Privacy Policy | EduGradUP — School Management Software

यह Privacy Policy EduGradUP ERP Technologies (Proprietorship, GSTIN: 09AJKPY6406F1ZS, Registered Office: Azamgarh, Uttar Pradesh, India — इसके बाद "Company", "हम", "हमारा", या "EduGradUP") द्वारा संचालित वेबसाइट schoolsoftwareindia.com और EduGradUP mobile/desktop applications (collectively "Platform") पर applicable है।

यह Policy Digital Personal Data Protection Act, 2023 (DPDPA), Information Technology Act, 2000 (IT Act), Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules), और अन्य applicable Indian laws के compliance में drafted है।

Platform use करके या अपना data provide करके, आप इस Privacy Policy से agree करते हैं। यदि आप agree नहीं करते, तो कृपया Platform use न करें।

1. Definitions (परिभाषाएँ)

"Data Fiduciary" — EduGradUP ERP Technologies, जो data collection का purpose और means determine करता है (DPDPA Section 2(i))
"Data Principal" — वह व्यक्ति जिसका personal data process किया जाता है — school admin, teacher, parent, या student (DPDPA Section 2(j))
"Data Processor" — कोई भी third-party जो हमारी ओर से data process करता है (cloud hosting, SMS gateway, payment gateway)
"Personal Data" — कोई भी data जिससे किसी व्यक्ति को identify किया जा सके — name, email, phone, address, Aadhaar (masked), photographs, etc.
"Sensitive Personal Data" (SPDI) — Passwords, financial information (bank account, UPI), biometric data, health records, और Aadhaar number
"School" — कोई भी educational institution (school, college, coaching center) जो EduGradUP Platform पर register करता है

2. Data Fiduciary की जानकारी (Who We Are)

Entity Name	EduGradUP ERP Technologies
Type	Proprietorship
GSTIN	09AJKPY6406F1ZS
Registered Office	Azamgarh, Uttar Pradesh, 276001, India
Website	schoolsoftwareindia.com
Support Email	support@schoolsoftwareindia.com
Phone / WhatsApp	+91 96280 30291

3. हम कौन सा Data Collect करते हैं

A. School Registration Data

School का नाम, board (CBSE/ICSE/State), UDISE code, address, city, state, pin code
Contact person (Principal/Admin) का नाम, designation, email, mobile number
Approximate student count और modules selected

B. Educational & Administrative Data (School द्वारा Enter किया गया)

Student Records: Name, class, section, roll number, date of birth, gender, blood group, religion, caste category, nationality, parent/guardian names, phone numbers, address, photographs, Aadhaar (last 4 digits only), previous school details, admission date
Attendance Records: Daily attendance status (present/absent/late/half-day), date, time, marked-by
Fee & Financial Data: Fee structures, payment records, receipt numbers, payment mode (UPI/cash/card/bank), outstanding amounts, concessions/discounts, GST details
Examination Data: Exam schedules, marks/grades, report cards, rank lists, term results, co-scholastic grades
Staff Data: Employee name, designation, department, qualification, experience, joining date, salary/payroll details, bank account (for salary processing), PAN, Aadhaar (masked), photograph
Transport Data: Bus routes, stop names, vehicle details, driver/conductor information, student-to-route mapping
Communication Records: SMS/WhatsApp messages sent, notifications, circular content, parent feedback

C. Automatically Collected Data (Technical)

IP address, browser type & version, operating system, device type (mobile/desktop)
Pages visited, features used, session duration, click patterns
Referral source (Google search, direct, ad campaign)
Error logs and crash reports (for debugging)

D. Third-Party Data

Payment confirmation data from payment gateways (Razorpay/UPI) — transaction ID, amount, status
SMS/WhatsApp delivery reports from messaging providers

4. Data Collection का Legal Basis

DPDPA 2023 के under, हम data निम्नलिखित lawful bases पर process करते हैं:

Consent (सहमति): Registration और platform use के दौरान explicit consent लिया जाता है
Contractual Necessity: Service provide करने के लिए (subscription agreement fulfill करने हेतु)
Legal Obligation: Tax (GST), accounting, और regulatory compliance के लिए
Legitimate Interest: Platform security, fraud prevention, और service improvement (analytics) — जब तक यह Data Principal के rights से अधिक न हो

5. हम Data का Use कैसे करते हैं

Purpose	Data Used
Core service delivery (ERP features)	Student, attendance, fees, exam, staff data
Account creation & authentication	Email, password (hashed), mobile, OTP
SMS/WhatsApp notifications	Mobile numbers, message content (attendance alerts, fee reminders)
Fee collection & invoicing	Fee amounts, GST, payment details, receipt generation
Report cards & certificates	Student name, marks, class, school logo
Customer support	Name, email, phone, issue description
Platform improvement (analytics)	Usage patterns, feature popularity (anonymized/aggregated)
Legal compliance	As required by applicable law — GST returns, audit trail
Marketing & communication	Email, phone (only with consent; opt-out available)

