This Privacy Policy ("Policy") describes how Schoolyst ("Schoolyst," "we," "us," or "our") collects, uses, stores, shares, and protects personal data when you visit our website at https://schoolyst.in, use our school management software platform, mobile interfaces, APIs, or interact with us in any other way (collectively, the "Services").
Schoolyst provides business-to-business (B2B) software to educational institutions. Schools and other institutions that subscribe to Schoolyst are generally the data controllers (or "Data Fiduciaries" under Indian law) for student, parent, staff, and related personal data they upload or manage through the platform. Schoolyst acts as a data processor (or "Data Processor") on behalf of those institutions, as further described in our Data Processing Agreement.
By accessing or using the Services, registering an account, submitting a contact or enquiry form, subscribing to our newsletter, or otherwise providing personal data to us, you acknowledge that you have read and understood this Policy. If you do not agree, please do not use the Services.
1. Scope of This Policy
This Policy applies to:
- Visitors to our public website, including marketing pages, blogs, help center, and contact forms.
- Registered users who create accounts, manage schools, or access dashboards and administrative tools.
- Personal data processed on behalf of subscribing schools, including data relating to students (including minors), parents/guardians, teachers, and administrative staff.
- Communications with our support, sales, and legal teams.
This Policy does not apply to third-party websites, payment gateways, or services that we do not control, even if linked from our platform. Those services are governed by their own privacy policies.
2. Personal Data We Collect
2.1 Data You Provide Directly
Depending on how you interact with Schoolyst, we may collect:
- Account and identity data: name, email address, phone number, password (stored in hashed form), job title, role, profile photo, and account preferences.
- School and institutional data: school name, address, registration details, branch information, academic structure, branding assets, and authorized representative details.
- Student and minor data (on behalf of schools): student names, admission numbers, class/section, date of birth, gender, attendance records, academic performance, fee records, parent/guardian contact details, photographs, and other data uploaded by the school.
- Staff data (on behalf of schools): employee names, roles, contact information, attendance, payroll-related identifiers where applicable, and performance records.
- Communication data: messages sent through contact forms, support tickets, live chat, demo requests, and email correspondence.
- Newsletter and marketing data: email address and subscription preferences when you opt in to receive updates.
- Billing data: billing contact details, invoice information, transaction references, and subscription plan details. We do not store full payment card numbers on our servers; payments are processed by third-party payment providers.
2.2 Data Collected Automatically
When you use the Services, we may automatically collect:
- Device and technical data: IP address, browser type and version, operating system, device identifiers, language settings, and screen resolution.
- Usage data: pages viewed, features used, clickstream data, session duration, login timestamps, error logs, and performance metrics.
- Cookie and similar technologies data: as described in our Cookie Policy.
- Security logs: authentication events, access attempts, and audit trails to protect the platform and detect abuse.
2.3 Data from Third Parties
We may receive personal data from:
- Schools that invite users or upload records to the platform.
- Payment processors confirming transaction status.
- Authentication providers if single sign-on is enabled.
- Publicly available sources for business verification where lawful.
3. How We Use Personal Data
We use personal data for the following purposes:
- Providing the Services: to create and manage accounts, enable school administration features (attendance, exams, fees, communication, reporting), and deliver customer support.
- Account administration: to authenticate users, enforce role-based access, maintain audit logs, and manage subscriptions.
- Communication: to respond to enquiries, send service announcements, security alerts, onboarding guidance, and support updates.
- Marketing (with consent where required): to send newsletters, product updates, and promotional content. You may unsubscribe at any time.
- Billing and compliance: to process subscriptions, generate invoices, maintain financial records, and comply with tax and accounting obligations.
- Security and fraud prevention: to monitor for unauthorized access, investigate incidents, and protect users and institutional data.
- Product improvement: to analyze aggregated or de-identified usage patterns, fix bugs, and develop new features.
- Legal obligations: to comply with applicable laws, respond to lawful requests, and enforce our Terms of Service.
Where we process personal data on behalf of a school, we process it only according to the school's documented instructions and our Data Processing Agreement, unless otherwise required by law.
