Commitment to Lawful and Responsible Data Processing

3(HREE) Trust is an irrevocable Public Charitable Trust established for public charitable purposes. The Trust recognises that personal data forms part of an individual’s identity and dignity and therefore undertakes to process such data strictly in accordance with the Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000, and all applicable rules framed thereunder. Personal data is collected, stored, used and shared only for legitimate, lawful and clearly defined charitable purposes connected with donations, volunteer engagement, beneficiary coordination, statutory compliance, financial accountability, and website administration. The Trust does not collect data for commercial exploitation, profiling, or unrelated secondary purposes.

Nature and Scope of Personal Data Collected

The Trust may collect personal information, including name, address, email address, phone number, donation history, volunteer details, beneficiary information, and identification details, as required by statutory mandates such as the Income Tax Act, 1961, or the Foreign Contribution Regulation Act, 2010, for implementing charitable activities. Sensitive data is collected only where legally required, including for identity verification, anti-money laundering screening, financial audit compliance, or FCRA reporting obligations. All collection is proportionate and limited to what is necessary for the stated purpose.

Lawful Basis of Processing and Consent Standards

Processing of personal data is undertaken strictly on recognised lawful grounds. These include explicit and informed consent provided by the individual, compliance with statutory obligations imposed on the Trust under applicable laws, performance of activities voluntarily initiated by the donor, a volunteer, or a beneficiary, and legitimate purposes directly connected with the Trust’s charitable objectives. Consent is obtained through clear affirmative action such as form submission, donation confirmation or volunteer registration. Silence, inactivity or pre-selected options do not constitute consent. Individuals retain the right to withdraw consent at any time by written communication to the Trust. Upon such withdrawal, processing shall cease unless retention is required by law, such as financial record preservation mandated under tax or FCRA regulations.

Rights of Data Principals

Every individual whose personal data is processed by the Trust has the statutory right to seek confirmation regarding the processing of their data, request correction of inaccurate or incomplete information, request erasure where retention is not legally mandated, nominate another person to exercise their rights in accordance with the law, and file a grievance. Requests must be submitted in writing and may be subject to reasonable identity verification to prevent fraudulent claims. The Trust shall respond within the timelines prescribed under applicable law.

Data Retention and Storage Limitation

Personal data is retained only for as long as necessary to fulfil the purpose for which it was collected or to comply with statutory retention requirements. Donation records may be preserved in accordance with accounting standards and tax laws. Foreign contribution records are maintained in compliance with FCRA requirements. Volunteer and beneficiary data is retained only for operational continuity and lawful documentation. Once retention is no longer required, data shall be securely deleted or anonymised.

Protection of Children’s Data

Where charitable initiatives involve children, personal data of minors is processed only with verifiable parental or lawful guardian consent and strictly to the extent necessary for legitimate charitable implementation. The Trust does not knowingly engage in profiling, behavioural monitoring or targeted communication directed at children.

Security Safeguards and Risk Mitigation

The Trust implements reasonable security practices as required under Indian law. These include administrative controls, restricted access protocols, secure payment gateways, encrypted communication channels where feasible, internal confidentiality obligations, and financial audit oversight. While absolute security cannot be guaranteed in any digital environment, the Trust exercises due diligence to prevent unauthorised access, misuse, alteration or disclosure.

Cross-Border Transfers

Where personal data may be transferred outside India, such transfer shall occur only in compliance with the Digital Personal Data Protection Act, 2023 and applicable Government notifications. The Trust shall ensure that cross-border transfers do not undermine statutory safeguards applicable to Data Principals.

Personal Data Breach Notification

In the event of a personal data breach that is likely to cause harm, the Trust shall notify the appropriate authority and affected individuals in accordance with statutory requirements. Internal corrective measures shall be undertaken promptly to mitigate impact and prevent recurrence.

Grievance Redressal Mechanism

Any grievance relating to personal data processing may be addressed to 3hree.trust@gmail.com. The Trust shall acknowledge and respond to grievances within reasonable timelines consistent with statutory obligations. Escalation mechanisms under applicable law remain available to Data Principals.

Limitation of Liability

To the maximum extent permitted under Indian law, the Trust shall not be liable for indirect, incidental, consequential or unforeseeable damages arising from lawful data processing activities. Nothing in this clause shall exclude liability where such exclusion is impermissible under statute.