Crashfree India
Privacy Policy
Effective Date: 01st May 2026
Last Updated: 01st May 2026
1. Introduction
1.1 Crashfree India (“Crashfree India”, “we”, “us”, or “our”) is a public-interest initiative operated under Vision Zero Trust, working towards systemic improvements in road safety, policy reform, research, and victim support across India.
1.2 In the course of its activities, Crashfree India collects, processes, and manages personal data of various stakeholders including participants, volunteers, experts, employees, partners, government officials, and members of the public.
1.3 This Privacy Policy sets out how Crashfree India:
- 1.3.1 collects and processes personal data;
- 1.3.2 uses and discloses such data;
- 1.3.3 stores and secures such data;
- 1.3.4 ensures data security;
- 1.3.5 complies with the Digital Personal Data Protection Act, 2023 (“DPDP Act”);
- 1.3.6 protects the rights of individuals (“Data Principals”).
1.4 Crashfree India acts as a Data Fiduciary in respect of personal data processed under this Policy.
2. Definitions
For the purposes of this Privacy Policy:
2.1 “Personal Data” means any data about an individual who is identifiable by or in relation to such data.
2.2 “Data Principal” means the individual to whom the personal data relates, including, without limitation:
- 2.2.1 research participants (including crash victims and legal heirs);
- 2.2.2 volunteers, interns, and subject matter experts;
- 2.2.3 stakeholders, partners, and collaborators;
- 2.2.4 government officials and institutional representatives;
- 2.2.5 employees, candidates, and consultants;
- 2.2.6 users of Crashfree India’s digital platforms and tools.
2.3 “Data Fiduciary” means the entity that determines the purpose and means of processing personal data. For the purposes of this Policy, Vision Zero Trust (operating the Crashfree India initiative) is the Data Fiduciary.
2.4 “Processing” means any operation performed on personal data including collection, recording, organisation, structuring, storage, use, disclosure, dissemination, analysis, or deletion.
2.5 “Research Participant” means any individual who provides data or information in connection with Crashfree India’s research studies, surveys, interviews, fieldwork, or policy initiatives, including crash victims, legal heirs, and other stakeholders.
2.6 “Volunteer / Participant” means any individual who engages with Crashfree India in its programs, events, field initiatives, or community activities, whether on a voluntary or compensated basis.
2.7 “Stakeholder” means any individual or entity, including experts, institutions, government authorities, NGOs, partners, or collaborators, who interacts or engages with Crashfree India in connection with its initiatives.
3. Scope and Applicability
3.1 This Privacy Policy applies to all personal data collected, received, or otherwise processed by Crashfree India in connection with the design, implementation, and operation of its initiatives relating to road safety, research, policy development, stakeholder engagement, and associated activities. This includes personal data processed for purposes such as conducting research studies, undertaking policy and advocacy initiatives, engaging with stakeholders and partners, administering on-ground programs and field activities, supporting victim assistance and compensation-related efforts, managing employment and people operations, operating digital platforms and reporting tools, and maintaining records for administrative, financial, audit, compliance, and governance purposes.
3.2 This Privacy Policy also extends to any current or future initiatives, programs, or activities undertaken by Crashfree India that involve the processing of personal data in furtherance of its objectives.
3.3 Personal data may be collected through various channels including surveys, interviews, research instruments, application or participation forms (online or offline), contracts and agreements, digital platforms and tools, email and other communications, publicly available sources, government or institutional data, and third-party collaborations or partnerships.
4. Data Fiduciary Details
4.1 Registered Address: Crashfree India (Vision Zero Trust), FB/B-1, Extension First Floor, Mohan Cooperative Industrial Estate, New Delhi, Delhi - 110044.
4.2 Crashfree India acts as the Data Fiduciary responsible for determining the purposes and means of processing personal data.
