Privacy Policy

This Privacy Policy is published by UniSyft Technologies Pvt. Ltd. ("UniSyft", "edSyft", "we", "us", or "our"), the creator and operator of the edSyft school network ERP platform.

This Policy applies to:

• edsyft.com — our public marketing website, where prospective customers request demos
• app.edsyft.com — the edSyft platform used by school networks, their staff, students, and parents

This Policy governs how we collect, use, store, share, and protect personal data, and explains the rights available to individuals under the Digital Personal Data Protection Act, 2023 ("DPDP Act") and the DPDP Rules, 2025.

By using our website or platform, you acknowledge that you have read and understood this Policy.

Under the DPDP Act, 2023, two distinct roles govern personal data processing:

This means your school (as Data Fiduciary) bears primary responsibility for ensuring a lawful basis exists before uploading personal data to edSyft. edSyft (as Data Processor) processes that data solely to provide the platform service, strictly under the school's instructions and our agreed terms.

Students and parents who have questions about how their school uses their data should contact their school administration first. Direct requests to edSyft are also accepted — see Section 15.

3A. Marketing Website (edsyft.com)

When you submit a demo request via our website, we collect:

We use Resend (email delivery service) to forward your request to our sales team. No data is stored in a database by the marketing website — it is transmitted by email and retained by our team in email only. We do not use cookies, analytics, tracking pixels, or any third-party scripts on edsyft.com.

3B. edSyft Platform (app.edsyft.com)

Authentication Data

Users log in using their email address or mobile phone number. A one-time password (OTP) is sent for verification. No passwords are stored. The email/phone number is your account identifier and is used solely for authentication and account management.

Staff & Administrator Data

• Full name, work email, phone number
• Assigned role (e.g., Principal, Accountant, Teacher)
• Organisation and campus assignments
• Profile picture (optional, stored in AWS S3)

Student Personal Data

• Full name, date of birth, gender
• Admission number, roll number, class, section, academic year
• Permanent and current residential address
• Blood group (Sensitive — see Section 4)
• Caste / category (Sensitive — see Section 4)
• Aadhaar number (Sensitive — see Section 4)
• Previous school records, TC number
• Academic performance records
• Nationality, religion

Parent / Guardian Data

• Father, mother, and guardian: full name, occupation, phone, email
• Relationship to student
• Residential address

Fee & Payment Data

• Fee ledger entries: amount billed, collected, outstanding
• Payment receipts with transaction reference IDs (Razorpay)
• Payment method type (cash, cheque, UPI, card, NEFT — reference numbers only)
• We do not store full card numbers or bank account numbers — Razorpay handles PCI-DSS compliance

Documents

• Scanned certificates, mark sheets, transfer certificates, photographs uploaded during onboarding
• Stored in AWS S3 (Mumbai region, ap-south-1)
• All document access is logged

System-Generated Data

• Audit logs: every action performed by every user (who, what, when)
• Sensitive field access logs: when Aadhaar, caste, or blood group fields are viewed
• Session tokens (HTTP-only, short-lived, server-side)

The following fields carry heightened protections under the DPDP Act. Explicit, separate consent is obtained and logged before any sensitive data is processed.

The DPDP Act, 2023 requires verifiable parental or guardian consent before processing personal data of children under 18 years of age.

edSyft is a B2B platform provided to schools. The school (as Data Fiduciary) is responsible for:

• Obtaining verifiable parental/guardian consent before enrolling a student on the platform
• Providing parents with a privacy notice that discloses edSyft as a data processor
• Responding to parental requests to withdraw consent, and instructing edSyft accordingly

By agreeing to edSyft's Terms & Conditions, the school warrants that it has fulfilled these obligations for every student enrolled.

edSyft's commitments regarding student data:

• We do not engage in tracking, monitoring, behavioural profiling, or targeted advertising of students
• Student data is never used for commercial purposes beyond delivering the school's ERP service
• Student data is never sold, licensed, or shared with any third party beyond the sub-processors listed in Section 6

We never sell personal data. We share data only in the following circumstances:

6A. Authorised Sub-Processors

6B. Customer Schools (Data Fiduciaries)

Authorised users within a Customer school can access the personal data of their own students, parents, and staff. edSyft enforces row-level security so that no school can access another school's data — even within the same network.

