Privacy Policy
Effective: 6 May 2026 • Version: v1.1-2026-05
This Privacy Policy explains how VidyaHub AI ("we", "us") collects, uses, shares, and retains personal data when you or your child uses the VidyaHub school management platform ("Service"). It is written to satisfy the disclosure requirements of the Digital Personal Data Protection Act, 2023 ("DPDP Act"), in particular sections 5, 6, 7, 9, and 16.
VidyaHub is the Data Fiduciary for personal data processed in connection with the Service. Your school is typically a joint Data Fiduciary for the educational records it uploads about its students and staff.
1. What we collect
We collect the following categories of personal data:
| Category | Examples | Purpose | Source |
|---|---|---|---|
| Identity | Full name, date of birth, gender, blood group, photograph | Account creation; identification on records and certificates | You; your school |
| Contact | Email address, mobile number, postal address | Authentication; communications; receipts | You; your school |
| Educational records | Class enrolment, attendance, exam results, timetables | Operating the school's academic workflows | Your school |
| Financial | Fee assignments, payments, payment-gateway tokens (encrypted) | Collecting and reconciling fees; statutory accounting | Your school; payment gateway |
| Documents | Uploaded files (e.g., aadhaar, certificates) | Record-keeping; certificate issuance | You; your school |
| Communications | Messages, announcements, notifications you send or receive | Operating the messaging surface; audit | The Service |
| Technical | IP address, user-agent, request timing, error traces | Security; debugging; abuse prevention | Your device |
We do not knowingly collect special categories of data (e.g., health, biometrics) beyond the blood-group field, which is collected so it can be recorded on student profiles and surfaced to school staff in emergencies.
2. Children's data (DPDP §9)
Most students using the Service are minors. For each minor we require verifiable parental consent before processing the minor's data for purposes other than the bare minimum needed to enrol the child. Parental consent is captured itemised — academic records, fee processing, email communications, SMS communications, photo publication, and certificate issuance are each granted (or withheld) separately. Parents may withdraw any of these consents at any time, and the Service is built to honour that withdrawal even though some downstream legal-records obligations may require us to retain a minimal copy (see Section 6).
3. Why we process your data (purpose limitation)
We process personal data only for the purposes listed against each category in Section 1, and for the limited additional purposes of:
- complying with legal, accounting, and audit obligations;
- preventing fraud and abuse of the Service;
- providing customer support when you contact us.
We do not sell personal data, and we do not use it for advertising, profiling, or any form of behavioural targeting.
4. Sub-processors
We rely on the following sub-processors. Each processes only the data needed for its function and is bound by a written data-processing agreement. "Region" indicates where production personal data is primarily processed.
| Sub-processor | Region | Purpose |
|---|---|---|
| Supabase, Inc. | India (Mumbai, ap-south-1) | Production database hosting (PostgreSQL), authentication, file storage. Pre-production development environments operate in the United States and contain no production personal data. |
| Vercel, Inc. | India (Mumbai) primary + United States fallback | Application hosting; the Mumbai region serves Indian users, with the United States region used for failover and edge serving |
| Resend, Inc. | Japan (Tokyo) | Transactional email delivery |
| MSG91 | India | Transactional SMS delivery (DLT-compliant) |
| Sentry, Inc. | European Union (Frankfurt) | Application error monitoring |
| Axiom, Inc. | United States (US East 1) | Application logs (via Vercel Log Drain) |
| Razorpay Software Pvt Ltd | India | Online fee collection (when enabled by your school) |
| Cashfree Payments India Pvt Ltd | India | Online fee collection (when enabled by your school) |
| PhonePe Pvt Ltd | India | Online fee collection (when enabled by your school) |
This list is current as of the policy version above. Any addition will be communicated and will require renewed consent before continued use of the affected feature.
5. International transfers (DPDP §16)
Most personal data processed by the Service stays in India. Production database hosting (Supabase Mumbai), payment processing (Razorpay, Cashfree, PhonePe), and SMS delivery (MSG91) all occur on Indian infrastructure. Application hosting (Vercel) is multi-region with Mumbai as the primary region serving Indian users.
Cross-border transfers occur only for these supporting functions:
- Email delivery — Resend (Japan)
- Error monitoring — Sentry (European Union)
- Application logs — Axiom (United States)
- Application hosting fallback — Vercel (United States), used when the Mumbai region is unavailable
By using the Service you consent to your personal data being processed in the locations listed above. We rely on contractual safeguards with each sub-processor and on the DPDP Act's permissibility of cross-border transfers to jurisdictions that are not on the Central Government's negative list.
6. Retention
We retain personal data only as long as needed for the purpose for which it was collected, plus any period required by law:
- Financial records (fee payments, receipts, payroll): seven (7) years, to satisfy Indian statutory accounting requirements.
- Academic records (enrolment, attendance, exam results): retained while the student is enrolled and for a reasonable alumni period thereafter; deletion on request honoured subject to any legal records obligation on the school.
- Onboarding artefacts (initial-credentials CSV, Excel templates): seven (7) and thirty (30) days respectively, then auto-deleted.
- Application logs: retained per the Vercel and Axiom default retention policies (typically 30 days for app logs, longer for security-relevant audit logs).
- Marketing or promotional data: not collected.
7. Your rights (DPDP §11–§14)
You have the right to:
- access the personal data we hold about you;
- request correction of inaccurate data;
- request erasure where lawful;
- nominate another person to exercise your rights in the event of your death or incapacity;
- file a grievance with our Data Protection Officer (see Section 10).
Self-service tools to exercise these rights are being built into the Service; until they are live you can email dpo@vidyahub.ai and we will respond within thirty (30) days.
8. Security
We use Transport Layer Security (TLS) for all data in transit, AES-256-GCM for sensitive at-rest secrets (e.g., payment-gateway API keys), Postgres Row-Level Security to enforce per-school tenant isolation, and append-only audit logs for sensitive events including consent grants and withdrawals. No security control is perfect; in the event of a personal-data breach likely to result in significant harm, we will notify the Data Protection Board of India and affected data principals as required by the DPDP Act.
9. Cookies and similar technologies
The Service uses only the cookies and local-storage entries needed for authentication, session management, and remembering your preferences (e.g., dark mode). We do not use advertising or third-party analytics cookies.
10. Grievance redressal
Concerns about how your personal data is being handled can be raised with our Data Protection Officer:
- Email: dpo@vidyahub.ai
- Postal: (address to be published before pilot launch)
A self-service form at /admin/data-requests is in development and will
provide a tracked alternative to email. We aim to acknowledge grievances
within seventy-two (72) hours and to resolve them within thirty (30) days.
If you are not satisfied with our response, you may approach the Data Protection Board of India.
11. Changes to this policy
We may update this policy. Material changes will require renewed consent through the Service before continued use of the affected feature. The version and effective date at the top of this page identify the currently active text; superseded versions are retained for audit and can be provided on request.