ServFlo School ERP
Privacy Policy

1. About This Policy

This Privacy Policy describes how IntelFlo Technologies, a proprietorship firm with the product as ServFlo School ERP ("ServFlo", "we", "us", or "our"), collects, uses, stores, shares, and protects information when schools, their staff, students, parents, and authorised administrators use the ServFlo School ERP platform. The platform includes the web-based management dashboard, the ServFlo Teacher mobile application, the ServFlo Parent mobile application, and all associated APIs and backend services (collectively, the "Platform").

By accessing or using the Platform, the school institution and its authorised users agree to the practices described in this policy. Schools that deploy ServFlo on their own on-premise infrastructure remain subject to this policy for their interaction with ServFlo cloud services, while bearing primary data controllership responsibility for data residing on their own servers.

This policy is published in compliance with:

• The Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
• The Digital Personal Data Protection Act, 2023 (DPDP Act) and rules framed thereunder
• Google Play Store Developer Programme Policies
• Applicable data localisation and cross-border transfer regulations of India

2. Who We Are

ServFlo is a product developed and operated by IntelFlo Technologies, a proprietorship firm. IntelFlo Technologies is the parent entity under which two product verticals operate — ServFlo (service industry enterprise software) and ManuFlo (manufacturing industry enterprise software). ServFlo School ERP is the product under the ServFlo vertical, designed to digitise and streamline the complete operational, academic, financial, and communication workflows of educational institutions.

3. Data We Collect and Why

The Platform is operated as a service to schools. Data collected falls into two broad categories: data that schools and their users provide to us for the purpose of receiving our services, and data that is generated automatically as a result of using the Platform.

3.1 School Institution Data

When a school is onboarded to the Platform, we collect institution-level information including the school name, address, contact details, logo, and configuration preferences. This information is used to set up the school's dedicated environment and personalise the Platform for the institution.

3.2 Student Data

Schools upload and maintain student records on the Platform. This includes:

• Identity information such as name, date of birth, admission number, class, section, and roll number
• Family information including father's name, mother's name, parent contact number, and parent email address
• Demographic information such as category, blood group, religion, and residential address, to the extent provided by the school
• Government identification numbers such as Aadhaar number and Samagra ID, where provided by the school in accordance with applicable regulations
• Academic records including attendance, examination results, report cards, achievements, and subject assignments
• Financial records including fee demands, payment history, payment mode, and UPI transaction references
• Library records, transport assignments, and any additional fields configured by the school

3.3 Staff and Teacher Data

Teacher and staff records maintained on the Platform include:

• Identity and contact information: name, email address, phone number, and designation
• Employment information: date of joining, department, employee type, and academic and professional qualifications
• Government identifiers: Aadhaar number and PAN number, where provided by the school
• Financial information: bank account number, bank name, and IFSC code, used exclusively for salary processing within the Platform
• Attendance data: daily punch-in and punch-out times, hours worked, and attendance status
• GPS location coordinates, collected at the time of attendance punch, used solely to verify that attendance is being marked from within the school's geofenced premises

3.4 Parent and Guardian Data

Parent accounts are created by schools to enable communication between teachers and parents. We collect parent name, contact number, email address, and linkage to their child's record. Parents using the ServFlo Parent application may also generate messages, view circulars, and submit fee payments, all of which are recorded to maintain communication history and financial accuracy.

3.5 Device and Technical Data

When any user accesses the Platform through a mobile application or web browser, we automatically collect certain technical data to ensure secure and reliable operation. This includes:

• Internet Protocol (IP) address and approximate network location
• Device type, operating system, and browser or application version
• Session duration, features accessed, and actions performed within the Platform
• Secure authentication tokens stored on the user's device to maintain session security
• Push notification subscription identifiers, used to deliver relevant alerts

This technical data is recorded in our audit logs and is used for security monitoring, troubleshooting, and ensuring the integrity of the Platform. It is not used for advertising or behavioural profiling.

3.6 Camera and Media

The ServFlo Teacher mobile application requests access to the device camera for the purpose of scanning QR codes at school reception as part of the attendance verification process. Camera access is used only at the moment of scanning and no images or video are stored by the Platform. The application may also permit upload of files and documents, such as homework materials, which are stored securely on our cloud infrastructure.

3.7 GPS Location

GPS location data is collected through the ServFlo Teacher mobile application when a teacher chooses to mark attendance using the geo-punch method. The device's precise location is captured at the single moment of the punch action and transmitted to the server, which compares it against the school's configured geofence to determine validity. Location is not tracked continuously, is not stored beyond what is required to record the attendance event, and is never used for any purpose other than attendance verification.

