Privacy Policy & Data Governance
This unified policy explains how Madhunandan Association handles information across its public website, M-Board member platform, standalone M-Chat app, and related digital assets. Platform-specific sections apply when members, department representatives, and administrators use M-Board.
- This is a unified Madhunandan Association policy for our public website, M-Board, and related digital assets.
- Core member, governance, file, and chat data is stored on systems controlled by Madhunandan Association. Limited external services are used only for specific features such as push notifications, maps, GIF search, Google Photos or Drive import, and Google Meet calls.
- Votes and anonymous submissions are cryptographically separated from your identity - even administrators cannot link them back to you.
- We collect only what is necessary to run membership, governance, communication, security, and member-selected feature integrations.
- You can request a copy of your data, correct inaccuracies, or ask for deletion at any time.
- Access to your information is strictly limited by role. Members see what members should see.
- All activity is logged for accountability, but logs are accessed only for legitimate governance or security purposes.
- Camera access for QR login is requested only when you actively initiate it. No image or video is ever stored - scanning happens entirely on your device.
- Chat is live in M-Board, mini chat, and the standalone M-Chat app. All three use the same protected conversation system, while M-Chat keeps its own login cookie and push registration.
Who We Are
Madhunandan Association is a Section 8 non-profit company engaged in social services, humanitarian research, educational support, and community development. M-Board is our internal member governance platform built by our own IT department, hosted on our own infrastructure, and operated exclusively for our members and governing body.
Madhunandan Association is the sole data controller for information processed through its public website, M-Board, M-Chat, and related digital assets. We do not operate as a commercial product or Software-as-a-Service provider. These digital assets exist to serve our community, not to monetise data.
Data We Collect
We collect information in three ways: data you provide directly, data generated by your use of the platform, and technical data required to keep sessions secure.
| Category | What we collect | Why |
|---|---|---|
| Account Identity | Full name, username, email address, employee / member ID, department, phone (optional), profile photo (optional), biography (optional) | To identify you within the platform and route communications correctly |
| Authentication | Hashed password (bcrypt, never plain-text), 2FA OTP tokens (transient, auto-expired), remember-me token (hashed) | To secure your account and verify your identity on login |
| QR Login | One-time QR token or short code, target app (M-Board or M-Chat), approver member ID, requesting device IP & user-agent, session approval/denial/revocation timestamps, and chat-only session-token hash where the standalone M-Chat app is approved. No camera image or video is ever transmitted or stored - QR scanning is processed entirely on your device. | To let a trusted member securely authorise a browser or standalone M-Chat login without sharing their password, and to let them revoke that session later |
| Session & Device | IP address, browser user-agent, session identifier, last activity timestamp, device fingerprint (for multi-device management), trusted-device metadata, app scope (M-Board or M-Chat), service-worker scope, and push-device registration metadata where you enable push on a device | To maintain your secure session, separate M-Board and M-Chat device records correctly, and allow you to review or revoke active devices |
| Participation | Election eligibility records, poll participation flags (yes/no), proposal submissions and votes, event registrations, file uploads and accesses | To operate governance processes, track eligibility, and maintain records of decisions |
| Messaging | Conversation type and membership, message text, sender and recipient/conversation IDs, timestamps, replies, edits, deletion markers, pins, reactions, delivery status, read status, typing/presence signals, and conversation-list previews | To run live direct, group, broadcast, mini-chat, and standalone M-Chat conversations, show message state accurately, and maintain conversation history for association work |
| Chat Media & Attachments | Images, files, audio, video, voice notes, GIF selections, link-preview metadata, original file name, MIME type, file size, duration, storage path/public URL where applicable, and attachment metadata | To send, preview, retry, download, and manage media shared inside conversations |
| Chat Location & Calls | Only when you choose to use these features: selected/current/live location coordinates, accuracy, timestamps, expiry/stop state, nearby-place search context, map links, and Google Meet call metadata such as meeting title, status, time, and join URL | To let members share a place, share live location for a limited time, search nearby places, or create/join chat calls |
