Data, Trust & The Discipline Of Restraint

Privacy Policy.

How Sikhiyas collects, uses, retains, and protects the personal information of applicants, cohort participants, families, subscribers, and partner-institution contacts. The disposition is restraint by default — we collect only what we need to operate, hold it for only as long as it is genuinely required, share it with no third party for marketing purposes, and treat the institutional discipline of data protection as part of the same ethic that runs across the rest of Sikhiyas's work.

I. Who We Are

Sikhiyas — formal name in legal and institutional documents: Sikhiyas — Sikh International Youth in Active Seva — is a youth-formation programme operated from the EduCARE Kangra campus in Himachal Pradesh, India. The data controller for the purposes of this policy is the Sikhiyas Communications Office, with editorial responsibility held by the Directors. Contact details for privacy-related correspondence are at the end of this page.

II. What We Collect

Sikhiyas collects the following categories of personal data, only in the contexts named:

From Applicants And Their Families

• Identifying informationName, date of birth, country of residence, nationality, and contact details of the applicant and (for under-18 applicants) the parent or guardian
• Application contentWritten application, references, supporting documents, prior education and employment history, language proficiencies, the disclosures the applicant chooses to make in selection conversation
• Family informationFor under-18 applicants, contact details and basic context for the parent-embedded Saath arrangement; for older applicants, family contact information for emergency purposes
• Health and medical informationWhere relevant for cohort safety — disclosed by the applicant or family, with explicit consent, and used only for the purposes for which it was disclosed
• Financial informationWhere relevant for scholarship band assessment, basic financial-circumstance information disclosed by the applicant or family, with explicit consent. Bank account details and payment information are processed by our payment processor (see Section IV) and not retained by Sikhiyas itself.

From Cohort Participants

• Cohort engagement recordsMentor reports, placement progress notes, the participant's own written reflections, performance and assessment material relevant to the certification
• Field operational dataLocation and contact information during placement, for safety and emergency purposes only
• Photograph and image dataLimited and consent-based — see Section VI for the institutional commitments on participant imagery

From Subscribers

• Email address and brief contextThe email address subscribed to receive Sikhiyas publications, plus the short note on professional or personal context provided at subscription

From Website Visitors

• Standard server logsIP address, browser type, pages visited, time of visit — held briefly for security and technical-debugging purposes
• No tracking cookiesSikhiyas does not deploy advertising tracking cookies, third-party analytics that build cross-site profiles, or behavioural-advertising integrations. Where minimal anonymous analytics are used (for understanding which pages are read), they are configured to respect Do-Not-Track settings and are not associated with any individual visitor

III. How We Use Your Data

The data described above is used only for the operational purposes of running Sikhiyas. Specifically:

• To process applicationsIncluding selection-conversation arrangements, reference checks, scholarship band determination, written offers, and the administrative work of cohort matriculation
• To run cohortsIncluding placement matching, mentor pairing, family liaison, certification, and the day-to-day operational requirements of the cohort itself
• To send subscribed publicationsPatrons Letter, Directors' Notes, Field Dispatches, Wisdom Map essays — only to subscribers who have explicitly subscribed, and only in those formats
• To respond to enquiriesPress, partnership, applicant family, scholarship, alumni, and general institutional correspondence
• To meet legal and regulatory obligationsIncluding India's regulatory framework for non-profit and educational institutions, tax compliance, and any legal disclosure required by competent authority

Sikhiyas does not use applicant or participant data for: marketing to third parties, behavioural advertising, donor-prospect profiling, sale or rental of contact information to any third party for any purpose, or any use not specified above. These commitments are non-negotiable.

IV. Third-Party Processors

Sikhiyas uses a small number of third-party services to operate. Each is named below, with a brief note on what it processes and the relevant safeguards.

• Email service providerFor sending the Patrons Letter, Directors' Notes, and other subscriber publications. Subscriber email addresses are held with the provider under standard data-processing agreements. The provider does not have permission to use the data for any purpose other than delivering Sikhiyas's emails.
• Payment processorFor receiving cohort fees and accommodation deposits. Payment card and bank account information is processed directly by the payment processor under PCI-DSS standards; Sikhiyas does not see, store, or have access to full payment card details. Receipt records (transaction reference, amount, date) are held by Sikhiyas for tax and audit purposes.
• Web hosting providerFor the operation of this website. Server logs are held briefly as described above; no personal data beyond the application form submissions is held on the web server.
• Cloud document storageFor internal Sikhiyas working documents (cohort records, mentor reports, certification material). Held with major cloud providers under appropriate data-processing agreements, with access restricted to relevant Sikhiyas staff and reviewed at least annually.

Specific named providers are available on request from the Privacy Office. We do not publish the specific provider names on the open web because this information is operationally sensitive (it would assist anyone seeking to compromise Sikhiyas's data infrastructure) but it is provided to anyone with a genuine professional interest.

V. Retention

Sikhiyas holds data for limited periods, calibrated to the legitimate purpose for which it was collected.

• Unsuccessful applicationsHeld for one year after the relevant cohort cycle, then deleted. The one-year retention enables the applicant to re-apply with reference to their prior application; after that, deletion is the default.
• Successful applications and cohort recordsHeld for the duration of the cohort plus seven years afterwards, for certification purposes (the certificate's verification window is seven years), then archived in anonymised form.
• Alumni recordsBasic alumni status (name, cohort year, current contact details for those who wish to remain in contact) is held for as long as the alumnus wishes, with annual contact-confirmation. Alumni who wish to be removed from records have this honoured immediately.
• Subscriber emailsHeld until the subscriber unsubscribes, plus 30 days for record purposes.
• Press and partnership correspondenceHeld for three years from the date of last correspondence.
• Financial recordsHeld for the period required by the relevant Indian regulatory framework, currently seven years.
• Server logsHeld for 30 days, then automatically deleted.

