Privacy Policy

Last updated:

1. Introduction

NeramIQ takes the privacy of students, staff, and parents seriously. This Privacy Policy explains how NeramIQ Technologies Pvt. Ltd. ("NeramIQ", "we", "our", or "us") collects, uses, discloses, and safeguards information when you or your institution uses the NeramIQ platform, including our web application, APIs, and related services (collectively, the "Services").

This policy applies to all data processed on behalf of educational institutions ("Schools") that have entered into a subscription agreement with NeramIQ. By using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please discontinue use of the Services.

NeramIQ acts as a data processor on behalf of Schools, which are the data controllers for student and staff personal information. Schools are responsible for obtaining lawful bases and appropriate consents from data subjects as required by applicable law.

2. Data We Collect

We collect and process the following categories of data, solely to deliver and improve the Services on behalf of your institution:

  • Account information — names, email addresses, roles, and login credentials for administrators, teachers, and staff members registered by the School.
  • School operational data — timetables, class schedules, room assignments, period structures, and academic-year calendars.
  • Attendance records — check-in/check-out timestamps, leave records, substitution events, and absenteeism logs.
  • Usage analytics (anonymized) — feature interactions, session durations, page-load performance metrics, and error logs used to improve the platform. These are stripped of personal identifiers before aggregation.
  • Device and browser information — IP addresses, browser type and version, operating system, and referring URLs, collected automatically via server logs and the PostHog analytics SDK.

We do not sell personal data to third parties and do not use student data for advertising or profiling outside the contracted educational purpose.

3. How We Use Data

Data collected through the Services is used exclusively for the following purposes:

Scheduling and Operations

We use operational data to generate AI-powered timetables, manage substitutions, allocate rooms and resources, and surface scheduling conflicts in real time. This is the core function of the Services.

Safety and Emergency Response

Attendance data may be used to support school safety workflows, including mustering during evacuation drills, early-absence notifications to parents, and compliance with local authority safeguarding requirements.

Analytics and Predictions

Anonymized and aggregated usage data is analysed to identify patterns — such as peak scheduling complexity periods or substitution frequency — and to train and validate our AI models. No personally identifiable information is used in model training without explicit School consent.

Communications

We may use contact information to send transactional emails (password resets, product notifications), service announcements, and — where opted in — product update newsletters. Communication preferences can be managed in account settings.

4. Data Storage & Security

NeramIQ employs industry-leading controls to protect the confidentiality, integrity, and availability of all data:

  • AES-256 encryption at rest for all database records and file-system objects. TLS 1.3 in transit for all API and web traffic.
  • SOC 2 Type II controls — we maintain policies and technical safeguards aligned with the AICPA Trust Service Criteria across Security, Availability, and Confidentiality.
  • Configurable data residency — Schools may elect a data region (EU / UK / India / US) at onboarding; all primary data storage and processing occurs within the elected region.
  • Regular penetration testing — we engage independent third-party security firms to conduct annual penetration tests and ad-hoc vulnerability assessments. Critical findings are remediated within 72 hours.
  • Role-based access controls (RBAC) restrict NeramIQ engineering access to production data; access is logged and reviewed quarterly.
  • Automatic backups with point-in-time recovery (PITR) retained for 30 days.

In the event of a confirmed data breach affecting personal data, NeramIQ will notify affected Schools within 72 hours of becoming aware of the incident, in accordance with GDPR Article 33 obligations and applicable local law.

5. Third-Party Services

NeramIQ engages the following sub-processors to deliver the Services. Each sub-processor is bound by a Data Processing Agreement and may only process data for the specific purpose for which they are engaged:

  • Resend — transactional email delivery for system notifications and password resets.
  • Twilio — SMS delivery for absence alerts, emergency notifications, and two-factor authentication.
  • WhatsApp Business API (via Twilio) — optional channel for parent and guardian notifications, enabled only where the School configures it.
  • Razorpay / Stripe — payment processing for subscription billing. Card data is never stored by NeramIQ; it is tokenised directly by the payment provider.
  • PostHog — product analytics using anonymized, cookieless event tracking. No cross-site tracking; data is not shared with advertisers.
  • AWS / Supabase — cloud infrastructure and managed database services used for storage, compute, and real-time data delivery within the School's elected data region.