4. Legal Bases for Processing
Depending on your location and the nature of the data, we rely on one or more of the following legal bases:
- Contract: processing necessary to provide the Services you or your institution have requested.
- Consent: for optional marketing, non-essential cookies, and certain communications where consent is required.
- Legitimate interests: for security, fraud prevention, service improvement, and B2B relationship management, balanced against your rights.
- Legal obligation: where processing is required by applicable law, court order, or regulatory authority.
- Vital interests or public interest: in rare cases involving safety or legally mandated educational record-keeping, as directed by the controlling institution or law.
For personal data of children and students, schools are responsible for obtaining any required parental or guardian consent before uploading data to Schoolyst. We process such data solely on the school's instructions.
5. How We Share Personal Data
We do not sell personal data. We may share personal data only in the following circumstances:
- With subscribing schools: data entered into a school's workspace is accessible to authorized users of that institution according to configured roles and permissions.
- Service providers and subprocessors: trusted vendors who assist with hosting, cloud infrastructure, email delivery, customer support tools, analytics (where consented), payment processing, and security monitoring. These providers are bound by contractual confidentiality and data protection obligations.
- Payment processors: to complete subscription transactions securely.
- Professional advisers: lawyers, accountants, or auditors under confidentiality obligations.
- Business transfers: in connection with a merger, acquisition, reorganization, or sale of assets, subject to appropriate safeguards and notice where required.
- Legal and safety: when required by law, regulation, legal process, or to protect the rights, property, or safety of Schoolyst, our users, or others.
- With your consent: for any other purpose disclosed at the time of collection.
A list of key subprocessors may be provided upon request to institutional customers or published in our security documentation.
6. International Data Transfers
Schoolyst is based in India. Your data may be stored and processed in India and, where necessary to deliver the Services, in other countries where our infrastructure providers operate. When personal data is transferred across borders, we implement appropriate safeguards such as contractual clauses, vendor security assessments, and access controls consistent with applicable data protection laws, including the Digital Personal Data Protection Act, 2023 (India) and, where applicable, the General Data Protection Regulation (GDPR).
7. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes described in this Policy, unless a longer retention period is required or permitted by law.
- Account data: retained while your account is active and for a reasonable period thereafter to resolve disputes, enforce agreements, and comply with legal obligations.
- School workspace data: retained for the duration of the school's subscription and handled according to our Cancellation Policy upon termination.
- Marketing data: retained until you unsubscribe or withdraw consent.
- Security and audit logs: retained for a limited period consistent with security best practices and legal requirements.
- Legal and financial records: retained as required under applicable tax, accounting, and commercial laws.
Schools may export their data during an active subscription. After cancellation, data may be deleted or anonymized according to our retention schedule, except where retention is legally required.
8. Data Security
We implement technical and organizational measures designed to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include, where appropriate:
- Encryption of data in transit using TLS 1.2 or higher.
- Encryption of sensitive data at rest using industry-standard methods.
- Role-based access controls and principle of least privilege.
- Multi-factor authentication options for administrative accounts.
- Regular backups and disaster recovery procedures.
- Security monitoring, logging, and incident response processes.
- Employee confidentiality obligations and security training.
- Vendor due diligence for infrastructure and subprocessors.
No method of transmission or storage is completely secure. While we strive to protect your data, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your login credentials and notifying us promptly of any suspected unauthorized access.
9. Your Rights and Choices
Depending on applicable law and whether Schoolyst acts as a controller or processor for specific data, you may have the following rights:
- Access: request confirmation of whether we process your personal data and obtain a copy.
- Correction: request correction of inaccurate or incomplete personal data.
- Erasure: request deletion of personal data, subject to legal exceptions and institutional record-keeping requirements.
- Restriction: request limitation of processing in certain circumstances.
- Data portability: receive personal data you provided in a structured, commonly used format where technically feasible.
- Objection: object to processing based on legitimate interests or for direct marketing.
- Withdraw consent: where processing is based on consent, withdraw it at any time without affecting prior lawful processing.
- Nominate: under India's DPDP Act, nominate another individual to exercise your rights in the event of death or incapacity.
