Privacy Policy
Society: RAHMA FOUNDATION Registration number: MPM/159/2026 Office address: Pattarnadakavu, Ananthavoor P.O, Thirunavaya, Malappuram Dist, Kerala, India, Pin - 676301 Email: rahmafoundation.info@gmail.com Phone: +91 95263 33533 Effective date: June 3, 2026 Last updated: June 3, 2026 Version: 1.0
This Privacy Policy explains how RAHMA FOUNDATION ("Rahma," "we," "us," or "our") collects, uses, shares, stores, and protects personal data when you use Rahma's website, registration portal, mobile application, support channels, member services, and related digital services.
Rahma is a society registered in Kerala. The functioning of the Society is subject to the provisions of The Kerala Societies Registration Act, 2025.
1. Scope
This Privacy Policy applies to members, applicants, nominees, linked members, authorized representatives, staff users, public visitors, and other persons who interact with Rahma digital services.
This Policy covers:
- rahma-kmcc.com and public pages, including registration, support, privacy, terms, and virtual ID pages.
- The Rahma mobile application for members.
- Member registration, membership history, membership renewal, receipts, benefit requests, documents, profile photo updates, notifications, gallery, welfare information, contact-office information, and support requests.
- Backend systems, databases, cloud storage, Firebase services, analytics, diagnostic tools, payment processors, and other service providers used to operate Rahma services.
This Policy does not replace Rahma's membership rules, welfare-scheme rules, official records, applicable laws, or any separate notices given at the time of a specific service.
2. Definitions
For this Privacy Policy:
- App means the Rahma mobile application.
- Website means rahma-kmcc.com and related public web pages operated for Rahma services.
- Digital services means the App, Website, registration portal, support pages, APIs, notifications, and related systems.
- Member means a person recorded or applying to be recorded in Rahma's membership system.
- Applicant means a person submitting a registration request.
- Nominee means a person submitted or recorded as a nominee, beneficiary, or related contact under Rahma membership records.
- Linked member means a spouse or other member linked to a primary member record where Rahma rules permit such linkage.
- Benefit request means a welfare benefit request submitted, viewed, verified, processed, approved, rejected, paid, or recorded through Rahma systems.
- Membership renewal means renewal of membership validity, including renewal quotes, renewal orders, payment status, receipts, and related accounting records.
- Personal data means information relating to an identified or identifiable person.
- Processing means collecting, recording, storing, using, sharing, updating, deleting, or otherwise handling personal data.
- Data Fiduciary means the entity that determines the purpose and means of processing personal data under applicable Indian data protection law. Rahma is the Data Fiduciary for the personal data described in this Policy, except where a third-party service independently determines its own processing.
3. Information we collect
We collect personal data needed to operate Rahma services, maintain official records, process membership and benefit workflows, communicate with users, and meet legal and operational obligations.
3.1 Membership and identity information
We may collect and process:
- Name, family name, father's name, gender, marital status, date of birth, and age-related eligibility information.
- Phone number, WhatsApp number, email address, postal address, pincode, ward, panchayath, mandalam, district, and country code.
- Membership code, membership status, registration status, KMCC number, member validity dates, linked-member status, approval status, verification status, blocked or deceased status, and member history.
- Profile photo, identity-document type, identity-document images, document number, and document metadata.
- Firebase user identifier and authentication-related member identifier.
3.2 Registration information
When you submit a registration request through the Website or mobile WebView, we may collect:
- Phone number and country code.
- Identity-document front and back images.
- Profile photo.
- Name, family name, date of birth, gender, marital status, father's name, WhatsApp number, email address, KMCC number, and Emirates/location details where submitted.
- Address, pincode, ward, mandalam, and panchayath details.
- Nominee details, including nominee name, relationship, share percentage, and contact information.
- Spouse or linked-member details where submitted, including name, phone, family name, date of birth, gender, father's name, profile photo, and identity documents.
The registration portal may temporarily store form progress in browser session storage so that you can continue the registration flow during the same browser session. After successful submission, the registration flow clears the stored session data.
