BrainBit BrainBit-SOMS
DPDP Act 2023 Compliant

Privacy Policy

How we collect, use, store, and protect your personal data

Last Updated: 10th February, 2026 | Effective: 10th February, 2026


BRAINBIT INFOTECH PRIVATE LIMITED

CIN: U72900JH2021PTC016964 | Ranchi, Jharkhand, India

This Privacy Policy is published in compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules").

Table of Contents

1. Data Fiduciary Information
2. Definitions
3. Data We Collect
4. Purpose of Data Collection
5. Lawful Basis for Processing
6. Children's Data (Section 9 DPDP)
7. Consent Mechanism
8. Data Storage & Security
9. Data Sharing & Disclosure
10. Cookies & Tracking
11. Data Retention
12. Your Rights (Data Principal)
13. Cross-Border Data Transfer
14. Data Breach Notification
15. Grievance Redressal
16. Changes to this Policy
17. Contact Information

1 Data Fiduciary Information

Under the Digital Personal Data Protection Act, 2023, BrainBit Infotech Private Limited acts as the Data Fiduciary (equivalent to Data Controller) for personal data processed through the BrainBit-SOMS platform.

Data Fiduciary: BrainBit Infotech Private Limited
CIN: U72900JH2021PTC016964
Registered Office: Ranchi, Jharkhand, India
Email: info@brainbitinfotech.com
Phone: +91 99343 14471
Grievance Officer: As designated under Grievance Redressal Policy

Each subscribing educational institution acts as a joint Data Fiduciary for the student, parent, and staff data it uploads to the Platform, as the Institute determines the purpose and means of processing such data.

2 Definitions

All capitalized terms used herein shall have the meanings ascribed under the DPDP Act, 2023, and the Terms of Service. Key definitions include:

  • "Data Principal" - The individual to whom the personal data relates (student, parent, teacher, staff member)
  • "Data Fiduciary" - The entity that determines the purpose and means of processing personal data
  • "Data Processor" - An entity that processes personal data on behalf of the Data Fiduciary
  • "Personal Data" - Any data about an individual who is identifiable by or in relation to such data (Section 2(t), DPDP Act)
  • "Sensitive Personal Data" - As defined under the IT (SPDI) Rules, 2011: passwords, financial information, health data, biometric data
  • "Child" - An individual who has not completed eighteen (18) years of age (Section 2(f), DPDP Act)
  • "Processing" - Any operation performed on personal data, including collection, storage, use, sharing, and deletion

3 Data We Collect

3.1. Institute Registration Data

Data Category | Examples | Mandatory
Institute Identity | School name, registration number, board affiliation, UDISE+ code | Yes
Contact Details | Address, phone, email, website | Yes
Authorized Person | Name, designation, email, phone of Principal/Director | Yes
Financial Details | GST number, PAN, bank details (for payroll) | Conditional

3.2. Student Data

Data Category | Examples | Legal Basis
Identity | Name, date of birth, gender, student code, photograph, Aadhaar (if provided) | Consent / Legitimate Purpose
Academic | Class, section, roll number, marks, grades, report cards | Legitimate Purpose
Attendance | Daily/period-wise attendance records, leave applications | Legitimate Purpose
Financial | Fee records, payment history, concessions, receipts | Consent / Contract
Medical | Blood group, allergies, medical conditions (if provided) | Explicit Consent
Guardian Details | Parent/guardian names, contact, relationship, occupation | Consent
Documents | Transfer certificates, birth certificates, previous marksheets | Consent

Children's Data Notice: Since most students are below 18 years of age, their data constitutes "data of children" under Section 9 of the DPDP Act, 2023. We process children's data only with verifiable parental/guardian consent obtained through the Institute. See Section 6 for details.

3.3. Staff Data

Data Category | Examples | Legal Basis
Identity | Name, date of birth, gender, photo, Aadhaar/PAN | Employment Contract
Employment | Designation, department, joining date, qualifications, experience | Legitimate Purpose
Financial | Salary details, bank account, PF number, ESI, IT declarations | Employment / Legal Obligation
Attendance | Attendance records, leave balances, leave history | Employment Contract

3.4. Parent Portal Data

  • Login credentials (email/phone, password - stored as hash)
  • Portal activity logs (pages viewed, actions taken, timestamps)
  • Fee payment transaction records
  • Leave application submissions
  • Communication preferences

3.5. Technical & Usage Data

  • IP address, browser type, device information, operating system
  • Pages visited, time spent, click patterns (aggregate analytics)
  • Login timestamps, session duration
  • Error logs and diagnostic data

3.6. Website Enquiry Data

  • Name, email, phone number, institute name, enquiry message
  • Submitted voluntarily via the contact form on our website

4 Purpose of Data Collection

We collect and process personal data for the following specified, clear, and lawful purposes (as required under Section 4 of the DPDP Act, 2023):

Purpose | Data Used | Legal Basis
Providing Platform services | All Institute, Student, Staff data | Contract performance
Student admission and enrollment | Student identity, guardian details | Consent / Legitimate Purpose
Academic management (marks, report cards) | Academic records, grades | Legitimate Purpose
Fee management and payment processing | Financial data, payment records | Contract / Legal obligation
Attendance tracking | Attendance records | Legitimate Purpose
Payroll processing | Staff financial, tax data | Employment contract / Legal obligation (Income Tax Act, EPF Act)
Communication (SMS, Email, WhatsApp) | Contact details | Consent / Legitimate Purpose
Parent/Student portal access | Login credentials, activity logs | Consent
UDISE+ compliance reporting | Aggregate academic data | Legal obligation
Platform improvement and analytics | Anonymized usage data | Legitimate interest
Security and fraud prevention | IP addresses, login logs | Legitimate interest
Legal compliance | As required by law | Legal obligation

Purpose Limitation: We shall not process personal data for any purpose other than those specified above without obtaining fresh consent from the Data Principal, as required under Section 6 of the DPDP Act, 2023.

5 Lawful Basis for Processing

We process personal data under the following lawful bases as provided under the DPDP Act, 2023:

  1. Consent (Section 6): Where the Data Principal has given free, specific, informed, unconditional, and unambiguous consent
  2. Legitimate Uses (Section 7): Where processing is necessary for:
    • Performance of obligations under a contract (subscription agreement)
    • Compliance with any law, judgment, or order issued by the State or any court
    • Responding to medical emergencies involving threat to life or health
    • Employment-related purposes (staff data)
  3. Voluntary Provision: Where the Data Principal has voluntarily provided data and not indicated objection to processing

6 Processing of Children's Data (Section 9, DPDP Act)

This section is critical as our Platform processes data of students who are predominantly below 18 years of age.

6.1. Verifiable Parental Consent

In compliance with Section 9(1) of the DPDP Act, 2023, before processing any personal data of a child:

  • The Institute (as joint Data Fiduciary) shall obtain verifiable consent from the parent or lawful guardian of the child at the time of admission/enrollment
  • Consent is obtained through the admission form (physical or online) signed/submitted by the parent/guardian
  • Parent Portal registration constitutes additional digital consent for portal-related data processing

6.2. Prohibited Processing

In compliance with Section 9(2) and 9(3) of the DPDP Act, 2023, we shall NOT:

  • Undertake tracking or behavioral monitoring of children through the Platform
  • Undertake targeted advertising directed at children
  • Process children's data in any manner that is likely to cause a detrimental effect on the well-being of a child
  • Engage in profiling of children for commercial purposes

6.3. Data Minimization for Children

We collect only the minimum data necessary for educational management purposes. The Institute is responsible for ensuring that only relevant student data is entered into the Platform.

