Privacy Policy
Last updated: 24 April 2026
This policy explains what personal data Udyamik collects when you use our platform, why we collect it, how long we keep it, who we share it with, and the rights you have under India's Digital Personal Data Protection Act, 2023 (“DPDP Act”).
In this policy, “Udyamik”, “we”, “us”, or “our” refers to Udyamik Technologies Private Limited, the data fiduciary under the DPDP Act. “You” refers to the data principal — the person whose personal data is being processed (a school administrator, teacher, parent, or student).
1. Who we are
Udyamik is a multi-tenant software platform for Indian SMB education, finance and allied verticals. Our first product is EduSuite, a school-management application. Our registered details are:
- Legal name: Udyamik Technologies Private Limited
- Trading as: Udyamik
- Registered address: Munshi Ray Lane, Moti Chauk, Nagar Panchayat Saraiya, Muzaffarpur, Bihar, India
- Primary contact: privacy@udyamik.com
2. What personal data we collect
We collect the following categories of personal data:
- Identity data — first name, last name, 10-digit Indian mobile number, email address, role inside your organisation.
- Academic data — APAAR ID (if you provide it), admission number, class / section / academic session, attendance, exam marks, term results, report cards.
- Payment data — fee invoices, payment method (cash, cheque, UPI, card, NetBanking, Razorpay), receipt numbers, transaction reference numbers. Card / UPI credentials themselves are captured and stored directly by Razorpay — we never see or store them.
- Communication data — WhatsApp / SMS / email send events (timestamps, template key, delivery status). We store a SHA-256 hash of the recipient phone / email, never the raw value (convention #26 in our engineering handbook).
- Device & technical data — client-generated device id (per “trusted device” registration), platform (Android / iOS / Web), IP address at last login, one-way-hashed PIN (Argon2id), JWT-session metadata.
- Document vault — documents you upload to your personal vault (e.g. Aadhaar, PAN, address proof, scholarship certificates) are stored encrypted at rest.
- Audit data — immutable log of sensitive mutations (fee waivers, role changes, report publishes), along with the user id, IP and device id of the actor.
We deliberately do not collect: passwords (our platform has none — see §10), full card numbers, precise GPS location, biometric data, or browsing behaviour outside Udyamik.
3. Why we collect it
Personal data is collected for the following specific, limited purposes:
- To register and operate your tenant (school / lender / clinic).
- To process admissions, fees, attendance, exams and reports.
- To send transactional notifications to parents and staff (fee reminders, attendance alerts, report publications) on channels you have opted into at the tenant level.
- To provide audit trails for financial and academic compliance.
- To fulfill our obligations under the Companies Act, 2013 and the Indian Income Tax Act, 1961 (retention of financial records).
- To detect and prevent fraud, abuse and security incidents.
4. Legal basis for processing
Under the DPDP Act and applicable law, we rely on the following grounds:
- Contract — for data processing necessary to deliver the Udyamik service you have subscribed to (e.g. raising invoices, sending receipts).
- Consent — for optional processing such as parent-communication campaigns outside the transactional flow, marketing opt-ins, and uploads to your personal document vault.
- Legal obligation — where Indian law requires retention (tax records, DPDP audit trails).
- Legitimate use (DPDP Act §7) — for security, fraud prevention, and the narrow categories the Act expressly permits.
5. How long we retain it
- Identity & academic data: for the lifetime of your Udyamik account, plus 90 days after account closure (grace period for restoration).
- APAAR ID: for the lifetime of the account; deletion on request sets it to NULL and removes it from logs.
- Payment records & platform invoices: 8 years from the end of the financial year (Income Tax Act §44AA + §44AB retention norms).
- Communication events (WhatsApp / SMS / email logs): 24 months rolling. Raw recipient phone / email is never stored — only a SHA-256 hash.
- Audit log: 24 months on Starter / Pro; 8 years on Enterprise.
- Device-bound PIN hashes: deleted when the device is revoked or after 30 days of inactivity.
6. Who we share it with
We do not sell your personal data. We share it only with the following categories of processors, each bound by contract or by the DPDP Act's data-processor obligations:
- Razorpay Software Private Limited — payment processing. Razorpay privacy policy.
- Meta Platforms Ireland Limited — WhatsApp Business Platform message delivery (when your tenant uses Meta Direct). WhatsApp Business policy.
- Interakt Marketing Technologies Private Limited — WhatsApp Business Platform delivery (when your tenant uses Interakt). Interakt privacy policy.
- OpenAI, L.L.C. — AI query processing for the Sahayak App, where enabled. OpenAI privacy policy.
- Your school / tenant administrators — the school that invited you into a tenant has access to the data you produce inside that tenant (grades, attendance, fee status). This is a feature of the platform, not a sharing decision by Udyamik.
- Lawful authorities — only when compelled by a valid legal process under Indian law.
7. Where it is stored
All primary data is stored on servers physically located in India (currently Hostinger VPS, Mumbai region). Backups are encrypted at rest and retained in the same jurisdiction. We use AES-GCM with a 128-bit authentication tag to encrypt sensitive tenant configuration at rest (see our security overview for details).
Where a sub-processor's infrastructure is cross-border (e.g. OpenAI, Meta), data transfers are governed by that processor's own data-transfer controls; we share only the minimum necessary to complete the request.
8. Your rights
Under the DPDP Act, you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or out-of-date data.
- Erase your personal data (subject to retention obligations — see §5 and our data-deletion page).
- Port your data (receive a machine-readable export).
- Withdraw consent where processing was consent-based.
- Nominate a representative to exercise these rights on your behalf in the event of incapacity or death (DPDP §14).
To exercise any of these rights, email privacy@udyamik.com. We respond within 30 days.
9. Children's data
Udyamik processes data about children (students under 18) only through their school (the tenant), which acts as the verifiable parent-consent gatekeeper under DPDP §9. We do not create direct-to-student accounts for minors; a minor appears in our database only as a record attached to a tenant that has received parent consent through its own offline admission process.
We never use children's data for advertising, profiling, or tracking.
10. Security measures
Our security posture is documented in full at /legal/security. The headline controls:
- No passwords — authentication is OTP + device-bound Argon2id PIN.
- TLS 1.3 in transit for every connection.
- AES-GCM encryption at rest for tenant secrets (Razorpay keys, Meta access tokens, Interakt API keys).
- Row-Level Security (RLS) on every tenant-scoped database table.
- Immutable audit log on sensitive mutations.
- Rate limiting on all public endpoints.
11. Cookies
The marketing site at udyamik.com sets no cookies at all. The application at app.udyamik.com uses strictly-necessary cookies for authentication and CSRF protection. We do not use analytics or advertising cookies. Full details: /legal/cookies.
12. Changes to this policy
We may update this policy to reflect changes in law, our services, or our practices. Material changes will be notified via email to account holders and by a prominent banner on app.udyamik.com at least 15 days before they take effect. The “Last updated” date at the top of this page always reflects the most recent revision.
13. Grievance Officer
Per DPDP §10 and the IT Intermediary Rules 2021 §3(2), our designated Grievance Officer is:
- Name: Will be published before public launch.
- Designation: Grievance Officer
- Email: grievance@udyamik.com
- Phone: +91 99017 26296
- Response SLA: 15 working days (per DPDP Act §10)
The dedicated grievance procedure — escalation, acknowledgement template, and redress path — is documented at /legal/grievance.
14. Last updated
This Privacy Policy was last updated on 24 April 2026. Prior versions are available on request.