Legal

    Privacy Policy

    Effective date: 23 June 2026. This policy explains how Sevabharathi Trust (R.) and Sevabharathi Vidya Kendra (R.) collect, use, and protect personal information in accordance with the Information Technology Act, 2000, the IT (Reasonable Security Practices) Rules, 2011, and the Digital Personal Data Protection Act, 2023.

    1. Who We Are

    This website (sevabharathi-tth.school) and the school management system are operated by:

    • Sevabharathi Trust (R.) — 'Prerana' Sangha Office, Kuvempu Road, Thirthahalli – 577432, Karnataka. PAN: AABTS7349R
    • Sevabharathi Vidya Kendra (R.) — Raghavendra Badavane, Thirthahalli – 577432, Karnataka. PAN: AAYTS7813H

    Together referred to as "we," "us," or "the School."

    2. What We Collect

    We collect different data depending on how you interact with us:

    A. Students & Guardians (admission & enrolment)

    • Full name, date of birth, gender, religion, caste category (SC / ST / OBC / GM), SATS ID
    • Aadhaar number — collected for government reporting (DISE, scholarship); stored encrypted at rest using AES-256 (Fernet); never returned in full from any API
    • Medical information (blood group, disabilities, allergies)
    • Guardian name, relationship, phone number, email, address
    • Bank account number and IFSC (guardian's, for scholarship / refund disbursement only)
    • Student photograph and scanned documents (stored on Cloudflare R2; accessible only to authorised staff)

    B. Donors

    • Donor name, phone, email, address
    • PAN or Aadhaar number (for 80G tax exemption receipts)
    • Donation amount, payment mode, purpose

    C. Staff (school management system login)

    • Email address and hashed password (via Better Auth)
    • Role (admin / headmaster / teacher)
    • Action logs (who recorded a fee payment, who edited a record)

    D. Public website visitors

    • We do not use Google Analytics, Meta Pixel, or any third-party tracking on public pages.
    • The Contact page map is served by OpenStreetMap (openstreetmap.org) — your IP address is sent to OSM tile servers when the map loads. OSM's Privacy Policy.
    • No personal data is collected from visitors who do not interact with the staff portal.

    3. Why We Collect It

    Data / RecipientPurpose / Basis
    Student & guardian dataGovernment enrolment records, scholarship processing, fee management, Transfer Certificates, statutory reporting (DISE / UDISE)
    AadhaarRequired by Karnataka state government for DISE reporting and scholarship disbursement only
    Medical infoStaff awareness for student safety; not shared with third parties
    Bank accountScholarship / refund transfers to guardian; not used for any other purpose
    Donor PAN / Aadhaar80G income-tax deduction receipts as required under the Income Tax Act, 1961
    Staff login dataSystem access control and audit trail

    4. Storage & Security

    • Database: Student and donor records are stored on Neon (neon.tech), a managed PostgreSQL service. Data is encrypted at rest and in transit (TLS 1.2+). Neon servers are located outside India; see Section 5 for cross-border transfer details.
    • File storage: Student documents and photographs are stored on Cloudflare R2 (cloudflare.com), a global object-storage service. Access requires a server-generated signed URL with a short expiry — direct public access is not possible.
    • Application hosting: The school ERP is hosted on Vercel (vercel.com) with servers outside India.
    • Aadhaar encryption: All Aadhaar numbers are encrypted using industry-standard Fernet symmetric encryption before being stored. The raw number is never logged or returned by any API — only the masked form (XXXX-XXXX-1234) is displayed to authorised staff.
    • SPDI encryption: Bank account numbers and medical information (allergies, conditions, medications) are encrypted using the same standard before storage. These are never returned in plaintext to any API client.
    • Access control: Role-based — only admin and headmaster roles can view sensitive financial data; teacher role is limited to class-level data.
    • Passwords: Never stored in plaintext; hashed using a modern adaptive algorithm before storage.
    • Transport: All connections use HTTPS (TLS). HTTP requests are automatically redirected to HTTPS.

    We follow the security practices prescribed under Rule 8 of the IT (Reasonable Security Practices) Rules, 2011.