6.4. Right of Parent/Guardian

Parents/guardians retain the right to:

  • Access all personal data of their child stored on the Platform (via Parent Portal)
  • Request correction of inaccurate data
  • Withdraw consent (subject to impact on service delivery)
  • Request deletion of their child's data upon leaving the Institute

7 Consent Mechanism

7.1. Notice and Consent: Before collecting personal data, we provide a clear notice (this Privacy Policy) describing the data collected, the purpose, and the Data Principal's rights, as mandated by Section 5 of the DPDP Act.

7.2. Consent Collection:

  • Institute Level: Obtained during subscription/registration via the Terms of Service agreement
  • Staff Level: Obtained through the employment/onboarding process managed by the Institute
  • Student/Parent Level: Obtained through the admission process managed by the Institute
  • Website Visitors: Obtained through voluntary form submission with consent acknowledgment

7.3. Withdrawal of Consent: Any Data Principal may withdraw consent at any time by:

  • Contacting the Institute administrator
  • Emailing info@brainbitinfotech.com
  • Using the contact details in Section 17

Withdrawal of consent shall not affect the lawfulness of processing carried out prior to the withdrawal. Withdrawal may impact the Institute's ability to provide certain services.

8 Data Storage & Security Measures

8.1. Storage Location: All data is stored on servers located in India, in compliance with data localization requirements.

8.2. Security Measures: We implement reasonable security practices and procedures as mandated under Section 8(4) of the DPDP Act, 2023 and Rule 8 of the IT (SPDI) Rules, 2011, including:

Technical Measures

  • HTTPS/SSL encryption for all data in transit (TLS 1.2+)
  • Password hashing using industry-standard algorithms (bcrypt/Argon2)
  • Multi-tenant data isolation at the application and database level
  • CSRF protection on all forms
  • Rate limiting to prevent brute-force attacks
  • Input validation and sanitization to prevent SQL injection and XSS
  • Regular automated backups with encryption
  • Session management with secure cookies and timeout policies
  • Login audit trails and security logging

Organizational Measures

  • Access control based on the principle of least privilege (role-based access)
  • Security awareness among development and operations teams
  • Periodic security reviews and vulnerability assessments
  • Incident response procedures

9 Data Sharing & Disclosure

9.1. No Sale of Data: We do NOT sell, rent, lease, or trade personal data to any third party for any purpose.

9.2. Authorized Sharing: We may share personal data only in the following circumstances:

Recipient | Purpose | Data Shared
Razorpay (Payment Gateway) | Processing fee payments | Transaction amount, order ID (NO card/account details stored by us)
SMTP/Email Provider | Sending transactional emails | Recipient email, message content
WhatsApp Business API | Sending WhatsApp notifications | Recipient phone number, message content
SMS Gateway | Sending SMS notifications | Recipient phone number, message content
Government/Regulatory Bodies | Legal compliance (e.g., UDISE+, Income Tax, EPF) | As required by law
Law Enforcement | Court orders, legal proceedings | As ordered by competent authority

9.3. Third-Party Data Processors: All third-party service providers engaged by us are contractually bound to maintain confidentiality and implement appropriate security measures, in compliance with Section 8(2) of the DPDP Act, 2023.

10 Cookies & Tracking Technologies

10.1. The Platform uses the following types of cookies:

Cookie Type | Purpose | Duration
Essential/Session Cookies | Authentication, session management, CSRF protection | Session / Until logout
Remember Me Cookie | Persistent login (if opted by user) | 30 days
Preference Cookies | UI preferences (theme, language) | 1 year

10.2. No Third-Party Tracking: We do NOT use Google Analytics, Facebook Pixel, or any third-party behavioral tracking cookies. We do NOT serve advertisements on the Platform.

10.3. Cookie Management: You may manage cookies through your browser settings. Please note that disabling essential cookies will prevent you from using the Platform.

