 18 years | DPDP Act §9 |
| All other jurisdictions | Age of digital consent under local law; 13 years if none specified | Applicable local law |
Under DPDP Act §9: We do not process personal data of children (persons under Eighteen (18) years in India) without verifiable parental consent. We do not engage in tracking, behavioral monitoring, or targeted advertising directed at children. We do not process data in any manner that may cause detrimental effects to the well-being of a child.
Parents and legal guardians may exercise any data subject right on behalf of their child, including the right to access, correct, or delete the child’s personal data. If you become aware that we have collected personal data from a child without appropriate consent, please contact privacy@voiceofsap.org immediately. We will delete such data as soon as possible upon verification.
VOSAP does not conduct behavioral advertising directed at Minors. We do not share a Minor’s personal information with third parties for commercial or marketing purposes. Where a Minor with a disability is applying for assistive devices, additional parental consent documentation will be required.
Voice of SAP operates globally. Your personal data may be transferred to, stored in, and processed in countries other than the country in which it was collected, including the United States of America and India. These countries may have data protection laws that differ from the laws of your jurisdiction.
19.1 Transfers from the EEA / UK
Where we transfer personal data from the EEA or UK to third countries lacking an adequacy decision (including the United States), we rely on the following approved safeguards: (a) EU Standard Contractual Clauses (2021/914) with applicable modules; (b) UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs; (c) EU-US Data Privacy Framework (where applicable to certified recipients); or (d) your explicit consent after being informed of the possible risks under GDPR Article 49(1)(a).
19.2 Transfers from India
Where we transfer personal data from India, we comply with DPDP Act §16 and any restrictions notified by the Central Government of India. We ensure that recipient countries or organizations maintain a standard of data protection equivalent to the DPDP Act.
19.3 Transfer Impact Assessments
In compliance with the Schrems II decision (Case C-311/18) and applicable regulatory guidance, we conduct Transfer Impact Assessments to evaluate whether the laws and practices of the recipient country provide an essentially equivalent level of protection. You may request a copy of relevant transfer safeguards by contacting privacy@voiceofsap.org.
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing, in compliance with GDPR Article 32, DPDP Act §8(4), and industry best practices. Our security measures include:
No method of transmission over the internet is completely secure. While we employ commercially reasonable means to protect your personal data, we cannot guarantee absolute security. In the event of a security incident, we will notify you and relevant supervisory authorities as required by applicable law (see Section 21).
In the event of a personal data breach, we will comply with all applicable notification obligations:
Breach notifications will include: the nature of the breach; the categories and approximate number of data subjects and personal data records affected; the likely consequences of the breach; and the measures taken or proposed to address the breach and mitigate its effects.
Voice of SAP does not currently engage in solely automated decision-making (including profiling) that produces legal effects or similarly significantly affects you, within the meaning of GDPR Article 22. All decisions regarding assistive device eligibility, volunteer approval, or program participation involve meaningful human review.
If we introduce any automated decision-making processes in the future, we will: (a) inform you of the existence of such processing and its logic; (b) explain the significance and envisaged consequences; and (c) provide you with the right to obtain human intervention, express your point of view, and contest the decision, consistent with GDPR Article 22(3).
When you apply for an assistive device through our Platform, we use One-Time Password (OTP) verification to confirm your identity. Providing your mobile phone number is mandatory for this process. Your phone number is used to: (a) send OTP verification codes; (b) communicate application status updates via SMS; (c) facilitate telephonic verification by our partner BPA; and (d) ensure secure access to your application records.
By providing your mobile number, you expressly consent, in compliance with the Telephone Consumer Protection Act (TCPA), 47 U.S.C. § 227, to receive automated SMS messages from VOSAP. Message and data rates may apply. You may opt out of non-essential SMS messages at any time by texting STOP or contacting privacy@voiceofsap.org . Opting out will not affect OTP codes necessary for account and application security.
Your phone number will not be shared with third parties except as required for verification, application processing, service delivery, or as explicitly disclosed in Section 12 of this Privacy Policy.
In compliance with GDPR Article 35, and as recommended under the DPDP Act, Voice of SAP conducts Data Protection Impact Assessments (“DPIAs”) for processing activities that are likely to result in a high risk to the rights and freedoms of data subjects.
Given that VOSAP processes special category data (disability and health data) at scale, with cross-border transfers involving telephonic monitoring and government portal integration, we maintain DPIAs for our core processing operations. DPIAs are reviewed at least annually, and whenever there is a material change in processing activities, technology systems, or applicable law.
