Privacy Policy
Effective 4 June 2026 · Written in plain English
This Privacy Policy explains what personal data Diaspora Dreams collects, why we collect it, how we use it, who we share it with, and the rights you have over it. It is written to comply with the UK General Data Protection Regulation, the EU GDPR, India's Digital Personal Data Protection Act 2023, the California Consumer Privacy Act, and equivalent rules in Canada and Australia.
If something here is unclear, write to us at privacy@diasporadream.com. We answer all privacy enquiries.
1. Who we are
Diaspora Dreams is an editorial publication for the Indian diaspora, available at diasporadream.com. For the purposes of data-protection law, Diaspora Dreams is the data controller for the personal data described in this policy — meaning we are the ones who decide how and why your data is used.
Editorial enquiries: see our contact page.
Privacy enquiries: privacy@diasporadream.com.
2. What data we collect and why
The site collects four kinds of personal data, each tied to a specific purpose:
- Newsletter signup — your email address, when you voluntarily subscribe to The Monthly. Used only to send you the newsletter and nothing else. Lawful basis: your consent. You can unsubscribe at any time via the link in every email.
- Contact and form submissions — name (optional), email, subject, and message, when you write to us through the contact form, the Ask the Newsroom form, or the Grievances form. Used to respond to your enquiry, to inform our journalism, and to identify patterns worth reporting. Lawful basis: legitimate interests (journalism) and, where relevant, your consent.
- Admin authentication — email address and a hashed password for staff who log in to the editorial admin panel, plus the standard session cookies set by our authentication system. Used only to keep authorised editors signed in. Lawful basis: contract and legitimate interests (running a publication).
- Server logs and minimal technical data — your IP address, browser user-agent string, and the URLs you request, recorded by our hosting provider (Vercel) and our database (Turso) for the ordinary purposes of running a website: security, fraud prevention, debugging, and aggregated readership counts. Lawful basis: legitimate interests.
We do not collect payment data — the site has no online checkout. We do not run behavioural advertising, retargeting, third-party trackers, or social media pixels. We do not sell personal data to anyone, ever. We do not use Google Analytics or any other behavioural analytics tool.
3. Cookies
The site uses a small number of strictly necessary cookies — for keeping authorised editors signed in, for preserving form state while you compose a message, and for the basic functioning of the website. These do not require consent under UK PECR or the EU ePrivacy Directive because they are essential to the service you have requested.
We do not use analytics cookies, advertising cookies, or any third-party tracking cookies. We do not embed third-party content (YouTube, Facebook, Twitter widgets) that would set their own cookies on your device. If this changes in future, this policy will be updated and, where required, we will ask for your consent.
4. How long we keep data
- Newsletter subscriptions — kept while you are subscribed. Removed within 30 days of unsubscribe.
- Form submissions — kept for as long as the enquiry is useful for editorial purposes, and in any case no longer than three years from receipt. Submissions that prompt published journalism may be retained in anonymised form indefinitely as part of our editorial archive.
- Admin accounts — kept for as long as the staff member is associated with the publication. Removed within 30 days of departure.
- Server logs — typically retained for 30 to 90 days by our hosting and database providers, in line with their standard policies.
5. Who we share data with
We share personal data only with the providers we need to run the publication. Each of them processes data on our instructions, under a contract, and for limited and defined purposes.
- Vercel Inc. — our hosting provider. Stores cached site content, serves pages, and keeps short-term server logs. Data centres in the US and Europe.
- Turso (ChiselStrike, Inc.) — our managed database provider. Stores articles, inquiries, newsletter subscribers, and admin accounts. Our database is hosted in the ap-south-1 AWS region (Mumbai, India).
- Vercel Blob — image storage for photos used in articles. Stored on Vercel's infrastructure.
- Auth.js — the authentication library running on our servers; no third-party authentication providers are used.
We do not share personal data with the Government of India, the Indian missions abroad, or any other government body — even when readers submit a grievance about a government process. Our grievances page says this plainly: we use grievances editorially only, and point you to the official channels you can use yourself.
We may disclose personal data if required to do so by a court order, a regulator with valid jurisdiction, or to protect the legal rights of the publication or others — and only to the minimum extent legally required.
6. International transfers
Because we serve a global diaspora, your personal data may be processed in jurisdictions outside your country of residence — primarily the European Economic Area, the United Kingdom, the United States, and India. Where relevant, we rely on the UK's adequacy decisions, the EU's Standard Contractual Clauses, and our providers' own transfer mechanisms to ensure your data continues to be protected to the standard required by law.
7. Your rights
Depending on where you live, you have rights over your personal data — most of which are similar across the major data-protection regimes:
- Access — ask us what personal data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure — ask us to delete your data (subject to limited journalism exceptions described below).
- Restriction — ask us to stop using your data while a dispute is resolved.
- Portability — ask us to give you your data in a portable format.
- Objection — object to processing based on legitimate interests.
- Withdrawal of consent — for processing based on consent (e.g. the newsletter), at any time.
- Lodging a complaint — with your national data-protection authority. In the UK, that is the Information Commissioner's Office (ico.org.uk). In India, the Data Protection Board under the DPDPA 2023.
To exercise any of these rights, write to privacy@diasporadream.com. We will respond within 30 days, or sooner where the law requires.
Journalism exception. Under UK GDPR Schedule 2, Part 5, and equivalent provisions in EU law and the India DPDPA, certain obligations are relaxed for processing carried out for the purposes of journalism. We rely on this exemption only where strictly necessary — principally to protect the integrity of editorial reporting, the confidentiality of sources, and the historical record of published work. We will tell you when we are relying on this exemption in response to a specific request.
8. India DPDPA — grievance contact
For the purposes of section 8(9) of the Digital Personal Data Protection Act, 2023, our grievance contact is privacy@diasporadream.com. We aim to acknowledge grievances within seven days and resolve them within thirty.
9. California residents
California residents have rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act — including the right to know what personal information we have collected about you, the right to delete it, the right to correct it, and the right to opt out of any “sale” or “sharing” of personal information. We do not sell or share personal information for cross-context behavioural advertising, so there is no opt-out to exercise — but you can still exercise the other rights by writing to privacy@diasporadream.com.
10. Children
Diaspora Dreams is not directed at children under 16, and we do not knowingly collect personal data from anyone under 16. If you believe a minor has provided personal data to us, please write to privacy@diasporadream.com and we will remove it.
11. Security
We take reasonable technical and organisational measures to protect your personal data, including encrypted transport (HTTPS), encrypted-at-rest storage with our providers, hashed passwords, scoped admin access, and security updates to our software dependencies. No system is perfectly secure, but we treat any breach involving personal data with the seriousness the law and basic decency require, and will notify affected users and the relevant regulators as required.
12. Changes to this policy
We will update this policy when our practices change. Material changes will be announced on this page and, where appropriate, by email to newsletter subscribers. The “effective” date at the top reflects the most recent material change.
13. Contact
Privacy enquiries: privacy@diasporadream.com
Editorial enquiries: contact page
Commercial enquiries: work with us
This policy was drafted in-house and reflects our actual practices as of the effective date. It is reviewed periodically; readers in jurisdictions with specific rules may wish to consult those rules independently. For binding interpretation, our legal counsel is the authoritative source.