For school-managed data: If you are a student, parent, or staff member whose data is managed by a school through Schoolyst, please contact your school first. The school, as data controller, is primarily responsible for handling your requests. We will assist the school as required by our agreement and applicable law.
For direct Schoolyst account holders: To exercise rights relating to your account or website interactions, contact us at privacy@schoolyst.in. We may need to verify your identity before responding. We aim to respond within 30 days, or within the timeframe required by applicable law.
10. Children's and Student Data
Schoolyst is not intended for direct use by children under 18 without involvement of a school, parent, guardian, or authorized adult. We do not knowingly collect personal data directly from children for our own marketing purposes.
Student and minor data is processed on behalf of educational institutions that determine the lawful basis and purpose for such processing. Schools using Schoolyst represent that they have obtained all necessary consents, permissions, and authorizations from parents, guardians, or applicable authorities before uploading student data.
We apply heightened care to student data, including access restrictions, purpose limitation, and prohibitions on using institutional student data for unrelated advertising.
11. Marketing Communications
If you subscribe to our newsletter or opt in to marketing emails, we will send you product news, educational content, and promotional offers. Every marketing email includes an unsubscribe link. You may also contact privacy@schoolyst.in to update your preferences.
Service-related communications (such as security alerts, billing notices, and material changes to policies) are not marketing messages and may be sent even if you opt out of promotional emails.
12. Cookies and Tracking Technologies
We use cookies and similar technologies as described in our Cookie Policy. You can manage cookie preferences through our cookie banner and your browser settings.
13. Compliance with Indian Law
13.1 Digital Personal Data Protection Act, 2023 (DPDP Act)
Schoolyst processes digital personal data in accordance with the DPDP Act and applicable rules. Where Schoolyst acts as a Data Fiduciary for account holders, website visitors, and direct contacts, we process data lawfully, for specified purposes, with appropriate notice and security. Where we act as a Data Processor for schools, we process data only on documented instructions and assist fiduciaries with their compliance obligations.
13.2 Information Technology Act, 2000 and SPDI Rules
We comply with reasonable security practices and procedures under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, where applicable, including safeguards for sensitive personal data such as passwords, financial information, and biometric data if ever processed.
13.3 Grievance Officer
In accordance with applicable Indian law, the Grievance Officer for Schoolyst is:
- Name: Grievance Officer, Schoolyst
- Email: privacy@schoolyst.in
- Address: 6th Phase, JP Nagar, Bengaluru, Karnataka 560078, India
- Phone: +91 1800-555-1234
Grievances will be acknowledged within 24 hours and resolved within 15 days, or within the period required by applicable law, whichever is sooner.
14. GDPR (European Economic Area, UK, and Switzerland)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland and Schoolyst processes your personal data as a controller, you have the rights listed in Section 9 and may lodge a complaint with your local data protection authority. Our legal bases for processing are set out in Section 4. International transfers are protected by appropriate safeguards as described in Section 6.
15. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you may have additional rights including the right to know what personal information we collect, request deletion, correct inaccurate information, and opt out of the sale or sharing of personal information. Schoolyst does not sell personal information. To exercise California privacy rights, contact privacy@schoolyst.in.
16. Data Breach Notification
In the event of a personal data breach that is likely to result in harm, we will notify affected institutions and, where required, relevant supervisory authorities and individuals, in accordance with applicable law and our contractual obligations. We maintain an incident response procedure to contain, investigate, and remediate security incidents promptly.
17. Third-Party Links and Integrations
The Services may contain links to third-party websites or integrations (such as payment gateways or communication tools). We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing personal data.
18. Changes to This Policy
We may update this Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will post the updated Policy on this page and revise the "Last updated" date. For material changes, we will provide additional notice (such as email or in-app notification) where appropriate. Continued use of the Services after the effective date constitutes acceptance of the updated Policy.
19. Contact Us
For questions, concerns, or requests regarding this Privacy Policy or our data practices, contact:
- Privacy & Grievance: privacy@schoolyst.in
- General inquiries: hello@schoolyst.in
- Postal address: Schoolyst, 6th Phase, JP Nagar, Bengaluru, Karnataka 560078, India
- Phone: +91 1800-555-1234