Effective from 17 September 2025
Our Privacy Commitment
At SchoolPad, your privacy is a priority. We have never sold your information for advertising purposes, nor have we profited by showing you third-party advertisements—and we never will. This has been our unwavering commitment since our inception over a decade ago, and it continues to guide how we build and operate our services.
This Privacy Policy ("Policy") explains how SchoolPad Technologies Private Limited (hereinafter referred to as "SchoolPad," "we," "us," "our"), a company registered under CIN U72900PB2013PTC037604, collects, processes, stores, secures, and shares personal data on SchoolPad and related applications (collectively, the "Application(s)").
For the purpose of this Policy:
-
- Customer: refers to educational institutions, schools, colleges, training centres, or any organization that contracts with SchoolPad to use our services.
- User(s): refers to individuals such as administrators, teachers, staff, students, parents, or guardians who access or use the Application, either directly or through a Customer’s account.
In accordance with the Digital Personal Data Protection Act, 2023, SchoolPad primarily acts as a Data Processor, processing personal data on behalf of and under the instructions of the Customer, who serves as the Data Fiduciary with respect to such data. In certain limited circumstances, SchoolPad may act as a Data Fiduciary, such as when directly collecting information for account setup, billing, or customer support.
Whenever you access or use the Application, this Policy provides transparency about how your personal data is collected, processed, and secured. If you are a parent/guardian of a minor or are accessing the Application on behalf of a Customer, please note that the institution (the Customer) remains primarily responsible for obtaining and managing the necessary consent, while SchoolPad processes such data strictly on their instructions and in compliance with applicable law.
1. Data Collection and Processing
1.1 Personal information is entrusted to us by our customers for the purpose of setting up and maintaining the system. Our customers own all data. The Customer uploads different types of data onto our platform including but not limited to personal information (full name, contact details, email addresses, phone numbers, user login credentials, and optional profile pictures), student-related information (academic records, performance data, attendance information, class schedules, assignments, and examination results), administrative information (fee payment records, transport route details, library usage data, and event participation), and where required, health-related information (medical conditions relevant to activities, allergies, dietary restrictions, and immunization records).
1.2 During the onboarding and implementation process, we may collect data including:
- Information you provide directly:
When you sign up for any of SchoolPad’s software or services, or contact us for customer support, you may provide personal and contact information such as:
- Your name
- Phone number
- Email address
- Organisation/school details
This information is used for purposes such as account setup, service implementation, billing, and customer support.
- Information about end users (parents, students, and staff):
During the onboarding and implementation process, we may collect personal data of students, parents, and staff members as required to configure the software in accordance with the Customer’s requirements and solely to fulfill the purpose set by the Client. This data is:
- Collected only to fulfill service obligations
- Processed solely under the instructions of the Customer
- Not used for any purpose other than the intended educational service delivery
Such information is typically collected through email or messaging platforms (e.g., WhatsApp), and is shared in formats such as Excel files within our internal departments.
We do not collect any data beyond what is necessary, and all data is handled in accordance with applicable data protection laws.
1.3 Certain mobile applications provided by SchoolPad may, with your consent, access device features such as the camera, microphone, photo gallery, location data, contacts, and local files to enable specific functionalities within the application (e.g., uploading student photos, enabling location-based attendance). Such access is subject to the permissions you grant and can be revoked at any time through your device settings.
1.4 Our Customers may upload new types of data onto our platform at their discretion. We do not request specific data beyond what is necessary for initial setup, but simply provide the platform on which such data is stored. Data is subsequently uploaded by authorized users of the Customer.
1.5 The responsibility for obtaining explicit consent from Users or legal guardians for sensitive personal data, particularly for minors under 18 years of age, primarily rests with our Customers. Our contracts with Customers explicitly require them to obtain all necessary consents before uploading sensitive personal data to our platform. SchoolPad reserves the right to suspend processing of data categories for which proper consent documentation cannot be verified.
1.6 User-Entered Data
In addition to data provided by Customers, Users may directly enter or update information on the Application. Examples include updating personal profiles, uploading documents, submitting assignments, applying for leave, making fee payments, communicating through built-in features etc. All User-entered data is processed and stored with the same level of security and in accordance with this Policy, under the governing instructions of the Customer.
