Privacy Policy

AllowBox ("AllowBox", "we", "us") operates a school-management platform used by schools, teachers, parents, and students. This policy explains what personal data we collect, why we collect it, how we store and protect it, and the rights you have over it.

1. Who is the data controller?

Your school is the data controller for information about its students, parents, and staff. AllowBox is the data processor— we store and process that data on the school's instructions. For AllowBox's own customers (school admins who register an account directly with us), AllowBox is the controller.

2. What data we collect

• Account data: name, email, phone number, role (school admin, teacher, parent, student), password hash.
• School records: attendance, grades, homework submissions, fee invoices and payment status, daily diary entries, timetables, leave requests, announcements.
• Communication content: messages, support tickets, and attachments sent through the platform.
• Payment data: fee payments are made offline (UPI, bank transfer, cash, cheque). Parents may upload a payment receipt or screenshot for the school to verify. AllowBox stores the receipt image and the transaction reference you enter, not card numbers or UPI credentials.
• Device + usage data: IP address, user-agent, approximate location derived from IP, in-app actions (to detect abuse and improve reliability), crash reports.
• Uploads: photos, PDFs, and documents that you or your school upload (e.g. homework submissions, ID documents, profile pictures).

3. Why we use it

• Operate the core product — log you in, show your dashboard, deliver messages.
• Track and reconcile fee invoices that schools send to families.
• Send transactional email and push notifications (attendance alerts, fee reminders, announcements).
• Keep the service secure — rate-limit abusive traffic, detect account compromise, investigate incidents.
• Comply with legal obligations (tax records, responses to lawful requests).

We do not sell personal data. We do not use your data to train third-party advertising models.

4. Children's data

AllowBox is designed to be used by schools for student management. Student accounts are created by the school on the school's legal basis. Parents and guardians can request access to or deletion of their child's data through their school administrator at any time.

5. Who we share data with

• Your school. Teachers, parents, and school admins see data appropriate to their role (parents only see their own children, teachers only see assigned classes, etc.).
• Sub-processors we use to run the platform:Amazon Web Services (hosting), MongoDB Atlas (database), Redis Cloud (caching & queues), Cloudflare R2 (file uploads), Resend (transactional email), Vercel (web frontend hosting).
• Authorities, when required by a valid legal request.

6. Where your data is stored

Primary data is stored in Amazon Web Services' Mumbai (ap-south-1) region and MongoDB Atlas (India). File uploads are stored in Cloudflare R2. Sub-processors may store data in other regions per their own data residency terms (for example, Resend operates in the EU/US).

7. How long we keep data

• Active accounts: for as long as the school uses AllowBox.
• Deactivated accounts: up to 12 months, then permanently deleted unless a law requires otherwise (e.g. tax records: 7 years).
• Backup snapshots are purged on a 30-day rolling window.

8. Your rights

Depending on your jurisdiction (India DPDPA, EU GDPR, etc.), you may have the right to access, correct, export, or delete your personal data, and to object to or restrict specific processing. To exercise any of these, email privacy@allowbox.in, or contact your school administrator if they are the data controller.

9. Security

We use HTTPS everywhere, store passwords as bcrypt hashes, rate-limit authentication endpoints, rotate refresh tokens, and scan uploaded files by magic-byte signature to reject disguised payloads. Access to production databases is restricted to named operators and audited.

10. Changes

We may update this policy. Material changes will be announced inside the app and via email. Continued use of AllowBox after an update means you accept the new policy.

11. Contact

AllowBox — privacy@allowbox.in
Registered in India.