Privacy Policy.
How Infoiles handles personal data - for visitors to this site and for the schools we serve.
Last updated: [date]This Privacy Policy explains how Infoiles handles personal data - both for visitors to this website and for the schools that use the Infoiles Ed platform. It is written for an Indian SaaS that processes the personal data of students (often minors) and Aadhaar-linked identity, under India's Digital Personal Data Protection Act, 2023 (DPDP Act).
1 Who we are & scope
This website and the Infoiles Ed platform are published and operated by [registered legal name], of [registered address], [jurisdiction city/state], India ("Infoiles", "we", "us"). We refer to ourselves as "Infoiles" throughout; the registered legal entity details are above.
This policy covers two things: (a) this marketing website at infoiles.com, including its contact / demo-request form; and (b) the Infoiles Ed platform we provide to schools. Where a school's own agreement with us says something more specific about its data, that agreement also applies.
2 Controller vs processor - an important distinction
Who is responsible for personal data depends on whose data it is and why it is being handled. This distinction shapes the rest of the policy.
The school is the controller
For students, guardians, staff, attendance, fees, documents and Aadhaar-linked identity, the school is the data controller (data fiduciary) and Infoiles is the processor - we act only on the school's documented instructions.
Infoiles is the controller
For data a visitor gives us about themselves through this website (for example, a demo enquiry), Infoiles is the controller and decides how that data is used.
3 Data we collect
(a) Marketing / contact-form data - given to us directly
When you contact us or request a demo through this website, we collect what you provide:
- your name, school name and role;
- your email address and phone number;
- any message you choose to send us; and
- basic technical metadata recorded with the submission (such as the time, IP address and browser) to help prevent spam and abuse.
(b) School-side data - processed on behalf of schools
When a school uses Infoiles Ed, we process the data it puts into the platform to run the service. This is collected and controlled by the school; we process it on the school's instructions. It can include:
- student, guardian and staff details (demographics, contact details and profiles);
- academic records - classes and sections, attendance, marks and report cards;
- fees, invoices and receipts, and supporting documents the school uploads; and
- Aadhaar-linked identity verified through DigiLocker - handled as described in section 5 (Aadhaar is never stored in full).
4 How & why we use it; legal basis
Marketing data. We use the details you submit through the form solely to respond to your enquiry and arrange a demo. As the controller for this data, our basis is your consent (given when you submit the form) and our legitimate interest in responding to a request you have made of us.
School data. We use school-side data only to provide and operate the platform on the school's instructions - for example, generating receipts, producing report cards, or running attendance. We process it under the school's authority as the data fiduciary.
We do not sell personal data, and we do not use it for unrelated profiling or advertising.
5 DigiLocker / Aadhaar handling
Where a school chooses to verify identity, Aadhaar is verified through the government's DigiLocker (Meri Pehchaan) service. Aadhaar is never stored in full. We retain only:
- a masked form of the Aadhaar number (for example, XXXXXXXX1234);
- the last four digits; and
- an opaque DigiLocker token recording that verification took place.
Aadhaar verification is optional - schools can admit students and onboard staff without it. This mirrors the platform's actual security posture: even a database backup never contains a full Aadhaar number.
6 Payment data (CCAvenue)
Online fee payments are processed through CCAvenue's hosted checkout. Card details are entered on CCAvenue's secure pages, not on ours.
- No card data is stored on our systems - no card number, no PAN, no CVV. This keeps the payment path within a reduced PCI scope (SAQ-A).
- We retain only non-sensitive transaction references (such as a transaction ID and amount) needed to reconcile payments and issue receipts.
7 Cookies & analytics
This marketing website is built to be lightweight. Our default posture is minimal, essential cookies only, with no third-party tracking or advertising cookies.
8 Sharing & sub-processors
We do not sell personal data. We share data only with the limited sub-processors needed to run the service, each under appropriate terms:
- CCAvenue - online fee payments (hosted checkout).
- DigiLocker / Meri Pehchaan - optional Aadhaar identity verification.
- LiveKit - media for self-hosted live online classes.
- Our hosting / infrastructure provider - [hosting / infrastructure provider].
We keep this list current. [Counsel / owner to confirm and maintain the sub-processor list.]
9 Data retention
We keep personal data only as long as needed for the purpose it was collected:
- Marketing leads from the contact form are kept for as long as needed to respond and follow up on your enquiry [specify period].
- School-side data is retained for as long as the school uses the service, and otherwise handled per the school's instructions and agreement (export, return or deletion on termination).
- Audit logs are retained per the platform's audit-log retention policy [specify period].
[Specify exact retention periods with counsel.]
10 Security measures
We take protecting personal data seriously and apply, among others:
- Per-school data isolation - each school runs in its own isolated database; one school's data is never mixed with another's;
- Encryption of sensitive credentials, and encrypted, rate-limited logins that time out when idle;
- Access control (RBAC) - staff access is role-based with per-user overrides, and de-activation can take effect mid-session; and
- an append-only audit trail of sensitive actions that cannot be edited or deleted.
No method of storage or transmission is ever 100% secure, but we work to protect personal data using measures appropriate to its sensitivity.
11 Children's data
The platform handles the personal data of students, who are often minors, on behalf of schools. Under the DPDP Act 2023, the school is the data fiduciary and is responsible for obtaining the necessary parental / guardian consent. Infoiles processes children's data only on the school's instructions and does not use it for any independent purpose.
12 Your rights under the DPDP Act 2023
Subject to the DPDP Act and its rules, you may have the right to:
- access a summary of the personal data we hold about you and how it is processed;
- correct, complete or update inaccurate or incomplete data;
- erase data that is no longer needed for the purpose it was collected;
- withdraw consent you previously gave (without affecting earlier lawful processing); and
- grievance redressal - raise a concern and have it addressed.
13 Grievance officer & contact
To exercise a right or raise a grievance, contact our Grievance Officer:
- Grievance Officer: [Grievance Officer name / designation]
- Email: contact@infoiles.com
- Phone: +91 8448570294
- Registered address: [registered address]
We will acknowledge and respond to requests within the timelines required under the DPDP Act and its rules. [Counsel to set the exact response timelines.]
14 Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of the page reflects the latest version. Where changes are material, we will notify affected parties [how - e.g. email / in-app notice].