Privacy Policy

Effective Date: 30 March 2026

Platform: Campus 24x7 - School ERP Software

1. Introduction

This Privacy Policy describes how Campus 24x7 ("we", "our", "us") collects, processes, stores, and protects personal and institutional data when users access or use the platform.

This platform is designed for educational institutions to manage academic, administrative, and financial operations, which involves handling sensitive personal data, including student information.

By accessing or using the platform, institutions and their authorized users agree to the collection and use of information in accordance with this policy.

2. Scope

This Privacy Policy applies to:

  • All users of the platform, including:
      • School administrators
      • Teachers and staff
      • Students
      • Parents/guardians
  • All services provided through:
      • Web application
      • Mobile interfaces (if applicable)
  • All data processed via:
      • Backend systems (NestJS APIs)
      • Frontend interfaces (React application)
      • Database systems (MySQL)

3. Roles and Responsibilities

3.1 Data Controller (Institution)

The educational institution (school/college) acts as the Data Controller.

Responsibilities include:

  • Deciding what data is collected
  • Determining how data is used
  • Ensuring lawful data collection (including parental consent where required)

3.2 Data Processor (Campus 24x7)

Campus 24x7 acts as a Data Processor, meaning:

  • We process data strictly on instructions from the institution
  • We do not independently determine purposes of data processing
  • We implement security and infrastructure to support data handling

3.3 End Users (Students, Parents, Staff)

End users:

  • Access data as authorized by the institution
  • Do not have direct contractual control over data processing
  • Must route requests (access, correction, deletion) through the institution

4. Information We Collect

We collect only data necessary for operating the School ERP system.

4.1 Institutional Data

Collected during onboarding and usage:

  • Institution name
  • Address and location details
  • Contact information (email, phone)
  • Subscription and billing details
  • Administrative configurations

4.2 User Data (Staff, Teachers, Admins, Parents)

  • Full name
  • Email address
  • Phone number
  • Role and designation
  • Login credentials (securely hashed)
  • Account activity data

4.3 Student Data

This is the most sensitive category:

  • Personal details (name, DOB, gender, contact info)
  • Academic records (classes, exams, grades)
  • Attendance records
  • Fee and financial data
  • Transport details
  • Communication history (notices, messages)

Important Constraint:

We do not collect unnecessary personal data beyond institutional requirements.

4.4 Technical and Usage Data

Automatically collected:

  • IP address
  • Device type and browser
  • Operating system
  • Login timestamps
  • Usage logs and activity tracking

Used strictly for:

  • Security monitoring
  • Performance optimization
  • Debugging

4.5 Payment Data

  • Transaction IDs
  • Payment status
  • Billing history

Explicit Limitation:

We do not store debit/credit card details.

Payments are processed via certified third-party gateways.

5. Data Minimization Principle

We follow a strict data minimization approach:

  • Only collect data required for platform functionality
  • Avoid unnecessary storage of sensitive information
  • Allow institutions to control additional fields (custom data)

6. How We Use Information (Purpose Limitation)

All collected data is processed strictly for defined and legitimate purposes.

6.1 Core Platform Functionality

  • Managing student lifecycle (admissions -> academics -> graduation)
  • Attendance tracking and reporting
  • Fee management and accounting
  • Examination and result processing
  • Transport and communication management

6.2 Communication

Sending notifications via:

  • SMS
  • Email
  • In-app alerts

Examples:

  • Fee reminders
  • Attendance alerts
  • Exam schedules
  • Administrative announcements

6.3 Reporting and Analytics

  • Generating academic and financial reports
  • Institutional dashboards and insights
  • Performance analysis

6.4 Security and Monitoring

  • Detecting unauthorized access
  • Monitoring suspicious activities
  • Logging system events

6.5 System Operations

  • Debugging and error resolution
  • Performance optimization
  • Feature improvements

6.6 Legal and Regulatory Compliance

  • Responding to lawful requests
  • Maintaining required records
  • Supporting audits (if applicable)

7. Legal Basis for Processing (India - SPDI Rules, 2011)

Data processing is based on the following lawful grounds:

7.1 Consent

  • Institutions provide consent during onboarding
  • Institutions are responsible for obtaining consent from:
      • Students
      • Parents/guardians (for minors)

7.2 Contractual Necessity

Processing is required to:

  • Deliver ERP services
  • Manage institutional operations

7.3 Legal Obligation

Processing may be required to:

  • Comply with applicable laws
  • Respond to government or regulatory authorities

7.4 Legitimate Use (Operational Necessity)

Includes:

  • System security
  • Fraud prevention
  • Service improvement

8. Data Sharing and Disclosure

We do not sell, rent, or trade personal data under any circumstances.