VI. Photographs And Images

The institutional discipline on participant photography is the most participant-protective element of this policy and is worth stating directly.

• Sikhiyas does not photograph cohort participants, alumni, Sikhiyasis, Friends & Allies, or Solidarity Scholarship recipients without explicit written consent obtained separately from the cohort or scholarship relationship.
• Where images are taken (campus events, public Wisdom Map gatherings, the annual Sangat), participants are notified in advance and may decline to be photographed without any institutional consequence. Group photographs are framed where possible to include only those who have not declined.
• Consented photographs are held internally for institutional purposes and are not provided to journalists, partner institutions, or external parties without separate, fresh consent specific to that use.
• Participants may withdraw photograph consent at any time, with the request honoured within 30 days for any image still in active institutional use. Images already published in archived materials cannot always be retracted, and this is named honestly when consent is sought.
• Children under 18 are photographed only with both parental and child consent, and even then only in supervised group contexts.

VII. Children's Privacy

Sikhiyas operates a small Under-18 cohort track, described on the Under-18 page, with parent-embedded Saath arrangements throughout. The data-protection commitments for under-18 applicants and participants are at the same standard as for adult cohort participants, with the following additional commitments:

• Parental consent at every stageFor all data collection, photograph permissions, and any institutional contact
• No marketing of any kindTo under-18 applicants or participants, ever, in any form
• Restricted internal accessUnder-18 records are accessible only to a small named set of Sikhiyas staff with relevant safeguarding training
• Right to deletion on requestBy the parent or, after 18, by the now-adult former participant, with full deletion honoured within 30 days of request

VIII. International Transfers

Sikhiyas is operated from India, where its primary data infrastructure is located. Applicants and participants from the UK, EU, US, Canada, Australia, and other jurisdictions should be aware that:

• Personal data is transferred to and processed in India in connection with the institution's operations
• India's Digital Personal Data Protection Act 2023 provides a substantive framework for personal data protection that is broadly aligned with major international standards
• Where data is transferred from the UK, EU, or other jurisdictions with adequacy or transfer requirements, Sikhiyas relies on the appropriate transfer mechanisms (standard contractual clauses where applicable, explicit consent, and the legitimate-interest framework where the legal basis applies)
• Applicants who require specific transfer documentation (for institutional employer compliance, for example) can request it through the Privacy Office

IX. Your Rights

Subject to the legal framework applicable to your jurisdiction, you have rights with respect to your personal data held by Sikhiyas:

• Right of accessYou may request a copy of the personal data Sikhiyas holds about you, provided in a readable format, within 30 days of request
• Right of correctionYou may request correction of any factual inaccuracy in your held data, with corrections made within 30 days of request
• Right of deletionYou may request deletion of your data, subject to the retention requirements set out in Section V (some records, such as financial records during their statutory retention period, cannot be deleted on request but will be deleted at the end of the retention period)
• Right of portabilityWhere data has been provided to Sikhiyas by you and is held by Sikhiyas in a structured format, you may request its provision in a portable format
• Right to objectTo specific uses of your data, including the right to unsubscribe from any communication at any time
• Right to complainTo Sikhiyas directly via the Privacy Office, and where Sikhiyas's response does not resolve the concern, to the relevant data-protection authority in your jurisdiction

To exercise any of these rights, write to privacy@sikhiyas.org with the request and sufficient information to identify your records. We do not require notarised identification or disproportionate documentation; a clear identifying email from the address Sikhiyas has on file is generally sufficient.

X. Security

Sikhiyas applies operational and technical safeguards proportionate to the data we hold:

• Access controlsPersonal data is accessible only to Sikhiyas staff whose role requires it, with access reviewed at least annually
• EncryptionData in transit is encrypted using current standards; data at rest is stored on systems with appropriate access controls and (for the most sensitive categories) encryption at rest
• Staff trainingAll Sikhiyas staff with data access receive privacy and safeguarding training as part of induction
• Breach notificationIn the event of a personal data breach affecting any individual whose data Sikhiyas holds, the affected individuals will be notified directly within 72 hours of the breach being identified, unless an applicable legal framework requires a different timeline
• Periodic reviewThe privacy and security practices set out in this policy are reviewed at least annually, with documented changes and the version date updated below

XI. Changes To This Policy

This policy will be updated as Sikhiyas's operational practices evolve, as the legal frameworks change, and as institutional practice matures. Material changes — for example, the introduction of new data categories, additional third-party processors, or changes to retention periods — will be notified to subscribers and current cohort participants in writing at least 30 days before they take effect, with a clear summary of what has changed. Non-material changes (clarifications, formatting improvements, contact-detail updates) may be made without specific notification but will always be reflected in the version date below.

XII. Contact

• Privacy Officeprivacy@sikhiyas.org
• Postal addressAvailable on request from the Privacy Office, for those who require correspondence in physical form
• Response timeRoutine privacy enquiries acknowledged within five working days; substantive responses within 30 days, in line with the major data-protection frameworks

Effective date: [TO BE SET ON FIRST PUBLICATION]
Last reviewed: [TO BE SET ON FIRST PUBLICATION]
Version: 1.0 (initial draft, pre legal-counsel review)