Privacy Policy
TACHY School ERP — Mobile Apps & Web Services
Effective date: 2025-11-19
1. Summary
TACHY School ERP ("we", "our", "TACHY") is an India-first multi-tenant school management platform (mobile apps for Parents / Teachers / Students and web dashboards for schools). This policy explains what personal data we collect, why we collect it, who we share it with, how we protect it, and how you can exercise your privacy rights.
2. Scope & Applicability
This policy applies to personal data collected through:
- TACHY mobile apps (Teacher / Parent / Student)
- Web Dashboard and Admin consoles
- Support, onboarding forms and integrations (APIs)
- Payment and reporting services
3. Data we collect & transmit off-device (clear mapping)
Below is the exhaustive list of personal data types that may be collected or transmitted off a user's device by our apps or included SDKs. This list is intended to match Play Console Data Safety categories and to help you complete the Play Console form accurately.
A. Identifiers & Account
- Account identifiers: email address, username, school_id, admission/registration number — purpose: authentication, account management. Shared: Yes (with our servers; not sold).
- Device identifiers: device ID, advertising ID (when used) — purpose: analytics, fraud prevention, diagnostics. Shared: Yes (with analytics / ad providers if enabled).
B. Contact & Profile
- Full name, phone number, profile photo, parent/guardian contact details — purpose: communication, notifications, account setup. Shared: Only with the school and with selected processors.
C. Academic & School Operational Data
- Attendance records, exam marks, timetables, behavior notes, class/section assignment — purpose: core service delivery. Shared: Visible to school admins and authorized staff and stored on our servers.
D. Photos, Documents & Media
- Student/teacher photos, uploaded documents (PDFs, images) — purpose: ID, records, assignments. Shared: Stored on our cloud storage or school-designated storage; shared with authorized school users and subprocessors (storage provider).
E. Payments & Financial Metadata
- Transaction amount, order id, UPI reference, masked payment identifiers — purpose: fee processing and reconciliation. Shared: Payment gateways (Cashfree/Stripe) and banks as required. We do not store full card numbers.
F. Location & Contacts (if enabled)
- GPS/location only if explicitly enabled for a feature (e.g., bus tracking) — purpose: transport services. Shared: Yes with school or transport provider when feature enabled.
- Contacts import (phonebook) only when the user explicitly grants permission — purpose: invite parents/contacts. Shared: only with user's consent.
G. Usage & Diagnostics
- Crash logs, app usage events, IP address, OS and device model — purpose: analytics, improving product, security. Shared: Yes with analytics/crash vendors (e.g., Firebase Analytics, Crashlytics).
If your app/build does not include a particular SDK or feature listed above, edit the corresponding "Shared/Collected" flags in your Play Console Data safety form accordingly. Be conservative — declare any data type that your app or included SDKs might send off the device.
4. How we collect data
- Directly from you when you register, update profile, upload documents or use app features.
- From your school during onboarding (class lists, student records).
- Automatically from devices for diagnostics & analytics (logs, crash reports).
- From third-party processors (payment gateways, identity verification) when you use those services.
5. Legal basis (where applicable)
- Contractual necessity: to provide the ERP services contracted by the school.
- Legal obligation: to retain financial records for tax/audit purposes.
- Consent: for optional features like marketing emails, or where required for special categories.
- Legitimate interest: for analytics, security, and fraud prevention (balanced assessment performed).
6. Why we use personal data (Purposes)
- Core functionality: attendance, exams, fees, homework, messaging and reports.
- Authentication, role & permission management.
- Payments: reconciliation and receipt generation.
- Support & onboarding.
- Security, fraud detection and abuse prevention.
- Analytics and product improvement (aggregated or pseudonymized when possible).
7. Who we share data with (subprocessors)
We only share personal data where necessary and under contract or legal obligation. Typical recipients include:
- Your School / School Admins: core academic and administrative data under tenancy isolation.
- Cloud & Hosting: e.g., AWS / DigitalOcean / Linode (for compute and storage).
- Storage / CDN: e.g., Amazon S3, Cloudflare (for media and static assets).
- Payments: Cashfree, Stripe, Razorpay — for transaction processing.
- Messaging: SMS/OTP providers (e.g., MSG91, Twilio), Email providers (SendGrid / Mailgun).
- Analytics & Crash Reporting: Firebase Analytics, Firebase Crashlytics, Sentry (if enabled).
- Support / Onboarding: third-party ticketing / CRM providers engaged during onboarding (access limited).
- Legal Authorities: if required by law or court order.
We maintain a current list of subprocessors. Please request the latest Subprocessor List from privacy@tachy.in during onboarding.
8. International transfers
Data may be stored or processed in India and other jurisdictions where our subprocessors operate. When personal data is transferred internationally, we use appropriate safeguards (Standard Contractual Clauses, or other lawful transfer mechanisms) and ensure adequate protections.
9. Data retention
We retain personal data only as long as necessary for the purposes listed, subject to legal and contractual retention obligations. Typical retention periods:
- Active account data: while the school subscription is active + 1 year.
- Transaction & payment records: minimum 7 years (or as required by local tax law).
