Nest ERP by Emmple — Privacy Policy

1) Roles: Schools vs. Wisflux

• When a school or organization (the “School”) uses Nest, the School typically acts as the data controller for student/staff/parent data. Wisflux acts as the School’s data processor and processes data under the School’s instructions and our data processing terms.
• Wisflux may act as an independent controller for limited data such as our account/billing contacts, product analytics, security logs, and compliance records needed to operate and protect the Service.
• Parents/guardians seeking to exercise rights relating to school‑managed accounts should contact the School; we will support the School in fulfilling requests.

2) Information We Collect

2.1 Information you or your School provide

• Student lifecycle: student profiles, admission details, enrollment history, sessions/sections, promotions/retentions, guardians/contacts.
• Fees & receipts: fee plans and items, discounts/taxes, payment attempts and status, QR/UPI references, uploaded proofs (e.g., screenshots), receipt templates and issued receipts.
• Grades & attendance: daily attendance, grades/marks, class/grade views, statistics and history.
• Exams & reports: exam schedules, admit cards, results (when available), report configurations.
• Staff & shifts: employee profiles, designations/roles, rosters, attendance (including biometric status when enabled), shift and leave records.
• Transport: vehicles, routes/stops, passenger assignments, driver/attendant details, alerts; optional GPS/location events where enabled.
• Notices & feedback: notices, targeted distribution lists, acknowledgements, feedback, and responses.
• Parent app: parent/guardian accounts, requests (e.g., leave), proof uploads, and acknowledgements.
• Support & feedback: messages to support, survey inputs, issue descriptions.

2.2 Information collected automatically (Usage Data)

• Device & log data: IP address, device identifiers, OS, browser/app version, pages/screens, timestamps, referrer, session duration, crash logs, diagnostics.
• Cookies & similar tech: session/auth cookies, preference cookies, and analytics tags to keep you signed in, remember settings, and measure usage.

2.3 Integrations and other sources

• Identity/SSO: optional Google SSO for staff/admins (basic profile and email).
• Payments: UPI/QR and/or gateway providers provide payment status/metadata; we do not collect full card details through Nest.
• WhatsApp/SMS: message status and delivery metadata from communications providers.
• Biometric devices: when a School connects biometric attendance, device/vendor systems provide match events and status to Nest.

We do not intentionally collect special categories of data such as health information. If a School enables biometric attendance, we recommend avoiding storage of raw biometric templates in Nest; see Section 7.

SSO scope minimization: When you use Google SSO, we request only basic profile and email to create or sign you in. We do not maintain ongoing access to your Google account or request additional scopes without your explicit action and consent.

3) How We Use Information (Purposes)

We use personal information to:

1. Provide the Service: manage student lifecycle, fees/receipts, grades/attendance, exams/reports, staff/shifts, transport assignments/alerts, notices/feedback, and parent apps; issue admit cards and receipts; operate role‑based access and audit; and provide WhatsApp/SMS communications where configured.
2. Improve and secure Nest: analytics, diagnostics, testing, bug‑fixes, fraud/abuse prevention, performance/reliability, and security monitoring.
3. Communications: service messages, feature updates, policy changes, and support replies; WhatsApp/SMS where configured by the School.
4. Compliance & enforcement: comply with law, respond to lawful requests, enforce terms, and protect users and our platform.

Marketing communications (adults only): We may send optional product updates and offers to adult contacts (e.g., School admins). Parents and students do not receive marketing messages from Nest. You can opt out anytime via unsubscribe or by emailing [email protected].

We do not use children’s data for behavioral advertising and do not use third‑party advertising cookies.

4) Cookies & Similar Technologies

• Essential cookies (e.g., session, CSRF, auth) to run Nest.
• Preference cookies to remember settings (language, view).
• Analytics tags/SDKs to understand usage and improve features.

We do not use third‑party advertising cookies. A cookie/preferences control will be available in Settings > Privacy. Until then, you can manage cookies in your browser/app settings. If you prefer to opt out of non‑essential analytics before the in‑app control is available, email [email protected] with the subject “Analytics Opt‑out” and your account email; we will apply the preference where technically feasible. Blocking essential cookies may affect core functions.

