Your child's data, kept where it belongs.

Where your data lives

All school, parent, child and message data is stored in a Supabase Postgres database provisioned in the Mumbai (ap-south-1) region. No replicas outside India. Daily encrypted backups, also in-region.

Who can see what

We enforce row-level security at the database level — not just in the app. A parent's session can only ever read rows tied to their own child. A teacher can read rows for the class they teach. Even an exploit in the front-end app cannot return another family's data.

What we never do

• We never sell or rent your data.
• We never share data with advertisers.
• We never use third-party analytics scripts that read child data.
• We never auto-translate or train AI models on your messages.

Your DPDPA rights

You can request a full export of every record we hold about you and your child, correct anything that's wrong, or ask us to delete it. We honour requests within 30 days. Full details in our privacy policy.

Operational controls

• All traffic is HTTPS.
• Sensitive credentials (SMS gateway, server keys) are never exposed to the app.
• Admin actions are logged to an immutable audit table visible to your school office.
• Soft-delete on student records protects against accidental removal.

Vendors we use

The list is short by design. Each is a data processor with a narrow purpose:

• Supabase (database + auth + storage, Mumbai region)
• Twilio (OTP SMS to your phone)
• Mapbox (map tiles only — sees no child identity)
• Vercel (app hosting)

That's it. No advertising SDKs, no behavioural-analytics SDKs, no chat widgets that read your messages.

For your school's data-protection officer

We're happy to share our security architecture document, processor list with data-processing agreements, and pen-test summaries on request. Email privacy@kindredschool.in.