4. How We Use the Data

We use the information collected through the Platform for the following purposes:

• Service delivery: Delivering the contracted school management services including student management, attendance tracking, fee collection, examination management, timetabling, library management, transport tracking, staff management, messaging, and all other modules within the Platform.
• Platform improvement: Analysing aggregated and anonymised usage patterns across the Platform to identify areas for improvement, develop new features, and enhance the overall reliability and performance of the service. No individually identifiable data is used for this purpose.
• Value-added services: Using aggregated and anonymised insights derived from collective platform intelligence to develop and offer value-added services to schools, including but not limited to marketplace services and procurement advisory. Data used for this purpose is stripped of all individual identifiers before analysis.
• Security and compliance: Monitoring platform activity to detect and prevent unauthorised access, fraud, data breaches, and abuse. Maintaining audit logs to support accountability and regulatory compliance.
• Communication: Sending transactional communications related to service availability, system updates, maintenance notifications, and support responses. We do not send unsolicited marketing communications to school users.
• Legal obligations: Processing data as required by applicable Indian law, court orders, or regulatory directions.

5. Legal Basis for Processing

Under the Digital Personal Data Protection Act, 2023, we process personal data on the following legal bases:

• Contractual necessity: Processing student, staff, and institutional data is necessary to fulfil our contractual obligations to the school under the services agreement.
• Legitimate interests: Processing technical and usage data to maintain platform security, prevent fraud, and improve service quality, where such interests are not overridden by the rights of data principals.
• Consent: Where specific processing activities go beyond contractual necessity, such as the introduction of new value-added services, we obtain appropriate consent from schools as the data fiduciaries responsible for their institutional data.
• Legal obligation: Processing required by applicable law, regulation, or court direction.

6. Our Role — Data Fiduciary and Data Processor

The relationship between ServFlo and the schools it serves involves a layered data responsibility structure:

ServFlo as Data Fiduciary: For technical data, platform usage analytics, and data related to our direct relationship with the school as a customer, ServFlo acts as the Data Fiduciary as defined under the DPDP Act, 2023, and is responsible for determining the purpose and means of processing.

ServFlo as Data Processor: For all student, parent, and staff personal data uploaded to the Platform by the school, ServFlo acts as a Data Processor operating on behalf of the school, which is the Data Fiduciary. The school is responsible for ensuring that personal data is uploaded with appropriate authorisation and that data subjects have been informed of its use.

On-Premise Deployments: Schools that choose to deploy ServFlo on their own servers bear primary data controllership and storage responsibility for all data residing on their infrastructure. ServFlo's role in such cases is limited to software licensing and support services. These schools are independently responsible for their data security, backup, and compliance obligations.

7. How We Share Data

Data is shared only in the following limited and defined circumstances:

• Cloud infrastructure providers: Data is stored on secure cloud servers hosted by our infrastructure partners. File attachments, uploaded documents, and media are stored using secure cloud object storage services. These providers process data only on our instructions and under data processing agreements.
• Payment infrastructure: Fee payment transactions processed through the Platform may involve Razorpay or other payment service providers as the payment gateway. These providers process transaction data in accordance with their own privacy policy and applicable RBI regulations. ServFlo does not store complete card or sensitive payment credential information.
• Communication services: SMS, email, and messaging platform notification services may be used to deliver transactional alerts and school communications. These providers receive only the contact details necessary to deliver the specific communication.
• Legal and regulatory disclosure: We may disclose information when required by law, court order, or lawful direction from a government or regulatory authority. We will notify the school wherever legally permissible before making such a disclosure.
• Business transfers: In the event of a merger, acquisition, or sale of substantially all assets of IntelFlo Technologies, school data may be transferred to the successor entity, subject to equivalent privacy protections. Schools will be notified in advance.

8. Data Storage and Security

All data transmitted between user devices and our servers is encrypted in transit using industry-standard encryption protocols. Authentication is implemented using secure token-based mechanisms with defined expiry periods, and passwords are stored using one-way cryptographic hashing. Access to platform data is role-based — each user can access only the data their role and permissions permit within their school's environment.

Each school's data is logically isolated in a dedicated schema within our multi-tenant database architecture. This structural separation ensures that no school can access data belonging to another school on the Platform.

File uploads including UPI payment screenshots, homework attachments, and documents are stored on cloud infrastructure with access controls. All platform actions are recorded in an immutable audit log that captures the user, timestamp, IP address, and nature of the action.

While we implement commercially reasonable and industry-standard security measures, no system is entirely immune to risk. In the event of a data breach that is likely to result in harm to data principals, we will notify affected schools and, where required, the Data Protection Board of India, in accordance with the DPDP Act, 2023.