5. Personal Data Collected
5.1 The table below sets out an indicative and non-exhaustive list of categories of personal data that may be collected, received, or otherwise processed by Crashfree India in connection with its existing and future initiatives, programmes, projects, platforms, and activities. Such data is processed only to the extent necessary for legitimate purposes including research, policy development, stakeholder engagement, operations, financial management, compliance, and governance.
| # | Category of Personal Data | Types of Data Collected (Illustrative and Non-Exhaustive) | Purpose of Processing | Retention Period |
|---|---|---|---|---|
| 5.2.1 | Stakeholder, Partner, Expert & Institutional Data | Name, phone number, email address, city, state, country, designation, occupation, employer/organization name, institutional affiliation, professional credentials, areas of expertise, LinkedIn/social profiles, engagement history, meeting notes, MoUs, contracts, partnership details | To build and maintain stakeholder networks, enable collaboration, manage partnerships, facilitate consultations, and support research and policy initiatives | Retained for duration of relationship and thereafter for institutional memory, audit, and governance |
| 5.2.2 | Research & Survey Data (General Participants & Community) | Name, demographic details (age group, gender, occupation), respondent category (pedestrian, commuter, resident, etc.), location data, survey responses, behavioural inputs, perception data, risk observations, suggestions, interview transcripts, audio/video recordings, field notes, metadata | To conduct research, generate insights, analyse behavioural and systemic patterns, and design policy and infrastructure interventions | Retained for research lifecycle; anonymised/aggregated wherever feasible |
| 5.2.3 | Crash Victim & Legal Heir | Name, contact details, demographic details, accident details, injury/disability details, financial hardship indicators, compensation status, legal case details, documentation relating to claims, Aadhaar, bank details for honorarium, supporting documents | To conduct compensation research, identify systemic gaps, enable policy recommendations, and process honorarium payments | Retained only as necessary; sensitive identifiers minimised, masked, or anonymised where possible |
| 5.2.4 | Government, Law Enforcement & Public Authority Data | FIR number, FIR date, nature/type of crash, vehicle details (where available), investigation status, officer details (name, designation, phone number), police station details, court status, challan data, enforcement records, RTI data, publicly available datasets | To analyse crash trends, support research, develop policy recommendations, and strengthen systemic interventions | Retained for research, archival, and policy use |
| 5.2.5 | Participant, Volunteer, Intern & SME Data | Name, phone number, email, institution/university, course/discipline, city, ID proofs (Aadhaar/PAN where required), bank details, photographs, agreements (internship, volunteer, SME), participation records, performance/feedback data | To onboard and manage participants, execute agreements, administer programs, and process stipends or reimbursements | Retained during engagement and as required for compliance |
| 5.2.6 | Programme / Project Implementation Data (e.g., Rakshak & Similar Initiatives) | Location data (city, junction name, GPS coordinates), road ownership details, infrastructure characteristics, traffic patterns, land use data, photographs/videos of sites, hazard reports, community inputs, stakeholder consultation records, implementation status, authority approvals | To conduct site assessments, design interventions, monitor implementation, and evaluate outcomes | Retained for 24 months or more for project lifecycle, reporting, and institutional reference |
| 5.2.7 | Community Reporting & Public Interaction Data | User-submitted reports, location data, hazard descriptions, photos/videos, timestamps, device/browser data, user identifiers (if provided), feedback submissions | To enable citizen reporting, identify risks, support interventions, and improve platform functionality | Retained for operational and analytical purposes; anonymised where feasible |
| 5.2.8 | Donor, Contributor & Funding Data (Where Applicable) | Name, contact details, contribution details, bank/payment information, donor communications, compliance/KYC documents (where required) | To manage contributions, ensure transparency, and comply with financial regulations | Retained as per applicable law |
| 5.2.9 | Media, Audio-Visual & Documentation Data | Photographs, video recordings, voice recordings, interviews, field documentation, event coverage, testimonials | To document initiatives, support research, enable advocacy, and create educational or awareness content | Retained for documentation, archival, and communication purposes |
| 5.2.10 | Digital Platform & Technical Data | IP address, device ID, browser type, operating system, cookies, access logs, usage analytics, session data, interaction logs | To ensure platform functionality, security, analytics, and user experience improvement | Retained for 24 months or more, as per technical and security requirements |
| 5.2.11 | Communications Data | Emails, messages, call records, correspondence with stakeholders, participants, authorities, or partners | To manage communication, respond to queries, coordinate activities, and maintain records | Retained as per communication and record-keeping needs |
| 5.2.12 | Compliance, Legal & Governance Records | Contracts, agreements, legal notices, policy acknowledgements, investigation records, audit reports, regulatory filings | To ensure compliance with legal, regulatory, and governance requirements | Retained as required under applicable law |
6. Legal Basis for Processing
6.1 Crashfree India processes personal data in accordance with the provisions of the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and applicable laws. The processing of personal data is undertaken only where there exists a lawful basis, as set out below.
