1. Data we collect
We collect only what is necessary to provide the SchoolPadi school management platform. This includes:
- Account data — name, email address, role (admin, teacher, student, or parent), and password (stored as a salted hash, never in plain text)
- School profile data — school name, logo, motto, and contact details entered by administrators
- Academic records — student grades, attendance, timetables, and lesson plans created by teachers and administrators
- Financial records — fee structures, payment records, and transaction history entered by school staff
- Usage data — browser type, IP address, pages visited, and feature usage for performance monitoring and product improvement
- Communications — messages sent through contact forms or support channels
We do not collect biometric data, location-tracking data, or any data beyond what is required to operate the platform.
2. How we use your data
Data collected is used exclusively to:
- Operate and maintain the SchoolPadi platform for your school
- Authenticate users and enforce role-based access control
- Generate reports, dashboards, and academic summaries
- Send transactional emails (e.g., password resets, fee reminders)
- Improve platform performance and diagnose technical issues
- Comply with applicable laws and respond to lawful requests
We do not sell your data, use it for advertising, or share it with any party outside the scope described in this policy.
3. School data isolation
Each school on SchoolPadi operates in its own isolated PostgreSQL schema. This means your school's student records, grades, fees, and staff data are physically separated from every other school on the platform. No cross-tenant data access is possible by design.
School administrators are the data controllers for all records within their school's schema. SchoolPadi acts as a data processor on their behalf, following their instructions and this policy.
4. Third-party services
SchoolPadi uses the following third-party sub-processors:
- Neon (database hosting) — PostgreSQL database hosting with encryption at rest and in transit
- Cloudinary — Secure cloud storage for uploaded school logos and profile images
- Vercel / Railway — Application hosting infrastructure
- Email service provider — Transactional email delivery (password resets, notifications)
All sub-processors are contractually bound to process data only as instructed and to maintain adequate security standards. We do not use analytics advertising platforms or tracking cookies.
5. AI features & data
SchoolPadi's AI teacher assistant (Padi-T) uses language model APIs to generate lesson plans, slide decks, and learning materials. When you use these features:
- Only the specific inputs you provide (e.g., subject, topic, class level) are sent to the AI provider
- Individual student names, grades, or personal identifiers are never transmitted to AI services
- AI-generated content is not stored beyond the immediate session unless you explicitly save it
- AI provider terms of service prohibit training on your inputs
The admissions chatbot displayed on public landing pages does not have access to any school data and operates only on general information you have chosen to publish.
6. Data retention
We retain data for as long as your school account is active. Upon account termination:
- Your school's schema and all contained records are deleted within 30 days of account closure
- Backups containing your data are purged within 90 days
- Anonymised usage statistics may be retained indefinitely
- Financial transaction records may be retained for up to 7 years where required by Ghanaian tax law
You may request early deletion at any time by contacting privacy@getportals.app.
7. Your rights
As a school administrator or individual user, you have the right to:
- Access — request a copy of all personal data we hold about you
- Correction — request correction of inaccurate data
- Deletion — request deletion of your data, subject to legal retention requirements
- Portability — export your school's data in a machine-readable format (CSV export available in-app)
- Objection — object to specific processing activities
To exercise any of these rights, email privacy@getportals.app. We will respond within 14 calendar days.
8. Security
We apply industry-standard security measures to protect your data:
- All data in transit is encrypted using TLS 1.2 or higher
- Database storage is encrypted at rest
- Passwords are stored using PBKDF2-SHA256 hashing
- Role-based access control prevents unauthorised access within each school
- Security reviews are conducted on a regular basis
If you discover a potential security vulnerability, please report it responsibly to security@getportals.app before public disclosure.