Legal Document

Privacy Policy

This Privacy Policy describes how the DAC Academy ERP platform handles personal data collected from students, parents, staff, and academy management.

Effective date: June 14, 2025
Platform: DAC Academy ERP
Developed by: TestLearn

1. Roles and Responsibilities

The DAC Academy ERP system is a software platform developed and maintained by TestLearn (hereinafter "the Platform Provider"). DAC Academy (hereinafter "the Institution") operates as the data controller and retains full ownership of all institutional data processed through this platform. TestLearn acts as a data processor, processing personal data strictly on behalf of, and under the instructions of, the Institution.

DAC Academy is the data controller. TestLearn is the data processor. All institutional data remains the exclusive property of DAC Academy.

2. Who This Policy Applies To

This Privacy Policy applies to the following platform users:

  • Students enrolled at or admitted to DAC Academy
  • Parents and legal guardians of enrolled students
  • Academy staff including teaching, administrative, and hostel staff
  • Academy management and authorized administrators

3. Data We Collect

The ERP platform collects and processes the following categories of personal data to deliver its services:

3.1 Student Data

  • Full name, date of birth, gender, photograph
  • Contact details: residential address, mobile number, email address
  • Academic records: batch, course, enrollment dates, academic performance
  • Admission and enrollment information
  • Fee payment records and outstanding balances
  • Hostel occupancy, room assignments, and check-in/check-out history
  • Parent and guardian contact details
  • Outing requests and approvals
  • Medicine administration records (where applicable)

3.2 Parent and Guardian Data

  • Full name and relationship to student
  • Mobile number and email address
  • Authentication credentials (hashed passwords)
  • Session and login activity logs
  • Communication records (WhatsApp notifications, announcements)

3.3 Staff and Administrator Data

  • Full name, designation, and assigned branch
  • Contact information and email address
  • Role and permission assignments (RBAC)
  • Authentication credentials (hashed passwords)
  • Activity logs and audit trail entries

3.4 Technical and System Data

  • Session tokens and authentication cookies
  • Device type, browser information, and IP addresses (for security logging)
  • System access timestamps and user action logs
  • Error and diagnostic logs (processed by Sentry)

4. Why We Collect This Data

Personal data is collected and processed for the following institutional purposes:

  • Managing student admissions, enrollment, and academic records
  • Processing and reconciling fee payments and generating receipts
  • Administering hostel occupancy, outings, and student welfare
  • Enabling authorized parent access to student information
  • Facilitating communication between the institution and parents via notifications
  • Enforcing role-based access control and branch-scoped data isolation
  • Maintaining a tamper-evident audit trail of all system actions
  • Ensuring operational continuity, system security, and compliance
  • Generating institutional reports and operational analytics

Data is not collected for advertising, profiling, or commercial sale to third parties.


5. How Data Is Used

All data collected is used exclusively to fulfill the operational requirements of DAC Academy. Access to personal data is restricted by the platform's role-based access control (RBAC) system. Specifically:

  • Administrators may access data within their authorized branch scope
  • Counselors may access student academic and admission data relevant to their role
  • Wardens may access hostel and outing-related student data
  • Parents may only access data for their own registered ward(s)
  • No user may access data belonging to another institution branch without explicit authorization

6. Cookies and Session Management

The platform uses HTTP-only session cookies to maintain authenticated user sessions. These cookies are essential for the secure operation of the platform and cannot be disabled without preventing login functionality.

  • Session cookies are created upon successful login and expire upon logout or timeout
  • Cookies are set as HttpOnly and Secure to prevent client-side access
  • No third-party advertising or tracking cookies are used
  • Cookie data is not shared with external parties

7. Data Retention

Personal data is retained for as long as is necessary to fulfill the institutional and regulatory purposes for which it was collected:

  • Active student records are retained for the duration of enrollment and thereafter as required by institutional policy
  • Fee records and payment receipts are maintained as permanent, immutable financial records
  • Audit logs are retained indefinitely to ensure institutional accountability
  • Inactive staff accounts are disabled and retained in accordance with institutional HR policy
  • Parent accounts are deactivated upon student unenrollment

Requests for data deletion must be directed to DAC Academy administration, who will assess the request in accordance with applicable legal and institutional obligations.


8. Security Measures

The platform implements industry-standard security measures to protect personal data:

  • All passwords are stored as cryptographic hashes — plaintext passwords are never stored
  • All data in transit is encrypted using TLS/HTTPS
  • Session tokens are rotated and invalidated on logout
  • Role-based access control prevents unauthorized data access
  • Every data mutation is recorded in a tamper-evident audit log with actor traceability
  • Optimistic locking prevents concurrent stale writes to financial records
  • Application error monitoring via Sentry for rapid security incident detection
  • Branch-scoped data isolation ensures multi-branch data segregation

9. Access Control Practices

Access to data within the DAC Academy ERP is governed by a branch-scoped, role-based access control (RBAC) system:

  • Every action requires authentication validation, role validation, branch validation, and ownership validation
  • Access rights are assigned and managed by academy administrators
  • Parent portal users are strictly limited to their own ward's data
  • System administrators retain the highest level of access within their authorized branch
  • Privilege escalation attempts are blocked at the middleware layer

10. Hosting and Infrastructure Management

To maintain strict isolation and maximum security of institutional data, the platform utilizes a dedicated self-hosted infrastructure. No commercial third-party software-as-a-service (SaaS) databases or external telemetry services are utilized.

Specifically:

  • All database, storage, and authentication services are hosted within private networks managed on behalf of the Institution.
  • Telemetry, diagnostic logging, and error tracking are processed locally using self-hosted Loki and Grafana instances.
  • System logs do not transmit personally identifiable information (PII) to external observability providers.

11. User Responsibilities

All platform users are responsible for:

  • Maintaining the confidentiality of their account credentials
  • Using the platform only for its intended institutional purposes
  • Reporting unauthorized access or suspicious activity to the administrator immediately
  • Not sharing account credentials with any other person
  • Logging out of sessions on shared or public devices
  • Providing accurate and truthful information when submitting data through the platform

12. Parent and Guardian Rights

Parents and guardians of enrolled students have the right to:

  • View their ward's academic, fee, and hostel records through the Parent Portal
  • Request correction of inaccurate personal data by contacting academy administration
  • Request information on how their data is used
  • Request account deactivation upon student unenrollment

These requests must be submitted to the academy administration. TestLearn will support the institution in fulfilling such requests within reasonable timeframes.


13. Contact Information

For questions, concerns, or requests relating to this Privacy Policy or the handling of your personal data, please contact:

Institution (Data Controller)

DAC Academy

For data access, correction, or deletion requests

Platform Provider (Data Processor)

TestLearn

For platform security or technical data handling queries

testlearn.in

14. Changes to This Policy

This Privacy Policy may be updated from time to time to reflect changes in platform functionality, applicable regulations, or institutional requirements. The effective date at the top of this document will be updated accordingly. Continued use of the platform after any changes constitutes acceptance of the revised policy.