Gurukul
Privacy & Security

Privacy Policy

Last updated: Asar 2083 (June 2026)

1. Introduction

The short version: we collect only what we need to run the Service, we never sell your data, and you can request an export or deletion at any time.

At Gurukul, we take your privacy seriously. This Privacy Policy explains what information we collect when you use our school management platform, why we collect it, how we protect it, and the choices you have. It applies to every type of user - school administrators, principals, teachers, accountants, parents, and students - and to every part of the Service, whether accessed through the web app or our APIs.

Gurukul acts as a data processor on behalf of the schools that subscribe to the Service. Each school remains the data controller of its students' records and decides how that data is used within the platform. We process student data only on the documented instructions of the school, and we do not use it for our own independent purposes such as advertising or profiling.

Throughout this policy, "we", "us", and "Gurukul" refer to Gurukul Educational Systems, and "you" refers to any person who uses the Service. By using our Service, you consent to the data practices described here. If you do not agree with any part of it, please discontinue use of the Service.

2. Information we collect

We collect the following categories of information so that the Service can function for your school:

Account information. Name, email address, phone number, password (stored only as a salted hash, never in plain text), role, and the school you belong to.

School information. Institution name, address, registration and affiliation details, logo, and configuration preferences such as your academic calendar, grading scheme, and fee structure.

Student & academic data. Student profiles, photographs, attendance records, marks and report cards, lesson plans, examination data, and parent/guardian contact details - entered and managed by the school.

Financial data. Fee structures, invoices, payment history, credits, and payment proofs. We do not store full card numbers; online payments are handled by our payment processors, who receive card details directly.

Communications. Messages, announcements, and notifications sent through the platform, along with delivery and read status where applicable.

Automatically collected data. Device and browser type, IP address, approximate location, and anonymized usage analytics (which features are used, response times, error logs) that help us keep the platform fast and reliable.

3. How we use your information

We use the information we collect only for purposes that support running the Service for your school:

  • To provide, operate, and secure the Service, including authenticating you and routing your requests.
  • To manage student records, attendance, examinations, and academic reporting.
  • To process fee payments and generate financial reports and receipts.
  • To facilitate communication between schools, teachers, parents, and students.
  • To send transactional messages - receipts, password resets, security alerts, and important product changes.
  • To improve the Service by diagnosing issues, measuring feature usage, and prioritizing new features.
  • To detect, prevent, and respond to fraud, abuse, or security incidents.
  • To comply with our legal obligations under the laws of Nepal.

We do not use student data to train general-purpose machine-learning models for our own benefit, and we do not sell or rent it to anyone.

4. Who else sees your data

The short version: we never sell your data; we share it only with your school community, vetted service providers under contract, or when the law requires it.

We do not sell, rent, or trade your personal information. We share data only in these limited situations:

  • Within your school ecosystem - with teachers, administrators, and parents as appropriate for educational purposes, governed by the school's own access rules and role-based permissions.
  • With service providers - trusted vendors who process data under strict contractual obligations, including cloud hosting and storage providers, our database provider, payment processors, and transactional email/notification providers.
  • For legal compliance - when required by a valid court order, law, or government request in Nepal.
  • Business transfers - in connection with a merger, acquisition, or asset sale, in which case we will notify you before your data becomes subject to a different privacy policy.

In every case, recipients may use the data only for the specific purpose for which it was shared.

5. Data storage & security

The short version: your data is stored on encrypted, access-controlled cloud infrastructure, and only the people your school authorizes can see it.

We apply industry-standard safeguards to protect your data:

  • SSL/TLS encryption for all data in transit.
  • AES-256 encryption for data at rest.
  • Role-based access controls and authentication, so each user only sees what their role permits.
  • Tenant isolation, so one school can never access another school's records.
  • Regular security reviews, monitoring, and encrypted, geographically isolated backups.

We also limit internal access to production data to a small number of authorized engineers, and only for maintenance, support, or incident response. No system is perfectly secure, but we work continuously to protect your data and will notify affected schools without undue delay if a breach is ever likely to affect their data.

