Sanothimi
SaaS Solutions
Transparency Framework

Privacy Policy.

April 21, 2026 | Data Protection Compliant | Nepal Jurisdiction

Preamble

SchoolSathi ("we," "our," "us," or "the Company") is a school management software-as-a-service (SaaS) product developed and operated by Sanothimi Private Limited, registered in Nepal. We are committed to protecting the privacy and security of all personal information entrusted to us by educational institutions and their stakeholders. This policy is written in compliance with the Individual Privacy Act, 2018 (Nepal) and internationally recognized data protection standards. By using SchoolSathi, you agree to the collection and use of information in accordance with this policy.

PART 1 — DEFINITIONS

"Personal Data" means any information relating to an identified or identifiable natural person.

"Data Controller" refers to the School, which determines the purposes and means of processing personal data.

"Data Processor" refers to the Company, which processes data on behalf of the School.

"Stakeholder" includes school owners, administrators, staff members, students, parents, and legal guardians.

PART 2 — APPLICABILITY AND SCOPE

2.1 This Privacy Policy applies to all individuals whose data is processed through the SchoolSathi platform.

2.2 It covers institutional accounts, user profiles, student educational records, and staff employment data.

2.3 It also applies to visitors of our public marketing website (sanothimi.com.np).

PART 3 — DATA WE COLLECT

3.1 Institutional Data: School name, registration details (PAN/VAT), principal contact info, billing addresses, and digital assets like logos.

3.2 Student Data: Full name, gender, date of birth (BS/AD), blood group, academic performance, attendance, disciplinary records, and health alerts.

3.3 Parent/Guardian Data: Names, contact numbers, email addresses, and relationship to the student.

3.4 Staff Data: Personal identity, qualification records, PAN, PF/SSF retirement fund numbers, salary structures, and employment history.

3.5 Technical Data: IP addresses, browser types, device identifiers, and login audit trails for security monitoring.

PART 4 — PURPOSES OF PROCESSING

4.1 To facilitate school operations: attendance tracking, result management, and portal access.

4.2 To manage financial records: IRD-compliant fee invoicing and staff payroll processing.

4.3 To ensure safety: parent notification via SMS for student entry/exit and emergency alerts.

4.4 To comply with law: maintaining academic records required by the Ministry of Education, Nepal.

PART 5 — LEGAL BASIS FOR PROCESSING

5.1 Contractual Necessity: Processing required to perform the services agreed upon in the Subscription Agreement.

5.2 Legitimate Interests: Ensuring system security, preventing fraud, and improving infrastructure performance.

5.3 Legal Obligation: Complying with Nepal's Tax, Labour, and Education regulations.

PART 6 — DATA ACCESS AND SHARING

6.1 Internal Control: Data is strictly isolated. One school's administrators can never see another school's data.

6.2 Role-Based Access: Teachers can only see data for their assigned classes; accountants can only see financial data.

6.3 Third-Party Providers: We share data with MongoDB Atlas (Hosting), Cloudinary (Media Storage), and authorized SMS gateways. All are bound by strict Data Processing Agreements.

6.4 Legal Disclosure: We disclose data to government authorities only if required by a valid legal warrant or court order under Nepal law.

PART 7 — STORAGE, RETENTION AND DISPOSAL

7.1 Global Infrastructure: Data is stored in the Singapore region (MongoDB Atlas) for high performance and disaster recovery.

7.2 Retention: We retain academic and financial records for 7 years as required by Nepal's regulatory framework.

7.3 Disposal: Upon institutional account termination, data remains in read-only mode for 90 days for export. After 90 days, all data is permanently and securely erased from our primary and backup systems.

PART 8 — DATA SECURITY STANDARDS

8.1 Encryption at Rest: All database records are encrypted using AES-256.

8.2 Encryption in Transit: All data moving between the browser and our servers uses TLS 1.3 encryption.

8.3 Passwords: We use Bcrypt with high salt rounds; we never store plain-text passwords.

8.4 Backups: Daily automated backups are performed with multi-site redundancy.

PART 9 — DATA SUBJECT RIGHTS

9.1 In accordance with Nepal's Individual Privacy Act, 2018, individuals have the following rights:

- Right to Access: View the data stored about you.
- Right to Rectification: Correct inaccurate or incomplete records.
- Right to Deletion: Request erasure of personal data when no longer needed for educational purposes.
- Right to Portability: Receive your data in a structured, machine-readable format.

PART 10 — PROTECTION OF MINORS

10.1 We recognize the sensitivity of student data. Schools are responsible for obtaining parental consent before entering student data into SchoolSathi.

10.2 We do not use student data for marketing, profile-building, or targeted advertising.

10.3 Student photos are used exclusively for institutional documents like ID Cards and Report Cards.

PART 11 — COMMUNICATIONS AND NOTIFICATIONS

11.1 System Alerts: We send SMS/Email notifications on behalf of schools for fees, attendance, and exam results.

11.2 Opt-out: Parents may opt out of optional notifications via their school's administration office.

11.3 No Marketing: We never send marketing or promotional material to staff, students, or parents.

PART 12 — COOKIE AND TRACKING POLICY

12.1 Necessary Cookies: We use secure session cookies for authentication and CSRF protection.

12.2 No Ad-Trackers: SchoolSathi does not use third-party advertising trackers or behavioral pixels inside the application.

PART 13 — INTERNATIONAL DATA TRANSFERS

13.1 By subscribing to SchoolSathi, the School acknowledges and consents to the transfer and storage of data in our cloud infrastructure (Singapore).

13.2 Such locations are chosen to provide security and performance levels that exceed domestic Nepal standards.

PART 14 — BREACH NOTIFICATION

14.1 In the event of a significant data breach, the Company will notify the affected School Admin within 72 hours of discovery.

14.2 We will provide detailed reports and technical assistance to help schools fulfill their individual notification duties.

PART 15 — AMENDMENTS TO THIS POLICY

15.1 This Privacy Policy may be updated periodically.

15.2 Active subscribers will be notified of material changes via email at least 30 days before they take effect.

PART 16 — CONTACT AND GRIEVANCES

For any privacy-related inquiries or to exercise your data rights:

Privacy Officer: privacy@sanothimi.com.np

Institutional Legal: legal@sanothimi.com.np

If grievances remain unresolved, individuals may approach the Department of Information Technology (DoIT) or the relevant administrative authority in Nepal.

Request Data Extract

As an institutional client, you have the right to request a full encrypted copy of your data at any time.