Privacy Policy
Last updated: 1 May 2026 · Version 1.0
Published in compliance with the Digital Personal Data Protection Act, 2023 ("DPDPA") of India.
1. Identity of the Data Fiduciary
SchoolOS is operated by Tanvrit Pvt. Ltd. ("Tanvrit", "we", "us"), the data fiduciary under the DPDPA. Registered office: 168 Plot No 945, Gayatri Mandir se Purab, New Ariya, Sasaram, Bihar 821115, India.
2. Data Protection Officer
Vivek Singh (founder) acts as the DPO under DPDPA Section 8(9) until a separate DPO is appointed. Contact: dpo@tanvrit.com.
3. Personal Data We Collect
SchoolOS processes the following categories of personal data, on behalf of the school as the controller of its student records, and on its own behalf for the operator account.
- Operator account — principal / admin name, email, mobile, role. Purpose: provision the school's tenant. Retention: life of contract + 90 days.
- Authentication — password hashes, OTPs, magic-link tokens, refresh tokens. Purpose: identity verification. Retention: OTP / magic-link 10 minutes; auth audit logs 365 days.
- Student / teacher / parent profile — name, class, roll number, date-of-birth, contact details, parent/guardian contact, attendance, grades, fees. Purpose: school operations. Retention: as long as the student is enrolled, plus the statutory archival period determined by the school.
- Financial / fee records — invoices, GST line items, payment-processor reference IDs. Purpose: fee collection and statutory compliance. Retention: 7 years (Income Tax Act, GST Act).
- Device & telemetry — device model, OS, app version, IP address, crash logs, anonymised usage events. Retention: 90 days raw events.
- Communications — emails / chats with our support team. Retention: 3 years after the case closes.
We do not store card numbers, CVVs, or UPI PINs. Payment data is tokenised by Razorpay or Stripe.
4. Lawful Basis
Under DPDPA Section 4 we rely on consent (Section 6) for account creation and any optional feature, and on certain legitimate uses (Section 7) for transactions you initiate, statutory compliance, and emergencies.
5. Sharing & Cross-Border Transfers
We do not sell personal data. We use the following processors: Google Cloud Run (asia-south1, Mumbai) for application servers; MongoDB Atlas as the primary database; Cloudflare for global CDN and DDoS protection; Razorpay (India) for fees collected via UPI / cards / netbanking; Stripe Inc. (United States) for any international subscriptions; Twilio Inc. (United States, with Indian DLT partners) for transactional SMS / OTP. Cross-border transfers occur under safeguards permitted by DPDPA Section 16.
6. Your Rights as a Data Principal (DPDPA Section 11)
- Access a summary of the personal data we process.
- Correction or erasure of inaccurate data.
- Nominate another individual to exercise your rights.
- Grievance redressal.
- Withdraw consent where consent is the basis of processing.
Email dpo@tanvrit.com from your registered address, or use the deletion form at /account/delete. We respond within 30 days.
7. Children's Data — DPDPA Section 9
SchoolOS processes the data of children (data principals under 18) and persons with disabilities who have a lawful guardian, on behalf of the school as the controller of those records.
In line with Section 9 of the DPDPA:
- We obtain verifiable parental consent before processing personal data of a child. The school is responsible for collecting that consent at the time of admission and for attesting it to us. Tanvrit provides the technical mechanisms (signed consent record, parent-OTP verification on a separate registered number, downloadable consent receipt).
- We do not undertake any tracking, behavioural monitoring, or targeted advertising directed at children.
- We do not engage in any processing of a child's data that is likely to cause any detrimental effect on the well-being of the child.
- A parent or guardian may at any time withdraw consent and request erasure by emailing dpo@tanvrit.com or by raising the request through the school administrator.
- Until the consent and age-gate flow is fully verified for a given school's deployment, accounts may be created only for users who certify they are 18 or older.
8. Security
We apply reasonable security safeguards under DPDPA Section 8(5): TLS 1.3 in transit, AES-256-GCM at rest for personal-data fields, JWT auth with mutex-protected refresh-token rotation, OTP rate limiting, passkey replay protection, role-based access controls and admin audit trails. We do not currently hold ISO 27001 or SOC 2 attestations and do not claim a public uptime SLA. Availability is best-effort.
9. Breach Notification
On detection of a personal-data breach we notify the Data Protection Board of India and every affected data principal (including, where applicable, the parent / guardian) within 72 hours, in line with DPDPA Section 8(6) and rules thereunder.
10. Retention
- Financial / tax records: 7 years.
- Inactive accounts after a deletion request: 90 days.
- Authentication logs: 365 days.
- Analytics events: 90 days raw; aggregate counts longer.
- Student records: as instructed by the school, subject to any statutory retention obligation imposed on the school.
11. Cookies & Local Storage
- auth_token, refresh_token — session continuity; cleared on logout.
- tanvrit_school_id — remembers the active school tenant.
- Cloudflare anti-bot cookies (__cf_bm) — security; set by Cloudflare.
12. Updates to this Policy
Material changes are communicated to registered users (and, for children's data, to the registered parent / guardian) by email at least 30 days in advance.
13. Grievance Redressal & Contact
Tanvrit Pvt. Ltd., 168 Plot No 945, Gayatri Mandir se Purab, New Ariya, Sasaram, Bihar 821115, India.
DPO: dpo@tanvrit.com
Product support: hello@schoolos.app