Back to platform

    Legal

    Privacy Policy

    How UniSyft Private Limited collects, uses, and protects personal data on the EdSyft platform — in compliance with India's Digital Personal Data Protection (DPDP) Act, 2023.

    Effective 20 March 2026Last updated 20 March 2026

    UniSyft Private Limited · CIN: U47413AP2025PTC123150 · EdSyft is a flagship product of UniSyft Private Limited

    1. Introduction & Scope

    This Privacy Policy is published by UniSyft Private Limited (CIN: U47413AP2025PTC123150) ("UniSyft", "EdSyft", "we", "us", or "our"), the creator and operator of the EdSyft school network ERP platform.

    This Policy applies to:

    • edsyft.com — our public marketing website, where prospective customers request demos
    • app.edsyft.com — the EdSyft platform used by school networks, their staff, students, and parents

    This Policy governs how we collect, use, store, share, and protect personal data, and explains the rights available to individuals under the Digital Personal Data Protection Act, 2023 ("DPDP Act") and the DPDP Rules, 2025.

    2. Data Fiduciary vs. Data Processor

    Under the DPDP Act, 2023, two distinct roles govern personal data processing:

    RoleWhoMeaning
    Data FiduciaryYour school / school network (our Customer)Determines the purpose and means of processing personal data (DPDP Act, s.2(i))
    Data ProcessorEdSyft / UniSyftProcesses personal data solely on behalf of and under the instructions of the Data Fiduciary (DPDP Act, s.2(k))

    Your school bears primary responsibility for ensuring a lawful basis exists before uploading personal data to EdSyft. EdSyft processes that data only to provide the platform service, under the school's instructions.

    Students and parents who have questions about how their school uses their data should contact their school administration first. Direct requests to EdSyft are also accepted — see Section 15.

    3. Data We Collect & Why

    3A. Marketing Website (edsyft.com)

    When you submit a demo request via our website, we collect the details you provide, including:

    DataPurposeBasis
    Full nameTo address you in correspondenceConsent
    Work email address, if providedTo send demo confirmation and follow-upConsent
    Phone numberTo schedule your demo callConsent
    School / organisation nameTo personalise your demoConsent
    Your role, if providedTo tailor the demo to your functionConsent
    Number of campuses, if providedTo demonstrate multi-campus featuresConsent
    Optional messageTo understand your specific challengeConsent

    We use Microsoft Graph / Microsoft 365 email delivery to forward your request to our team. We do not use cookies, analytics, tracking pixels, or any third-party scripts on this website.

    3B. EdSyft Platform (app.edsyft.com)

    Authentication

    Users log in using their email address or mobile phone number. A one-time password (OTP) is sent for verification. No passwords are stored. Your email or phone is used solely for authentication and account management.

    Staff & Administrator Data

    • Full name, work email, phone number
    • Assigned role (Principal, Accountant, Teacher, etc.)
    • Organisation and campus assignments
    • Profile picture (optional, stored in AWS S3)

    Student Personal Data

    • Full name, date of birth, gender, nationality, religion
    • Admission number, roll number, class, section, academic year
    • Residential address
    • Blood group (Sensitive — see Section 4)
    • Caste / category (Sensitive — see Section 4)
    • Aadhaar number (Sensitive — see Section 4)
    • Previous school records, academic performance

    Parent / Guardian Data

    • Father, mother, and guardian: full name, occupation, phone, email
    • Relationship to student and residential address

    Fee & Financial Records

    • Fee ledger entries, payment receipts, and transaction reference IDs
    • Payment method type only (cash, cheque, UPI, NEFT — reference numbers only)
    • We do not store full card numbers or bank account details

    Documents

    • Scanned certificates, mark sheets, transfer certificates, and photographs uploaded during onboarding
    • Stored in AWS S3 (Mumbai, ap-south-1); all access is logged

    System-Generated Data

    • Audit logs: every action by every user (who, what, when)
    • Sensitive field access logs: when Aadhaar, caste, or blood group fields are viewed
    • Session tokens (HTTP-only, short-lived)

    4. Sensitive Personal Data

    The following fields carry heightened protections under the DPDP Act. Explicit, separate consent is obtained and logged before any sensitive data is processed.

    Aadhaar Number

    • Collected only where mandated by applicable law (e.g., government scholarship portals, statutory reporting)
    • Stored in masked / tokenised form — full number never displayed after entry
    • Access restricted to Principal and Admin roles only
    • Every access is recorded in an immutable sensitive-field audit log

    Caste / Category

    • Collected only for government scheme eligibility or statutory regulatory reporting
    • Not used for profiling, discrimination, or any commercial purpose
    • Same access controls and audit logging as Aadhaar

    Blood Group

    • Collected solely for medical emergency purposes on school premises
    • Shared only with the school's medical or nursing staff
    • Not used for insurance, profiling, or any other purpose

    5. Minor Students & Parental Consent

    The DPDP Act, 2023 requires verifiable parental or guardian consent before processing personal data of children under 18 years of age.

    EdSyft is a B2B platform provided to schools. The school (as Data Fiduciary) is responsible for:

    • Obtaining verifiable parental or guardian consent before enrolling a student on the platform
    • Providing parents with a privacy notice disclosing EdSyft as a data processor
    • Responding to parental requests to withdraw consent, and instructing EdSyft accordingly

    By agreeing to EdSyft's Terms & Conditions, the school warrants it has fulfilled these obligations for every student enrolled.

