1. Introduction & Scope
This Privacy Policy is published by UniSyft Private Limited (CIN: U47413AP2025PTC123150) ("UniSyft", "EdSyft", "we", "us", or "our"), the creator and operator of the EdSyft school network ERP platform.
This Policy applies to:
- edsyft.com — our public marketing website, where prospective customers request demos
- app.edsyft.com — the EdSyft platform used by school networks, their staff, students, and parents
This Policy governs how we collect, use, store, share, and protect personal data, and explains the rights available to individuals under the Digital Personal Data Protection Act, 2023 ("DPDP Act") and the DPDP Rules, 2025.
2. Data Fiduciary vs. Data Processor
Under the DPDP Act, 2023, two distinct roles govern personal data processing:
Your school bears primary responsibility for ensuring a lawful basis exists before uploading personal data to EdSyft. EdSyft processes that data only to provide the platform service, under the school's instructions.
Students and parents who have questions about how their school uses their data should contact their school administration first. Direct requests to EdSyft are also accepted — see Section 15.
3. Data We Collect & Why
3A. Marketing Website (edsyft.com)
When you submit a demo request via our website, we collect the details you provide, including:
We use Microsoft Graph / Microsoft 365 email delivery to forward your request to our team. We do not use cookies, analytics, tracking pixels, or any third-party scripts on this website.
3B. EdSyft Platform (app.edsyft.com)
Authentication
Users log in using their email address or mobile phone number. A one-time password (OTP) is sent for verification. No passwords are stored. Your email or phone is used solely for authentication and account management.
Staff & Administrator Data
- Full name, work email, phone number
- Assigned role (Principal, Accountant, Teacher, etc.)
- Organisation and campus assignments
- Profile picture (optional, stored in AWS S3)
Student Personal Data
- Full name, date of birth, gender, nationality, religion
- Admission number, roll number, class, section, academic year
- Residential address
- Blood group (Sensitive — see Section 4)
- Caste / category (Sensitive — see Section 4)
- Aadhaar number (Sensitive — see Section 4)
- Previous school records, academic performance
Parent / Guardian Data
- Father, mother, and guardian: full name, occupation, phone, email
- Relationship to student and residential address
Fee & Financial Records
- Fee ledger entries, payment receipts, and transaction reference IDs
- Payment method type only (cash, cheque, UPI, NEFT — reference numbers only)
- We do not store full card numbers or bank account details
Documents
- Scanned certificates, mark sheets, transfer certificates, and photographs uploaded during onboarding
- Stored in AWS S3 (Mumbai, ap-south-1); all access is logged
System-Generated Data
- Audit logs: every action by every user (who, what, when)
- Sensitive field access logs: when Aadhaar, caste, or blood group fields are viewed
- Session tokens (HTTP-only, short-lived)
4. Sensitive Personal Data
The following fields carry heightened protections under the DPDP Act. Explicit, separate consent is obtained and logged before any sensitive data is processed.
Aadhaar Number
- Collected only where mandated by applicable law (e.g., government scholarship portals, statutory reporting)
- Stored in masked / tokenised form — full number never displayed after entry
- Access restricted to Principal and Admin roles only
- Every access is recorded in an immutable sensitive-field audit log
Caste / Category
- Collected only for government scheme eligibility or statutory regulatory reporting
- Not used for profiling, discrimination, or any commercial purpose
- Same access controls and audit logging as Aadhaar
Blood Group
- Collected solely for medical emergency purposes on school premises
- Shared only with the school's medical or nursing staff
- Not used for insurance, profiling, or any other purpose
5. Minor Students & Parental Consent
The DPDP Act, 2023 requires verifiable parental or guardian consent before processing personal data of children under 18 years of age.
EdSyft is a B2B platform provided to schools. The school (as Data Fiduciary) is responsible for:
- Obtaining verifiable parental or guardian consent before enrolling a student on the platform
- Providing parents with a privacy notice disclosing EdSyft as a data processor
- Responding to parental requests to withdraw consent, and instructing EdSyft accordingly
By agreeing to EdSyft's Terms & Conditions, the school warrants it has fulfilled these obligations for every student enrolled.