| Files & Documents | File metadata (name, size, type, upload date, uploader ID), file content, access logs, sharing relationships | To provide secure file management and sharing within the association |
| Notifications | Notification delivery records, read status, type, target (individual / department / all), chat push previews, push delivery status, FCM token hash/token, app scope, platform/browser metadata, permission status, and service-worker scope where enabled | To deliver and track internal governance and chat communications across in-app, M-Board PWA, and M-Chat PWA push channels |
| Grievance & Feedback | Submission content, category, target authority, timestamp, resolution status. If anonymous: no identity is stored or linkable | To route and resolve member feedback for good governance (coming soon) |
| Audit Logs | Action type, entity affected, timestamp, IP address, risk level, outcome | For security monitoring, accountability, and governance integrity |
| Member Profiles | Governance roles, board/body titles, voting status, responsibilities, domain responsibility, profile summary, areas of expertise, areas of interest, qualifications (degree, institution, specialisation), official email & phone (visibility-controlled), designation, sort order, publication status | To maintain verified public-facing governance profiles in the Member Directory visible to members and, where published, to the public |
| Preferences | Notification preferences, push-notification device preferences, and UI preferences | To personalise your experience on the platform and respect your device-level notification choices |
| Local Device Storage | Browser or PWA storage may keep drafts, cached conversation/message snapshots, cached media previews, upload retry data, and settled-outbox records on your own device. This local cache is not collected by the server unless you send or sync the content. | To make chat load faster, recover drafts, and safely retry interrupted sends without duplicate messages |
How Your Data Is Used
Every piece of data collected has a specific, documented purpose. We do not use data for any purpose beyond those listed below.
- Platform operation - authenticate users, manage sessions, display the correct dashboard and features for each role.
- Governance processes - manage elections, polls, proposals, and voting eligibility. Record decisions and outcomes as part of the association's official record.
- Communications - deliver internal notifications, run live chat in M-Board, mini chat, and M-Chat, support media sharing, read/delivery state, push alerts, and member discussions.
- Event management - register members for events, manage capacity, and communicate event details.
- File management - store, organise, and provide secure access to documents shared within the association.
- Security - detect and respond to unauthorised access attempts, enforce session limits, support 2FA, and maintain an audit trail.
- Accountability - maintain audit logs so that administrative actions can be reviewed by authorised personnel, ensuring no misuse of power.
- Member Directory - display admin-verified public profiles for governing members in the team directory. Contact details within profiles are subject to the visibility setting chosen per profile and are never shown beyond what has been explicitly permitted.
- Good governance - route grievance and feedback submissions to the appropriate authority, track resolution, and uphold member rights (coming soon).
Anonymity & Confidentiality
Anonymity is a design principle, not a setting. Where M-Board promises anonymity, it is enforced at the data layer, not just the display layer.
- Elections & Polls - your participation is recorded as a boolean flag (voted / not voted) to prevent double-voting. Your actual vote (the choice you made) is stored separately with no link to your identity. Not even database administrators can join these two records to identify how you voted.
- Anonymous Feedback & Grievances (coming soon) - when you choose to submit anonymously, no user ID, session token, IP address, or any other identifiable metadata is stored with your submission. The anonymity is absolute and irreversible - even the governing authority receiving the submission cannot determine who sent it.
- Named submissions - where you submit feedback or grievances with your identity, your name is visible only to the specific authority the submission is routed to, and only for the purpose of resolution.
Data Storage & Security
Core M-Board member, governance, file, chat, session, and audit data is stored on
servers controlled by Madhunandan Association. Standalone M-Chat uses the same protected
chat records and Node chat service as M-Board, but keeps a separate /chat/ login cookie and
app-scoped push registration so each installed app can be managed independently.
