Privacy Policy

1. Who we are

School Harmony Hub (“we”, “our”, the “Platform”) is a Software-as-a-Service product operated by Dubey Group, India, that provides school management functionality to K-12 institutions. For data submitted by a school’s administrators, teachers, parents and students, the school is the data fiduciary and the Platform acts as a data processoron the school’s instructions.

2. Personal data we process

The personal data flowing through the Platform varies by role:

• School administrators & teachers: name, work email, phone, role, encrypted password, login history.
• Students: name, date of birth, gender, admission number, class/section, attendance, marks, fee status, photograph (optional), guardian linkage.
• Parents/Guardians: name, relation, contact phone, email, occupation (optional).
• School records: name, address, board affiliation, GSTIN, UDISE code, principal name, contact details, subscription history.
• Prospects (contact form): name, school, email, phone, role, message.
• Operational logs: IP address, browser, action timestamps, error traces.

3. Why we process it

• To provide the contracted SaaS functionality (attendance, marks, fees, timetables, communications) to the school.
• To authenticate users and protect accounts.
• To comply with applicable Indian laws including the Digital Personal Data Protection Act 2023, the Information Technology Act 2000, and applicable state education regulations.
• To detect, investigate, and prevent abuse, fraud, and security incidents.
• To respond to your inquiries and provide support.
• To improve the Platform — we do not use student or parent personal data to train any third-party AI models.

4. Children’s personal data

The Platform processes personal data of children (persons under 18 years of age). Under the DPDP Act 2023, this requires verifiable parental consent. We rely on the school’s representationthat, in its capacity as the data fiduciary, it has obtained the required parental/guardian consent for each enrolled student before entering that student’s data into the Platform.

We do not knowingly profile children, use children’s data for behavioural advertising, or apply automated decision-making that could harm a child. Children’s data is masked from Sentry error reporting and other observability tooling.

5. Subprocessors

The Platform uses the following subprocessors. They process data only on our documented instructions and are bound by contractual confidentiality and security obligations.

• Supabase, Inc. (United States) — managed Postgres database, authentication, file storage.
• Vercel Inc. (United States) — application hosting and edge delivery.
• Functional Software, Inc. d/b/a Sentry (United States) — error monitoring (PII-scrubbed at source).
• Upstash, Inc. (United States) — rate-limit counters (no personal data).
• Razorpay Software Private Limited (India) — subscription billing (when enabled).

Several subprocessors are located outside India. By using the Platform, you acknowledge cross-border transfer to those jurisdictions, which we restrict in accordance with section 16 of the DPDP Act.

6. Retention

Personal data is retained for as long as the school’s subscription is active, plus a wind-down period during which the school can export its data. Academic records that the school is legally required to maintain may be retained for longer at the school’s instruction. Operational logs are retained for up to 90 days. On termination, we delete or anonymise school data within 30 days unless retention is required by law.

7. Your rights

Subject to verification, you have the following rights under the DPDP Act and other applicable laws:

• Right to access a summary of your personal data and how it is processed.
• Right to correction or erasure of inaccurate or no-longer-necessary data.
• Right of grievance redressal — see contact below.
• Right to nominate another individual to exercise your rights in case of death or incapacity.

Where the school is the data fiduciary (most student and parent data), requests should be raised with the school first; we will assist the school in fulfilling valid requests.

8. Security

We apply role-based access control, row-level security policies in our database, encryption of data in transit (TLS) and at rest, and least-privilege handling of administrative credentials. We will publish an incident-response policy as part of our enterprise tier. No system is perfectly secure; we will notify affected schools of material incidents without undue delay.

9. Cookies and similar technologies

We use a small number of strictly necessary cookies for authentication and session management. Optional analytics or session-replay cookies are loaded only after you accept them via the cookie banner.

10. Grievance redressal & contact

For privacy questions, data-subject requests, or to file a grievance, contact our Data Protection Officer:

Email: dpo@schoolharmonyhub.in
Postal address: Dubey Group, India (full address to be published before public launch)

If you are not satisfied with our response, you may approach the Data Protection Board of India once it is operational.

11. Changes to this policy

We will publish material changes here and notify the primary contact of each school by email at least 14 days before they take effect. The version number and effective date at the top of this page reflects the latest version.