EduSuite Privacy Policy

1. Who We Are and Our Role

EduSuite is a school management platform licensed to educational institutions ("Schools"). When a School uses EduSuite to manage its operations, the School is the data controller for the personal information of its students, parents, teachers, and staff. EduSuite acts as a data processor on the School's behalf and processes that information in accordance with the School's instructions and the data-processing terms in our agreement with the School.

For our own account creation, billing, security, product analytics, and direct communications with School administrators, EduSuite acts as a data controller.

2. Scope of This Policy

This Policy applies to:

• The EduSuite Android application;
• The web portal at app.edusuite.pk;
• Email, SMS, WhatsApp, and push notifications sent through the EduSuite platform.

It does not apply to third-party websites, applications, or services that your School may use independently of EduSuite, even if linked from within the App.

3. Information We Collect

3.1 Information You or Your School Provides

• Identity and profile: name, role (student, parent, teacher, admin), gender, date of birth, photograph, national identity number where required by law, contact number, email address, postal address.
• Academic information: class, section, roll number, attendance records, examination marks, report cards, homework and assessment submissions, fee status, library records, transport route, hostel allocation.
• Family information: parent/guardian names, contact details, occupation, and sibling links.
• Financial information: fee invoices, payment receipts, payment method references (we do not store full card numbers; payments are processed by our payment-gateway partners).
• Communications: messages, complaints, feedback, gate-pass requests, leave applications, and other content you submit through the App.
• Staff and payroll information (for School staff users): salary, allowances, attendance, leave balances, and statutory deductions.

3.2 Information Collected Automatically

• Device information: device model, operating system version, unique device identifiers (such as Android ID and advertising ID where permitted), language, timezone, mobile network and carrier.
• Usage information: screens viewed, features used, login timestamps, session duration, IP address, crash logs, and performance diagnostics.
• Push notification token: required to deliver alerts such as fee reminders, results, announcements, and gate-pass events.
• Location: only if your School uses geo-located attendance or features and you have granted location permission. We do not collect background location.
• Biometric authentication: if you enable fingerprint or face login on your device, the biometric template stays on your device. We never receive or store the biometric data itself; we only receive a confirmation that your device has authenticated you.

3.3 Information from Third Parties

• Payment status and reference numbers from payment gateways used for fee collection;
• Authentication confirmations from biometric attendance devices integrated by your School;
• Login confirmations from federated identity providers if your School enables single sign-on.

3.4 Cookies and Similar Technologies

The App uses local storage and authentication tokens to keep you signed in and remember preferences. The web portal uses cookies for the same purposes and for security. You can clear them through your device or browser settings; doing so will sign you out and may reset your preferences.

4. Children's and Student Data

EduSuite is designed for use by Schools that enrol minors. We collect data about students only on the lawful instruction of their School, which is responsible for obtaining the consent of parents or legal guardians under applicable law (including, where relevant, GDPR, COPPA, and Pakistani data-protection requirements).

For accounts identified as student accounts, we do not knowingly:

• serve behavioural or personalised advertising;
• share information with third-party advertising networks;
• permit students to publicly broadcast personal information through the App.

If you believe a child's information has been collected without proper consent, please contact us immediately using the details in Section 16. We will work with the relevant School to investigate and, where appropriate, delete the data.

5. App Permissions

The Android App may request the following permissions. You can grant or revoke any optional permission at any time in Android Settings.

6. How We Use Information

We use information to:

• operate the Service for your School (attendance, fees, results, communication, transport, library, hostel, payroll, accounting, examinations, reporting, and related modules);
• authenticate users and protect accounts;
• deliver in-app, push, email, SMS, and WhatsApp messages requested by your School (such as fee vouchers, result cards, gate passes, and announcements);
• generate the dashboards, exports, and PDF reports your School relies on;
• provide customer support and resolve issues;
• detect, prevent, and investigate fraud, abuse, security incidents, and policy violations;
• improve, debug, and develop new features, using aggregated or pseudonymised data wherever practicable;
• comply with legal obligations and respond to lawful requests from public authorities.

7. Legal Bases for Processing

Where data protection law requires us to identify a legal basis for processing personal information, we rely on:

• Contract: providing the Service to you and your School;
• Legitimate interests: securing the Service, preventing fraud, improving our products, and communicating with our customers;
• Consent: for optional features such as marketing emails, optional cookies, and certain device permissions — you may withdraw consent at any time;
• Legal obligation: tax, accounting, anti-fraud, and lawful disclosure orders.

8. How We Share Information

We share information with:

• Your School and its authorised users — the primary purpose of EduSuite;
• Service providers who support our operations under written confidentiality and data-processing agreements (cloud hosting, content delivery, payment processing, communications providers, analytics, customer-support tools — see Section 9);
• Authorities and courts when legally required;
• Successors in the event of a merger, acquisition, or restructuring, with notice where required by law.

We do not sell personal information. We do not share student information with advertising networks for behavioural targeting.

9. Third-Party Service Providers

Each provider receives only the minimum information required to perform its task and is bound by appropriate confidentiality and data-protection terms.

10. International Data Transfers

EduSuite is operated from Pakistan with primary servers hosted in Germany. By using the Service you understand that personal information will be transferred to and stored in these jurisdictions and, where relevant service providers are located outside them, in additional jurisdictions. Where applicable data protection law requires safeguards for international transfers, we rely on Standard Contractual Clauses or equivalent legal mechanisms with our service providers.

11. Data Retention

We retain personal information for as long as your School maintains an active account with us, plus the period required for backups, legal compliance, dispute resolution, and enforcement of our agreements. Financial records are typically retained for up to seven (7) years; routine encrypted backups are retained for up to ninety (90) days; usage logs are retained for up to twelve (12) months.

If your School ends its subscription, data is deleted or returned according to the agreement with the School. You may also request deletion as described in Section 14.

12. Data Security

We use industry-standard administrative, technical, and physical safeguards including TLS encryption in transit, encrypted backups, role-based access controls, multi-factor authentication for administrators, audit logging, network segmentation, and regular patching. No system is perfectly secure; you are responsible for protecting your password and the device on which you use the App. If you suspect unauthorised access to your account, contact us immediately.

13. Advertising

Some Schools may use a free or limited tier of the Service that is supported by advertising. Where advertising is shown:

• Ads are never shown inside student accounts;
• Ads on parent, teacher, and administrator screens are limited to general (non-behavioural) targeting in the free tier by default;
• Schools and individual users may upgrade to paid tiers to remove advertising entirely;
• Where applicable, we use Google AdMob and Meta Audience Network, which receive only the minimum information needed to serve ads (such as device advertising ID, IP address, and approximate location).

You can reset or limit your Android advertising ID at any time in your device settings under Settings → Privacy → Ads.

14. Your Rights

Depending on your jurisdiction, you may have the right to:

• access the personal information we hold about you;
• correct inaccurate information;
• request deletion ("right to be forgotten");
• restrict or object to processing;
• data portability;
• withdraw consent at any time;
• lodge a complaint with your local data protection or privacy regulator.

Because Schools are the data controllers for student, parent, and staff records, please send rights requests to your School in the first instance. If your School cannot respond, contact us at the address in Section 16 and we will assist or forward the request as appropriate.

15. Changes to This Policy

We may update this Policy from time to time. The revised version will be posted with a new "Last Updated" date. For material changes, we will notify you through the App or by email before the change takes effect. Continued use of the Service after the effective date means you accept the changes.

16. Contact Us

Any third-party providers in Section 9 you do not actually use should be removed; any additional providers should be added.