Privacy
Version 1 (draft, pending legal review) · effective from launch · last updated July 2026
This notice explains, in plain language, what personal data CanvasCode collects, why, and what rights you have. It is written to meet India’s Digital Personal Data Protection Act 2023 (DPDP Act) and its 2025 Rules, with additional protections we adopt voluntarily for visitors elsewhere (GDPR-grade hygiene). CanvasCode is currently in the process of legal registration in India; until the entity is registered, the co-founders are the responsible contact for everything on this page. It stands on its own — you don’t need to read anything else for it to make sense.
What we collect, and why
Exactly these, nothing else — three interest forms, a pledge form, and a contact form. No form on this site requires an account. Every form field also carries its own one-line “why we ask” right where you answer it — that line is the field’s notice.
- Children’s-organization interest: organization name and type; city and state; a website or social link; your name, role, email, and optional phone; how many children you could nominate (a range); whether staff could act as coordinators; what support you’re looking for; and an optional note. If what you need is outside our scope, we keep your details only with your explicit consent, to contact you if that changes. Purpose: starting a partnership conversation.
- Company & foundation interest: organization name, type, and website; your name, role, and email; what you can offer; an optional indicative scale; your timeline; and an optional note. Purpose: coming to the first conversation with a concrete proposal.
- Mentor interest: your name and email; LinkedIn URL; city and timezone; profession; skills; languages; whether you’ve mentored or taught young people before (and a short note if yes); what draws you to this work; hours a month you can give; and your acknowledgement of verification and safeguarding training. Purpose: verifying who you are and matching you well.
- Pledges: name, email, country, intended range, and your note. Purpose: telling you when giving opens. No payment details exist on this site — we take no payments.
- Contact messages: your email and message. Purpose: replying.
We collect no analytics identifiers, no advertising data, and set no third-party tracking cookies. Anonymous, cookieless page counts (Vercel Analytics) are the only measurement on this site. We never sell or rent personal data, and we run no ads.
Children’s data — the strict rules
This website collects no children’s data. Every form here is for adults — organizations, companies, and mentors. When the program runs, its records are kept through the partner institution, on the program’s paper kit, and only after the lawful guardian’s consent is recorded with the consenting guardian’s identity documented (DPDP Act Section 9(1) and Rule 10; for children in child care institutions, the lawful guardian is determined under the Juvenile Justice Act). Our standing commitments for any future digital handling of children’s data:
- No tracking, no behavioural monitoring, no targeted advertising, no profiling — prohibited by DPDP Section 9(3), and by us regardless.
- Data minimization by default: no more identity than the program strictly needs, and never a child’s photograph on this site.
- Guardians may withdraw consent, review the child’s data, or ask for erasure at any time via the partner institution or directly at the contact below.
Legal bases
Under the DPDP Act we process data with your consent, given by the clear act of submitting a form, for the specified purpose stated on that form. Under GDPR (for visitors in the EU/UK) our bases are consent, steps you request prior to a possible agreement (interest forms), and legitimate interests (responding to messages, keeping the site secure). Children’s program data rests on the guardian’s verifiable consent plus our safeguarding obligations. Withdrawing consent is as easy as giving it — one email to the address below.
Where your data lives, and who processes it
Our processors, each bound by a data-processing agreement:
- Vercel — website hosting and cookieless analytics (global edge network).
- MongoDB Atlas — database (region pinned; encrypted at rest).
- Resend — transactional email (hosted internationally).
Data crosses borders as part of this hosting — our processors run on international infrastructure; DPDP Section 16 permits transfers except to restricted countries, and for EU/UK visitors our processors provide standard contractual clauses. We apply the same protections wherever the data sits: encryption in transit and at rest, role-based access control, access logging, and backups.
How long we keep things
- Contact messages: up to 24 months, then deleted.
- Pledges: until giving opens plus 24 months, then deleted or anonymized.
- Interest submissions: kept up to 24 months after our last exchange — a not-now is not a never — then deleted, and always erased sooner on request. Out-of-scope submissions we keep with your consent stay until you withdraw it or we contact you.
- Children’s program records: the duration of enrolment plus a defined archival period agreed with the partner and guardian — and erased earlier on guardian request. A child’s own portfolio is theirs; when they leave, they take it.
When a purpose is served or consent is withdrawn, we erase the data.
Your rights
You may ask for: a summary of your data and how it has been processed; correction, completion, or updating; erasure; and you may nominate a person to exercise these rights for you if you are unable to. To exercise any of these, email hello@canvascode.org from the address you used with us — that address is the identifier we need. EU/UK visitors additionally have GDPR rights to portability, restriction, objection, and to complain to their supervisory authority.
Grievances
Our grievance contacts are the co-founders, reachable at hello@canvascode.org (a named Grievance Officer will be published here upon registration). We acknowledge within 48 hours and resolve within 15 days — and in every case within 30 days, well inside the DPDP Rules’ outer limit. If you are unsatisfied, you may escalate to the Data Protection Board of India after our process completes.
If something goes wrong
If a data breach affects you, we will tell you without delay, in plain language — what happened, what it means for you, and what we are doing — and notify the Data Protection Board of India within the required 72 hours.
Housekeeping
This notice is available in English; an accurate translation into an Eighth Schedule language is available on request. When we change this notice we update the date above and note material changes on the updates page. Questions about processing: hello@canvascode.org.