Privacy Policy
Last updated: June 2026
This Privacy Policy explains how SchoolMemories ("we", "us", or "our") collects, uses, shares, and protects your personal data when you use the SchoolMemories platform (the "Service"). We are based in Vijayapura, Karnataka, India, and we process personal data in accordance with India's Digital Personal Data Protection Act, 2023 ("DPDP Act").
For data that a school shares with us, the school is the principal Data Fiduciary and we act as a Data Processor on its behalf. For data a parent provides directly (such as a reference photo of their child), we act as the Data Fiduciary.
1. Information We Collect
Account Information
When you register, we collect your name, email address, and school affiliation via Google Sign-In. We do not store passwords — authentication is handled entirely by Google. For delivery over WhatsApp, we also process the parent's phone number (provided by the school roster and/or the parent).
Photos & Facial Data
The Service processes event photos uploaded by school staff and a reference photo of each child (provided by the parent, or by the school with parental consent) to perform AI face matching:
- Event photos are uploaded by authorized school staff and stored in encrypted cloud storage.
- Face data is a mathematical representation (a "faceprint") generated by AWS Rekognition and stored as a Face ID in a per-school, isolated face collection. We store Face IDs (pointers); the underlying biometric template is held within AWS Rekognition.
- Reference photos of children are stored privately and accessed only via short-lived signed URLs after authentication — never as permanent public URLs.
- Parent selfies submitted to search an event are processed in real time and not stored after matching.
- Every new biometric relationship record carries explicit verification provenance (school-roster verified / staff approved / self-claimed), and consent is recorded before face matching or storage.
Usage Data
We automatically collect standard usage data — device type, browser, pages visited, and timestamps — for security, analytics, and improving the Service. IP addresses are hashed; we do not store raw IP addresses.
2. Legal Basis — Consent
Our primary legal basis for processing personal data, including children's photos and facial data, is consent under the DPDP Act. A parent or guardian provides verifiable consent before we create or use a child's faceprint, and that consent can be withdrawn at any time (see Your Rights). Schools confirm they have obtained the necessary consent for photographing children at school events under their own policies.
3. How We Use Your Information
- To provide the core Service: photo upload, AI face matching, and delivering a child's photos to their parent.
- To deliver photos and notifications — in the app, by email, by web push, and over WhatsApp (with consent).
- To manage accounts and the school dashboard.
- To process payments for optional one-time keepsake purchases.
- To secure, maintain, and improve the Service, and to comply with legal obligations.
4. Sub-Processors & Data Sharing
We do not sell your personal data. We share data only with the service providers needed to run the Service:
- The school — uploads event photos and provides class rosters; the principal Data Fiduciary for school-supplied data.
- AWS (Amazon Rekognition) — AI face indexing and matching; faceprints/Face IDs are held in per-school collections (Mumbai region, ap-south-1).
- Cloudflare (R2) — encrypted storage of photos.
- Supabase — database and authentication.
- WhatsApp (Meta Platforms) — delivery of a child's photos and notifications to the parent's WhatsApp number, with consent.
- Razorpay — payment processing for optional keepsake purchases.
- Resend — transactional and notification email.
- Vercel — application hosting and delivery.
- Analytics & error monitoring (PostHog, Sentry, Google Analytics) — product analytics and reliability, using hashed/limited identifiers.
- Law enforcement — only when required by law or to protect rights and safety.
5. Data Security
- Data is encrypted in transit (TLS) and at rest.
- Access to stored data is controlled by Row Level Security (RLS) policies and per-school isolation.
- Children's reference photos are served only via short-lived signed URLs, never permanent public links.
- Sensitive actions are recorded in an audit log; IP addresses are hashed.
6. Children's Data
The Service is operated by and for adults (schools and parents/guardians); children do not create accounts. Under Section 9 of the DPDP Act, processing a child's personal data requires verifiable parental consent, which we obtain before generating or using a child's faceprint. We do not use children's data for tracking, behavioural monitoring, or targeted advertising. A parent can withdraw consent and request full erasure of their child's reference photo and face data at any time.
7. Data Retention
- Event photos: retained while the school maintains an active account; schools can delete events and photos at any time.
- Face data & reference photos: retained while needed to provide the Service, or until the parent requests deletion/erasure. Erasure removes the reference photo, the Face ID/faceprint, and all linked guardian/enrollment records.
- Account data: retained until account deletion is requested.
8. Your Rights (DPDP Act)
Subject to applicable law, you have the right to:
- Access a summary of the personal data we process about you.
- Correct or complete inaccurate data.
- Erase your data, including your child's reference photo and faceprint (self-service in the gallery, or by email request).
- Withdraw consent at any time.
- Seek grievance redressal — raise a concern with our Grievance Officer (below) and, if unresolved, with the Data Protection Board of India.
9. Cross-Border Transfers
Some sub-processors may process data outside India. Where this happens, we rely on the provider's safeguards and process such transfers in accordance with the DPDP Act and applicable regulations.
10. Cookies
We use essential cookies for authentication and session management. We do not use third-party advertising cookies.
11. Changes to This Policy
We may update this Policy from time to time. We will notify users of material changes via email or an in-app notice. Continued use of the Service after changes constitutes acceptance.
12. Contact & Grievance Officer