3.3 Nominee, spouse, and linked-member information
We may collect or display nominee, spouse, linked-member, dependent, family, or beneficiary information where Rahma's rules require or permit it. If you submit information about another person, you must have lawful authority or consent to do so.
3.4 Benefit request information
For benefit requests, we may collect and process:
- Benefit category, request number, request status, requested member, requesting member, panchayath, verification status, approval status, and request history.
- Date of death where relevant to a death-related benefit request.
- Bank account number, bank account holder name, bank name, bank branch, payment method, cheque number, cheque date, payment reference, payment date, approved amount, approved date, notes, documents, journal references, and related audit data.
- Uploaded supporting documents and file metadata.
3.5 Membership renewal, receipt, and payment information
For membership renewal and related payment workflows, we may collect and process:
- Renewal target type, target membership code, payer member, target member, selected member, linked-unit details, locked quote information, renewal amount, currency, campaign or standard classification, validity dates, business date, business timezone, order status, expiry time, payment mode, payment references, provider status, provider payload, receipt status, and receipt file information.
- Receipt number, receipt year, payment mode, payment reference, payment amount, date, receipt PDF metadata, membership reference, journal reference, and accounting records.
When a third-party payment processor is used, complete payment instrument details, such as full card numbers, CVV, net-banking credentials, UPI PINs, or bank passwords, are handled by the payment processor, bank, UPI participant, card network, wallet provider, or payment service provider. Rahma receives only the information needed to record, reconcile, verify, refund, or dispute the transaction.
3.6 Device, usage, notification, and diagnostic information
When you use the App or Website, we or our service providers may collect:
- Device type, device name, operating system, app version, browser information, network information, IP address, user agent, and usage logs.
- Firebase Cloud Messaging token, Firebase installation identifier, notification topic subscriptions, notification delivery information, and notification inbox data.
- Analytics, performance, crash, and diagnostic data used to monitor stability, diagnose errors, and improve services.
- Upload progress and file-transfer metadata for direct-to-cloud uploads.
3.7 Support and communication information
We may collect information you provide through phone, email, support requests, complaints, account deletion requests, payment disputes, benefit queries, or other communications, including supporting screenshots, transaction references, documents, and correspondence history.
4. How we use personal data
We use personal data for the following purposes:
- To verify identity, authenticate members, and secure user access.
- To process registration, membership verification, membership approval, membership renewal, linked-member records, nominee records, and member history.
- To display member profile, virtual ID, ID card, membership validity, receipts, linked-member details, nominees, gallery, welfare information, contact-office information, and notifications.
- To submit, verify, process, approve, reject, pay, audit, and report benefit requests.
- To generate and maintain receipts, ID cards, PDFs, journals, transactions, ledgers, reports, and other official records.
- To upload, store, retrieve, sign, validate, and display documents, profile photos, benefit documents, receipt files, ID cards, banners, gallery media, and welfare documents.
- To process membership renewal payments, receive payment status updates, reconcile transactions, investigate failed or disputed transactions, and process refunds or adjustments where applicable.
- To send OTPs, transactional alerts, renewal updates, receipt updates, benefit updates, security notices, support responses, service updates, and legal notices.
- To operate, secure, monitor, debug, improve, and maintain the App, Website, backend systems, and related services.
- To prevent fraud, misuse, unauthorized access, payment abuse, document misuse, identity misuse, and security incidents.
- To comply with applicable law, lawful requests, audit obligations, financial record-keeping, dispute resolution, and society governance requirements.
We do not sell personal data. We do not use personal data for third-party advertising sales.
5. Legal basis and lawful grounds
Rahma processes personal data on lawful grounds available under applicable law, including:
- Your consent, where required.
- Processing necessary to provide membership, registration, benefit, renewal, payment, receipt, support, and communication services requested by you or governed by Rahma's official records and rules.
- Processing necessary for legitimate organizational purposes, including system security, fraud prevention, service improvement, audit, and dispute handling, where permitted by law.