6.2 Consent: Crashfree India processes personal data based on the consent of the Data Principal, where such data is:
- 6.2.1 provided directly by individuals through surveys, interviews, research participation, or program involvement;
- 6.2.2 submitted through forms, applications, agreements, or other documentation (whether online or offline);
- 6.2.3 shared for the purpose of participation in initiatives, events, consultations, or stakeholder engagements;
- 6.2.4 provided for the purpose of receiving payments, honorariums, reimbursements, or other benefits;
- 6.2.5 submitted through digital platforms, tools, or communication channels operated by Crashfree India.
6.2.6 Such consent is intended to be free, specific, informed, unconditional, and unambiguous, in accordance with the DPDP Act.
6.2.7 Where personal data is provided by an individual in connection with a particular activity or engagement, such provision shall be deemed to indicate consent for processing to the extent reasonably necessary for such activity, unless otherwise specified.
6.3 Legitimate Uses under Applicable Law: Crashfree India may process personal data without explicit consent where such processing is permitted under the DPDP Act or other applicable laws, including for purposes such as:
- 6.3.1 undertaking research, analysis, and public interest initiatives relating to road safety, policy development, and systemic improvements;
- 6.3.2 processing publicly available data or data obtained through lawful means, including from government authorities or institutional sources;
- 6.3.3 prevention, detection, and investigation of fraud, misuse, or unlawful activities;
- 6.3.4 compliance with applicable legal, regulatory, audit, or reporting requirements;
- 6.3.5 processing necessary for employment-related purposes, including recruitment, onboarding, payroll, and workforce management;
- 6.3.6 internal administrative, operational, and governance functions, including record-keeping and program management;
- 6.3.7 coordination with government authorities, institutional partners, and stakeholders in furtherance of Crashfree India’s objectives.
6.3.8 Such processing is undertaken in a manner consistent with applicable law and limited to what is necessary for the relevant purpose.
6.4 Voluntary Provision of Data: Where individuals or entities voluntarily provide personal data to Crashfree India:
- 6.4.1 such data may be processed for the purposes for which it has been provided, including research, participation, collaboration, or engagement activities;
- 6.4.2 Crashfree India may rely on such voluntary provision as a valid basis for processing, to the extent permitted under applicable law;
- 6.4.3 individuals are expected to ensure that the information provided is accurate and that they are duly authorised to share such information, where it relates to third parties.
6.5 Contractual and Operational Necessity: Personal data may be processed where necessary for:
- 6.5.1 entering into or performing agreements, including with employees, interns, volunteers, consultants, vendors, and partners;
- 6.5.2 administering programs, projects, or initiatives involving participants or stakeholders;
- 6.5.3 processing payments, reimbursements, or financial transactions;
- 6.5.4 managing relationships and obligations arising from contractual or quasi-contractual arrangements.
6.6 Legal and Regulatory Obligations: Crashfree India may process personal data where such processing is necessary to:
- 6.6.1 comply with applicable laws, regulations, court orders, or directions issued by competent authorities;
- 6.6.2 maintain statutory records, financial accounts, and audit documentation;
- 6.6.3 respond to lawful requests from government or regulatory bodies;
- 6.6.4 establish, exercise, or defend legal rights.
7. Processing of Data of Minors
7.1 Crashfree India may, in the course of its activities, process personal data relating to individuals below the age of eighteen (18) years (“Minors”), particularly in the context of research studies, community engagement, or road safety initiatives involving affected individuals or beneficiaries.
7.2 In such cases:
- 7.2.1 personal data of Minors is processed only where necessary and relevant for the specific purpose, including research, documentation, or public interest initiatives;
- 7.2.2 where required under applicable law, such data is collected with the consent of a parent or lawful guardian, or through authorised representatives;
- 7.2.3 data collection is limited to what is reasonably necessary, and excessive or unrelated information is not sought;
- 7.2.4 Crashfree India does not undertake tracking, behavioural monitoring, profiling, or targeted decision-making in relation to Minors;
- 7.2.5 any use of such data, including in research outputs or publications, is undertaken with appropriate safeguards, including anonymisation or de-identification wherever feasible.
7.3 Crashfree India relies on the representations made by individuals or representatives submitting such data regarding their authority to do so and does not independently verify such authorisation in all cases.