EdSyft's commitments regarding student data:
- We do not engage in tracking, behavioural profiling, or targeted advertising of students
- Student data is never used for commercial purposes beyond delivering the school's ERP service
- Student data is never sold, licensed, or shared beyond the sub-processors listed in Section 6
6. How We Share Data
We never sell personal data. We share data only in the following circumstances:
6A. Authorised Sub-Processors
6B. Customer Schools
Authorised users within a Customer school can access their own students', parents', and staff's data. EdSyft's row-level security ensures no school can access another school's data.
6C. Legal Obligations
We may disclose data if required by Indian law, a valid court order, or a direction from the Data Protection Board of India. We will notify the relevant school prior to disclosure where legally permitted.
7. Data Retention
We retain personal data only as long as necessary for the purposes described, or as required by law.
8. Your Rights (DPDP Act)
Under the DPDP Act, 2023, every Data Principal has the following rights:
Right to Access (Section 11)
Request a summary of your personal data and the processing activities carried out. Fulfilled within 30 days.
Right to Correction (Section 12)
Request correction of inaccurate, incomplete, or outdated data. Fulfilled within 30 days.
Right to Erasure (Section 12)
Request deletion of data where the purpose has been fulfilled or consent withdrawn, with no legal retention requirement. Fulfilled within 30 days.
Right to Nomination (Section 14)
Nominate someone to exercise your rights on your behalf in the event of death or incapacity.
Right to Grievance Redressal (Section 13)
Lodge a complaint with us or escalate to the Data Protection Board of India if unsatisfied.
How to exercise your rights: Email operations@edsyft.com with the subject "DPDP Data Request — [Right Type]". We may request identity verification before processing your request.
Students and parents should contact their school administration first. The school will co-ordinate with EdSyft on your behalf.
9. Data Security
- Data in transit: TLS 1.2 or higher on all connections
- Data at rest: AES-256 encryption on AWS RDS (PostgreSQL) and AWS S3
- Tenant isolation: PostgreSQL row-level security (RLS) — no cross-tenant data leakage at the database layer
- Access control: Role-based access control (RBAC) enforced at API and database levels
- Sensitive field logging: Every access to Aadhaar, caste/category, and blood group is recorded in an immutable audit log
- Audit trails: Every platform action is logged with user ID, timestamp, and affected record
- Security assessments: Regular internal reviews and third-party penetration testing
10. Breach Notification
In the event of a personal data breach:
- We will notify the Data Protection Board of India within 72 hours of becoming aware, as required by DPDP Act, Section 8(6)
- We will notify affected Customer schools promptly and without undue delay
- Each school, as Data Fiduciary, is responsible for notifying affected students and parents
- Notifications will include: the nature and extent of the breach, likely consequences, remedial steps taken, and a point of contact
11. International Data Transfers
All student, staff, parent, and financial data is stored within India on AWS ap-south-1 (Mumbai).
The only cross-border transfer is via Microsoft Graph / Microsoft 365 email delivery, which processes email addresses and names to deliver transactional emails. This is carried out under appropriate safeguards (Standard Contractual Clauses or equivalent mechanisms) in accordance with the DPDP Act and Rules.
13. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last Updated" date at the top reflects any changes. For material changes affecting student data or sensitive personal data, we will notify Customer schools by email at least 30 days before the changes take effect.
14. Grievance Officer
As required by the DPDP Act, 2023, we have designated a Grievance Officer:
Designation: Grievance Officer / Data Protection Officer
Organisation: UniSyft Private Limited
Email: operations@edsyft.com
Address: 38-4-10, RCC Building, 3rd Floor, Punnammathota, Vijayawada (Urban), Krishna – 520010, Andhra Pradesh, India
Response timeline: We respond to all complaints within 30 days. Unresolved complaints may be escalated to the Data Protection Board of India.
15. Contact Us
For any privacy-related queries, requests, or concerns:
Email: operations@edsyft.com
Address: UniSyft Private Limited, 38-4-10, RCC Building, 3rd Floor, Punnammathota, Vijayawada (Urban), Krishna – 520010, Andhra Pradesh, India
Students and parents are encouraged to contact their school administration (the Data Fiduciary) in the first instance.