Legal · effective April 22, 2026

Privacy Policy

How M College collects, uses, and protects student, staff, and institutional data.

M College (“we”, “our”, “us”) provides college management software to educational institutions. This Privacy Policy explains what information we collect, how we use it, and your rights regarding that data. By using the service, you agree to the terms described below.

1. Overview

We act in two roles depending on context:

  • Data controller for information about our institutional customers (the college's administrators, billing contacts, signup forms).
  • Data processor for information entered into the platform about students, faculty, and staff — the college is the data controller of that data.

2. Data we collect

2.1 From college administrators

  • Name, email, phone, role (when signing up)
  • College name, address, affiliation, logo
  • Payment information (processed by our payment partners; we do not store card numbers)
  • Usage logs (pages visited, actions taken)

2.2 From end-users (students / faculty — entered by the college)

  • Personal details: name, date of birth, gender, photo, contact info
  • Academic records: enrollment number, programme, marks, attendance, fees
  • Parent / guardian contacts
  • Optional: Aadhaar (stored encrypted), bank account (for payroll)

2.3 Automatically collected

  • IP address, browser type, device info
  • Session cookies (essential — required for login)
  • Referring URLs, timestamps

3. How we use data

  • Service delivery. Provide the features the college subscribed to — admissions, attendance, fees, etc.
  • Communication. Send service updates, security notices, billing reminders.
  • Support. Help college staff resolve issues. We access tenant data only with explicit permission or when legally required.
  • Improvement. Analyse aggregated, de-identified usage to improve product. We never train external AI models on your data.
  • Legal compliance. Respond to lawful requests from Indian authorities; preserve records where statute requires.

4. Sharing & third parties

We do not sell personal information. Ever. We share data only with sub-processors necessary to deliver the service:

  • Cloud hosting — AWS Mumbai region (data residency in India)
  • Payments — Razorpay (for online fee collection)
  • Email — Amazon SES (for transactional emails)
  • SMS — MSG91 (when the college enables SMS reminders)
  • WhatsApp — Meta Business API (when enabled)
  • Error tracking — Sentry (scrubbed of PII)

Each sub-processor is bound by a DPA that requires equivalent protection. The current full list lives at /legal/subprocessors.

5. Retention & deletion

  • Active customers: data retained as long as your college subscription is active.
  • After cancellation: we keep an encrypted backup for 30 days (to allow recovery), then delete.
  • Audit logs & financial records: retained for 7 years per Indian statutory requirements.
  • Anonymised analytics: retained indefinitely but cannot be linked back to individuals.

Colleges can request full export (CSV + SQL dump) at any time. Export is processed within 72 hours.

6. Security

See our dedicated security page for details. In short:

  • Each college gets an isolated database — not a shared table.
  • Data encrypted in transit (TLS 1.2+) and at rest (AES-256).
  • Daily automated backups with 30-day retention.
  • Integration secrets (payment / SMS / email keys) encrypted with per-deployment keys.
  • Role-based access control with full audit logging.

7. Your rights

Under the Digital Personal Data Protection Act, 2023 (India), you have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Erase data subject to our retention obligations.
  • Withdraw consent at any time (may affect service availability).
  • Raise a grievance with our Data Protection Officer.

For end-users (students / faculty): please contact your college first — they are the data controller of your record.

8. Children's data

M College may process data of minors (students under 18) on behalf of educational institutions, in line with Section 9 of the DPDP Act. Consent is obtained from parents / guardians by the college at enrolment; we act as the processor under that consent.

9. International transfers

All production data is stored in India (AWS Mumbai). We do not transfer data outside India without explicit contractual safeguards. Some sub-processors (e.g., Sentry) may process metadata outside India — scrubbed of PII and bound by SCCs.

10. Contact us

Questions? Reach our Data Protection Officer:

Data Protection Officer · M College
Email: privacy@mcollege.in
Post: Bodakdev, Ahmedabad 380054, Gujarat, India
Response time: within 30 days per DPDP Act

11. Changes to this policy

We'll post material updates on this page and notify account owners by email at least 30 days before they take effect. Historical versions available at /legal/privacy/history.

Last updated: April 22, 2026. Version 1.0.