- Processing necessary to comply with legal, financial, accounting, regulatory, tax, court, government, law-enforcement, or society-governance obligations.
Where Indian digital personal data protection law applies, Rahma will handle digital personal data in accordance with the Digital Personal Data Protection Act, 2023, the Digital Personal Data Protection Rules, 2025, and phased implementation requirements applicable at the relevant time.
6. Sharing of personal data
We may share personal data only where necessary and lawful, including with:
- Authorized Rahma office bearers, staff, committee members, agents, volunteers, administrators, auditors, and representatives who need access for Rahma services or official records.
- Backend, hosting, cloud, database, storage, file-signing, email, notification, analytics, performance, crash-reporting, security, and support service providers.
- Firebase services for phone authentication, messaging, Firestore notification inboxes, installations, analytics, performance monitoring, crash diagnostics, and remote configuration.
- AWS services for S3 storage, signed upload and download URLs, photo validation, document extraction, generated receipt files, ID-card files, uploaded documents, profile photos, banners, gallery media, and related file metadata.
- Payment processors, banks, card networks, UPI participants, wallet providers, payment aggregators, and other payment-service providers where needed for membership renewal payment processing, reconciliation, refund, fraud prevention, or dispute handling.
- Apple App Store, Google Play Store, mobile operating systems, device platforms, mobile networks, and browser providers according to their own terms and privacy policies.
- Legal advisers, auditors, accountants, insurers, banks, regulators, government authorities, courts, law-enforcement agencies, and dispute resolution bodies where necessary.
- Other persons where you authorize or direct the sharing.
Third-party providers may process personal data under their own privacy policies where they act as independent controllers or fiduciaries.
7. App permissions and device access
The App may request permissions needed for its features:
| Permission or access | Purpose |
|---|---|
| Internet access | Required for login, member profile, registration WebView, membership history, benefit requests, renewal, receipts, gallery, notifications, support, and API calls. |
| Push notifications | Used for transactional and service notifications. You can disable this in device settings, but you may miss important updates. |
| Photos or media library | Used to select or upload profile photos, benefit documents, or other permitted media. |
| Document picker | Used to select files such as benefit documents or other supporting documents. |
| Firebase authentication and messaging identifiers | Used for phone authentication, notification delivery, app installation identity, and service diagnostics. |
The App does not request precise real-time location permission in the current mobile permission configuration. Address, panchayath, mandalam, country, and related location fields may still be collected as part of registration or member records.
8. Cookies, session storage, and similar technologies
The Website may use cookies, browser storage, analytics tags, and similar technologies to operate pages, remember form progress, support registration, measure usage, and maintain security.
The registration portal uses browser session storage for form progress, phone number, and nominee data during registration. Session storage can remain in your browser until it is cleared by the application, by you, or by the browser.
The App may use device identifiers, Firebase identifiers, push tokens, analytics SDKs, performance monitoring, crash reporting, and local state required for normal mobile operation.
9. File uploads and cloud storage
Rahma uses signed URLs so that files can be uploaded directly to cloud storage. Some file categories, such as profile, gallery, and general files, may be stored with public-read access where required for display. Other categories, including member documents, benefit request documents, and receipt files, are intended to be private and may be accessed through signed URLs or authenticated services.
Signed upload URLs are time-limited. File metadata may include S3 key, bucket, region, file name, file type, public URL where applicable, and the related member, benefit request, transaction, banner, gallery item, receipt, or ID-card record.
10. Data retention
We retain personal data for as long as necessary for the purposes described in this Policy, including:
- Membership administration and official society records.
- Registration, renewal, benefit request, nominee, linked-member, receipt, accounting, audit, and dispute records.
- Legal, financial, tax, accounting, regulatory, and reporting obligations.
- Fraud prevention, security monitoring, grievance handling, and dispute resolution.
- System logs, diagnostics, crash reports, analytics, and support records for operationally reasonable periods.
