Unity Privacy Policy

Effective Date: June 8, 2025

This Privacy Policy describes how UNITY (hereinafter referred to as “we,” “us,” or “our”), a school ERP solution built using the open-source Frappe ERPNext framework, collects, uses, discloses, and protects the personal data of users accessing and utilising our software and services (collectively, “Services”). We are committed to protecting your privacy and handling your personal data in a transparent and secure manner, in compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act, 2023) and other applicable Indian laws. 

By accessing or using UNITY Services, you acknowledge that you have read, understood, and agree to be bound by the terms of this Privacy Policy.

1. Data Fiduciary and Data Principal

• Data Fiduciary: UNITY, as the entity determining the means and purpose of processing personal data, acts as the Data Fiduciary.
• Data Principal: The individual to whom the personal data relates (e.g., students, parents, teachers, administrative staff) is the Data Principal.
• Consent Manager: We may utilise or facilitate the use of a Consent Manager as stipulated under the DPDP Act, 2023, for obtaining, managing, and withdrawing consent.

2. Personal Data We Collect

We collect personal data that is necessary for the provision of our Services and for the efficient management of educational institutions. The types of personal data we may collect include:

a) Data provided by the Educational Institution (Our Client):

This data is typically uploaded or entered by the educational institution into the UNITY system. The educational institution is responsible for obtaining necessary consents from Data Principals where required by law.

• Student Data: Name, date of birth, gender, address, contact information (phone, email), parent/guardian details, emergency contact, academic records (grades, attendance, performance), health information (if relevant for school records), admission details.
• Parent/Guardian Data: Name, relationship to student, contact information (phone, email), address.
• Staff Data (Teachers, Administrative Staff): Name, contact information (phone, email), address, designation, department, employee ID, attendance records, payroll information (if integrated), academic qualifications.
• Demographic Information: Such as nationality, religion, category (if applicable for school records).
• Financial Information: Limited details related to fee payments, if integrated into the ERP (e.g., transaction ID, amount paid, payment status). We do not store sensitive payment card details directly.
• Other Information: Any other data deemed necessary by the educational institution for its operations and entered into the UNITY system.

b) Data Collected Automatically:

• Usage Data: Information about how you access and use the Services, such as IP addresses, browser type, operating system, pages viewed, time spent on pages, and referring URLs.
• Device Information: Information about the device used to access the Services, such as device model, unique device identifiers.
• Cookies and Similar Technologies: We use cookies and similar tracking technologies to enhance user experience, analyse trends, administer the website/application, track users’ movements around the site/application, and gather demographic information. You can control cookie preferences through your browser settings.

3. Purpose of Collecting and Processing Personal Data

We collect and process personal data for the following purposes, with the consent of the Data Principal where required, or on other lawful bases as per the DPDP Act, 2023:

• To Provide and Maintain Services: To facilitate school administration, student management, academic operations, staff management, communication, and other core ERP functionalities.
• To Improve Services: To understand user needs, debug issues, perform data analysis, research, and product development.
• To Communicate: To send important notices, updates, security alerts, and administrative messages.
• To Ensure Security: To detect and prevent fraud, unauthorized access, and other malicious activities.
• To Comply with Legal Obligations: To meet requirements of applicable laws, regulations, and legal processes.
• For Analytics and Reporting: To generate aggregated and anonymized reports for internal use and to help institutions understand their data.

4. Lawful Basis for Processing

We process personal data based on one or more of the following lawful bases as per the DPDP Act, 2023:

• Consent: Where the Data Principal has given consent for one or more specific purposes.
• Legitimate Uses: For a “legitimate use” as defined by the DPDP Act, including but not limited to:

• For the performance of any function under any law.
• For compliance with any judgment or order issued under any law.
• For responding to a medical emergency.
• For provision of a service or benefit to the Data Principal.
• For employment purposes.
• In the public interest.