    5. Who We Share With

    We do not sell, rent, or trade personal data. Limited sharing occurs only with:

    Data / RecipientPurpose / Basis
    Karnataka state government (DISE / UDISE portal)Student enrolment data as required by law
    Scholarship bodies (e.g. NSP portal)Name, Aadhaar, bank account — mandated by the scheme
    Resend (resend.com) — transactional emailDonor email address, receipt PDF — for sending donation receipts only
    Neon (neon.tech) — databaseAll personal data in the ERP database; data processed under Neon's DPA
    Vercel (vercel.com) — application hostingStaff usage analytics (dashboard only); processed under Vercel's DPA
    Cloudflare (cloudflare.com) — file storageStudent documents and photos stored in Cloudflare R2
    Upstash (upstash.com) — session cacheStaff session tokens; processed under Upstash's privacy policy
    OpenStreetMap FoundationVisitor IP (map embed on Contact page)

    No data is shared with advertisers, data brokers, or unrelated third parties.

    6. Data Retention

    • Student records: Retained for the period required under the Right to Education Act, 2009 and Karnataka state education rules (minimum 7 years after graduation).
    • Fee & donation records: Retained for 7 years as required under the Income Tax Act, 1961.
    • Staff login data: Deleted within 30 days of account termination on written request.
    • Soft-deleted records: Donation void records and deletion requests are retained in audit logs for 7 years for legal accountability; they are not accessible in the normal interface.

    7. Your Rights

    Under the Digital Personal Data Protection Act, 2023 (DPDPA), individuals whose data we hold ("Data Principals") have the right to:

    • Access — request a summary of personal data we hold about you or your child. Email us with subject: "Data Access Request — [Student Name]". We will respond within 7 days.
    • Correction — request correction of inaccurate data. Email us with subject: "Data Correction Request — [Student Name]" and specify the field and correct value.
    • Erasure — request deletion of data no longer required for its original purpose (subject to statutory retention obligations under RTE Act and Income Tax Act). Email us with subject: "Data Deletion Request — [Student Name]".
    • Grievance — raise a complaint with our Grievance Officer (see Section 10). We acknowledge within 48 hours and resolve within 30 days.
    • Nominate — nominate another person to exercise these rights on your behalf in the event of death or incapacity.

    Send all data rights requests to the Grievance Officer at hello@sevabharathi-tth.school with the appropriate subject line as described above. General enquiries: Data Request — [Student Name].

    8. Cookies

    We use only essential session cookies — a single HTTP-only, Secure, SameSite=Lax cookie set when staff log in to the school management system. This cookie expires when the browser session ends or after 7 days, whichever comes first.

    We do not use advertising cookies, analytics cookies, or any third-party tracking cookies. No cookie consent banner is shown on public pages because no non-essential cookies are set for unauthenticated visitors.

    9. Children's Data

    Because we are a school, the majority of personal data we hold belongs to students who are minors. This data is provided by parents or guardians at the time of admission, and collection is necessary to fulfil the school's statutory obligations under the Right to Education Act, 2009 and Karnataka state education regulations.

    We do not collect children's data for commercial purposes and do not disclose it to any party outside of the statutory purposes described in Section 5.

    10. Grievance Officer

    As required under Rule 11 of the IT (Reasonable Security Practices) Rules, 2011, we have designated a Grievance Officer to address any complaints or concerns related to this Privacy Policy or the processing of personal data:

    Grievance Officer — Sevabharathi Trust (R.) & Sevabharathi Vidya Kendra (R.)

    Headmaster, Sevabharathi Higher Primary School

    Soppugudde, Thirthahalli – 577432, Shivamogga District, Karnataka

    hello@sevabharathi-tth.school

    Grievances will be acknowledged within 48 hours and resolved within 30 days of receipt.

    11. Changes to This Policy

    We may update this policy to reflect changes in law or our practices. The effective date at the top of this page will be updated accordingly. Continued use of the website or enrolment in the school after any change constitutes acceptance of the updated policy.

    For questions not covered here, contact us at hello@sevabharathi-tth.school or visit the Contact page.