Privacy Policy

How EduSystem collects, uses, and protects your information

Effective Date: 21 February 2026  |  Last Updated: 21 February 2026

1. Introduction

EduSystem ("we," "our," or "us") operates a cloud-based education management platform (the "Service") designed to help educational institutions manage learners, assessments, grades, attendance, incidents, and finance. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you or your institution uses our Service.

By using our Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please discontinue use of the Service.

2. Information We Collect

2.1 Information Provided by Institutions

  • Institution name, registration details, and contact information
  • Administrator and staff profiles (names, email addresses, roles)
  • Learner records (names, dates of birth, enrollment data, academic history)
  • Guardian and parent contact information linked to learner profiles
  • Assessment results, grades, attendance records, and incident reports
  • Financial records relating to learner accounts

2.2 Information Collected Automatically

  • Login timestamps and session data
  • IP addresses and device/browser information (user agent)
  • API usage logs and activity audit trails

2.3 Authentication Data

We use Firebase Authentication for identity verification. We receive and store authentication tokens but do not store raw passwords. Sessions are managed securely via Redis with automatic expiry.

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Service
  • Authenticate users and manage sessions securely
  • Enforce multi-tenant data separation between institutions
  • Generate reports, assessments, and analytics for institutional use
  • Send administrative communications such as account changes and system notices
  • Comply with applicable legal obligations
  • Improve and develop the Service

4. Data Separation and Multi-Tenancy

Each institution's data is strictly isolated. We implement account-level data scoping to ensure that no institution can access another institution's data. Administrative access to raw data is restricted to authorised EduSystem personnel only, under strict confidentiality obligations.

5. Data Sharing and Disclosure

We do not sell your personal data. We may share data only in the following circumstances:

  • Service Providers: Third-party vendors who assist in operating the Service (e.g., cloud hosting, authentication providers), bound by confidentiality agreements
  • Legal Requirements: When required by law, court order, or a competent government authority
  • Business Transfers: In connection with a merger, acquisition, or asset sale, with prior notice to affected institutions
  • With Your Consent: For any other purpose with your explicit written consent

6. Data Retention

We retain personal data for as long as an institution's account is active or as required to fulfil legal or contractual obligations. Upon account termination, institutions may request a data export. Data is deleted within 90 days of account closure unless we are legally required to retain it longer.

7. Children's Privacy

Our Service processes data relating to minors (learners) on behalf of educational institutions. This data is provided by the institution, which acts as the data controller. We process this data solely as a data processor under the institution's instructions and in accordance with applicable law.

Parents or guardians wishing to access, correct, or delete their child's information should contact their institution's administrator directly.

8. Security

We implement industry-standard security measures including:

  • Redis-based session management with automatic token expiry
  • Account-scoped data access controls
  • Role-based permission management
  • HTTPS encryption for all data in transit

No method of transmission over the internet is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.

9. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate or incomplete data
  • Delete your data, subject to legal obligations
  • Restrict or object to certain processing activities
  • Receive your data in a structured, machine-readable format (data portability)
  • Withdraw consent at any time where processing is based on consent

To exercise these rights, contact your institution's administrator or reach out to us directly at the contact details below.

10. Cookies and Local Storage

We use session cookies and local storage for authentication and user preferences. We do not use third-party advertising or tracking cookies.

11. Changes to This Policy

We may update this Privacy Policy periodically. We will notify institutions of material changes via email or in-platform notice at least 30 days before changes take effect. Continued use of the Service after that date constitutes acceptance of the updated policy.

12. Contact Us

For privacy-related enquiries, please contact us: