Privacy Policy

1) Scope, Roles, and Applicability

This Policy applies to all features and services offered via KAMPUS websites, web apps, and mobile apps, including integrations and APIs.

Institutional Relationship: For most campus-management modules, Institutions are the primary data controllers/fiduciaries. KAMPUS generally acts as a data processor on their documented instructions. For certain activities (e.g., our marketing website, account provisioning, fraud prevention, support, billing for direct subscriptions), KAMPUS may act as an independent controller/fiduciary.

This Policy is designed to align with applicable data protection laws in your region (e.g., India’s Digital Personal Data Protection Act, 2023 and allied rules as notified, and—where relevant—laws of other jurisdictions). Where a local law imposes stricter requirements, that law prevails.

2) Definitions (Plain Language)

• Personal Data: Any information that can identify an individual or is reasonably linkable to an individual.
• Processing: Any operation performed on data (e.g., collection, use, sharing, storage, deletion).
• Child/Minor: As per applicable law. In India, a child is typically under 18 years.
• Sensitive or Special Categories: Certain laws define special categories (e.g., health, biometrics). We avoid collecting such data unless the service explicitly requires it and the Institution authorizes it.
• Data Controller/Fiduciary: Entity that determines purposes and means of processing (often the Institution).
• Data Processor: Entity that processes data on behalf of the controller/fiduciary (often KAMPUS for core modules).

3) What Information We Collect

We collect information in the following categories, depending on who you are and how you use the Platform. Exact data elements vary by Institution’s configuration:

• Identity & Contact Data: Name, photograph, IDs, date of birth, contact details.
• Academic & Administrative Records: Admissions, classes, attendance, assessments, grades, certificates, library, hostel, transport, health logs.
• Teacher/Staff Records: Qualifications, rosters, performance.
• Financial & Transaction Data: Fee plans, invoices, receipts, concessions, payment methods (via secure gateways).
• Device, Technical & Usage Data: IP, device IDs, logs, session data, crash reports, diagnostics.
• Location & Communications: Approximate location, messages, support tickets, emails, calls.
• Content You or Your Institution Provide: Documents, assignments, recordings, feedback, surveys.

4) Sources of Information

• Directly from Users (e.g., during onboarding, updates).
• From Institutions and their authorized staff.
• From service providers (e.g., payment processors).
• Automatically via cookies/SDKs, app logs, and device data.

5) Why We Process Data (Purposes)

• Core Service Delivery: attendance, academics, communication.
• Account & Security: authentication, fraud prevention.
• Support & Operations: troubleshooting, analytics.
• Payments & Billing: fee collection, reconciliation.
• Compliance: legal/regulatory obligations.
• Product Improvement: de-identified analytics.
• Communications: transactional and service notices.

6) Cookies, SDKs & Similar Technologies

We use essential cookies/SDKs for login, session management, load balancing, and security. With consent or as allowed by law, we may use analytics to improve performance. We do not use advertising cookies within student experiences.

You can manage cookies in browser/app settings. Disabling essential cookies may affect functionality.

7) How We Share Information

• Institutions and their authorized personnel.
• Service Providers/Sub-processors (hosting, payments, messaging).
• Integrated Apps chosen by the Institution.
• Legal/Regulatory Authorities when required.
• Corporate Transactions with continued protection and notice.

8) International Data Transfers

We may process and store data in India and/or other countries where our service providers operate. Transfers comply with applicable law, safeguards, and institutional agreements.

9) Data Retention & Deletion

Data is retained as long as necessary for services, compliance, and legal obligations. Institutions may define module-specific periods. Upon contract termination, data is deleted/returned per agreements, subject to legal retention and backup cycles.

10) Security Measures

• Encryption in transit (TLS 1.2+) and at rest.
• Role-based access control, confidentiality obligations.
• SSO/MFA, strong password policies, session timeouts.
• WAF, anti-DDoS, hardened environments.
• Secure development lifecycle, penetration tests.
• Continuous monitoring, audit logs.
• Regular backups, disaster recovery plans.

No system is 100% secure. Incidents will be notified without undue delay as per law/contracts.

11) Children’s Privacy

Children may only use the Platform with required consent. We avoid behavioral ads and limit data to educational purposes. Parents may access, correct, or request deletion via Institutions.

12) Your Rights & Choices

• Access, correct, delete your data.
• Withdraw consent, object/restrict certain processing.
• Data portability where applicable.
• Nominate authorized persons (if permitted by law).

Requests should go via your Institution admin or directly to us.

13) Automated Decision-Making & Profiling

KAMPUS does not use automated decision-making with legal effects. Limited analytics/alerts assist staff but do not replace judgment.

14) Third-Party Services & Links

The Platform may link to or integrate with third-party services. Their practices are governed by their own policies. Please review them separately.

15) Accuracy & Responsibility

Users and Institutions are responsible for ensuring accuracy of data entered. If inaccurate, please update via profile or contact Institution/support.

16) Data Breach & Incident Response

We maintain an incident response plan (containment, recovery, review). Affected Institutions/Users will be notified as required by law.

17) Changes to This Policy

We may update this Policy for legal/technical/service changes. Material changes will be communicated via Platform/email. See “Last Updated” date.

18) Contact, Address & Data Protection

19) Jurisdiction-Specific Notices (Summary)

• India: Aligns with Digital Personal Data Protection Act, 2023. Consent for minors, grievance redressal, rights honored.
• EU/EEA & UK: GDPR/UK GDPR rights, transfer safeguards, local reps/DPO as required.
• Other Regions: Local law obligations/safeguards as applicable.

20) Data Processing Addendum (For Institutions)

Our standard Data Processing Addendum (DPA) forms part of Institution contracts and covers roles, confidentiality, security, sub-processing, user rights, breach notification, deletion/return of data, and audits. A copy is available on request.

Annex A — Template Retention Schedule (Indicative)

Annex B — Sub-Processor Categories (Examples)

• Cloud infrastructure & storage providers
• Content delivery and security (WAF/CDN)
• Payment gateways and processors
• Notification gateways (SMS/Email/Push)
• Analytics and diagnostics (operations only)
• Customer support/ticketing tools
• Backup and disaster recovery services

Annex C — Cookie & SDK Table (Template)