6. Data Security (डेटा सुरक्षा)

हम IT Act 2000 Section 43A और SPDI Rules 2011 Rule 8 के compliance में "reasonable security practices" implement करते हैं:

Technical Measures:

SSL/TLS (HTTPS) — सभी data transit में 256-bit encrypted रहता है
AES-256 Encryption at Rest — Aadhaar, PAN, bank account जैसे sensitive fields database में encrypted store होते हैं
Schema Isolation (Multi-Tenant Architecture) — हर school का data अलग PostgreSQL schema में isolated है। एक school दूसरे school का data कभी access नहीं कर सकता, चाहे application-level bug हो
Password Hashing — Passwords bcrypt/PBKDF2 algorithm से hashed store होते हैं; plain text में कभी store नहीं होते
Role-Based Access Control (RBAC) — School Admin, Teacher, Student, Parent — हर role के लिए अलग permissions
Rate Limiting & DDoS Protection — API endpoints पर request throttling
Audit Trails — Critical operations (marks edit, fee modification, attendance change) का complete audit log maintain होता है including who, what, when

Organizational Measures:

Daily Automated Backups — Encrypted backups geographically separate location पर
Access Control — EduGradUP team members को minimum-necessary access principle पर access दिया जाता है
Incident Response Plan — Data breach की स्थिति में defined response procedure
Secure Development Practices — OWASP Top 10 compliance, code reviews, dependency scanning

Disclaimer: कोई भी security system 100% impenetrable नहीं है। हम reasonable measures लेते हैं, लेकिन absolute security guarantee नहीं कर सकते। Data breach होने पर Section 12 देखें।

7. Data Sharing & Third-Party Disclosure

हम आपका personal data किसी third-party को sell, rent, trade, या बेचते नहीं हैं। Data केवल निम्नलिखित limited circumstances में share होता है:

Third Party	Data Shared	Purpose	Safeguard
Cloud Hosting Provider (AWS Mumbai Region)	All platform data	Infrastructure / Hosting	Data Processing Agreement; AWS SOC-2 certified; data stays in India
SMS Gateway (MSG91 / similar)	Mobile numbers, message text	Attendance alerts, fee reminders	Contractual data protection obligations
WhatsApp Business API Provider	Mobile numbers, message content	Notifications, parent communication	Meta Business compliance; end-to-end encryption
Payment Gateway (Razorpay / similar)	Transaction amount, order ID	Payment processing (UPI, card, netbanking)	PCI-DSS Level 1 certified; RBI guidelines compliant
Email Service Provider	Email address, email content	Transactional emails, OTP, receipts	Data Processing Agreement
Analytics (Google Analytics)	IP (anonymized), device, pages visited	Website usage analysis	IP anonymization enabled; no PII shared
Law Enforcement / Government	As required by law	Legal compliance	Only on valid court order, warrant, or statutory requirement

सभी third-party Data Processors contractual obligations से bound हैं कि वे data केवल specified purpose के लिए use करें और adequate security measures implement करें।

8. Data Retention & Deletion (डेटा संग्रहण अवधि)

Data Category	Retention Period	After Retention
Active subscription data	Subscription period तक	See below
Post-cancellation data	90 calendar days after subscription end	Permanently deleted (database + backups)
Financial/tax records (invoices, GST)	8 years (as per GST Act & Companies Act)	Archived, then deleted
Audit trail / security logs	2 years	Purged
Marketing communication consent	Until consent withdrawn	Immediately deleted
Support tickets	3 years from resolution	Anonymized / deleted
Website analytics	26 months (Google Analytics default)	Auto-purged by Google

School अपने subscription period के दौरान या 90-day grace period में किसी भी समय data export (CSV/Excel format) request कर सकता है। Export request 72 hours के अंदर fulfill किया जाएगा।

9. Cross-Border Data Transfer

Primary hosting: सभी data AWS Mumbai (ap-south-1) region में store होता है — India में ही रहता है।

कुछ third-party services (Google Analytics, email delivery) data outside India process कर सकती हैं। ऐसे cases में DPDPA Section 16 और applicable regulations का compliance ensure किया जाता है, जिसमें:

Data Processing Agreements with Standard Contractual Clauses
Adequacy decisions (where applicable)
यदि Central Government कोई specific country restrict करे, तो transfer immediately stopped

10. Children's Privacy (बच्चों की गोपनीयता)

EduGradUP एक school management platform है। Students (minors under 18) का data school administration की authorization और responsibility के under store होता है।

