Purpose
This Data Retention Policy explains how long Laraware Welfare Foundation ("LWF") retains different categories of personal and organisational data, and how data is securely disposed of when it is no longer needed. This policy supports our compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act), the Income-tax Act, 1961, the Companies Act, 2013, and other applicable laws.
Scope
This policy applies to all personal data and organisational records held by LWF in digital or physical form, across all systems and storage media.
Retention Schedule
| Data Category | Examples | Retention Period | Legal Basis |
|---|---|---|---|
| Donation records | Receipts, donor details, payment confirmations, 80G certificates | 7 years after the end of the financial year | Income-tax Act, 1961; Companies Act, 2013 |
| Financial accounts | Bank statements, ledgers, vouchers, audit reports | 8 years after the end of the financial year | Companies Act, 2013 (Section 128) |
| Employee/volunteer records | Contracts, contact details, attendance, performance records | 3 years after end of engagement | Legitimate interest; statutory requirements |
| Beneficiary records | Names, contact details, programme participation records | 5 years after last interaction | Legitimate interest; programme accountability |
| Contact / enquiry forms | Name, email, message content | 1 year | Legitimate interest |
| POSH / grievance records | Complaint files, investigation reports, IC decisions | 7 years | POSH Act, 2013 |
| Website analytics data | Anonymised usage statistics | 26 months | Legitimate interest |
| Cookies | Session and preference cookies | As per Cookie Policy (up to 2 years) | Consent |
| Board minutes and resolutions | Meeting minutes, signed resolutions | Permanent | Companies Act, 2013 |
| FCRA records (if applicable) | Foreign contribution receipts and utilisation | 6 years | FCRA, 2010 |
Review of Retained Data
Data holdings will be reviewed annually. Data that has reached the end of its retention period and is no longer required for any ongoing legal, operational, or audit purpose will be securely disposed of.
Secure Disposal
- Digital data: Securely deleted or overwritten using appropriate software tools. Cloud-stored data will be deleted from all backup locations.
- Physical records: Shredded or incinerated. Records containing sensitive personal data will not be placed in general waste.
Exceptions
Data may be retained beyond the standard retention period where:
- It is required for ongoing or anticipated litigation, regulatory investigation, or audit
- A specific legal obligation requires longer retention
- The data principal has specifically requested longer retention and LWF has legitimate grounds
Data Subject Rights
Under the DPDP Act, 2023, you may request erasure of your personal data before the end of the retention period. Requests are subject to LWF's legal obligations to retain certain records. To make a request, contact our DPO:
Data Protection Officer: Rahul Tiwari
Email: dpo@larawarefoundation.com
Phone: +91-9936622020
Responsibility
The DPO is responsible for maintaining and enforcing this policy. All staff and volunteers handling data are responsible for following it in their day-to-day work.
Review
This policy is reviewed annually and updated to reflect changes in applicable laws and Foundation data practices.