Privacy Policy

Your privacy and data security are our top priorities

Last updated: April 2026

Introduction

At Qaf School App, we are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, store, and protect your data when you use our educational platform.

This policy applies to all users of Qaf School App, including school administrators, teachers, parents, and students. By using our Services, you consent to the practices described in this Privacy Policy.

Information We Collect

We collect information necessary to provide and improve our educational services:

Account Information

  • Name and email address
  • Role (administrator, teacher, parent, or student)
  • School affiliation

Educational Data

  • Student academic progress and grades
  • Attendance records
  • Class enrollment information
  • Homework assignments and submissions

Usage Information

  • Login and authentication activity
  • Device information (browser type, operating system)
  • Error logs and debugging information

How We Use Your Information

We use the collected information solely for educational purposes:

  • To provide and operate our educational platform
  • To authenticate users and manage access controls
  • To enable communication between teachers, parents, and students
  • To track academic progress and attendance
  • To improve our Services and user experience
  • To ensure platform security and prevent fraud

We do not sell your data. Your information is never sold to third parties or used for marketing purposes without your explicit consent.

Legal Basis for Processing (GDPR)

For users in the UK, European Union, and other jurisdictions with similar requirements, we process your personal data on the following legal grounds:

Contract Performance

Processing necessary to deliver the Services you or your school have requested — such as authentication, attendance tracking, homework management, and notifications.

Legitimate Interests

Processing for platform security, fraud prevention, error logging, and service improvement — where our interests do not override your rights.

Legal Obligation

Processing required to comply with applicable laws, court orders, or regulatory requirements, such as retaining academic records.

Data Security

We use commercially reasonable efforts to secure your data and protect it from unauthorized access, loss, or misuse. We implement industry-leading security measures, including:

  • Encryption: All data is encrypted in transit using TLS/SSL and at rest using AES-256 encryption
  • Access Controls: Multi-layer security rules and role-based access permissions
  • Data Isolation: Each school's data is completely isolated from other schools
  • Regular Audits: Continuous monitoring, security assessments, and static code analysis using CodeQL — our full codebase is audited for vulnerabilities on every release
  • Data Backups: Regular backups are performed to prevent data loss

Infrastructure Providers & Compliance

We use three industry-leading providers, each responsible for a specific layer of the platform:

Database (Firebase)

Stores all school, student, and user data

  • SOC 2 Type II Certified
  • ISO/IEC 27001 Compliant
  • GDPR & CCPA Compliant
  • COPPA Compliant
  • ISO/IEC 27017 (Cloud Security)
  • ISO/IEC 27018 (Cloud Privacy)

Hosting (Vercel)

Hosts and serves the web application globally

  • SOC 2 Type II Certified
  • ISO 27001 Certified
  • GDPR Compliant
  • PCI DSS Level 1
  • HIPAA Eligible
  • Edge Network DDoS Protection

CDN & File Storage (Cloudflare)

Delivers media and handles secure file uploads

  • SOC 2 Type II Certified
  • ISO/IEC 27001 Certified
  • GDPR Compliant
  • PCI DSS Level 1
  • Global DDoS Mitigation
  • Zero Trust Network Access

International Data Transfers

Our infrastructure providers are headquartered in the United States. If you access our Services from the UK, European Union, Australia, or other regions, your data will be transferred to and processed in the US. We ensure such transfers are lawful through the following safeguards:

  • Standard Contractual Clauses (SCCs): Google (Firebase) and Vercel have executed SCCs with us as part of their Data Processing Agreements, providing GDPR-compliant transfer safeguards.
  • EU-US Data Privacy Framework: Google participates in the EU-US Data Privacy Framework, providing an additional adequacy mechanism for transatlantic transfers.

Data Sharing & Third Parties

We share your information only in limited circumstances:

  • Within Your School: With authorized staff based on role permissions (administrators, teachers with assigned classes)
  • Service Providers: With trusted infrastructure providers (cloud hosting, database services) under strict security agreements for technical operations only
  • Legal Requirements: When required by law, court order, or valid legal process

Important: We never share personal data with advertisers or for marketing purposes. Your educational data stays within the platform for educational use only.

Your Privacy Rights

You have the following rights regarding your personal information:

Access Your Data

Request a copy of your personal information stored in our system.