An up-to-date list of sub-processors is available on request by contacting privacy@neramiq.com. Schools will be notified of material changes to the sub-processor list with at least 14 days' notice.

6. FERPA Compliance

For Schools in the United States, NeramIQ acknowledges its obligations under the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g, and its implementing regulations at 34 C.F.R. Part 99.

  • Education records — NeramIQ processes education records (as defined by FERPA) solely at the direction of, and under the authority of, the School as the educational agency.
  • Parent and eligible student rights — Schools are responsible for upholding FERPA rights including the right to inspect, review, and seek amendment of education records. NeramIQ will cooperate with School requests to facilitate these rights.
  • Designated school official — NeramIQ acts in the capacity of a "school official" with a "legitimate educational interest" under FERPA when processing education records to provide the contracted Services.
  • No re-disclosure — NeramIQ will not re-disclose education records to any third party except as directed by the School or as required by applicable law.

7. GDPR Rights

For individuals in the European Economic Area (EEA) and the United Kingdom, the General Data Protection Regulation (GDPR / UK GDPR) grants a number of rights regarding personal data. As data processor, NeramIQ supports Schools in fulfilling these rights:

  • Right of access — data subjects may request a copy of the personal data held about them.
  • Right to rectification — inaccurate or incomplete personal data must be corrected without undue delay.
  • Right to erasure ("right to be forgotten") — personal data may be deleted where it is no longer necessary, or where consent is withdrawn and no other lawful basis applies.
  • Right to data portability — data subjects may request their data in a structured, machine-readable format.
  • Right to object — data subjects may object to processing based on legitimate interests or for direct marketing purposes.
  • A Data Processing Agreement (DPA) is available for EU/EEA and UK Schools and will be executed as part of the subscription agreement. Standard Contractual Clauses (SCCs) are used for international data transfers where required.

Requests to exercise any of the above rights should first be directed to the School's Data Protection Officer or system administrator. NeramIQ will assist Schools in responding to data subject requests within the statutory timeframe.

8. Data Retention

  • Active accounts — all data is retained for as long as the School holds an active subscription with NeramIQ.
  • Deleted accounts — upon account closure or contract termination, School data enters a 90-day grace period during which it remains recoverable. After 90 days, all personal data is permanently and irreversibly purged from production systems and backups.
  • Audit logs — system audit logs (access events, permission changes, data exports) are retained for 7 years to satisfy legal, regulatory, and contractual obligations.
  • Anonymized analytics — aggregated and de-identified usage analytics may be retained indefinitely as they no longer constitute personal data.

Schools may request early deletion of their data at any time by submitting a written request to privacy@neramiq.com. Deletion will be confirmed in writing within 30 days.

9. Children's Privacy

NeramIQ is a B2B platform contracted directly with Schools, not with individual students or parents. We do not knowingly collect personal data directly from children under the age of 13.

  • Parental consent — where student data includes information about children under 13, Schools are responsible for obtaining appropriate parental or guardian consent in accordance with the Children's Online Privacy Protection Act (COPPA) and any applicable local legislation.
  • COPPA compliance — NeramIQ supports Schools in meeting their COPPA obligations as a service provider. We do not use children's personal data for any purpose other than providing the contracted Services.
  • Data minimisation — NeramIQ does not require the collection of more personal data about students than is necessary to provide the Services. Schools should only upload or input the minimum data required.

10. Contact

If you have questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact our Privacy team:

NeramIQ Privacy Team

Email: privacy@neramiq.com

Response time: within 48 business hours

NeramIQ Technologies Pvt. Ltd., Chennai, Tamil Nadu, India