For supported web push notifications, the platform uses Firebase Cloud Messaging / Firebase Installations as a narrowly scoped external delivery service to register a device, maintain a push token, and deliver browser or PWA notifications to that device. Optional chat features may also contact Google Maps/Places, Google Photos, Google Drive, Google Meet/Calendar, or Giphy only when you choose to use those features. These services are not used for advertising, analytics, profiling, or general data hosting by us.
The following security measures are in place on the platform:
- Passwords are hashed using bcrypt with a suitable cost factor. Plain-text passwords are never stored or logged.
- CSRF protection is enforced on every form submission and AJAX request via rotating, session-bound tokens.
- Sessions are cryptographically signed, server-side, with automatic expiry and idle-timeout enforcement.
- Two-Factor Authentication (2FA) via email OTP is available to all members and is enforced for privileged roles.
- Input sanitisation and prepared SQL statements prevent injection attacks across all data entry points.
- File uploads are validated against MIME type and size limits. Files are stored outside the public web root with access token gating.
- Audit logging records security-relevant events with IP address, timestamp, and risk classification.
- Transport security - all communication between your browser and the server is encrypted in transit via HTTPS/TLS.
- Database backups are encrypted and stored on-premises. Backup access is restricted to the IT department.
Who Can See What - Access Control
Access to data on M-Board is strictly role-based. Your role determines what you can see, do, and manage. No role has unrestricted access to all data.
| Role | Can see | Cannot see |
|---|---|---|
| Member | Their own profile, their own votes (not choices), elections/polls/proposals/events they are eligible for, their own files and shared files, their own notifications, their own sessions, and chat conversations where they are a participant | Other members' private data, how anyone voted, private chats or groups they are not part of, admin logs, system settings |
| Department Representative | Department member profiles (within their dept), department-level elections and events, department notification broadcast tools, department files, and department/group conversations only where they are authorised participants or managers | Other departments' private data, individual vote choices, private direct chats or groups they are not part of, platform-wide administration tools, system audit logs |
| Administrator | Platform configuration, user account management, audit logs, system health, election/event/proposal management, broadcast notifications, and chat administration metadata needed to operate the service | Individual vote choices (anonymity is system-enforced and cannot be overridden), anonymous submission identities, and private chat content outside a documented governance or security investigation process |
Member Directory & Public Profiles
The Member Directory (m_profiles) is a governance feature that
allows the association to maintain verified, structured public profiles for
its governing members. Profiles are created and published exclusively by
administrators - members cannot self-publish.
- Admin-controlled publication - only administrators can create, edit, and publish a member profile. A profile exists in draft or archived state until an administrator explicitly publishes it. Members may view their own profile in draft form from their Profile Management page.
- What is publicly visible - when a profile is published, the following are visible to the public (guests and members alike): full name, governance roles and body titles, responsibilities, domain responsibility, profile summary, areas of expertise and interest, and qualifications. No contact details are shown publicly by default.
- Contact visibility controls - each profile has a configurable contact visibility setting: Hidden (never shown), Available on Request (displayed as a note, no detail), or Public (shown to logged-in members only - never to guests). Contact details are never shown to unauthenticated visitors regardless of setting.
- Governance data - governance roles, voting status, board memberships, and body affiliations are displayed on published profiles as part of the association's commitment to transparency in leadership. This data reflects the member's official role within the association's governance structure.
- Member-only detail - logged-in members see the full profile including: employee ID, user type, designation, joining date, all governance detail, and contact information (subject to visibility setting). Guests see a reduced public-safe subset with a prompt to sign in for full access.
- Right to review your own profile - every member can view their published profile exactly as it appears in the directory, from the "My Public Profile" tab in Profile Management. If you believe any information is inaccurate, you may request a correction from the IT department or an administrator.
- Removal & archiving - profiles can be unpublished or archived by an administrator at any time. An archived profile is immediately removed from the public directory. The underlying data is retained according to our data retention policy for governance record purposes.
Messaging & Discussions
Messaging is available inside the main M-Board chat overlay, mini chat, the M-Board chat page, and the standalone M-Chat PWA. These entry points use the same protected conversation records and realtime chat service. M-Chat has its own login cookie and push registration, but it does not create a separate copy of your conversations.