8. Data Sharing and Disclosure
8.1 Crashfree India may share, transfer, or disclose personal data, strictly to the extent necessary and proportionate for the purposes outlined in this Privacy Policy, with the following categories of recipients:
- 8.1.1 Government Authorities and Regulatory Bodies: Including law enforcement agencies, police departments, courts, tribunals, transport authorities, and other governmental or statutory bodies, where such disclosure is required for compliance with applicable laws, in response to lawful requests or directions, or in connection with research collaborations and public interest initiatives.
- 8.1.2 Research Collaborators and Institutional Partners: Including academic institutions, research organisations, subject matter experts, civil society organisations, and implementation partners engaged in joint studies, consultations, pilot projects, or policy initiatives. Such sharing may include structured datasets, insights, or limited personal data, where necessary and appropriately safeguarded.
- 8.1.3 Service Providers and Technology Partners: Including third-party vendors providing services such as cloud storage, data hosting, analytics, software tools, IT infrastructure, communication systems, payment processing, and technical support. Such entities may process personal data on behalf of Crashfree India under contractual arrangements.
- 8.1.4 Professional Advisors and Consultants: Including legal advisors, auditors, accountants, compliance professionals, and other consultants engaged for advisory, governance, audit, or regulatory purposes.
- 8.1.5 Vendors, Contractors, and Operational Partners: Including entities engaged for programme execution, fieldwork, logistics, surveys, documentation, or implementation support, where sharing is necessary for operational purposes.
- 8.1.6 Other Third Parties (Where Applicable): Where data sharing is required to facilitate collaborations, partnerships, funding arrangements, or institutional engagements, subject to appropriate safeguards.
9. Data Retention, Withdrawal of Consent and Erasure Requests
9.1 Crashfree India retains personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy or as required under applicable legal, regulatory, or audit obligations. Once such purposes are fulfilled, the data will be securely deleted or anonymized.
9.2 Data Principals may request withdrawal of consent or deletion of their personal data by contacting the Grievance Officer using the details provided in this Policy. Crashfree India will review such requests and respond within a reasonable timeframe.
9.3 Crashfree India may retain certain information where required to comply with legal obligations, regulatory requirements, or legitimate operational interests.
10. Data Security
10.1 Crashfree India implements reasonable security safeguards to protect personal data from unauthorized access, misuse, loss, or disclosure.
10.2 Security measures may include:
- 10.2.1 encrypted storage systems;
- 10.2.2 role-based access controls;
- 10.2.3 secure server environments;
- 10.2.4 restricted internal access to personal data;
- 10.2.5 staff confidentiality obligations;
- 10.2.6 periodic security reviews.
11. Rights and Responsibilities of Data Principals
11.1 Under the DPDP Act, Data Principals are entitled to the following rights:
- 11.1.1 Right to Access Information: To obtain information about personal data processed by Crashfree India.
- 11.1.2 Right to Correction and Erasure: To request correction of inaccurate personal data or deletion where appropriate.
- 11.1.3 Right to Grievance Redressal: To lodge complaints regarding misuse or improper processing of personal data.
- 11.1.4 Right to Nominate: To nominate another individual to exercise their rights in the event of death or incapacity.
11.2 Individuals submitting personal data must ensure:
- 11.2.1 information provided is accurate;
- 11.2.2 documents submitted are authentic;
- 11.2.3 updates are provided when personal information changes.
11.3 Providing false information may lead to rejection of applications.
12. International Data Transfers
12.1 Personal data is primarily processed and stored within India. Where international data transfers occur, Crashfree India will ensure compliance with applicable laws and adequate safeguards.
13. Disclaimer
13.1 Crashfree India processes personal data based on information:
- 13.1.1 voluntarily provided by individuals, stakeholders, or participants; and/or
- 13.1.2 obtained from third-party sources, including government authorities, public records, institutional datasets, or other lawful sources.
13.2 In the course of its activities, Crashfree India may rely on data originating from multiple external sources, including but not limited to:
- 13.2.1 police records, FIR data, and enforcement datasets;
- 13.2.2 RTI responses and government disclosures;
- 13.2.3 stakeholder submissions and field inputs;
- 13.2.4 publicly available datasets, reports, and publications.
13.3 Such data may be subject to limitations inherent to its source, including variations in accuracy, completeness, timeliness, or format. While reasonable care is exercised in processing and using such data:
- 13.3.1 Crashfree India relies on the representations, disclosures, and records provided by the relevant sources;
- 13.3.2 it does not independently verify all data obtained from third-party or public sources;
- 13.3.3 outputs, insights, or analyses generated may be dependent on the quality and completeness of underlying data.