The Platform may contain links to third-party websites and services (e.g., Stripe and PayPal for payment processing), some of which may be co-branded with our logo. These third-party services are not operated by VOSAP. We do not control and are not responsible for third-party content or privacy practices. Any personal information you provide to them is not covered by this Privacy Policy. We strongly encourage you to review the privacy and legal policies of all third-party services you access through or in connection with the Platform.
We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated “Last Updated” date. For material changes to how we process your personal data, we will: (a) post a prominent notice on the Platform home page; (b) notify you by email to the address associated with your account; and (c) where required by applicable law (including GDPR and DPDP Act), obtain your renewed consent before implementing changes that affect the legal basis or scope of processing.
Your continued use of the Platform after the effective date of any update constitutes acceptance of the revised Privacy Policy, except where renewed consent is required under applicable law, in which case we will provide you with a clear mechanism to provide or withhold that consent.
In compliance with GDPR Article 37 and DPDP Act §8(10) read with DPDP Rules, 2025 (Rule 5), Voice of SAP has designated the following officer to handle all data protection inquiries, rights requests, and grievances:
| Name | Nimish Sevak |
| Role | Data Protection Officer / Grievance Officer |
| Organization | Voice of Specially Abled People Inc. |
| Grievance@voiceofsap.org | |
| Response Time | Within 72 hours of receipt |
| Responsibilities | Data subject rights requests; grievances; regulatory liaison; DPIAs; organizational compliance oversight |
If you are unsatisfied with our response to your data protection inquiry or believe your rights have been infringed, you have the right to lodge a complaint with the relevant supervisory authority:
| Jurisdiction | Authority | Contact |
|---|---|---|
| European Union | Data Protection Authority in your EU Member State (e.g., CNIL – France; BfDI – Germany; DPC – Ireland) | See EDPB website: edpb.europa.eu |
| United Kingdom | Information Commissioner’s Office (ICO) | ico.org.uk | 0303 123 1113 |
| India | Data Protection Board of India (once constituted under DPDP Act §18) | As notified by the Central Government of India |
| California, USA | California Privacy Protection Agency (CPPA) / California Attorney General | cppa.ca.gov | oag.ca.gov/privacy |
| Australia | Office of the Australian Information Commissioner (OAIC) | oaic.gov.au |
| Canada | Office of the Privacy Commissioner of Canada | priv.gc.ca |
| Other jurisdictions | Relevant national data protection authority | Contact us at privacy@voiceofsap.org for guidance |
For any questions, concerns, or requests relating to this Privacy Policy or the processing of your personal data, please contact us through any of the following channels:
| Privacy & Legal Inquiries | privacy@voiceofsap.org (subject: as applicable) |
| Data Subject Rights Requests | privacy@voiceofsap.org (subject: “Data Subject Rights Request“) |
| Consent Management | privacy@voiceofsap.org (subject: “Consent Management Request“) |
| General Inquiries | info@voiceofsap.org |
| Website | https://www.voiceofsap.org |
| Registered Address | Voice of Specially Abled People Inc., 22734 Stagg St. West Hills, CA 91304, United States of America |
NOTE: To opt out of receiving communications from Voice of SAP (phone calls, emails, texts, WhatsApp messages, or postal mail), please email privacy@voiceofsap.org with the subject line “Opt-Out Request” specifying which channels you wish to opt out of. Please note: (a) To opt out of WhatsApp messages specifically, send “STOP” directly via WhatsApp — this takes effect immediately. (b) To opt out of all other communication channels (phone calls, emails, SMS, postal mail), email us with subject line “Opt-Out Request” specifying the channel(s), and we will process your request within 10 (ten) business days.
This Policy is provided in English; translations are for convenience only and the English version prevails in case of conflict.
This Policy is designed to be accessible, including compatibility with screen readers and other assistive technologies. If you need it in an alternative format (e.g., large print, audio, Braille), contact us at privacy@voiceofsap.org
This Privacy Policy shall be governed by and construed in accordance with the laws of the State of California, United States of America, without regard to its conflict of law provisions.
However, where you are located in the EEA, UK, India, or any other jurisdiction with mandatory data protection laws, nothing in this Privacy Policy shall limit your rights under those laws. In the event of a conflict between this Privacy Policy and applicable mandatory data protection law, the mandatory law shall prevail. The rights set out in this Privacy Policy are in addition to, and not in substitution for, your rights under applicable local law.