- Conversation access - direct messages are visible to the people in that chat. Group, public group, private group, department, and broadcast conversations are visible according to their membership and role rules.
- Message records - we store the message, sender, conversation, timestamps, reply/edit/delete state, reactions, pins, delivery state, read state, and the recent-message preview needed for the conversation list.
- Realtime status - typing, online/presence, delivery, and read indicators are used to show what is happening in the chat. Message delivery and read records are kept so the chat state stays accurate across devices.
- Media and voice - images, files, audio, video, GIFs, and voice notes are stored only when you send them. Microphone access is requested only when you choose to record a voice note, and the recording is not sent unless you send it.
- Location sharing - current location, selected places, nearby-place search, and live location are used only when you choose those actions. Live location is limited to the selected duration or until stopped/expired.
- External chat actions - if you choose Google Photos, Google Drive, Google Meet, Maps/Places, or GIF search, the relevant service may receive the information needed for that action. Only media, links, meeting details, or location information you choose to share become part of the chat record.
- Local drafts and retry cache - your browser or installed PWA may keep drafts, conversation snapshots, media previews, and interrupted upload retry data on your own device so chat remains fast and failed sends can recover safely.
- No general message surveillance - administrators do not browse private messages as a normal management function. Private chat content is accessed only if a formal, documented governance or security investigation requires it and the appropriate authority approves it.
Notifications
Notifications on M-Board and M-Chat are internal association communications, including governance notices and chat alerts. They are not marketing, promotional, or automated spam. They may be delivered inside the platform and, on supported devices where you enable it, through browser or PWA push notifications.
- Notifications may be targeted to an individual, a department, or broadcast to all members.
- Notification read status is tracked so the governing body can confirm important communications have been seen.
- Chat push notifications may include the sender name, conversation or group name, a message snippet, attachment type, avatar/icon, and a deep link so the correct chat opens.
- M-Board and M-Chat push registrations are stored separately by app scope so installing one app, the other app, or both does not confuse delivery or logout controls.
- Push notifications may include device-level presentation data such as icon, badge, poster image, tag, and deep link where supported by the browser or operating system.
- You can configure your notification preferences in your profile settings to control which categories you receive, and you can enable or disable push for the current device from your profile preferences where supported.
- Notifications with an expiry date are automatically purged from your inbox after expiry.
- Only authorised roles (administrators and department representatives within their scope) may send notifications.
- Push notifications also depend on your browser or device permission settings. Denying browser notification permission prevents push delivery even if in-platform notifications remain available.
Files & Documents
The file management module allows members to upload, organise, and share documents within the association. All files are stored on our own servers.
- Files you upload are accessible to you and to any member you explicitly share them with.
- File access is token-gated - direct URL access without a valid, time-limited token is not possible.
- File access events are logged (who accessed which file and when) for security and accountability.
- Administrators can see file metadata (name, size, uploader, sharing status) for platform management, but file content is only accessible if the administrator is a designated recipient.
- File uploads are restricted to permitted MIME types and a maximum size of 10 MB per file to prevent misuse.
Audit Logs & Accountability
M-Board maintains a comprehensive audit trail of security-relevant and governance-relevant actions. This is a feature of good governance, not surveillance.
- Logged events include: login and logout, profile updates, password changes, votes cast (participation only, not choices), election and proposal management, file actions, 2FA events, and administrative actions.
- Each log entry records: action type, entity affected, timestamp, IP address, and risk level classification.
- Members can view their own recent activity log in their Profile → Activity History.
- Full audit logs are accessible only to platform administrators and only for legitimate security or governance purposes.
- Audit logs cannot be deleted or modified by any user, including administrators, to ensure integrity of the governance record.
Two-Factor Authentication & Sessions
M-Board uses email-based OTP (one-time password) for two-factor authentication. Members can manage their active sessions and connected devices directly from their profile. QR Login is an additional optional feature allowing a trusted member to authorise a temporary session on a secondary device.