6C. Legal Obligations

We may disclose personal data if required by Indian law, a valid court order, or a direction from the Data Protection Board of India. We will, where legally permitted, notify the relevant Customer school prior to disclosure.

We retain personal data only as long as necessary for the purposes described, or as required by applicable law.

Upon subscription termination, all Customer data is returned or securely deleted within 30 days of the termination date (see Terms & Conditions, Section 12).

Under the Digital Personal Data Protection Act, 2023, every Data Principal (individual whose data we process) has the following rights:

How to exercise your rights: Email privacy@edsyft.com with the subject line "DPDP Data Request — [Right Type]". We may request identity verification before processing your request.

Students and parents should contact their school administration first (as the Data Fiduciary). The school will instruct edSyft accordingly. Direct requests to edSyft are also accepted.

We implement appropriate technical and organisational measures to protect personal data:

• Data in transit: TLS 1.2 or higher for all connections to app.edsyft.com
• Data at rest: AES-256 encryption on AWS RDS (PostgreSQL) and AWS S3 (documents)
• Tenant isolation: PostgreSQL row-level security (RLS) policies enforce strict data separation between organisations — no cross-tenant data leakage is possible at the database layer
• Access control: Role-based access control (RBAC) enforced at both API and database levels; users see only what their assigned role permits
• Sensitive field logging: Every access to Aadhaar, caste/category, and blood group fields is recorded in an immutable audit log
• Audit trails: Every action performed on the platform (create, update, delete) is logged with the user ID, timestamp, and affected record
• Security assessments: Regular internal reviews and third-party penetration testing

In the event of a personal data breach, we will notify the Data Protection Board of India within 72 hours as required by DPDP Act Section 8(6).

A "personal data breach" means any accidental or unauthorised disclosure, acquisition, or destruction of personal data.

In the event of a breach:

• We will notify the Data Protection Board of India within 72 hours of becoming aware of the breach, as required by DPDP Act Section 8(6)
• We will notify affected Customer schools (Data Fiduciaries) promptly and without undue delay
• Each school, as Data Fiduciary, is responsible for notifying affected students, parents, and other individuals in compliance with their own DPDP Act obligations
• Notifications will include: the nature and extent of the breach, likely consequences, remedial steps taken, and a point of contact for further queries

All student, staff, parent, and payment data is stored within India on AWS ap-south-1 (Mumbai).

The only cross-border data transfer is via Resend (email delivery, USA), which processes email addresses and names to deliver transactional emails. This transfer is carried out under appropriate safeguards (Standard Contractual Clauses / equivalent mechanisms) in accordance with the DPDP Act and Rules.

We actively monitor Central Government notifications under the DPDP Act regarding permitted and restricted countries for cross-border transfers, and will update our practices accordingly.

Marketing Website (edsyft.com)

We use zero cookies, tracking pixels, analytics scripts, or third-party SDKs on our marketing website. If you submit the demo request form, your data is transmitted directly to our team by email — nothing is stored in a browser cookie or third-party analytics platform.

Platform (app.edsyft.com)

We use session cookies only:

• HTTP-only (not accessible to JavaScript)
• Secure flag set (HTTPS only)
• SameSite=Strict (cross-site request forgery protection)
• Session expires after 24 hours of inactivity

We use no advertising cookies, no analytics cookies, and no third-party tracking on the platform.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or applicable law. The "Last Updated" date at the top of this page will reflect any changes.

For material changes that affect how we process student data or sensitive personal data, we will notify Customer schools by email at least 30 days before the changes take effect. Continued use of the platform after that period constitutes acceptance of the updated Policy.

As required by the DPDP Act, 2023, we have designated a Grievance Officer to address data protection complaints:

For any privacy-related queries, requests, or concerns, please contact us at:

Students and parents are encouraged to contact their school administration (the Data Fiduciary) in the first instance. The school will co-ordinate with edSyft on your behalf.