Enterprise-grade security for student data, parent communications, and school records.
All data encrypted using AES-256, the same standard used by banks and governments.
All data transmitted via TLS 1.3 encryption. HTTP redirected to HTTPS automatically.
Every school’s data isolated with row-level security at the database level.
We do not sell, rent, or share data with advertisers or third parties.
Built in compliance with India’s Digital Personal Data Protection Act, 2023.
Your data is never used to train AI models, by us or by Anthropic.
The Digital Personal Data Protection Act 2023 is India’s primary data protection law. Chatmadi operates as a Data Fiduciary under DPDPA for the personal data of students, parents, teachers, and school staff managed inside our school ERP software. Schools use Chatmadi to process parent communications, fee records, attendance, exam results, and welfare signals. We process that data on behalf of each school, but we also determine the purposes and means of processing at the platform level, so DPDPA classifies us as a Data Fiduciary rather than a Data Processor.
Under DPDPA, students under 18 are minors, so parents and legal guardians exercise data rights on their behalf. The rights covered include access to the student’s personal data, correction of inaccurate records, erasure after the legal retention window, data portability to another school ERP, and a formal grievance redressal process. Chatmadi acknowledges every DPDPA request within 48 hours and resolves it within 30 days. Urgent requests, for example a student leaving a school, are prioritised.
Our Grievance Officer is Nayan Kumar, reachable at nayan@chatmadi.com. All DPDPA grievances, notices, and escalations are routed through this address. If Chatmadi fails to resolve a valid complaint within the 30-day statutory window, schools and data principals may escalate to the Data Protection Board of India. We maintain an audit log of every DPDPA request for regulator review.
The Protection of Children from Sexual Offences Act 2012 requires strict handling of any data that could identify a child, especially in welfare and safety alert contexts. Chatmadi’s safety alert system stores student welfare flags with role-based access. Only school principals and the assigned class teacher can view welfare-flagged student data. Admin staff see that an alert exists but cannot see the details unless the principal grants access. Welfare data is never broadcast to parent WhatsApp groups, and the Chatmadi inbox does not surface welfare content to any role outside that restricted circle.
All safety alerts are encrypted at rest using the database-level encryption in Supabase. Every access to welfare data (read, update, or export) is written to an immutable audit log. Schools can export a full safety audit log for internal reviews or for state child welfare committee inspections. Chatmadi does not share any child-related data with third-party advertisers, analytics vendors, or AI training datasets. Data is shared only when compelled by a lawful order from an Indian court or regulator, and the affected school is notified unless the order prohibits notification.
Academic records. Student records, exam results, attendance history, fee ledgers, and welfare notes are retained for the duration of the school’s active subscription plus 90 days after termination. The 90-day buffer covers accidental cancellations, billing disputes, and end-of-year record exports. Archival beyond this window, for example retaining alumni records for 10 years, requires explicit written consent from the school and extends the Data Processing Agreement accordingly.
Account deletion. Schools can request full workspace deletion via hello@chatmadi.com or through the in-app deletion flow in Settings. All student, staff, and parent data tied to that workspace is permanently erased from primary databases within 30 days of the request. Encrypted backups are purged within 90 days as backup rotation completes. Chatmadi issues a signed deletion certificate to the school principal once erasure is verified.
Parent-submitted data. Parents can request deletion of their WhatsApp conversation data and any derived signals through their school admin or directly via the grievance officer. Individual parent deletion requests are processed within 7 business days. If a request would remove data a school legally must retain, for example attendance records for an active student, we retain the minimum required by the education regulator and delete everything else.
Chatmadi classifies security incidents across four severity levels. Critical covers any confirmed unauthorised access to student or parent data or any service outage longer than 4 hours. High covers suspected unauthorised access, significant data exposure risk, or sustained degraded performance. Medium covers isolated bugs that expose non-personal data, and Low covers internal issues with no customer-facing impact.
In the event of a Critical or High severity data breach, affected schools are notified within 72 hours via email to the school principal and an in-app notification banner in the Chatmadi dashboard. The notification details the scope of the incident, exactly which data was involved, the remediation steps taken, and guidance on whether the school must inform parents under DPDPA. For Critical incidents, Chatmadi also notifies the Data Protection Board of India within the statutory window.
Every incident triggers a formal root cause analysis led by our founder within 14 days. Schools impacted by the incident receive a post-incident report that covers the timeline, contributing factors, remediation applied, and preventive measures adopted to stop a repeat. Post-incident reports are written in plain language because school principals are the primary audience, not security engineers.
Chatmadi relies on a small number of vetted infrastructure providers to operate the school ERP platform. Every subprocessor is bound by a Data Processing Agreement that meets DPDPA requirements, and we review each relationship annually. Schools can request the current subprocessor list with data flows at any time.
Supabase: Database and authentication. Hosted in ap-south-1 (Mumbai) for Indian customers.
Vercel: Web hosting and edge network. Singapore edge serves Indian traffic.
Twilio: Phone OTP delivery for school staff sign-in.
Razorpay: Payment processing for school subscriptions. PCI-DSS Level 1 Indian entity.
Anthropic: AI analysis of school data via the Claude API. US-hosted, encrypted in transit.
Meta / WhatsApp: Messaging via WhatsApp Business API. Only active when the school opts in on a Pro or School plan.
Chatmadi welcomes security researchers to responsibly disclose vulnerabilities in our school ERP software. Report findings to security@chatmadi.com with technical details, reproduction steps, and any suggested remediation. Include your preferred credit attribution if you want a hall-of-fame mention once the issue is resolved.
Safe harbour. Researchers acting in good faith are exempt from legal action. Good faith means no data exfiltration beyond proof of concept, no service disruption, no social engineering of school staff or parents, and a reasonable private disclosure window before publication. Chatmadi commits to acknowledging reports within 48 hours, providing a triage verdict within 7 days, and resolving valid issues within 90 days. Critical authentication, authorisation, or privacy defects are fast-tracked to fewer than 14 days.