हम directly children से data collect नहीं करते
School Data Principal (school administration) responsible है parents/guardians से appropriate consent लेने के लिए (DPDPA Section 9)
Student data केवल educational और administrative purposes के लिए use होता है
Student data कभी भी advertising, profiling, या marketing के लिए use नहीं होता
Parent/Guardian request पर student data delete/export किया जा सकता है (school admin के through)

11. Cookies & Tracking Technologies

Essential Cookies (हमेशा active):

Session cookie — Login session maintain करने के लिए (expire: browser close पर)
CSRF token — Security — form submissions को protect करने के लिए
JWT token — API authentication (expire: 24 hours)

Analytics Cookies (optional):

Google Analytics (_ga, _gid) — Website usage patterns track करने के लिए (anonymized IP)

आप browser settings से non-essential cookies disable कर सकते हैं। Essential cookies disable करने से login और core features काम नहीं करेंगे।

12. Data Breach Notification

IT Act 2000 Section 43A और DPDPA 2023 Section 8(6) के अनुसार, data breach होने पर:

Data Protection Board of India (DPBI) को breach discovery के 72 hours के अंदर notify किया जाएगा
Affected Data Principals (schools, users) को email/WhatsApp से breach की nature, scope, और remedial steps बताए जाएंगे
Breach investigation report maintain किया जाएगा
Remedial measures (password resets, enhanced monitoring) तुरंत implement किए जाएंगे

13. आपके Rights (DPDPA 2023 & IT Act के अंतर्गत)

आपको अपने personal data पर निम्नलिखित rights हैं:

Right to Access (DPDPA Section 11) — अपना stored data देखने का अधिकार। Request पर 30 days में response
Right to Correction (DPDPA Section 11) — गलत, incomplete, या outdated data correct करवाने का अधिकार
Right to Erasure (DPDPA Section 12) — Data delete करवाने का अधिकार, subject to legal retention obligations
Right to Data Portability — अपना data structured, machine-readable format (CSV/Excel) में download करने का अधिकार
Right to Withdraw Consent — कभी भी consent withdraw करने का अधिकार। Withdrawal से पहले की processing lawful रहेगी
Right to Nominate (DPDPA Section 14) — Death/incapacity की स्थिति में nominee designate करने का अधिकार
Right to Grievance Redressal (DPDPA Section 13) — Data Fiduciary से complaint करने का, और unsatisfied होने पर Data Protection Board of India (DPBI) को complaint करने का अधिकार

Rights exercise करने के लिए: support@schoolsoftwareindia.com पर email करें या WhatsApp (+91 96280 30291) पर message करें। हम 30 days के अंदर respond करेंगे।

14. Grievance Officer (शिकायत अधिकारी)

IT (Intermediary Guidelines) Rules, 2021 Rule 4 और DPDPA 2023 के compliance में, निम्नलिखित व्यक्ति Grievance Officer नियुक्त किया गया है:

Name	Vinod Kumar Yadav
Designation	Founder & Grievance Officer
Email	grievance@schoolsoftwareindia.com
Phone / WhatsApp	+91 96280 30291
Response Time	Acknowledgment within 24 hours; resolution within 30 days
Address	EduGradUP ERP Technologies, Azamgarh, Uttar Pradesh, 276001, India

यदि Grievance Officer से satisfactory response नहीं मिलता, तो आप Data Protection Board of India (DPBI) को complaint file कर सकते हैं।

15. Changes to This Policy

हम समय-समय पर यह Privacy Policy update कर सकते हैं
Material changes होने पर सभी registered schools को email और WhatsApp notification भेजा जाएगा, कम से कम 15 दिन पहले
"Last updated" date page पर updated रहेगी
Updated policy के बाद continued use = acceptance of updated policy

16. Governing Law & Jurisdiction

यह Privacy Policy Republic of India के laws से governed होगी, जिसमें शामिल हैं:

Digital Personal Data Protection Act, 2023 (DPDPA)
Information Technology Act, 2000 (और amendments)
IT (Reasonable Security Practices) Rules, 2011 (SPDI Rules)
IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021
Consumer Protection Act, 2019

किसी भी dispute का exclusive jurisdiction Azamgarh, Uttar Pradesh, India की competent courts होंगी।

17. Contact Us

Privacy related कोई सवाल, request, या complaint हो तो:

📧 Email: support@schoolsoftwareindia.com
📧 Grievance: grievance@schoolsoftwareindia.com
📞 Phone: +91 96280 30291
💬 WhatsApp: Chat Now
📍 Address: EduGradUP ERP Technologies, Azamgarh, Uttar Pradesh, 276001, India

Privacy Policy / गोपनीयता नीति