Privacy Policy

Last updated: 21 June 2026

1. Who we are

Campus OS ("we", "us") provides a multi-tenant campus management platform to educational institutions globally. Each institution that uses Campus OS is a Data Controller of its student, parent and staff records, and Campus OS acts as a Data Processor on its behalf, under a Data Processing Addendum.

2. Personal data we process

  • Identity data: full name, role, profile photo, institution-issued IDs.
  • Contact data: email address, phone number, postal address.
  • Academic data: enrollment, attendance, grades, assignments, study materials.
  • Financial data: fee plans, payments, receipts (no card numbers — handled by PCI-DSS gateways).
  • Technical data: IP address, device fingerprint and approximate geolocation at QR-attendance scans.
  • Parental / guardianship data linking minor students to their legal guardians.

3. Lawful basis for processing

Where GDPR or UK GDPR applies, we rely on: (a) contract with the institution; (b) legitimate interests for product security and audit logging; (c) consent for optional channels such as WhatsApp notifications; and (d) legal obligation for tax, education and child-protection record-keeping.

4. Your rights

Subject to the framework that applies to you — GDPR, UK GDPR, DPDP Act 2023 (India), PDPL (UAE), PDPA (Singapore), APP (Australia), PIPEDA (Canada), Privacy Act 2020 (NZ), POPIA (South Africa), DPA 2012 (Philippines), or US sectoral laws including FERPA and COPPA — you have rights to access, rectify, erase, restrict, port, and object to processing of your personal data. Submit a request via our Privacy Contact page; we respond within 30 days (or sooner where the local law requires).

5. Minors and parental consent

For students under the age of digital consent in their jurisdiction, processing requires verified consent from a parent or legal guardian. Campus OS records each consent event with timestamp, version, channel and IP, and surfaces a consent audit log to institution administrators.

6. Security

All data is encrypted at rest (AES-256) and in transit (TLS 1.3). Access is governed by row-level security on every table, role-based access control, and an immutable audit log on 14 entity types. See our Trust Center for full details.

7. International transfers

Institutions may select EU, UK, India, Singapore or US data residency. Cross-border transfers are protected by Standard Contractual Clauses (UK/EU), the UK International Data Transfer Addendum, or equivalent safeguards permitted by the applicable framework.

8. Retention

Personal data is retained for the period configured by the institution administrator (default 7 years for academic records; shorter for marketing and support tickets). Authenticated deletion requests are honoured within 30 days unless a legal obligation requires longer retention.

9. Contact

Privacy team: privacy@campusos.app — or use our privacy request form.