- 2FA OTP tokens are single-use, time-limited, and automatically expired. They are never stored in recoverable form after use.
- Active sessions are listed in your profile, showing device, browser, IP address, and last activity. You can terminate any individual session or all sessions with a single click.
- Remember-me tokens are stored as secure, hashed values. If you suspect your remember-me token is compromised, you can revoke all sessions from your profile.
- Sessions expire automatically after a period of inactivity, regardless of remember-me status, as a security measure.
- IP addresses associated with your sessions are retained in logs for the duration defined in our data retention policy.
- QR Login sessions are time-limited and set by the approving member from 15 minutes to a custom maximum of 30 days. The session is automatically revoked on expiry. The approving member can also revoke it at any time from the QR Login Manager. When revoked, the other device is signed out within seconds.
- QR Login data stored: the one-time token, approver ID, requesting device IP and user-agent, chosen duration, and approval timestamp. All QR session records are retained according to our standard data retention policy and visible to the approving member in their session history.
- Chain-session prevention: a session created via QR login is flagged internally as a limited-privilege session. The platform blocks any attempt to use such a session to approve another QR login. Only a full credential-based session can authorise new QR access. This flag is stored in the server-side session and is never transmitted to the client.
- Active Devices tab: the QR Login Manager displays all currently active sessions on your account, including device name, browser, IP address, last-seen time, and whether the session was created via QR or credentials. You can revoke any individual session instantly. This data is fetched live from the server on request and is only visible to you.
- Session audit log: a paginated history of all QR-related events (approvals, denials, and logouts) is available in the Past Sessions tab of the QR Login Manager. Each entry records the event type, device details, IP address, and timestamp. This log is accessible only to the account owner and is retained in accordance with our data retention policy.
- Camera access: the QR scanner requests access to your device camera only when you click "Approve New Device Login." The camera stream is processed entirely on your device using the browser's native APIs. No image, frame, or video data is ever uploaded, transmitted, or stored by M-Board.
- Camera permission is always optional. You can deny the camera permission and use the manual short-code entry instead. Denying camera access has no effect on any other platform functionality.
Grievance & Feedback - Coming Soon
The Grievance & Feedback module is designed from the ground up to be a safe, fair, and confidential channel for every member. Privacy is not optional - it is structurally built in.
- Anonymous submissions - when you choose anonymous, absolutely no identifying data (user ID, IP address, session token, browser fingerprint, or timestamp) is associated with the submission content. Anonymity is permanent and irrevocable.
- Named submissions - your identity is disclosed only to the authority designated to resolve the matter. It is not shared with other members.
- Status tracking - anonymous submitters receive a system-generated reference token at submission time. Using this token, they can check the resolution status without identifying themselves.
- No retaliation by design - because anonymous submissions are architecturally unlinkable, no governing authority can take retaliatory action against the submitter.
- Routing & retention - submissions are retained only for the duration required to resolve and document the governance action taken. Resolved submissions are archived, not deleted, as part of the association's governance record.
Third Parties & External Services
M-Board does not sell, rent, or disclose member data to third parties for commercial, advertising, or profiling purposes. Where an external service is used, it is limited to narrowly defined technical delivery functions required by the platform.
The platform loads fonts (Google Fonts) and icon libraries (Font Awesome via CDN) for display purposes. These are client-side resources - your browser requests them directly. These providers receive your IP address as a consequence of the HTTP request, which is standard web behaviour and outside our control. No account or identity data is transmitted to these services.
If you enable push notifications, Firebase / Google receives the technical data required to create and deliver push messages to your browser or installed web app, such as a push token, browser or app-instance identifiers, and related delivery metadata. We use this only for notification delivery and device-level push control.
If you use chat location features, Google Maps/Places may receive the coordinates, place-search text, map request, or route/open-map request needed to show a map, search nearby places, or open directions. We do not use location for background tracking or advertising.