13.4 Individuals and entities providing data are expected to ensure that:
- 13.4.1 the information shared is accurate and up to date;
- 13.4.2 they are duly authorised to share such information, including where it relates to third parties.
13.5 Crashfree India implements reasonable technical and organisational safeguards to protect personal data, including access controls, secure storage, and restricted processing. However:
- 13.5.1 no system, platform, or method of transmission or storage can be entirely free from risk;
- 13.5.2 external factors, including cyber threats, system failures, or third-party dependencies, may affect data security or availability.
13.6 To the extent permitted under applicable law, Crashfree India shall not be responsible for:
- 13.6.1 inaccuracies, omissions, or inconsistencies in data originating from third-party or public sources;
- 13.6.2 any unauthorised access, disclosure, alteration, or loss of data arising from circumstances beyond its reasonable control;
- 13.6.3 disruptions, delays, or failures in systems, platforms, or services used in the processing of data;
- 13.6.4 any reliance placed by third parties on data, insights, or outputs generated by Crashfree India.
14. Consent
14.1 Crashfree India collects and processes personal data primarily based on the consent of the Data Principal or, where applicable, their parent or lawful guardian, except where processing is permitted under applicable law.
14.2 By submitting an application or providing personal data to Crashfree India through its website, application forms, or other communication channels, the Data Principal confirms that:
- 14.2.1 the personal data provided is accurate and complete;
- 14.2.2 they consent to the collection, use, storage, and processing of such personal data for the purposes described in this Privacy Policy; and
- 14.2.3 where the personal data relates to a minor, such information is submitted with the consent of the minor’s parent or lawful guardian.
14.3 Consent obtained by Crashfree India is intended to be free, specific, informed, unconditional, and unambiguous, in accordance with the Digital Personal Data Protection Act, 2023.
14.4 Processing of Personal Data of Minors
14.4.1 Where an application includes personal data of a student below eighteen (18) years of age (“Minor”), such data must be submitted by or with the authorization of the Minor’s parent or lawful guardian. By submitting such information, the parent or guardian confirms that they are legally authorized to provide consent on behalf of the Minor.
14.4.2 Crashfree India processes personal data of Minors only for purposes related to evaluation, verification, communication, and disbursement, and limits such collection to information necessary for administering the program.
14.4.3 Crashfree India relies on the representations made by applicants or guardians regarding authorization to submit such data and shall not be liable for any unauthorized submission, inaccurate information, or lack of valid consent provided by applicants, parents, guardians, or any third party.
14.4.4 Data Principals or parents/guardians may withdraw consent by contacting Crashfree India; however, such withdrawal may affect the processing of the application or continuation of benefits.
15. Cookies and Website Tracking
15.1 Crashfree India’s website may use cookies and similar technologies to enhance user experience and improve website functionality.
15.2 Cookies may be used to:
- 15.2.1 remember user preferences;
- 15.2.2 analyse website traffic and usage patterns;
- 15.2.3 improve the performance and functionality of the website.
15.3 Users may control or disable cookies through their browser settings.
15.4 However, disabling cookies may affect the availability or functionality of certain features of the website.
16. Contact Us / Questions / Grievance Redressal
16.1 Crashfree India has established a grievance redressal mechanism to address concerns relating to personal data processing.
16.2 Data Principals may contact the Grievance Officer for:
- 16.2.1 queries regarding this Privacy Policy;
- 16.2.2 requests for access or correction of personal data;
- 16.2.3 withdrawal of consent;
- 16.2.4 complaints regarding misuse of personal data.
16.3 Grievance Officer
16.3.1 Registered Address: Crashfree India (Vision Zero Trust), FB/B-1, Extension First Floor, Mohan Cooperative Industrial Estate, New Delhi, Delhi - 110044.
16.3.2 Email: hello@crashfreeindia.org
16.4 Crashfree India will acknowledge and address complaints within the timelines prescribed under applicable data protection laws.
17. Updates and Changes to This Privacy Policy
17.1 Crashfree India reserves the right to update or modify this Privacy Policy from time to time in order to reflect:
- 17.1.1 changes in applicable laws or regulations;
- 17.1.2 updates to programs or operational practices;
- 17.1.3 improvements to privacy safeguards.
17.2 Any updates to this Privacy Policy will be published on the Crashfree India website and will become effective upon publication unless otherwise stated. Individuals are encouraged to review this Privacy Policy periodically to stay informed about how their personal data is protected.