Privacy Policy
1. Overview
THSSS ERP is the official school-management application of The Heritage Senior Secondary School, Kashipur (the School). The app is used by school staff, students, and their parents/guardians to access information that the School already holds about its students and employees — fees, attendance, marks, communications, timetable, homework and similar academic and administrative records.
This privacy policy explains what personal information the app handles,
how that information is used, who it is shared with, how long it is kept,
and the choices you have. This policy applies to the THSSS ERP Android
application (Google Play package com.techvm.thsssksp) and
the linked web application served from erp.thsssksp.com.
2. About the app
THSSS ERP is a private, school-internal tool. It is not a public service. Access is limited to people who already have an account created by the School — typically:
- School administrators (the Principal and authorised office staff).
- Teaching and non-teaching employees of the School.
- Currently-enrolled students of the School and their parents/guardians.
You cannot self-register through the app or the website. Accounts are provisioned by the School. If you are reading this policy because the app showed it to you at sign-in, your account was created for you by the School administration.
3. Who controls the data
Data controller (decides what is processed and why)
The Heritage Senior Secondary School is the data controller. The School decides which information about students and employees is collected, who is given an account, and how long records are kept, in line with its existing admission, employment, and academic record-keeping practices.
Data processor (operates the technical platform)
VM Technologies is the technology provider that builds and operates the THSSS ERP platform on the School's behalf. VM Technologies only processes data on the School's instructions; it does not use the information for its own purposes, does not sell it, and does not share it with advertisers.
4. What we collect
The app handles the following categories of information:
Provided by the School (not by you)
| Category | Examples |
|---|---|
| Student profile | Full name, admission number, class & section, gender, date of birth, contact phone, address, parent/guardian names and contact numbers, student photograph. |
| Employee profile | Full name, designation, role, employee phone, email, address, date of birth, joining date, emergency contact, employee photograph. |
| Fee records | Fee head, due dates, fines, discounts, payments collected, transport fees, payment mode, payer notes. |
| UPI payment submissions | When you pay school fees via UPI, the app records: the amount you requested to pay, the screenshot of the UPI confirmation you uploaded, and the transaction remark (formatted as <class>-<first name>-<admission number>, capped at 50 characters). The remark also appears in the school's bank statement so the accountant can reconcile your payment to your child's account. We do not store your UPI PIN, bank account number, or card details — those never leave your UPI app. |
| Academic records | Attendance, exam marks (with statuses Normal/Absent/Medical Leave/Withheld where applicable), letter grades resolved from the school's configured grade scheme, term-end co-scholastic grades (Discipline, Music, Physical Education and similar non-academic subjects), homework, notes, timetable, leave requests, transfer certificates. |
| Teacher remarks | Free-text remarks recorded by teachers against a student's performance: per-subject remarks (e.g. “needs more reading practice”), per-exam class-teacher remarks (e.g. “missed half the paper due to illness”), and term-end holistic class-teacher remarks meant for the report card. Remarks are only visible to a student/parent in the portal after the relevant exam or term has been published by the school administration. |
| Audit information | Record of which staff account performed which action (e.g. who collected a fee, who entered or edited an exam mark, who wrote a remark, who published a result, who changed the examination policy), with timestamp and IP address — used for internal accountability. |
Collected from you when you use the app
| Category | Examples |
|---|---|
| Account & sign-in | Username (typically your registered mobile number or admission number) and password. The password is stored as a one-way salted hash; we cannot read your password. |
| Messages and attachments | Messages you send to staff or students through the in-app Communicate feature, and any files (PDF, image, document) you choose to attach. |
| Photographs and documents | Any photograph or document you upload — for example, when an administrator adds a student photo, or a teacher submits a task deliverable. |
| Device and notification information | Firebase Cloud Messaging (FCM) device token (required to send push notifications), Android version, platform, and a device identifier used only to keep your push token correctly bound. We do not collect your contacts, calendar, location, IMEI, advertising identifier, or browsing history. |
| Operational logs | HTTP error logs (route, status, error message) captured to diagnose technical issues. These are kept for a short period and are not used for advertising or analytics. |
What the app does NOT collect. No location data, no contacts, no calendar entries, no SMS/call logs, no microphone recordings for advertising or analytics, no advertising ID, no browsing history outside the app, no biometrics. We do not use third-party analytics, advertising, or attribution SDKs.
5. How we use it
- To let you sign in and identify you as a staff member, student, or guardian.
- To show fee receipts, dues, attendance, homework, exam results, and timetable that belong to you (or to your child, if you are a guardian).
- To deliver messages and tasks within the School community.
- To send push notifications when something happens that concerns you — for example, a new fee receipt, an attendance mark, a homework assignment, a message, or an exam result becoming available.
- To accept UPI payment screenshots you upload from the parent portal so the school can verify and approve the corresponding fee receipt.
- To produce school documents such as fee receipts, tabulation sheets, and transfer certificates.
- To keep an internal audit trail of staff actions for accountability.
- To debug technical errors and keep the platform reliable and secure.
We do not use your information for advertising, profiling for marketing, or any purpose unrelated to running the School's day-to-day operations.