5) When We Share Information

• Service providers (processors): hosting, delivery, analytics, email/SMS/WhatsApp, logging/security — under contract and only as necessary.
• Schools and guardians: access to student/staff/parent records is governed by School roles and permissions; parents/guardians may view their child’s relevant records where enabled by the School.
• Payments: with payment providers to process QR/UPI/gateway transactions and reconcile status; we do not store full card details in Nest.
• Transport: where enabled, transport status/alerts may be shared with authorized parents/guardians and staff.
• Legal & safety: regulators, courts, or law enforcement when required by law or necessary to protect rights, safety, or integrity.
• Business transfers: if we restructure, merge, or sell assets, information may be transferred with continued protections and advance notice.

We do not sell personal information.

Subprocessors: We use vetted subprocessors to help deliver Nest. We limit access to the minimum necessary and require confidentiality and security commitments.

Categories of subprocessors include:

• Hosting and infrastructure (e.g., cloud compute, storage, networking)
• Email and in‑app notifications
• SMS/WhatsApp delivery (where enabled)
• Payments (where enabled)
• Analytics and diagnostics
• Logging and security monitoring

We will provide notice of material changes to subprocessors where required by law or contract. Institutions can request subprocessor update notifications by emailing [email protected] with the subject “Subprocessor Updates”.

6) Payments & Financial Data

• QR/UPI and gateways: Payment references, status, and limited metadata are processed to reconcile fees and issue receipts. Card numbers and CVV are handled by payment providers, not Nest.
• Proofs: If parents upload payment proofs (e.g., screenshots), these may contain bank/payment details; Schools should instruct families to mask sensitive data where possible. Proofs are used only for verification and reconciliation.
• Receipts & taxes: Receipt templates and tax/discount configurations are stored for issuance; tax treatments are configured by the School.
• Receipts entity details: Invoices and receipts display Wisflux’s legal entity name and address; line items may reference product branding (e.g., Nest) and applicable taxes.

7) Attendance & Biometrics (If Enabled)

• Biometric attendance is optional and configured by the School. Nest may receive match events, user IDs, timestamps, and device metadata from School‑provisioned devices/vendors.
• Storage options: Depending on configuration, the School may elect to store biometric templates in Nest and/or with a connected vendor/device. If stored in Nest, templates are encrypted at rest, access is restricted to authorized roles, and processing is limited to attendance and audit purposes. If stored only on devices or with a vendor, Nest typically stores match outcomes and audit logs (not raw templates).
• Retention defaults: Schools configure how long biometric templates (if stored in Nest) are retained. We recommend a maximum of 12 months retention for templates unless a longer period is legally required or operationally justified by the School. Match outcomes and audit logs typically follow the School’s attendance record retention policy.
• Schools are responsible for having a lawful basis and providing notices/consents for biometric processing (including template storage and retention settings). We support Schools in honoring requests and securing these data flows.

8) Transport & Location (If Enabled)

• Transport modules may process school‑owned or school‑managed vehicle identifiers, routes/stops, driver/attendant details, and passenger assignments.
• If GPS is enabled for School vehicles, devices may send approximate location events to support status and alerts (e.g., bus approaching); continuous tracking is not required for core functions and is configurable by the School.
• Location visibility is limited to authorized staff and parents/guardians of assigned passengers.

9) WhatsApp/SMS Communications (If Enabled)

• Nest may send transactional notices (e.g., fee reminders, attendance summaries, events/notices) via WhatsApp/SMS using approved providers.
• Phone numbers and message metadata are processed by those providers under their policies. Schools are responsible for ensuring appropriate consents. Recipients can opt out per channel instructions or by emailing [email protected].

