Privacy at a Glance

Table of Contents

  1. Who We Are
  2. Information We Collect
  3. How We Use Information
  4. Sensitive Data & Minors
  5. Information Sharing
  6. Data Storage & Security
  7. Your Rights
  8. Cookies & Analytics
  9. Third-Party Services
  10. Data Retention
  11. Changes to This Policy
  12. Contact & Grievances

1 Who We Are

IDPOINT is a school ID card management application operated at idpoint.in. We provide software tools that help authorized school administrators manage student and staff identity records and generate ID cards.

For the purposes of applicable data protection laws, IDPOINT acts as a data processor for the personal data of students and staff, while the school (administrator) acts as the data controller. The school is responsible for having appropriate legal bases for processing student data before uploading it to our platform.

For questions about this Policy, contact us at: privacy@idpoint.in

2 Information We Collect

We collect two categories of information:

A. Admin/Account Information — Information about the school administrator:

Data Type | Why We Collect It
Name & email address | Account creation and communication
School/institution name | Project setup and identification
Login credentials (hashed) | Authentication and access control
IP address & device info | Security, fraud prevention, and session management
Usage logs (actions, timestamps) | System reliability and debugging

B. Student/Staff Record Data — Entered by the school administrator:

Data Type | Purpose
Full name | ID card generation
Father's name, Mother's name | ID card and record details
Date of birth | Student record completeness
Class & roll number | Class management and filtering
Mobile number | Contact information on ID cards
Address | Record management
School name | ID card header information
Photograph (4×4 square image) | ID card photo generation

3 How We Use Information

We use the information collected for the following purposes:

  • Service Delivery: To store, display, and manage student/staff records and generate ID cards
  • Account Management: To authenticate users and manage admin sessions securely
  • Missing Data Tracking: To compute and display which records have incomplete fields
  • Communications: To send service-related notifications (maintenance, updates, security alerts)
  • Security: To detect and prevent fraudulent activity, abuse, and unauthorized access
  • Service Improvement: To analyze aggregated usage patterns (no individual student data is used for this purpose)

We do not use student data for advertising, profiling, marketing, or any purpose beyond what is described above.

4 Sensitive Data & Minors

Important Notice Regarding Children's Data: IDPOINT processes personal data of students, who may be minors (under 18 years of age). This data is entered by and under the sole responsibility of the school administrator.

4.1 School Responsibility: Schools are solely responsible for:

  • Obtaining appropriate consent from parents or legal guardians before uploading student data
  • Complying with applicable laws regarding children's privacy (including India's DPDPA 2023)
  • Informing students and parents about the purpose of data collection
  • Ensuring only authorized personnel have access to student records

4.2 Photographs: Student photographs are particularly sensitive. They are stored securely on our servers, accessible only to authorized admins of the corresponding school project, and used exclusively for ID card generation.

4.3 No Direct Collection from Minors: IDPOINT does not directly collect any information from students or minors. All data is entered by adult school administrators on behalf of their institution.

Student photographs uploaded through IDPOINT are not publicly accessible. Each photo is served only to authenticated admins of the institution that uploaded it.

5 Information Sharing

We do not sell, rent, or trade any personal data. We may share information only in the following limited circumstances:

  • Service Providers: We use trusted third-party infrastructure providers (cloud hosting, database services) who are contractually bound to process data only on our behalf and under our instructions.
  • Legal Requirements: We may disclose information when required by law, court order, or governmental authority.
  • Protection of Rights: We may disclose information to protect the rights, property or safety of IDPOINT, our users, or the public.
  • Business Transfer: In the event of a merger, acquisition, or asset sale, user data may be transferred. We will provide notice before data is transferred and becomes subject to a different privacy policy.

In all cases, we share only the minimum information necessary and require recipient parties to maintain equivalent data protection standards.

6 Data Storage & Security

6.1 Where Data Is Stored: All data is stored on secure servers. Our primary infrastructure is hosted in India, in compliance with applicable data localization requirements.

6.2 Security Measures: We implement the following safeguards:

  • HTTPS/TLS encryption for all data in transit
  • Hashed and salted password storage (plaintext passwords are never stored)
  • Bearer token authentication with expiry for all API access
  • Role-based access controls — each admin can only access their own project data
  • Regular security reviews and vulnerability assessments
  • Automatic session expiry for inactive sessions

6.3 No Guarantee: Despite our best efforts, no system is completely secure. We cannot guarantee the absolute security of data transmitted over the internet or stored on our servers. You use the Service at your own risk and are encouraged to maintain strong, unique passwords.

7 Your Rights

As an admin user, you have the following rights regarding your data and the data you manage:

Right | What It Means | How to Exercise
Access | Request a copy of your account data | Email us at privacy@idpoint.in
Correction | Update inaccurate personal data | Via app settings or contact us
Deletion | Request deletion of your account and all associated data | Email with subject "Data Deletion Request"
Portability | Export your student/staff records | Contact us for a data export
Objection | Object to specific processing activities | Email with your specific concern
Restriction | Request temporary restriction of processing | Email us with details

We will respond to verified requests within 30 days. Requests may be subject to identity verification.

For student/staff data deletion requests from parents or individuals, please contact your school's administrator, who is responsible as the data controller for that data.

8 Cookies & Analytics

Mobile App: The IDPOINT mobile application does not use web cookies. We use AsyncStorage to store your authentication token and admin session locally on your device. This data remains on your device and is not transmitted to any third party.

Website (idpoint.in): Our website may use:

  • Essential cookies: Required for site functionality (e.g., session management). Cannot be disabled.
  • Analytics cookies: Used to understand aggregated site traffic. No personal data is linked to analytics data.

You can control cookie preferences in your browser settings. Disabling essential cookies may affect website functionality.

9 Third-Party Services

IDPOINT integrates with the following third-party services. Each has its own privacy policy:

  • Camera & Gallery (Device Native): Photo capture uses your device's native camera and photo library. No photos are shared with third parties — they go directly to our secure servers.
  • Cloud Hosting: Our servers run on a managed cloud infrastructure. Data is processed solely for hosting purposes under strict data processing agreements.
  • Fonts (Google Fonts – web only): The website loads fonts from Google Fonts. Google's Privacy Policy applies to font requests.

We do not integrate with advertising networks, social media tracking pixels, or any third-party analytics tools that have access to student data.

10 Data Retention

We retain your data as follows:

  • Active accounts: Data is retained as long as your account is active and the subscription/service is in use.
  • Account deletion: After you request account deletion, we will permanently delete all associated data within 30 days, except where we are legally required to retain it longer.
  • Inactive accounts: Accounts inactive for more than 24 months may be flagged for deletion. We will send a notice before taking any action.
  • Backup data: Deleted data may persist in encrypted backups for up to 90 days before being permanently removed from all systems.
  • Security logs: Login and access logs are retained for up to 12 months for security and compliance purposes.

11 Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make significant changes, we will:

  • Update the Effective Date at the top of this page
  • Display a notice in the app on your next login
  • Send an email notification for material changes affecting your rights

We encourage you to review this Policy periodically. Your continued use of the Service after changes are posted constitutes your acceptance of the revised Policy.

12 Contact & Grievances

For privacy-related questions, requests, or concerns:

Grievance Officer (India – DPDPA 2023): If you are an Indian resident and have concerns about how your personal data is handled, you may contact our Grievance Officer:

  • Name: IDPOINT Privacy Officer
  • Email: grievance@idpoint.in
  • Response Time: Within 30 days of receipt of your complaint

You also have the right to lodge a complaint with the Data Protection Board of India if you believe your rights under the DPDPA 2023 have been violated.