Privacy Policy

Effective Date: January 2026


1. INTRODUCTION

STEPUPNXT WEBTECH PVT LTD ("Company", "we", "us", "our") respects your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our STEP EDTECH ERP Solution ("ERP"), including the web dashboard, mobile application (iOS/Android), and related services.

This policy applies to:

  • Institutions (schools, colleges, universities)
  • Administrators, teachers, and non-teaching staff
  • Students and parents/guardians

By accessing or using the ERP, you agree to the terms of this Privacy Policy. If you do not agree, please do not use the ERP.


2. INFORMATION WE COLLECT

We collect different types of information depending on your role:

| Role | Data Collected |
|---|---|
| Institution | Institution name, address, affiliation details, bank account (for fee collection), contact person name, email, phone number, GST number. |
| Teachers/Staff | Name, employee ID, date of birth, gender, qualification, contact number, email, photograph, salary details (if payroll module used), attendance logs, device/IP info. |
| Students | Name, roll number, class/division, date of birth, gender, parent/guardian names, parent contact numbers & emails, address, medical information (if provided), previous academic records, attendance, exam marks, fee payment history, transport route (if applicable). |
| Parents/Guardians | Name, relationship to student, email address, phone number(s), occupation (optional), communication preferences. |
| System Usage Data | Login timestamps, IP addresses, device type, browser version, app version, pages/modules accessed, feature usage patterns. |

Sensitive Personal Data (if collected) – biometric attendance, caste/category (for scholarships), medical conditions. Such data is collected only with explicit consent from the institution and, where required, from parents/students.


3. HOW WE USE YOUR INFORMATION

We use collected data for the following purposes:

  • To provide ERP services: Attendance tracking, fee management, exam results, timetable, online assignments, communication (SMS/email/in-app notifications), library management, payroll processing.
  • To improve the ERP: Analyse usage patterns to fix bugs, enhance user experience, add new features.
  • To communicate: Send alerts about fee dues, exam schedules, holiday notices, system updates, or security alerts.
  • To ensure security: Detect unauthorized access, prevent fraud, monitor for abusive activities.
  • To comply with legal obligations: Respond to court orders, government requests, or regulatory requirements.

We do not sell, rent, or trade your personal data to any third party for marketing or advertising purposes.


4. DATA SHARING & DISCLOSURE

We may share your information only in the following limited circumstances:

| Recipient | Reason |
|---|---|
| Institution (School/College) | All data (students, parents, staff) is owned by the institution. We share data with the institution’s authorized representatives as per their access rights. |
| Third-party service providers | Cloud hosting (AWS/Azure/Google Cloud), SMS gateway providers, payment gateways (Razorpay, Paytm, etc.), email services. These vendors are contractually bound to use data only for ERP-related purposes and maintain confidentiality. |
| Government/regulatory authorities | If required under Indian law (e.g., RTI, student data for scholarships, court orders). |
| Legal advisors & auditors | For compliance, audit, or dispute resolution. |

No data is shared with advertisers, data brokers, unrelated ed-tech companies, or political organizations.


5. DATA OWNERSHIP & INSTITUTION'S RESPONSIBILITY

  • All student, parent, teacher, and academic data entered into the ERP remains the sole property of the respective educational institution.
  • The institution is responsible for obtaining consent from parents/students (where applicable) before collecting and processing their personal data through the ERP.
  • The institution shall comply with applicable data protection laws, including but not limited to the Digital Personal Data Protection Act, 2023 (India), when handling student/parent data.

6. DATA STORAGE & SECURITY

6.1 Storage Location

All data is stored on secure cloud servers located in India (or as mutually agreed in the MoU). Data is not transferred outside India without explicit written consent from the institution.

6.2 Security Measures

We implement:

  • Encryption: TLS 1.2/1.3 for data in transit; AES-256 for data at rest (databases, backups).
  • Access Controls: Role-based access (admin, teacher, student, parent), with optional multi-factor authentication (MFA) for admins.
  • Regular Audits: Vulnerability scanning, penetration testing (minimum annually), and log monitoring.
  • Backups: Daily automated encrypted backups retained for 90 days.