2. Purpose of Data Processing
2.1 We process personal data exclusively for the purposes specified by our Customers, including but not limited to: providing and maintaining our educational management services through our software and mobile apps by facilitating the creation and management of student, teacher, and parent accounts, enabling the tracking of academic progress and generation of report cards, facilitating communication between Customers, teachers, and parents, supporting the management of administrative functions (fees, attendance, etc.), analysing usage patterns to improve our Application, responding to inquiries and support requests, and complying with legal obligations and regulatory requirements. SchoolPad processes this information solely on behalf of the Customer, who acts as the Data Fiduciary under the Digital Personal Data Protection Act, 2023, while SchoolPad acts as the Data Processor, bound by the instructions of the Customer.
2.2 We collect and process your personal data only when we have a valid legal basis to do so. In most cases, this is either because you have given us your consent, or because the data is necessary to fulfil a contract or service agreement you or your institution has entered into with us. In certain cases, we may rely on our legitimate business interests—such as improving our services, ensuring operational security, or communicating important service-related information—or to comply with legal obligations.
2.3 We strictly adhere to the principles of purpose limitation and data minimization, ensuring only necessary data is processed for the specified purposes.
3. Ownership and Control of Service Data
3.1 We recognize that all Service Data is owned by the Customer. SchoolPad provides Customers full control over their Service Data, including the ability to access and review the data stored, export the data upon request, request correction or deletion of the data, and configure sharing settings with authorized users or third-party integrations.
3.2 SchoolPad processes Service Data strictly in accordance with the Customer's instructions and does not use it for any purpose other than to provide, maintain, and support the services.
4. Consent Management
4.1 The primary responsibility for obtaining explicit, informed consent for data collection, processing, and usage rests with our customers. As part of our contractual agreements with Customers, we require them to: a) Obtain and maintain all necessary consents from Users or their legal guardians for the processing of personal data, especially sensitive personal data; b) Implement appropriate processes for collecting and documenting such consent; c) Ensure that consent is freely given, specific, informed, and unambiguous; and d) Provide evidence of such consent upon reasonable request.
4.2 For users under 18 years of age, our customers are contractually obligated to obtain verifiable consent from parents or legal guardians in accordance with the governing laws, before uploading or processing any personal data of such minors on our platform.
4.3 While the primary responsibility for consent lies with our customers, we may provide consent management tools within our platform to facilitate the process and maintain records of consent where applicable.
4.4 You may withdraw your consent at any time by contacting our designated Grievance Officer. In most cases, requests to withdraw consent will be directed to the relevant Customer as they are the primary data fiduciary.
4.5 Please note that withdrawal of consent may impact our ability to provide certain services.
5. Data Storage and Security
5.1 Data is securely stored on Amazon Web Services (AWS) infrastructure, with primary data centres located in Singapore, India, and the United States.
5.2 We implement comprehensive technical and organizational security measures including HTTPS/SSL encryption for all data transmission, AES-256 encryption for stored data, two-factor authentication (2FA) for all administrative access, role-based access controls for internal staff, regular penetration testing and vulnerability assessments, automated threat detection systems, regular security audits by independent third parties, and online backups maintained for disaster recovery.
5.3 We also maintain a robust data breach response protocol that includes immediate isolation of affected systems, investigation and containment procedures, notification process for affected users and authorities, and post-incident analysis and preventive measure implementation.
6. Data Sharing and Third-Party Integrations
6.1 As per the requirements of the Customer, data might be shared with third party APIs including payment processing providers to facilitate fee payments, communication service providers (SMS, email, WhatsApp APIs), cloud infrastructure providers, and analytics providers (in anonymized or aggregated form).
6.2 Data sharing is limited to fulfilling the service requirements of Customers, processing necessary transactions, facilitating communication functions, technical hosting and infrastructure needs, and improving Application performance (anonymized data only).
6.3 We do not sell, rent, or lease personal data to third parties for marketing purposes.
6.4 All third-party service providers are contractually obligated to use data only for specified purposes, implement adequate security measures, comply with relevant data protection laws, and delete or return all personal data upon service termination.
6.5 Authorized employees and contractors of SchoolPad Technologies may be given limited access to Service Data only for the purposes of resolving support queries, performing system maintenance, or onboarding new data. Access is role-based, logged, and audited. All personnel are bound by confidentiality obligations and are trained in data protection and privacy compliance.
7. Data Retention
7.1 We retain personal data only for as long as necessary to fulfil the purposes for which it was collected.
7.2 Specific retention periods include active account data (for the duration of your account plus 90 days), transaction records (7 years, as required by financial regulations), communication logs (2 years), and technical logs (90 days).
7.3 Upon termination of services or account closure, you have three months to download your data via our excel export tool available across the software.
7.4 After this period, your personal data will be permanently deleted from our active systems, though anonymized or aggregated data may be retained for analytical purposes.
7.5 For Service Data, we retain it for as long as the Customer's account remains active. Upon termination of the account, the data is archived and permanently deleted from our active databases in accordance with a defined retention policy. Typically data is removed from active systems within 3 months of account termination, and data backups are purged within an additional 3-month cycle. Earlier deletion requests can be honoured upon verified instruction from the Data Fiduciary.
8. User Rights and Data Principal Requests
8.1 In accordance with the applicable data protection laws, you have the right to: a) access your personal data: request confirmation of whether we process your personal data and access your information, b) correct your data: request correction of inaccurate or incomplete personal data, c) request erasure: deletion of your personal data under specific circumstances, d) restrict processing: request limitation of how we use your data in certain scenarios, e) data portability: request transfer of your personal data in a machine-readable format, and f) object to certain types of processing based on your particular situation.
8.2 If you are a Data Principal (i.e., an individual whose personal data is being processed) and believe that SchoolPad is processing your personal data on behalf of a Customer (such as your school or educational institution), we request that you contact the respective institution directly. As the Data Fiduciary, they are responsible for responding to requests for access, correction, erasure, or grievance redressal under the DPDP Act.
8.3 SchoolPad acts solely as a Data Processor for Service Data, and will provide all reasonable support to the Customer in fulfilling such requests in accordance with applicable law and within a reasonable timeframe.
8.4 To exercise any of these rights for data where SchoolPad acts as a Data Fiduciary, please contact our Grievance Officer. Please note that access to your data may be limited by Customer policies, including but not limited to restrictions related to account status.
9. Special Provisions for Children's Data
9.1 We recognize the sensitivity of children's personal data and implement additional protections.
9.2 We require our customers to obtain parental/guardian consent for all users under 18 years. We may provide age-appropriate privacy notices, apply enhanced security measures to children's data, strictly limit data processing to educational purposes only, send no marketing communications to children, and ensure no automated decision-making affecting children without human oversight.
10. Grievance Redressal
10.1 For any concerns or grievances regarding your personal data or this Policy, please contact our designated Grievance Officer: Abhiraj Malhotra, Grievance Officer, SchoolPad Technologies Private Limited, SCO 46, Sector 80, Mohali, Punjab-160062, Email: grievance@schoolpad.in, Phone: +91-9769660000.
10.2 We commit to acknowledging all grievances within 48 hours, providing an initial response within 7 business days, resolving grievances within 15 business days of receipt, and escalating unresolved issues to senior management for further review.
11. Data Breach Notifications
11.1 In the event of a personal data breach that poses a risk to user rights and freedoms, we will: a) Notify affected Users without undue delay (typically within 72 hours of discovery), b) Inform the Data Protection Board of India as required by law, c) Provide details regarding the nature of the breach, likely consequences, and measures taken, and d) Offer guidance on how affected users can protect themselves.
12. Cross-Border Data Transfers
12.1 Personal data may be transferred across international borders under safeguards including transfer to countries recognized as providing adequate protection, implementation of Standard Contractual Clauses, Binding Corporate Rules for intra-group transfers, and explicit consent for specific transfers where appropriate.
12.2 We primarily maintain data within India, with servers from Amazon Web Services hosted in Singapore and the United States. For customers in Canada we use Amazon Web Services servers hosted in Canada . All transfers comply with cross-border transfer provisions.
13. Cookies and Tracking Technologies
13.1 We utilize several types of cookies and similar technologies: a) essential cookies are required for Application functionality, b) preference cookies to remember your settings and preferences, c) analytics cookies that help us understand usage patterns, and d) session cookies to maintain your login session security.
14. Amendments to this Policy
14.1 We review this Privacy Policy periodically and may update it to reflect changes in our practices or legal requirements. Significant changes may be communicated through email notifications to registered users, prominent notices on our Application, and update notifications in your account dashboard.
14.2 Continued use of the Application after notification of updates implies acceptance of the revised Policy.
14.3 The effective date at the top of this document indicates when it was last updated.
15. Governing Law
15.1 This Privacy Policy is governed by the laws of India, particularly the Digital Personal Data Protection Act, 2023, and other applicable data protection regulations.
15.2 Any disputes related to this Policy shall be subject to the exclusive jurisdiction of competent courts in S.A.S Nagar, Punjab.
15.3 If you have any questions about this Privacy Policy, please contact us at grievance@schoolpad.in or through the Grievance Officer details provided above.