8.1 Authorized Sub-processors

Data may be shared with third-party vendors strictly for service delivery:

a) Hosting Provider

Hostinger VPS

Purpose: Infrastructure and storage

b) Payment Gateways

For processing transactions

We do not store financial credentials

c) Communication Providers

SMS gateways

Email service providers

8.2 Data Sharing Principles

All third-party access follows:

  • Data minimization (only required data shared)
  • Contractual confidentiality obligations
  • Use restricted to specific services

8.3 Legal Disclosure

Data may be disclosed:

  • To government authorities
  • Under court orders or legal processes
  • To comply with regulatory obligations

8.4 Institutional Access Control

  • Data is accessible only to authorized users within the institution
  • Access controlled via RBAC (Role-Based Access Control)

9. No Unauthorized Commercial Use

  • Personal data is never used for advertising or resale
  • No profiling or behavioral monetization is conducted

10. Sub-processor Transparency (Important Gap to Fix)

Current state:

  • Sub-processors are used but not publicly listed

Recommended improvement:

Maintain a public sub-processor list page including:

  • Vendor name
  • Purpose
  • Data processed

11. Data Retention Policy

Data is retained only for as long as necessary to fulfill operational, contractual, and legal requirements.

11.1 Active Subscription Period

During an active subscription:

  • All institutional and user data remains accessible
  • Data is continuously updated and processed
  • No automatic deletion occurs

11.2 Post-Termination Retention

After subscription termination:

  • Data is retained for a maximum of 12-24 months
  • Purpose:
      • Account reactivation (if requested)
      • Legal and audit requirements
      • Dispute resolution

11.3 Early Deletion Requests

Institutions may request earlier deletion:

  • Verified requests are processed within 30 days
  • Data may be:
      • Permanently deleted, or
      • Anonymized (where full deletion is not feasible immediately)

11.4 Legal Retention Exceptions

Certain data may be retained beyond standard periods if required for:

  • Legal compliance
  • Financial record obligations
  • Fraud or dispute investigations

11.5 Backup Retention

  • Backup copies may persist temporarily after deletion
  • Backup lifecycle is governed by rotation policies
  • Full purge occurs after backup cycle expiration

12. Data Deletion Process

Deletion is executed using controlled procedures:

  • Verification of request (institution-level authorization)
  • Identification of associated datasets
  • Removal from active database
  • Scheduled removal from backups
  • Confirmation of completion

Constraint:

Immediate deletion from backups is not always technically feasible.

13. Data Security Measures

We implement layered security controls aligned with SaaS best practices.

13.1 Network Security

  • HTTPS enforced (TLS 1.2+)
  • Reverse proxy via Nginx
  • Rate limiting and request throttling
  • Protection against brute-force attempts

13.2 Application Security

  • Backend: NestJS with validation pipelines
  • Frontend: React (TypeScript) with strict typing
  • Input validation at all entry points

Protection against:

  • SQL Injection
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)

13.3 Authentication and Access Security

  • Password hashing using bcrypt
  • Multi-Factor Authentication (MFA) for privileged roles
  • JWT-based authentication
  • Session expiration and token invalidation

13.4 Authorization Controls

  • Role-Based Access Control (RBAC)
  • Custom permissions per institution
  • Strict API-level enforcement

13.5 Data Isolation (Multi-Tenant Security)

  • Logical tenant isolation enforced
  • All queries scoped via institution ID
  • Strict query validation middleware prevents cross-tenant leakage

13.6 Logging and Monitoring

  • Centralized managed logging system
  • Tracking of:
      • Login attempts
      • Data changes
      • Permission updates
  • Real-time monitoring and alerts

13.7 Backup and Recovery

  • Automated periodic backups
  • Secure storage of backup data
  • Regular restoration testing

13.8 Vulnerability Management

  • Regular dependency updates
  • Security patches applied promptly
  • Periodic vulnerability assessments

14. User Rights (B2B SaaS Context - Important Clarification)

User rights are exercised through the institution (Data Controller).