6.3 Limitations

No security system is impenetrable. In the event of a data breach, we will:

  • Notify the institution within 72 hours of detection.
  • Notify affected individuals (students/parents) if legally required.
  • Take immediate remedial action and cooperate with authorities.

7. DATA RETENTION & DELETION

| Data Type | Retention Period | Action on Termination |
|---|---|---|
| Active institution data (students, staff, academic records) | For the duration of the subscription + 30 days grace period. | After 30 days without renewal, data is permanently deleted from active systems. |
| Backups | 90 days rolling. | After 90 days, backups are overwritten/deleted. |
| Usage logs (IP addresses, login timestamps) | 180 days (for security audit purposes). | Anonymized after 180 days; deleted after 365 days. |
| Financial transaction records (fees, payroll) | 7 years (as per Indian income tax laws). | Retained in encrypted archived form; access restricted to compliance only. |

The institution can request a data export at any time. After termination, a data export must be requested within 15 days; otherwise, data will be deleted as per the above schedule.


8. YOUR RIGHTS (STUDENTS, PARENTS, STAFF)

Depending on your role and applicable law (DPDP Act, 2023), you may have the following rights:

  • Right to Access: Request a copy of your personal data held in the ERP.
  • Right to Correction: Request correction of inaccurate or incomplete data (e.g., wrong phone number, name spelling).
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw it (this may limit ERP functionality).
  • Right to Grievance Redressal: Lodge a complaint with the institution’s nodal officer or directly with our Grievance Officer.

How to exercise your rights:

Contact your institution’s ERP coordinator first. If unresolved, contact our Grievance Officer (details in Section 12).

Note: Students under 18 must exercise these rights through their parent/guardian or institution.


9. CHILDREN’S PRIVACY

The ERP collects data of students who are minors (under 18 years). We do not directly collect data from children without the institution’s authorization. The institution is responsible for obtaining parental consent for collecting and processing student data.

We do not use student data for any purpose other than providing educational ERP services.


10. COOKIES & TRACKING TECHNOLOGIES

The web dashboard uses:

  • Essential cookies: For login, session management, security.
  • Functional cookies: To remember user preferences (language, theme).
  • Analytics cookies: To understand usage patterns (anonymized; can be disabled by institution admin).

No third-party advertising cookies are used.

Users can disable cookies via browser settings, but some ERP features may not function properly.


11. DISCLAIMER REGARDING THIRD-PARTY LINKS

The ERP may contain links to external websites (e.g., payment gateways, government portals). We are not responsible for the privacy practices of those third parties. Please review their privacy policies separately.


12. GRIEVANCE REDRESSAL & CONTACT INFORMATION

If you have any concerns regarding your privacy or data handling, please contact our support team:

Email: support@stepedtech.com
Phone: 80915-80500
Postal Address:
STEPUPNXT WEBTECH PVT LTD
2nd Floor, F-208, Phase -8B, IT Park, Mohali – 160055 (Punjab)

Response Time: We acknowledge complaints within 24 hours and resolve them within 15 business days.

You may also escalate to the institution’s designated nodal person.


13. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time. Material changes will be notified via:

  • In-app notification / email to institution administrators (at least 15 days in advance, where feasible).
  • Posting the revised policy on the ERP login page with a new "Last Updated" date.

Continued use of the ERP after changes constitutes acceptance of the revised policy.


14. GOVERNING LAW

This Privacy Policy is governed by the laws of India. Any disputes shall be subject to the exclusive jurisdiction of courts in Mohali, Punjab.


DECLARATION BY INSTITUTION (To be signed with MoU)

The undersigned authorised representative of the Institution confirms that:

  1. We have read, understood, and agree to this Privacy Policy on behalf of our institution, staff, students, and parents.
  2. We have obtained or will obtain all necessary consents from parents/guardians before collecting student/parent data.
  3. We shall cooperate with the Company in case of any data subject requests or legal inquiries.