6. App permissions explained
The Android app requests the following device permissions when needed:
| Permission | Why the app uses it |
|---|---|
| Internet & network state | To connect to the School's secure server to read and update records. |
| Notifications (Android 13+) | To deliver push notifications for fees, attendance, messages, homework, tasks, and exam-result publication. You can turn this off any time from the device's app settings. |
| Camera | Only when you choose to capture a photograph — for example, a staff member taking a student's profile photo or attaching a picture to a message. Optional. |
| Photos & media (READ_MEDIA_IMAGES, etc.) | Only when you choose a photo or video already saved on your phone to attach to a message, task, or profile. Optional. |
| Files / documents | Only when you choose a document (PDF, DOC, XLSX, etc.) to attach to a message, task, or fee record. Optional. |
| Vibration | For brief haptic feedback when you tap a button. No external use. |
The app does not request access to your contacts, calendar, microphone for audio recording, precise location, body sensors, or call logs.
8. Third-party services
| Service | Purpose | Data shared |
|---|---|---|
| Google Firebase Cloud Messaging (FCM) | Deliver push notifications to your Android device. | FCM device token, notification title, short body, deep-link target inside the app. |
| Google Play Services (on Android) | Receive FCM messages on the device. | As required by the platform; no profile or message content sent to Google by us beyond the notification itself. |
We do not embed third-party advertising networks, analytics SDKs (Google Analytics, Firebase Analytics, Crashlytics, Mixpanel, etc.), attribution SDKs, social-login SDKs, or any other third-party tracker.
9. Data security
- All traffic between the app and the server is encrypted using HTTPS (TLS).
- Passwords are stored as one-way salted hashes; the platform cannot recover your plaintext password.
- Sensitive form fields and uploaded files are protected by per-account access controls; you only see what your role and permissions allow.
- Each school's data is stored in a logically separate database (per-tenant isolation), so one school cannot access another school's records.
- Every administrative change is captured in an internal audit log with the actor, timestamp, and IP address.
- Backups are taken on a regular schedule. Backups are stored encrypted on the same secure infrastructure and are retained for a limited time.
No system is perfectly secure. If we become aware of a breach that affects your information, we will notify the School promptly so the School can inform affected users and the relevant authorities as required by law.
10. Data retention
- Active students and employees: Records are kept for as long as you are enrolled or employed at the School.
- Past students and employees: Once a student leaves or an employee separates, their academic and accounting records are retained for the period required by the School's record-keeping policy and by Indian education/accounting regulations (typically several years, for the purpose of issuing transfer certificates, verifying past attendance/marks, and meeting audit obligations).
- Operational logs and backups: Short-lived (typically kept for diagnostic and disaster-recovery purposes only, and then rotated out).
- Push notification tokens: Removed automatically when you uninstall the app or sign out. Inactive tokens are also pruned by the platform when Firebase reports them as no longer registered.
11. Children and minors
The THSSS ERP app is intended for use within an educational setting and will, by its nature, hold information about children (school students). Personal information about students is provided to the platform by the School in the course of its lawful educational activities, with the consent of the parents/guardians that the School obtains at the time of admission.
Student accounts are created and managed by the School. Where a student is a minor, the student's parent/guardian is treated as the responsible adult for the purposes of this policy. Parents/guardians who do not want their child's information in the app should contact the School directly to discuss alternatives.
The app is not designed for, marketed to, or intended for use by children outside the School's enrolment.
12. Your rights
Subject to applicable law (including the Digital Personal Data Protection Act, 2023 in India), you may have the following rights with respect to your personal information:
- Access — ask what information is held about you.
- Correction — ask for inaccurate information to be corrected.
- Erasure — ask for your information to be deleted, subject to lawful retention requirements.
- Grievance — raise concerns about how your information is being handled.
- Withdraw push notifications — turn off notifications any time from the device settings.
Because the School is the data controller, requests of this kind should be addressed to the School (see Contact us). Requests will be answered within a reasonable time, normally within 30 days.
13. How to request account / data deletion
To request deletion of your account or the personal information held about you, send a written request to the School at the contact details below, with:
- Your full name and your role at the School (student/parent/employee).
- Your admission number (for students) or employee ID (for staff).
- Your registered mobile number.
- A short description of the data you want deleted.
The School will verify your identity, action the request, and confirm back. Some information may be retained for legitimate accounting, regulatory, or transfer-certificate purposes even after the rest is deleted — the School will tell you exactly what is being retained and why.
If you simply want to stop using the app, you can uninstall it from your device at any time. Uninstalling does not delete the records the School holds about you on the server.
14. Changes to this policy
We may update this privacy policy from time to time — for example, when we add new features or when a relevant law changes. The "Last updated" date at the top of this page shows when the most recent change was made. For material changes, the School will notify users in-app or by direct message. Continued use of the app after a change means you accept the updated policy.
15. Contact us
The School is the data controller for purposes of this policy. To exercise any of the rights described above, or to ask anything about how your information is handled, please contact:
The Heritage Senior Secondary School
Near Jindal South City, Aliganj Road,
Kashipur, U. S. Nagar, Uttarakhand – 244713, India
Phone: +91 84499 61000
Email: contact@thsssksp.com
For technical questions relating to the platform (VM Technologies is the data processor), the School can forward your enquiry on your behalf, or you may contact the developer directly:
VM Technologies (developer & maintainer)
Website: www.techvm.in
Email: support@techvm.in