14.1 Right to Access

Users may request access to their personal data via the institution.

14.2 Right to Correction

Users can request correction of:

  • Incorrect or outdated data
  • Incomplete records

14.3 Right to Deletion

Users may request deletion, subject to:

  • Institutional approval
  • Legal and operational constraints

14.4 Right to Restrict Processing

Processing may be limited where:

  • Data accuracy is contested
  • Legal disputes exist

14.5 No Direct User Control Over System-Level Data

End users:

  • Cannot directly modify system-level processing
  • Must route all requests through institutional administrators

15. Institutional Responsibilities (Critical Section)

Institutions must:

  • Obtain valid consent from users and parents (for minors)
  • Ensure accuracy of uploaded data
  • Assign appropriate roles and permissions
  • Prevent unauthorized account sharing
  • Respond to user data requests

Failure at institutional level can lead to:

  • Data misuse
  • Compliance violations

16. Data Accuracy Disclaimer

We rely on institutions for data accuracy.

We are not responsible for:

  • Incorrect data entry
  • Outdated records
  • Misclassification of users

17. Cookies and Tracking Technologies

We use cookies and similar technologies strictly for operational and security purposes.

17.1 Types of Cookies Used

a) Essential Cookies

Required for core functionality:

  • User authentication
  • Session management
  • Security validation

These cannot be disabled without breaking the system.

b) Performance and Analytics Cookies

Used to:

  • Monitor system performance
  • Identify errors
  • Improve user experience

No behavioral advertising or cross-site tracking is performed.

17.2 Cookie Control

Users can:

  • Manage cookies via browser settings
  • Disable non-essential cookies

Limitation:

Disabling essential cookies may prevent platform access.

17.3 No Advertising Tracking

  • No third-party advertising trackers are used
  • No user profiling for marketing purposes

18. Children's Data (Critical Section)

The platform processes data of minors (students), which requires strict handling.

18.1 Role of Institution

Institutions are solely responsible for:

  • Collecting student data lawfully
  • Obtaining parental/guardian consent where required

18.2 Our Role

We process children's data only on institutional instructions.

Data is used strictly for:

  • Educational administration
  • Academic and operational purposes

18.3 Restrictions

We do NOT:

  • Use student data for advertising
  • Profile minors for commercial purposes
  • Share student data beyond required services

19. Cross-Border Data Transfer

19.1 Data Storage Location

Data is primarily stored on infrastructure selected by us (Hostinger VPS or equivalent).

19.2 International Transfers

If data is transferred outside India:

  • Transfers are limited to necessary services
  • Appropriate safeguards are implemented
  • Data protection standards are maintained

19.3 Compliance Approach

We ensure:

  • Equivalent security controls
  • Contractual safeguards with vendors

20. Data Breach Notification

In case of a confirmed or suspected data breach:

20.1 Immediate Actions

  • Detection and containment
  • Isolation of affected systems
  • Investigation of root cause

20.2 Notification

Affected institutions will be notified within a reasonable timeframe.

Notification will include:

  • Nature of breach
  • Data affected
  • Mitigation steps

20.3 Corrective Measures

  • Vulnerabilities patched
  • Security controls strengthened
  • Preventive actions implemented

Response Timeline

Acknowledgement within: 48 hours

Resolution within: 30 days

22. Third-Party Liability Disclaimer

We are not responsible for:

  • Failures or breaches caused by third-party services
  • Unauthorized actions by external vendors
  • Downtime or issues originating outside our infrastructure

23. Limitation of Liability (Privacy Context)

To the extent permitted by law:

We are not liable for:

  • User negligence (e.g., credential sharing)
  • Incorrect data entered by institutions
  • External cyberattacks beyond reasonable control

24. Policy Updates

  • This Privacy Policy may be updated periodically
  • Significant changes will be communicated to institutions
  • Continued use implies acceptance of updates

25. Jurisdiction

This policy is governed by the laws of India.

Jurisdiction:

Courts located in [Your City, State] shall have exclusive jurisdiction.

26. Contact Information

For privacy-related queries:

Email: info@campus24x7.in

Website: https://campus24x7.in