    EdSyft's commitments regarding student data:

    • We do not engage in tracking, behavioural profiling, or targeted advertising of students
    • Student data is never used for commercial purposes beyond delivering the school's ERP service
    • Student data is never sold, licensed, or shared beyond the sub-processors listed in Section 6

    6. How We Share Data

    We never sell personal data. We share data only in the following circumstances:

    6A. Authorised Sub-Processors

    Sub-ProcessorPurposeData SharedLocation
    Msg91OTP delivery via SMS and emailMobile phone / email address onlyIndia
    Microsoft Graph / Microsoft 365Transactional email deliveryEmail address and nameMicrosoft service regions
    AWS S3 (ap-south-1)Document and file storageUploaded documents and filesIndia (Mumbai)

    6B. Customer Schools

    Authorised users within a Customer school can access their own students', parents', and staff's data. EdSyft's row-level security ensures no school can access another school's data.

    6C. Legal Obligations

    We may disclose data if required by Indian law, a valid court order, or a direction from the Data Protection Board of India. We will notify the relevant school prior to disclosure where legally permitted.

    7. Data Retention

    We retain personal data only as long as necessary for the purposes described, or as required by law.

    Data CategoryRetention PeriodReason
    OTP / authentication logs7 daysSecurity and fraud prevention
    Session data30 days after inactivityAccount continuity
    Student academic records5 years post-academic year (or per Customer instruction)Academic continuity and legal obligations
    Fee / payment records8 yearsIndian accounting and tax law requirement
    Audit logs3 yearsCompliance and dispute resolution
    Sensitive field access logs2 yearsDPDP Act accountability
    Demo request data (website)90 days after demo is conductedCRM follow-up
    Documents (AWS S3)Per Customer policy, minimum 3 yearsCustomer instruction

    8. Your Rights (DPDP Act)

    Under the DPDP Act, 2023, every Data Principal has the following rights:

    Right to Access (Section 11)

    Request a summary of your personal data and the processing activities carried out. Fulfilled within 30 days.

    Right to Correction (Section 12)

    Request correction of inaccurate, incomplete, or outdated data. Fulfilled within 30 days.

    Right to Erasure (Section 12)

    Request deletion of data where the purpose has been fulfilled or consent withdrawn, with no legal retention requirement. Fulfilled within 30 days.

    Right to Nomination (Section 14)

    Nominate someone to exercise your rights on your behalf in the event of death or incapacity.

    Right to Grievance Redressal (Section 13)

    Lodge a complaint with us or escalate to the Data Protection Board of India if unsatisfied.

    How to exercise your rights: Email operations@edsyft.com with the subject "DPDP Data Request — [Right Type]". We may request identity verification before processing your request.

    Students and parents should contact their school administration first. The school will co-ordinate with EdSyft on your behalf.

    9. Data Security

    • Data in transit: TLS 1.2 or higher on all connections
    • Data at rest: AES-256 encryption on AWS RDS (PostgreSQL) and AWS S3
    • Tenant isolation: PostgreSQL row-level security (RLS) — no cross-tenant data leakage at the database layer
    • Access control: Role-based access control (RBAC) enforced at API and database levels
    • Sensitive field logging: Every access to Aadhaar, caste/category, and blood group is recorded in an immutable audit log
    • Audit trails: Every platform action is logged with user ID, timestamp, and affected record
    • Security assessments: Regular internal reviews and third-party penetration testing

    10. Breach Notification

    In the event of a personal data breach:

    • We will notify the Data Protection Board of India within 72 hours of becoming aware, as required by DPDP Act, Section 8(6)
    • We will notify affected Customer schools promptly and without undue delay
    • Each school, as Data Fiduciary, is responsible for notifying affected students and parents
    • Notifications will include: the nature and extent of the breach, likely consequences, remedial steps taken, and a point of contact

    11. International Data Transfers

    All student, staff, parent, and financial data is stored within India on AWS ap-south-1 (Mumbai).

    The only cross-border transfer is via Microsoft Graph / Microsoft 365 email delivery, which processes email addresses and names to deliver transactional emails. This is carried out under appropriate safeguards (Standard Contractual Clauses or equivalent mechanisms) in accordance with the DPDP Act and Rules.

    12. Cookies & Tracking

    Marketing Website (edsyft.com)

    We use zero cookies, tracking pixels, analytics scripts, or third-party SDKs on our marketing website.

    Platform (app.edsyft.com)

    We use session cookies only: HTTP-only, Secure flag set, SameSite=Strict, and expiring after 24 hours of inactivity. We use no advertising cookies, no analytics cookies, and no third-party tracking of any kind on the platform.

    13. Changes to This Policy

    We may update this Privacy Policy from time to time. The "Last Updated" date at the top reflects any changes. For material changes affecting student data or sensitive personal data, we will notify Customer schools by email at least 30 days before the changes take effect.

    14. Grievance Officer

    As required by the DPDP Act, 2023, we have designated a Grievance Officer:

    Designation: Grievance Officer / Data Protection Officer

    Organisation: UniSyft Private Limited

    Email: operations@edsyft.com

    Address: 38-4-10, RCC Building, 3rd Floor, Punnammathota, Vijayawada (Urban), Krishna – 520010, Andhra Pradesh, India

    Response timeline: We respond to all complaints within 30 days. Unresolved complaints may be escalated to the Data Protection Board of India.

    15. Contact Us

    For any privacy-related queries, requests, or concerns:

    Email: operations@edsyft.com

    Address: UniSyft Private Limited, 38-4-10, RCC Building, 3rd Floor, Punnammathota, Vijayawada (Urban), Krishna – 520010, Andhra Pradesh, India

    Students and parents are encouraged to contact their school administration (the Data Fiduciary) in the first instance.