If you choose Google Photos, Google Drive, or Google Meet from chat, those Google services handle the account authorisation and the selected picker, file, media, or meeting action. Only the items, links, meeting details, or media you decide to send are stored in M-Board chat. Google Meet call audio/video is handled by Google Meet, not recorded or stored by M-Board.
If you search for GIFs, the GIF search provider may receive the search term or technical request needed to return GIF results. The selected GIF becomes part of the chat only when you send it.
We may be required to disclose specific data if compelled by a valid legal order under Indian law. In such cases, we will comply only with the minimum data required by the order and will notify affected members to the extent permitted by law.
Data Retention
We retain data only for as long as it is needed for the purpose for which it was collected, or as required by our governance obligations.
| Data Type | Retention Period | Reason |
|---|---|---|
| Member profile (published) | Duration of publication; archived on membership end or admin action | Governance transparency record |
| Member profile (draft/archived) | Until deleted by administrator | Administrative continuity |
| Active member account | Duration of membership | Platform access |
| Account after membership ends | 6 months (anonymised after 12 months) | Governance record continuity |
| Election & poll records | Indefinite (governance archive) | Official association records |
| Proposal records | Indefinite (governance archive) | Official association records |
| Session logs (IP, device) | 90 days | Security monitoring |
| Audit logs | 2 years | Security & governance accountability |
| 2FA OTP tokens | Purged on use or within 10 minutes | Security - transient by design |
| Notification records | Until expiry date or 1 year | Communication record |
| Push notification device tokens | While active on the device/app scope, then until revoked, replaced, or cleaned up after inactivity or delivery failure | Device-specific push delivery and control |
| Chat conversations and messages | Duration of the conversation or until removed under platform rules and governance retention needs | Association communication continuity |
| Chat media and attachments | Until the related message, conversation, or file is deleted under platform rules and retention needs | Conversation context and shared-document continuity |
| Live location sessions | Active only until the selected duration ends, you stop sharing, or the session expires; message/session metadata may remain with the conversation record | Temporary location sharing and conversation context |
| Local chat drafts and retry cache | On your own device until sent, cleared, logged out, or removed by browser/PWA storage cleanup | Draft recovery and interrupted-send retry |
| Google Meet call metadata | As part of the related conversation history and call record, subject to platform retention; Google may separately retain Meet/Calendar data under its own terms | Call joining, audit context, and conversation continuity |
| Files | Until deleted by owner or admin | Document management |
| Grievance submissions | Resolution + 1 year | Governance accountability |
Your Rights Over Your Data
As a member of Madhunandan Association using M-Board, you have the following rights in relation to your personal data. Many of these can be exercised directly within the platform; others require a request to the IT department.
Access
View your profile, activity history, and session list directly in your account settings.
Correction
Update inaccurate profile information directly in Profile Management at any time.
Portability
Request a structured export of your personal data. Submit a request to the IT department.
Deletion
Request deletion of your account and associated data, subject to governance record retention obligations.
Session Control
Revoke any active session or all sessions instantly from your profile's device management panel.
Enquiry
Ask any question about how your data is handled. We will respond within 7 working days.
Changes to This Policy
We may update this Privacy Policy when the platform gains new features, when legal requirements change, or when our data practices are revised.
When we make a material change (one that affects your rights or how your data is handled), we will notify all members via an in-platform notification and update the "Last reviewed" date at the top of this page. Continued use of M-Board after notification constitutes acceptance of the revised policy.
Minor corrections (grammar, clarity, formatting) will be made without notification and will not change the effective date. All changes are governed by the association's IT Policy Committee and ratified where required by the governing board.
Contact & Concerns
If you have a question, concern, or request related to this Privacy Policy or your personal data across Madhunandan Association digital assets, please contact us through official association channels.
For data access requests, deletion requests, corrections, or any privacy concern, please reach out via the official association email. We aim to respond within 7 working days. For urgent security concerns, mark your email [URGENT PRIVACY].
contact@madhunandan.org.in