9. Data Retention

We retain school and student data for the duration of the active services agreement with the school. Upon termination of the agreement, the school may request an export of their data in a standard format. Following a period of ninety (90) days after termination, data is permanently deleted from our systems unless retention is required by applicable law or the school has requested an extended retention arrangement in writing.

Audit logs and transaction records may be retained for a longer period where required by financial, regulatory, or legal obligations applicable to educational institutions under Indian law.

Technical data such as IP address logs and session data is retained for a period of up to twelve (12) months for security and compliance purposes.

10. Children's Data

The Platform processes personal data of students, many of whom are minors below the age of eighteen years. This data is provided to ServFlo by the school institution, which acts as the custodian of such data on behalf of parents and guardians. ServFlo does not collect student data directly from children and does not operate any interface designed for direct use by students below the age of eighteen.

Schools are responsible for obtaining appropriate parental consent for the collection and use of student data where required under applicable law. ServFlo processes student data strictly within the scope defined by the school and does not use it for profiling, advertising, or any purpose beyond institutional service delivery.

11. Rights of Data Principals

Under the DPDP Act, 2023, individuals whose personal data is processed on the Platform have the following rights, exercisable through the school administration or directly with us:

• Right to access: You may request confirmation of whether your personal data is being processed and obtain a summary of the data held about you.
• Right to correction: You may request correction of inaccurate or incomplete personal data.
• Right to erasure: You may request deletion of your personal data where it is no longer necessary for the purpose for which it was collected, subject to legal retention requirements.
• Right to grievance redressal: You have the right to have grievances addressed by our designated Grievance Officer within a reasonable timeframe.
• Right to nominate: You may nominate another individual to exercise these rights on your behalf in the event of death or incapacity.

Requests related to student or staff data held within a school's account should be directed to the school administration in the first instance, as the school is the Data Fiduciary for such data. For data directly held by ServFlo, requests may be submitted to team@servflo.in.

12. Grievance Officer

In accordance with the Information Technology Act, 2000 and the DPDP Act, 2023, IntelFlo Technologies has designated a Grievance Officer to address concerns and complaints relating to the processing of personal data on the Platform.

If you are not satisfied with our response, you may approach the Data Protection Board of India, once constituted under the DPDP Act, 2023, for further redressal.

13. Cookies and Tracking

The ServFlo web dashboard uses session cookies and authentication cookies that are strictly necessary for the operation of the Platform. These cookies maintain your logged-in state and preserve session context across page navigations. We do not use third-party advertising cookies, tracking pixels, or behavioural analytics tools on the Platform.

The ServFlo mobile applications do not use cookies. Authentication state is maintained using secure tokens stored in the device's protected local storage.

We may use privacy-respecting analytics on the Platform's marketing website (servflo.in) to understand visitor traffic. No personally identifiable information is collected through these analytics.

14. Cross-Border Data Transfers

The Platform's infrastructure, including primary database and application servers, is hosted with cloud service providers whose data centres may be located outside India, including within the European Union. File attachments and media are stored using secure cloud object storage services which may similarly operate across international infrastructure.

Where personal data is processed or stored outside India, such processing is subject to appropriate contractual safeguards and is carried out in a manner consistent with the requirements of the Digital Personal Data Protection Act, 2023, and applicable cross-border transfer regulations as notified by the Government of India from time to time. European Union hosted infrastructure operates under the General Data Protection Regulation (GDPR), which provides a high standard of data protection comparable to or exceeding the protections applicable in India.

We continuously evaluate our infrastructure choices to align with evolving data localisation requirements applicable to educational data in India.

15. Third-Party Services and Links

The Platform may integrate with or reference third-party services such as payment gateways, accounting software, SMS providers, and messaging platform services. These third parties operate under their own privacy policies and terms of service. ServFlo is not responsible for the privacy practices of third-party services and recommends that users review the relevant policies of any third-party service they interact with through the Platform.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Platform's features, or applicable legal requirements. The updated policy will be published at servflo.in/school-erp-privacy.html with a revised "Last Updated" date. For material changes that affect how we use personal data, we will notify schools through the Platform or by email at least fourteen (14) days before the change takes effect.

Continued use of the Platform after the effective date of a revised policy constitutes acceptance of the updated terms. If a school does not agree with a material change, it may terminate its services agreement in accordance with its contractual terms.

17. Contact Us

For any questions, concerns, or requests relating to this Privacy Policy or the handling of personal data on the Platform, please reach out to us at:

This policy is governed by the laws of India. Any disputes arising from this policy shall be subject to the jurisdiction of courts in India.