Data Principal Rights Management

v1.0 · major · Effective 14-04-2026 · Version history

This document provides implementation details for the account deletion and consent management procedures outlined in our Terms and Conditions "Terms" and "Privacy Policy" of the Blue Pencil Strategies Private Limited (“Company”). All actions taken under these procedures are governed by the comprehensive legal framework established in those documents. In case of any inconsistency, the Terms and Conditions and Privacy Policy shall prevail. For complete details on your rights, our obligations, and the legal framework governing our relationship please review our full Terms and Privacy Policy.

Key Rights of Data Principals:

1. Right to Access Information:

Data principals can request a summary of their personal data being processed, the processing activities, and the identities of all data fiduciaries and processors with whom the data has been shared.

1.1 Steps to access information: *
A. If no access to device is available:
a. Request Field Agent to Correct / Complete relevant data for a specific program
b. Field Agent logs in and selects specific Data Principal Name
c. Click on kebab menu and select “View Profile Data”
d. View Data

B. Alternatively, if access is available to device:
a. Log in to Lekha Via Web (lekha.tashi.in) / Mobile app giving Tashi ID
b. Select Program from landing page
c. Go to My Profile
d. View Information collected.

1.2 To protect your privacy and rights under applicable data protection laws in India, you will be asked to verify your identity through a code sent to your registered mobile number or email.

2. Right to Correction, Completion:

Individuals can request the correction of inaccurate data, completion of incomplete data, or updating of personal data.

2.1 Steps for correction:
a. Request Field Agent to Correct / Complete relevant data for a specific program
b. Field Agent logs in and selects specific Data Principal Name
c. Click on kebab menu and select “Edit Profile Data”
d. Field Agent enters OTP
e. Make corrections and Submit
f. Approver to approve ticket after checking with Data Principal

2.2 To protect your privacy and rights under applicable data protection laws in India, you will be asked to verify your identity through a code sent to your registered mobile number or email.

3. Deletion and Erasure of Account through Mobile Application

Data principals can withdraw their consent at any time, from a program.

3.1 Steps to withdraw (self)
a. Log in
b. Go to Settings
c. Select Delete Account - > Withdraw
d. Provide Reason and enter the OTP sent to the registered phone number
e. Approver to approve ticket after checking with Data Principal
f. Receive notification

3.2 Steps for Erasure or Deletion
a. If you are part of any active program, you must withdraw from the program before initiating Delete Account request. For full erasure from platform, repeat steps 3.1 a-to-f for ALL active programs
b. Click on “Delete”
c. Provide reason and confirm
d. Enter OTP
e. Data Principal will no longer have access to platform and data will be anonymized as per the law.

3.3 To protect your privacy and rights under applicable data protection laws in India, you will be asked to verify your identity through a code sent to your registered mobile number or email.

3.4 Deletion of Account request from platform will also be treated as an exercise of your right to withdrawal of consent from platform under applicable data protection laws.)

3.5 If you are part of any active program, you must withdraw from the program before initiating Delete Account request. Your withdrawal request will be reviewed by the Implementation Organisation(s) (IO/IOs). You will be notified of the outcome.

3.6 If your withdrawal request is approved, data processing for the specified purpose will be permanently halted.

3.7 If you are not in an active program, your account will be deactivated and flagged for deletion. Unless instructed otherwise by the relevant IO/IOs, your data will be retained only for a period as defined in the Terms and Conditions and Privacy Policy of the Company, to allow for contractual, audit or legal compliance, as permitted under applicable laws. After this, the account may be permanently deleted.

3.8 You will receive a confirmation 48 hours before your deletion request has been processed, subject to audit, legal and contractual exceptions.

4. Right to Grievance Redressal:

Data principals can raise complaints with the Data Fiduciary through an accessible mechanism (e.g., email, helpline)

4.1 Steps for grievance redressal:
a. Log in to Lekha Via Mobile app giving Tashi ID
b. From landing page, go to Settings -> Consent
c. Select specific Program
d. View Grievance Officer details
e. Contact by email / phone for any concerns

4.2 If your request to withdraw your consent is declined by the IO/IOs and you believe the decision was incorrect or unfair, you can reach out to your dedicated IO personnel and submit a formal grievance to the IO/IOs. The Company acts on behalf of the IO/IOs in fulfilling rights of Data Principals and executes only formally issued instructions received from them under applicable data protection laws.

4.3 The Platform has been built such that the request for enforcing the right to Access personal data/ right to seek Deletion can be provided to the Data Principals by the data collectors (i.e., volunteers/employees of IOs) whom the Implementation Organization has engaged for this specific purpose who can therefore, assist the Data Principals to access or delete their data. For this purpose, such data collectors i.e., volunteers/employees of IOs shall be considered a nominee duly authorized by the Data Principal.

4.4 Assisted Withdrawal of Participant through Vayam: * Assistant (IO engaged) Logs in to Vayam
a. Select the Program that has the participant enrolled
b. Select the participant. Select ‘Remove from Program’ from Kebab menu
c. Provide ‘Reason for Withdrawal’ and confirm withdrawal from the program.
d. Approver to approve ticket after checking with Data Principal
e. Receive notification

4.5 To protect your privacy and rights under applicable data protection laws in India, you will be asked to verify your identity through a code sent to your registered mobile number or email.

4.6 This request will be treated as an exercise of your right to withdraw consent under applicable laws. The Company will act in accordance with applicable laws, ensuring that all relevant data processing ceases unless retention is required under applicable law or valid program contract.

4.7 You may withdraw your consent at any time. However, doing so may affect your continued participation in the program or access to services or benefits that depend on the data for which consent was previously given.

4.8 Data already processed before withdrawal will not be reused for any new purposes and will be retained only as necessary for legal, audit, contractual or programmatic obligations as per applicable laws.

4.8.1 If you are part of an active program, your withdrawal request will be sent to the respective Implementation Organisation(s) (IO/IOs). You will be notified of the outcome.

4.8.2 If your request is approved, data processing for the specified purpose will be permanently halted.

4.8.3 If your request to withdraw your consent is declined by the IO/IOs and you believe the decision was incorrect or unfair, you can reach out to your dedicated IO personnel and submit a formal grievance to the IO/IOs. The Company acts on behalf of the IO/IOs in fulfilling rights of Data Principals and executes only formally issued instructions received from them under applicable data protection laws.

4.8.4 In rare cases where the IO/IOs fail to respond despite formal reminders, the Company may escalate the issue internally and take appropriate action within 90 calendar days, to uphold your data rights, in line with applicable laws.

4.8.5 You will receive a confirmation once your withdrawal of consent has been processed, subject to audit, legal and contractual exceptions.

4.9 Your request and our response will be logged securely for compliance and audit purposes as required by applicable data protection laws and the Company’s Privacy Policy