Correct Inaccuracies

Update or correct any inaccurate personal information.

Delete Your Data

Request deletion of your personal information (subject to legal requirements).

Export Your Data

Obtain your data in a portable format for your records.

Restrict Processing

Request that we pause processing of your data while a dispute about its accuracy or our use of it is being resolved.

Object to Processing

Object to processing based on our legitimate interests (e.g., analytics or service improvement) where your rights and interests outweigh ours.

To exercise these rights, please contact your school administrator or reach out to us directly at admin@qaf.app.

Right to Lodge a Complaint with a Supervisory Authority

If you believe we have not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with your local data protection authority:

  • UK: Information Commissioner's Office (ICO) — ico.org.uk
  • France: Commission nationale de l'informatique et des libertés (CNIL) — cnil.fr
  • Australia: Office of the Australian Information Commissioner (OAIC) — oaic.gov.au
  • Other EU countries: Your national data protection authority as listed at edpb.europa.eu

Children's Privacy (COPPA Compliance)

Qaf School App is committed to protecting children's privacy in compliance with the Children's Online Privacy Protection Act (COPPA):

  • We only collect student information necessary for educational purposes
  • Schools must obtain parental consent before creating student accounts
  • Parents can review, update, or request deletion of their child's information
  • Student data is never used for advertising or marketing

Student Educational Records (FERPA)

For users in the United States, Qaf School App operates in a manner consistent with the Family Educational Rights and Privacy Act (FERPA). Schools that use our platform are the data controllers for student educational records, and Qaf acts as a service provider ("school official") processing that data on their behalf.

  • Parental Rights: Parents and eligible students (age 18+) have the right to inspect and review educational records, request correction of inaccuracies, and consent to disclosures of personally identifiable information.
  • Limited Disclosure: We do not disclose students' educational records to third parties without consent, except as permitted by FERPA (e.g., to school officials with a legitimate educational interest, or as required by law).
  • School as Controller: Your school controls what records are maintained and can fulfill FERPA requests directly. To exercise FERPA rights, contact your school administrator.

Data Retention

We retain your information for as long as your account is active or as needed to provide educational services. When a student graduates or an account is deleted, we retain minimal records as required by law or for legitimate business purposes (e.g., transcripts, academic records). You may request data deletion by contacting your school administrator.

India — Digital Personal Data Protection Act (DPDPA 2023)

For users in India, Qaf School App complies with the Digital Personal Data Protection Act 2023 (DPDPA). The following provisions apply specifically to Indian users:

  • Parental Consent for Minors (Under 18): Under the DPDPA, verifiable parental or guardian consent is required before processing personal data of any person under the age of 18. Schools are responsible for obtaining and documenting this consent before enrolling students on the platform.
  • Cross-Border Transfers: Personal data of Indian users is transferred to and processed in the United States via our infrastructure providers (Firebase/Google and Vercel). Such transfers are governed by their respective data processing agreements and applicable transfer mechanisms.
  • Grievance Officer: Indian users may direct privacy grievances to our designated contact: admin@qaf.app. We will acknowledge your grievance within 48 hours and aim to resolve it within 30 days.

Australia — Notifiable Data Breaches

For users in Australia, Qaf School App operates in accordance with the Privacy Act 1988 (Cth) and the Notifiable Data Breaches (NDB) scheme.

  • Breach Notification: If we become aware of an eligible data breach — one that is likely to result in serious harm to any affected individual — we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable, and no later than 30 days after becoming aware of the breach.
  • What We Will Tell You: A breach notification will describe the nature of the breach, the types of information involved, steps we have taken to contain it, and recommended steps you can take to protect yourself.
  • Contact for Australian Privacy Matters: Reach us at admin@qaf.app. If your concern is not resolved, you may complain to the OAIC at oaic.gov.au.

Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. We will notify users of significant changes by posting the updated policy on our website and updating the "Last updated" date. Continued use of our Services after changes constitutes acceptance of the updated policy.

Contact Us About Privacy

If you have questions or concerns about this Privacy Policy or our data practices, please contact us:

Email: admin@qaf.app

Website: qaf.app

We are committed to addressing your privacy concerns promptly and transparently.