11 Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, as required under the DPDP Act, 2023:

Data Category | Retention Period | Basis
Active student records | Duration of enrollment + 5 years | Academic record-keeping requirements
Financial/fee records | 8 years from transaction date | Income Tax Act, 1961 (Section 149)
Payroll/salary records | 8 years from financial year | Income Tax Act / EPF Act
Staff employment records | Duration of employment + 5 years | Labour law compliance
Login/audit logs | 1 year | Security compliance
Website enquiries | 2 years | Business purpose
Post-termination data | 90 days (export window) | Contractual obligation

Upon expiry of the retention period, personal data shall be permanently and irreversibly deleted in compliance with Section 8(7) of the DPDP Act, 2023.

12 Your Rights as Data Principal

Under the DPDP Act, 2023 (Chapter III), every Data Principal has the following rights:

12.1. Right to Access (Section 11)

You have the right to obtain a summary of the personal data being processed and the processing activities undertaken.

12.2. Right to Correction and Erasure (Section 12)

You have the right to:

  • Correct inaccurate or misleading personal data
  • Complete incomplete personal data
  • Update outdated personal data
  • Erase personal data that is no longer necessary for the stated purpose

12.3. Right to Grievance Redressal (Section 13)

You have the right to file a complaint with our Grievance Officer. See our Grievance Redressal Policy for details.

12.4. Right to Nominate (Section 14)

You have the right to nominate an individual who may exercise your rights in the event of your death or incapacity.

12.5. How to Exercise Your Rights

To exercise any of the above rights, you may:

  • Contact your Institute administrator for Institute-level data requests
  • Email us at info@brainbitinfotech.com with subject line "Data Principal Rights Request"
  • Contact our Grievance Officer (details in Grievance Redressal Policy)

We shall respond to verifiable requests within 30 (thirty) days.

13 Cross-Border Data Transfer

13.1. Current Position: All personal data collected through BrainBit-SOMS is stored and processed on servers located within India.

13.2. Transfer Restrictions: We shall not transfer personal data to any country or territory outside India unless such transfer is permitted under Section 16 of the DPDP Act, 2023 (i.e., the country/territory is not restricted by the Central Government).

13.3. In the event cross-border transfer becomes necessary (e.g., for cloud backup redundancy), we shall:

  • Transfer data only to jurisdictions not restricted by the Central Government
  • Ensure equivalent data protection standards at the receiving end
  • Update this Privacy Policy to reflect such transfers
  • Notify affected Data Principals

14 Data Breach Notification

14.1. In the event of a personal data breach, the Company shall:

  • Notify the Data Protection Board of India in the prescribed manner and timeframe as per Section 8(6) of the DPDP Act, 2023
  • Notify the Indian Computer Emergency Response Team (CERT-In) within 6 hours as per CERT-In directions under the IT Act, 2000
  • Notify the affected Data Principals (Institutes, and through Institutes, individual users) without undue delay

14.2. The breach notification shall include:

  • Nature and description of the breach
  • Categories and approximate number of affected Data Principals
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach
  • Contact details of the person from whom further information can be obtained

15 Grievance Redressal

If you have any concerns about how your personal data is being processed, you may contact our designated Grievance Officer. Full details are available in our Grievance Redressal Policy.

If you are not satisfied with our response, you may file a complaint with the Data Protection Board of India established under Section 18 of the DPDP Act, 2023.

16 Changes to this Privacy Policy

16.1. We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons.

16.2. Material changes shall be communicated via:

  • Email notification to all registered Institute administrators
  • In-app notification upon login
  • Updated "Last Updated" date on this page

16.3. Continued use of the Platform after the effective date of any update constitutes acceptance of the updated Privacy Policy.

17 Contact Information

For Privacy-Related Queries

Company: BrainBit Infotech Private Limited
Email: info@brainbitinfotech.com (Subject: "Privacy Query")
Phone: +91 99343 14471
Address: Ranchi, Jharkhand, India
Grievance Officer: See Grievance Redressal Policy

This Privacy Policy is published in compliance with the Digital Personal Data Protection Act, 2023; the Information Technology Act, 2000; and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. By using BrainBit-SOMS, you acknowledge that you have read and understood this Privacy Policy.

Document Version: 2.0 | Effective: 10th February, 2026