6. Children's & student privacy

The short version: schools and guardians control student data; we only process it to run the school, never for advertising, and we keep collection to a minimum.

Our Service is designed for use by educational institutions, which inevitably means processing the data of students who may be minors. We collect and process children's data only as directed by the school and in compliance with applicable child-protection laws.

Schools are responsible for obtaining any necessary consent from parents or guardians for the collection and use of student data within Gurukul. Parents and guardians may exercise a student's privacy rights - such as access or correction - through the school or by contacting us.

We do not knowingly use children's data for any purpose other than delivering the Service to the school, and we never use it for marketing or behavioural advertising. We collect from students only the data needed to run the educational features of the platform.

7. Data retention

We retain personal data for as long as your school's account is active and as needed to provide the Service. Academic records may be retained for longer where required by educational regulations or to preserve a student's historical record.

When a school's subscription ends, its data is retained for 90 days to allow for export, after which it is securely deleted unless a longer retention period is required by law. Backups are rotated on a fixed schedule and purged automatically. Anonymized, aggregated analytics that cannot identify any individual may be retained indefinitely to help us understand and improve the Service.

8. Your rights & choices

The short version: you can access, correct, export, or delete your data - ask your school admin first, or contact us and we respond within 30 days.

Depending on your role and location, you may have the right to:

  • Access - request a copy of the personal data we hold about you.
  • Correction - ask us to fix inaccurate or incomplete data.
  • Deletion - request deletion of your data, subject to legal and academic-record retention requirements.
  • Portability - request an export of your data in a portable format.
  • Objection - object to certain processing activities.
  • Withdraw consent - where processing relies on consent, withdraw it at any time without affecting prior processing.

Many of these actions can be performed directly by your school administrator. For anything else, contact us using the details in the final section and we will respond within 30 days. We will not charge you for exercising these rights except where a request is manifestly unfounded or excessive.

9. International data transfers

Gurukul primarily stores and processes data on cloud infrastructure selected for performance and reliability. Some of our service providers - for example, hosting, storage, email, and analytics vendors - may process data on servers located outside Nepal.

Where data is transferred across borders, we take steps to ensure it remains protected to a standard consistent with this policy, including contractual safeguards with our providers that require them to keep your data confidential and secure. By using the Service, you understand that your data may be processed in the locations where we and our providers operate.

10. Cookies & analytics

We use a small number of first-party cookies and similar technologies:

  • Essential cookies - required for sign-in and core functionality.
  • Preference cookies - remember settings such as your theme and calendar system.
  • Analytics - anonymized, aggregated usage measurement to help us improve the Service.

We do not use third-party advertising trackers that follow you across the web. Our analytics are configured to measure how the Service is used in aggregate, not to build profiles of individuals. You can manage or clear cookies through your browser settings, though disabling essential cookies may prevent you from signing in.

11. Third-party service providers

To deliver the Service, we rely on a small set of carefully chosen sub-processors, each engaged under contractual terms that require appropriate security and confidentiality. These typically include:

  • Cloud hosting & databases - to run the application and store records securely.
  • File & document storage - for images, documents, and generated reports.
  • Payment processors - to handle online fee payments without exposing card details to us.
  • Email & notification providers - to deliver transactional messages, receipts, and alerts.

These providers may only process data on our instructions and for the purpose of supporting the Service. We review our providers periodically and update our practices as our infrastructure evolves.

12. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will post the updated policy here, refresh the "Last updated" date, and - where appropriate - notify you by email or an in-app notice before the changes take effect.

We encourage you to review this policy periodically to stay informed about how we protect your data. Your continued use of the Service after an update takes effect means you accept the revised policy.

13. Contact us

If you have questions about this Privacy Policy or our data practices, contact our privacy team:

  • Email: privacy@gurukulhq.com
  • Phone: +977-1-4567890
  • Address: Gurukul Educational Systems, Kathmandu, Nepal

We respond to all data-related requests within 30 days.