Enacute Solutions India Private Limited ("Enacute", "we", "us", or "our") operates the School ERP Platform, including the web portal hosted at onlineschoolerp.com, all dedicated school-specific subdomains (e.g., school-a.onlineschoolerp.com), and associated mobile applications (collectively, the "Platform").
This Privacy Policy explains how personal data is collected, used, disclosed, and safeguarded when educational institutions ("Clients" or "Schools"), administrators, teachers, staff, parents, and students (collectively "End Users" or "you") interact with our SaaS-based School ERP platform.
1. Our Role in Data Processing: Controller vs. Processor
To understand your privacy rights, it is critical to identify the legal relationship between the School, Enacute, and the End Users:
- The School as Data Controller: The School contracting our services has sole administrative control over its designated subdomain. The School determines what student, parent, and employee data is uploaded, how long it is kept, and who receives access permissions. As the Data Controller, the School is responsible for obtaining necessary parental consents and answering user data rights requests.
- Enacute Solutions as Data Processor: We process all personal data strictly on behalf of, and under the written instructions of, the School. We act as the Data Processor. We do not own, sell, or use Client Data for independent marketing or advertising purposes.
2. Information We Collect
We process personal data across various platform modules to automate school operations, facilitate communication, and handle administrative workflows as outlined in School-ERP.pdf.
2.1 Information Uploaded by the School (Administrative & Academic Data)
The School administrators and teachers input the following baseline data:
- Student Information: Full name, date of birth, unique student ID, admission number, roll number, class/division, emergency contacts, academic grades, attendance logs, homework submissions, and library circulation history.
- Staff Information: Full name, designation, contact numbers, email address, qualification records, department, class timetable schedules, and payroll/HR administrative details.
2.2 Information Collected from Parents & Guardians (Parent App)
When parents use our parent mobile application, we collect or process:
- Profile & Contact Details: Full name, relationship to student, physical mailing address, billing address, phone number, and email address.
- Student Feedback: Responses to surveys, feedback submitted to teachers/principals, and interactive chat histories.
- Student Photos & Media: Profile pictures and student images uploaded to the "School Event Gallery" with the School's permission.
2.3 Financial, Escrow, and Transactional Data (Fee Management & e-Mandate)
To manage tuition fees, bus charges, and recurring billing, the platform integrates with certified banking frameworks. The processing scope depends on the payment routing option selected by the School:
- Pathway A (Direct Merchant Routing): If the School utilizes its proprietary merchant configuration, Parents process payments via integrated Payment Aggregators that route proceeds directly into the School’s bank account. Under Pathway A, Enacute only processes transaction status flags, references, and amounts strictly to update the student's ledger balances, and retains no operational contact with transaction funds.
- Pathway B (Optional Escrow Routing): If the School opts into Enacute's Escrow-Managed Settlement Program, digital transactions clear through our integrated, licensed third-party Payment Aggregators directly into our bank-managed Escrow Account. During this stage, transaction references, amounts, student/school identifiers, and settlement statuses are processed to execute automated ledger updates and facilitate final T+2 settlements.
- Shared Parameters (Applicable to Both Pathways): Payment Aggregators securely process transaction routes via UPI, RuPay, Visa, MasterCard, GPay, Paytm, PhonePe, Net Banking, and Bank Transfers. Neither Enacute nor the Payment Aggregators store raw credit card numbers, CVVs, or online banking passwords on our servers.
- e-Mandates: If a Parent/Guardian sets up an e-mandate for automated recurring collections, Payment Aggregators securely store and process the authentication token, bank mandate reference number, and payment schedule details.
2.4 Geolocation and Transit Data (Transport Management)
To enable live bus tracking for child safety:
- Driver Telemetry: The Bus Driver and Transport Head applications transmit continuous, real-time GPS coordinates (latitude, longitude, speed, and heading) while transport vehicles are actively in transit.
- Parent Access: Parents are granted restricted, real-time access to track the bus assigned to their specific child's route. This location data is cached temporarily for active tracking and is not stored permanently beyond what is logistically required.
2.5 Technical & Device Information (Automated Logging)
When any user logs into the browser platform or mobile apps:
- Log Data: IP address, device type, operating system version, browser type, login timestamps, and system activity logs (e.g., updates to grade reports, attendance marks).
- Cookies: We use session cookies to keep users securely authenticated as they navigate their specific subdomain. No cross-site tracking or advertising cookies are utilized.
3. How We Use Your Information
We use the processed data solely to deliver, secure, and improve the SaaS functionalities ordered by the School:
- Academic Execution: Compiling grade reporting, managing classrooms, scheduling exams, and processing library check-outs.
- Operational Administration: Managing school calendars, automating daily student/staff attendance, and distributing assignments.
- Billing, Escrow Settlement, and Accounting: Generating invoices, monitoring payment flows, executing T+2 escrow payouts (reconciled from Payment Aggregator collections) for schools opted into the Escrow program (Pathway B), and processing e-mandate recurring collections.
- Logistics and Safety: Rendering live GPS coordinates of transit routes to parents and admins.
- System Security: Monitoring for unauthorized cross-tenant subdomain probing, system vulnerabilities, and abnormal login activities.
4. Data Sharing & Third-Party Integrations
We do not sell, rent, or trade your personal data. We only share information with third-party services that are essential to executing the Platform's core functionalities:
- Third-Party Payment Aggregators: Secure payment transaction data is shared with and processed by our integrated, RBI-authorized Payment Aggregator partners (such as Paytm, PhonePe, Razorpay, or Cashfree) to safely clear digital deposits.
- Escrow Banking Partners: If the School is enrolled in Pathway B, aggregated collection and settlement data are shared with our partner commercial banks maintaining the Escrow Account to execute final payouts to schools on a T+2 basis.
- SMS and Email Delivery Services: Contact phone numbers and email addresses are processed by bulk communication service providers to deliver vital notices, homework updates, fee reminders, and emergency alerts.
- Mapping and Navigation Services: Transit GPS telemetry is securely mapped using external mapping APIs (such as Google Maps API) to render real-time transit positions inside the Parent and Admin interfaces.
- Hosting Providers: All data is securely hosted inside logical databases within enterprise-grade cloud computing environments.
- Legal Requirements: We may disclose personal data if required to do so by applicable Indian law, court order, or formal request from cyber safety/governmental regulators.
5. Tenant Isolation, Storage, and Security
5.1 Subdomain-Level Isolation
Enacute employs strict logical tenant isolation architectures. Data residing within a customized subdomain (e.g., school-a.onlineschoolerp.com) is structurally quarantined at the database level and cannot be accessed, read, or queried by administrators or users from another school's subdomain (e.g., school-b.onlineschoolerp.com).
5.2 ISO/IEC 27001:2022 Certification & Security Guardrails
We protect personal data through a multi-tiered security defense framework. Enacute Solutions India Private Limited is an ISO/IEC 27001:2022 certified organization, indicating that our Information Security Management System (ISMS) has been rigorously audited and certified to meet the highest global standards for data protection:
- Information Security Management (ISMS): Our platform development, customer data administration, and operational systems are managed under strict ISO/IEC 27001:2022 policies, guaranteeing routine risk assessments, employee background checks, security training, and vulnerability management.
- Encryption: Data is encrypted during transmission using Transport Layer Security (TLS 1.3) and at rest on our secure hosting servers using industry-standard AES encryption keys.
- Role-Based Restrictions: Granular authorization levels ensure a security guard, teacher, driver, accountant, or student can only access the exact data modules assigned to their functional role.
- Session Integrity: Users are automatically logged out after a set period of inactivity to prevent unauthorized physical terminal access.
6. Children’s Data Privacy
Our platform is purposely designed to process student data, which includes minors. Because of this:
- The Consent Mandate: The School acts as the principal interface and warrants that it has collected the legally binding parental or guardian consent required under local laws—including the Indian Digital Personal Data Protection (DPDP) Act—before registering any student profiles.
- No Direct Registration: Students cannot independently sign up or register for an account on the Platform. All student profiles must be provisioned directly by the authorized School Administration.
7. Data Retention and De-Onboarding
- Active Retention: We retain your personal data for as long as your School maintains an active subscription with us.
- Termination and De-Onboarding: Upon termination or expiration of the School's subscription, the School has a thirty (30) calendar day window to request a secure export of all database entries.
- Permanent Deletion: Following this 30-day window, Enacute permanently purges all active databases of the School's Client Data and de-provisions the customized subdomain to prevent residual data storage. Backups are overwritten in normal rotational cycles.
8. User Rights (Access, Correction, and Erasure)
Under applicable regulations (such as the DPDP Act in India), users have rights regarding their personal data, including accessing their records, correcting inaccuracies, and requesting erasure.
- Exercising Your Rights: Because we act as a Data Processor, all requests for access, correction, or deletion of student or parent records must be submitted directly to the School's administration.
- Processing Requests: Once the School validates and approves a data amendment or deletion request, our technical support team will execute the necessary database alterations within the timeline mandated by local regulations.
9. Amendments to this Privacy Policy
We reserves the right to modify this Privacy Policy to reflect changing legal, technical, or business standards. In the event of material changes:
- We will notify the School's primary administrators at least thirty (30) days prior to the changes taking effect.
- The School is responsible for communicating updated policies to its parents, teachers, and student communities. Continued use of the platform after the update window constitutes acceptance of the revised policy.
10. Contact Information
If you have any questions, concerns, or grievances regarding this Privacy Policy or our data security practices, please contact our Data Protection Officer (DPO):
Office Address: Pune, Maharashtra, India
Web Portal: onlineschoolerp.com
Email Address: privacy@enacute.com
Contact Number: +91 8956959697 / +91 7387524023