Privacy Policy

This policy describes how Rivara—the operating system for modern schools—collects, processes, and protects personal data across our multi-tenant educational platform, including information relating to minors and school employees.

Last updated: May 29, 2026

1. Data Controller Identification

Rivara is a multi-tenant School ERP platform operated on behalf of educational institutions. For the purposes of applicable data protection laws—including India's Digital Personal Data Protection Act, 2023 (DPDP Act)—the contracting school or educational institution typically acts as the Data Fiduciary for student and staff records, while Rivara processes personal data strictly under the school's documented instructions.

The details below identify Rivara as the technology provider and primary operational contact for privacy inquiries relating to the platform:

  • Company Legal Name: Rivara Developers
  • Registered Address: 3-5-62, Attapur, Hyderabad, Telangana, India, 500048
  • Data Protection Officer (DPO): Chintala Vasundhara (Founder) · rivaraerp@gmail.com
  • General Privacy Contact: rivaraerp@gmail.com

2. Information We Collect

Rivara processes only the data necessary to deliver school administration, communication, and compliance features. Data originates from the institution (school-provisioned records) and from routine technical operation of the service.

2.1 School-Provisioned Data

  • Student identity and enrollment details: full names, grades, class sections, and roll numbers.
  • Attendance records, leave requests, and daily presence logs.
  • Academic performance data: marks, report cards, homework assignments, and timetable allocations.
  • Parent and guardian contact information: names, phone numbers, and communication preferences supplied by the school.
  • Staff and faculty records: employment identifiers, roles, schedules, and administrative actions performed within the dashboard.

2.2 Technical Data

  • IP addresses and approximate connection metadata used for security monitoring and abuse prevention.
  • Device and application event logs (e.g., authentication events, API errors, audit trails) required to maintain service integrity.
  • Essential functional session cookies and tokens that keep users securely signed in to their school workspace.
  • Optional analytics cookies only where the user has provided explicit consent via the cookie banner (see our cookie preferences flow).

3. Lawful Basis for Processing

Rivara does not sell personal data. Processing is grounded in the following lawful bases:

  1. Institutional contract: Processing of school-provisioned student, parent, and employee data is conducted pursuant to a strict Data Processing Agreement (DPA) and master services contract between Rivara and the subscribing school entity. The school determines the purposes of processing; Rivara acts as a processor or technology partner implementing those purposes.
  2. Legitimate operational necessity: Limited technical data (security logs, session management) is processed where strictly required to authenticate users, prevent fraud, and maintain platform availability.
  3. Clear user consent: Where processing is not essential to core ERP functionality—such as optional performance analytics cookies—Rivara relies on explicit, granular consent obtained through the in-product cookie consent mechanism. Consent may be withdrawn at any time via Account Settings.

4. Heightened Protection for Minors

Because Rivara is designed for educational institutions, a significant portion of processed data relates to minors (students under 18). We apply heightened safeguards aligned with Section 9 of India's DPDP Act and comparable international standards for children's data.

Rivara expressly declares that we do not engage in tracking, profiling, or targeted advertisement of children. Optional analytics, where enabled at all, are limited to aggregated application performance measurement for authenticated school administrators—and never used to build behavioral profiles of students for marketing purposes.

Schools remain responsible for obtaining verifiable parental or guardian consent where required by law before uploading minor data to the platform. Rivara supports schools in fulfilling this obligation through role-based access controls and audit logging.

5. Data Isolation & Security

Rivara is architected as a multi-tenant system where each school's data must remain logically and physically isolated from every other institution on the platform.

  1. Row Level Security (RLS): Database policies enforce tenant-scoped access at the row level, binding every query to the authenticated user's school identifier. Cross-school data access is structurally prevented by the data layer—not merely by application logic.
  2. Encryption in transit: All client-to-server and service-to-service communication is protected using TLS 1.2 or higher.
  3. Encryption at rest: Personal data stored in Rivara-managed databases and object storage is encrypted at rest using industry-standard algorithms and key management practices.
  4. Role-based access control: Dashboard permissions are scoped by role (administrator, teacher, parent, etc.) so users see only the records their school authorizes.
  5. Audit trails: Sensitive administrative actions are logged to support institutional accountability and regulatory inquiries.

6. User Rights (Data Principals)

Under the DPDP Act and applicable regulations, data principals (students, parents, guardians, and employees) have rights including access, correction, erasure, and grievance redressal regarding their personal data.

Operational process: Because Rivara processes data on instruction of the school, requests from data principals should first be submitted through the school's administration portal or designated privacy contact at the institution. The school, as Data Fiduciary, will coordinate with Rivara to fulfill verified requests within statutory timelines.

  1. Right of access: Request a copy of personal data held about you through your school administrator.
  2. Right of correction: Report inaccurate records (e.g., misspelled names, wrong contact numbers) to the school; authorized staff can update records in the Rivara dashboard.
  3. Right of erasure: Submit a deletion request to your school when data is no longer required for educational or legal purposes; Rivara will execute erasure upon the school's verified instruction.
  4. Withdrawal of consent: For optional processing (such as analytics cookies), use Account Settings or contact your school administrator to update preferences.
  5. Grievance escalation: If your school does not resolve a concern, contact Rivara's Data Protection Officer using the details in Section 1 above.

Rivara may update this Privacy Policy to reflect changes in law, product features, or institutional requirements. Material changes will be communicated to subscribing schools in advance of taking effect.