Rahma systems use soft-delete patterns for many operational records. This means that some records may be marked deleted or inactive while retained in the database for audit, recovery, reconciliation, legal, or operational reasons.
When retention is no longer required, we will delete, anonymize, archive, or restrict personal data in a manner appropriate to the data type, applicable law, and Rahma's official record requirements.
11. Security
We use reasonable technical and organizational safeguards to protect personal data against unauthorized access, loss, misuse, alteration, and disclosure. These safeguards may include:
- Authentication through Firebase Phone Auth for member-facing services and backend-issued access tokens for staff/admin services.
- Role-based access controls for staff/admin workflows.
- Backend authorization checks for protected routes.
- Time-limited signed URLs for upload and download operations.
- Secure transmission over HTTPS where services are deployed over HTTPS.
- Service monitoring, diagnostics, crash reporting, and security review processes.
- Internal access limits based on role, need, and operational responsibility.
No internet or electronic storage system is completely secure. You are responsible for keeping your device, OTPs, login session, payment credentials, and communication channels secure.
12. Your rights and choices
Subject to applicable law and Rahma's lawful retention obligations, you may request:
- Access to personal data held about you.
- Correction or update of inaccurate or incomplete personal data.
- Deletion or restriction of personal data where permitted.
- Withdrawal of consent where processing is based on consent.
- Information about how your personal data is processed.
- Grievance redressal for privacy or data-processing concerns.
We may need to verify your identity before acting on a request. We may decline, limit, or delay a request where retaining or processing data is necessary for official records, membership administration, legal compliance, accounting, audit, dispute resolution, fraud prevention, or another lawful purpose.
13. Account and data deletion requests
You may request deletion of your Rahma digital account or related personal data through the account deletion request form.
Deletion of a digital account or app access does not automatically cancel membership, erase official society records, delete payment or receipt records, remove benefit request records, remove nominee or linked-member records, or waive obligations that Rahma must retain or enforce under applicable law and official rules.
After receiving a verified deletion request, Rahma will review the request and delete, deactivate, anonymize, restrict, or retain data according to applicable law, society records, operational requirements, and lawful retention needs.
14. Children's privacy
Rahma digital services are intended for members, applicants, nominees, authorized representatives, and persons who can lawfully provide information under applicable rules. If personal data of a minor is submitted as part of nominee, family, dependent, linked-member, or other records, the person submitting it must have lawful authority or guardian consent where required.
If you believe a minor's personal data has been submitted without proper authority, contact Rahma using the details in this Policy.
15. International access and transfers
Rahma services may be accessed by users in India, the United Arab Emirates, and other locations. Personal data may be stored, processed, or accessed in India or other jurisdictions where Rahma's service providers, cloud infrastructure, payment processors, Firebase services, app stores, or support systems operate.
Where applicable law requires safeguards for cross-border processing or transfer, Rahma will apply the required safeguards according to the relevant law and service-provider arrangements.
16. Third-party links and services
Rahma digital services may link to or depend on third-party websites, payment interfaces, app stores, banks, UPI applications, wallet applications, device platforms, social media, or other services. Their privacy practices are governed by their own policies. Rahma is not responsible for third-party practices except where applicable law makes Rahma responsible.
17. Changes to this Privacy Policy
Rahma may update this Privacy Policy from time to time to reflect changes in law, services, technology, payment systems, membership processes, or operational requirements.
When we update this Policy, we will update the "Last updated" date. Material changes may also be communicated through the Website, App, email, notification, or another reasonable channel where required.
18. Contact and grievance information
For privacy questions, data requests, account deletion requests, complaints, or grievances, contact:
RAHMA FOUNDATION Pattarnadakavu, Ananthavoor P.O, Thirunavaya, Malappuram Dist, Kerala, India, Pin - 676301 Registration number: MPM/159/2026 Email: rahmafoundation.info@gmail.com Phone: +91 95263 33533
Rahma will review requests and grievances in good faith and respond in accordance with applicable law and operational requirements.