- Backups & logs: up to 12 months unless longer retention is required for compliance or investigation.
10. Security measures
We apply industry standard security controls, including:
- TLS 1.2+ / HTTPS for data in transit; HSTS where appropriate.
- Encryption at rest (AES-256) for sensitive storage where used.
- Role-based access control (RBAC) and tenancy isolation by
school_id. - Prepared statements / parameterized SQL to prevent SQL injection.
- CSRF protection on state-changing endpoints and secure session handling.
- Secure upload handling: MIME type + extension checks, size limits, randomized filenames, non-public storage with signed URLs.
We perform periodic security scans and patch dependencies regularly. However, no system can be 100% secure — users should also follow best practices (strong passwords, device security).
11. Children & parental consent
Our services are designed for use by schools, which may include children. Where local law requires parental consent (for example, children under 13 in some jurisdictions), we rely on parental or school-provided consent during registration. If you believe we collected a child's data without consent, contact privacy@tachy.in.
12. Your rights & how to exercise them
You may have the following rights depending on jurisdiction:
- Access & portability — request a copy of your personal data in a commonly used format.
- Correction — request correction of inaccurate data.
- Deletion — request deletion subject to legal retention obligations.
- Restriction/Objection — to certain processing activities.
- Withdraw consent — for activities based on consent.
To exercise rights, contact our Data Protection contact at privacy@tachy.in. We will verify your identity before fulfilling requests. Businesses / school admins should submit requests through their admin dashboard or support channels for faster processing.
13. Cookies, tracking & analytics
We use cookies and similar technologies to provide core functionality (authentication), preferences, and analytics. If you enable analytics or marketing features, we will indicate these in the app or onboarding. You can manage cookie and permission settings via your device or browser.
14. Payments
Payment processing is handled by third-party payment processors (e.g., Cashfree, Stripe, Razorpay). We only store payment metadata required for reconciliation (transaction id, amount, date). Complete payment card data is processed by the payment gateway and never stored by us.
15. Data breaches & notifications
In the event of a security incident that risks user rights, we will notify affected users and relevant authorities in accordance with applicable law (e.g., CERT-In in India, supervisory authorities in the EU) without undue delay.
16. Data Safety / Play Console mapping (exact recommended entries)
Use the below mapping when filling Play Console Data safety form. Review and adjust only if a particular SDK or feature is not included in your app build.
| Data type | Collected? | Shared with 3rd parties? | Primary purpose |
|---|---|---|---|
| Identifiers (email, school_id) | Yes | Yes | Authentication, account |
| Contacts (phonebook import) | Only if user enables | No (unless user shares) | Invite contacts |
| Photos/Media (uploads) | Yes | Yes (storage provider) | Documents, IDs, assignments |
| Location | Only if feature enabled | Yes (transport partner) | Bus tracking |
| Financial & payment metadata | Yes | Yes (payment gateway) | Payment processing |
| Usage & Diagnostics (crash logs) | Yes | Yes (Firebase/Sentry) | Performance & stability |
Other Play Console questions (Encryption, deletion, user opt-out): Answer truthfully. We encrypt in transit (TLS) and support deletion requests; admin deletion may be subject to legal retention (e.g., payment logs).
17. How to request deletion, export or corrections
For account data deletion or export:
- School admins: use the Admin dashboard → Compliance → Data export / Delete.
- Parents / Teachers / Students: email privacy@tachy.in with subject line
Data Request: [Export/Delete]. Include your account email and school_id (if available). - We will verify identity and respond within 30 days, or sooner if local law requires a different SLA.
Note: some records (e.g., payment logs) may be retained to satisfy legal obligations.
18. Contact & Data Protection
For privacy inquiries, data requests, or DPO contact:
- Email: support@tachy.in
- Privacy / DPO: privacy@tachy.in
- Demo & Sales: demo@tachy.in
When contacting us include your school_id and account email (if applicable) to help us verify requests quickly.
19. Internal data inventory (developer / auditor copy)
For internal audit and mapping to Play Console Data safety, a copy of your database schema / dump can help identify PII fields. You earlier uploaded a dump to our environment. For internal review only (do not publish this link externally):
Internal file path (for your internal audit): /mnt/data/u780096188_school (50).sql
If you want, we can scan that dump for columns named email, phone, aadhar, student_id, etc., and produce a PII report for Play Console mapping.
20. Changes to this policy
We may update this Privacy Policy to reflect changes in our services, law, or processing activities. Changes will be published with an updated effective date.
21. Governing law
For Indian customers: Indian laws (including the Information Technology Act) govern this policy. For customers in other jurisdictions, local laws (e.g., GDPR) may also apply and we will comply where relevant.
Developer / Compliance notes (internal)
- Before publishing, confirm exact third-party SDKs in your APK/AAB. Common ones to check: Firebase (analytics & crashlytics), Sentry, payment SDKs, ad SDKs.
- Update the Subprocessor list and DPA links in onboarding materials.
- Ensure privacy link in Play Console points to this page and the Data Safety form reflects the mapping in section 16.
CHANGELOG
- 2025-11-19 — Updated Privacy Policy with explicit Data Safety mapping, subprocessors examples, and internal data inventory path for audit.