10) International Processing & Cloud Providers

We use servers and services of popular global cloud providers such as AWS, Cloudflare, and DigitalOcean, with datacenters in the US, Europe, or India. When data moves across borders, we apply contractual and technical safeguards (e.g., encryption, access controls) to maintain protection comparable to applicable requirements (including India’s Digital Personal Data Protection Act, 2023).

Regional addenda for specific jurisdictions (e.g., EEA/UK, California) appear below. As an India‑based company, our initial operations are focused on India; when we begin offering services in additional regions, we will publish and apply region‑specific notices and mechanisms as required by law.

11) Retention

We retain personal information only as long as necessary for the purposes in this Policy or as required by law. Retention is purpose‑ and role‑based.

• Student/staff records: as directed by the School and/or as required by applicable education and employment laws.
• Fees & receipts: as required for accounting/tax compliance and School policies.
• Analytics/logs: typically up to 90 days for diagnostics and security.
• Backups: 30–90 days with secure rotation.
• Support records: up to 24 months.
• Biometric match logs (if enabled): limited to what is necessary; typical retention aligns with attendance record retention set by the School.

Deletion requests: For School‑managed accounts, contact the School. For Wisflux‑managed records (e.g., account/billing contacts), after verification, we aim to complete deletion within up to 45 days, except where we must retain data for legal, security, or dispute reasons. Data in backups is not actively used and expires on schedule.

12) Your Rights

Subject to law and the School’s role as controller, you may:

• Access your data and receive a copy.
• Correct inaccurate or incomplete data.
• Delete data in certain circumstances.
• Withdraw consent where processing relies on consent.
• Complain to our Grievance contact and, if unresolved, to the appropriate authority.

Under India’s Digital Personal Data Protection Act, 2023, you may also:

• Nominate an individual to exercise your rights in the event of your incapacity or death.

How to exercise: For School‑managed data, contact your School. For Wisflux‑managed records (e.g., admin/billing contacts), use in‑product settings (where available) or email [email protected]. We may request information to verify identity/authority.

13) Security and AI/ML Use

We implement safeguards including encryption in transit/at rest (where applicable), role‑based access, logging/audit, backups, and vulnerability management. No method is 100% secure, but we continually improve. If a data incident occurs, we will investigate and mitigate, and we will notify affected institutions/users and authorities without undue delay after reasonable investigation where required by law, and take remedial steps.

AI—when it helps: We start with deterministic workflows (e.g., fee nudges, proof reviews, attendance summaries) and offer opt‑in AI assistance for reconciliation, reminders, and anomaly detection as teams are ready. We do not use personal data to train external AI models. For any AI features that process personal data, we disclose the purposes, data, and providers, and offer appropriate choices.

14) Third‑Party Links

Nest may link to or embed third‑party services (e.g., videos, resources, payment gateways, WhatsApp Business providers). Their privacy practices are governed by their own policies. Review them before use.

15) Changes to this Policy

We may update this Policy to reflect changes in Nest, laws, or practices. We will post updates here and revise the “Last updated” date. For material changes, we will provide prominent notice and request renewed consent where required.

16) Contact & Grievance

Company: Wisflux Private Limited
Address: A-107, Shiksha Vihar, Jagatpura, Jaipur, Rajasthan 302017, India
Privacy contact: [email protected]
Support (Nest): [email protected]
Grievance contact: [email protected]

We acknowledge grievances within 15 days and aim to resolve them within 45 days. If your grievance remains unresolved, you may escalate to the Data Protection Board of India.

17) Regional Addenda

EEA/UK: We are preparing dedicated EEA/UK notices. When we begin offering services in these regions, we will implement appropriate data transfer mechanisms (e.g., EU Standard Contractual Clauses and the UK IDTA/Addendum) and a regional cookie consent banner. Until then, this section serves as notice of intent rather than a current commitment.

California (CPRA/CCPA): We do not “sell” or “share” personal information for cross‑context behavioral advertising. California residents may have rights to know/access, correct, and delete certain personal information, and to limit use of sensitive personal information, subject to exceptions. To exercise these rights, contact [email protected] or [email protected]. We do not discriminate against you for exercising your rights.