The educational institution, as our client, is primarily responsible for ensuring that they have obtained the necessary consents or rely on other lawful bases for processing personal data as required by law before uploading or entering data into UNITY.

5. Disclosure and Sharing of Personal Data

We do not sell, rent, or trade your personal data. We may disclose or share personal data only in the following circumstances:

• With the Educational Institution: All data collected through UNITY is accessible by the respective educational institution that is the licensee of the software.
• Service Providers: We may engage trusted third-party service providers (e.g., hosting providers, IT support, analytics providers) who assist us in operating our Services. These providers are contractually bound to protect the confidentiality and security of personal data and to process it only according to our instructions and in compliance with the DPDP Act, 2023.
• Legal Requirements: If required by law, regulation, legal process, or governmental request (e.g., summons, court order).
• Business Transfers: In connection with a merger, acquisition, asset sale, or similar transaction, personal data may be transferred as part of the assets involved. We will notify you of any such change in ownership or control of your personal data.
• With Consent: With your explicit consent.

6. Data Retention

We retain personal data for as long as necessary to fulfil the purposes for which it was collected, to provide our Services, to comply with our legal obligations¹ (e.g., tax, accounting), resolve disputes, and enforce our agreements.

Upon termination of our Services agreement with an educational institution, we will retain data for a reasonable period as agreed upon or as required by law, after which it will be securely deleted or anonymized.

7. Data Security

We implement robust technical and organizational security measures to protect personal data from unauthorized access, alteration, disclosure, or destruction.² These measures include:

• Encryption of data in transit and at rest.
• Access controls³ and authentication mechanisms.
• Regular security audits and vulnerability assessments.
• Employee training on data privacy⁴ and security.
• Data backup and recovery procedures.

While we strive to use commercially acceptable means to protect your personal data, no method of transmission over the Internet or method of electronic storage is 100% secure.⁵ Therefore, we cannot guarantee absolute security.

8. Your Rights as a Data Principal (under DPDP Act, 2023)

As a Data Principal, you have the following rights concerning your personal data, subject to certain exceptions and conditions under the DPDP Act, 2023:

• Right to Information: To obtain information about the personal data being processed, including a summary of such data and processing activities.
• Right to Correction and Erasure: To request correction or completion of inaccurate or incomplete personal data, and to request erasure of personal data under certain circumstances.
• Right to Grievance Redressal: To have a readily available means of grievance redressal provided by the Data Fiduciary.
• Right to Nominate: To nominate another individual to exercise rights in case of death or incapacity.

Requests for exercising these rights should be directed to the respective educational institution, as they are the primary Data Fiduciary for the data entered into UNITY, or to our Grievance Officer where applicable. We will cooperate with educational institutions to fulfil Data Principal requests where technically feasible and legally permissible.

9. International Data Transfers

If, for any reason, personal data processed by UNITY needs to be transferred outside India, we will ensure that such transfers comply with the provisions of the DPDP Act, 2023, and are adequately protected, for instance, through contractual clauses or other lawful mechanisms.

10. Children’s Privacy

UNITY Services are primarily used by educational institutions, which may process personal data of minors (children below 18 years of age). We acknowledge our obligation as a Data Fiduciary when processing children’s data. Educational institutions using UNITY are responsible for obtaining verifiable consent from parents or legal guardians as required by law for the collection and processing of children’s personal data. We do not knowingly collect personal data directly from children without such consent facilitated by the educational institution.

11. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.⁶ We will notify you of any material changes by posting the updated policy on our website or⁷ within the UNITY application and updating the “Effective Date” at the top of this policy. Your continued use of the Services after such modifications will constitute your acknowledgment of the modified Privacy Policy.⁸

12. Grievance Redressal

If you have any questions, concerns, or grievances regarding this Privacy Policy or our data handling practices, please contact our Grievance Officer.

We will endeavour to address your concerns promptly and within the timelines stipulated by applicable laws.