Last updated: 18 April 2026
Privacy Policy
This Privacy Policy explains how The Nucleus ("we", "our", "us") — acting as a Data Fiduciary under the Digital Personal Data Protection Act, 2023 (DPDPA) — collects, uses, stores, and protects your personal data when you use The Nucleus mobile application and web platform. You are the Data Principal in relation to your personal data. This policy is consistent with the DPDPA, the Information Technology Act, 2000, and applicable rules (including reasonable security practices for handling digital information). Where app stores require disclosures, we also describe categories of data in a clear, comparable form below.
| Data type | Purpose | Sensitive / consent | Retention |
|---|---|---|---|
| Full name, email, phone | Account creation and profile | No | While account is active, plus 12 months after closure |
| Face photos and derived face data | Attendance verification | Yes — explicit consent | Until you withdraw consent or delete your account (then erased within 30 days) |
| Identity documents (if your institution collects them) | Identity verification and fraud prevention | Yes — per institution process | As required for the purpose or by law; deleted or minimised when no longer needed |
| Camera (live preview) | Face registration and attendance capture | No — processed on device | Not stored as persistent video |
| Location (when permitted) | Campus proximity checks for attendance | No — in-session only | Not stored on our servers |
| Google sign-in session data | Authentication when you choose Google | No | Session lifetime only |
| Server logs (IP, device, app version) | Security and debugging | No | 90 days |
1. Information We Collect
1.1 Account Information
When you create an account we collect your full name, institutional email address, mobile phone number, role (student / professor / admin), and password (stored only as a hashed credential — we never see plaintext passwords). If you sign in with Google, we receive your name and email from Google.
1.2 Biometric Data (students only)
For student users who opt in to face-based attendance, we collect:
- Facial photographs taken by the front camera of your device.
- Numerical representations of your face geometry, generated by an on-server machine-learning model and stored alongside your user ID.
Biometric data is processed exclusively for the purpose of identity verification during attendance sessions. It is encrypted and access-controlled, is not used for advertising or unrelated profiling, is not used to build individual-level marketing or analytics profiles, and is not sold to any third party.
1.3 Identity documents (when required by your institution)
Where an educational institution configures the platform to collect identity documents (for example, government-issued identification or a student ID card), we process that information only for identity verification and fraud prevention as directed by the institution. Such documents are stored with restricted access and are not used for advertising.
1.4 Device Permissions
- Camera — used only during explicit user-initiated face registration or attendance checks. No background camera access is requested.
- Location — requested (with your permission) to assist Wi-Fi proximity verification for attendance. Coarse or fine location is checked in-session and not stored persistently.
- Bluetooth — used on some campus networks for proximity detection. BLE scanning data is not stored on our servers.
1.5 Usage Data
We collect standard server logs (IP address, device type, OS version, app version, timestamps) for security monitoring and debugging. These are retained for 90 days and then deleted.
2. How We Use Your Information
- Authenticate you and manage your account session.
- Verify your identity during attendance marking using your stored face profile data.
- Verify identity using documents or checks your institution enables, where applicable, and detect or prevent fraudulent account activity.
- Display your schedule, exam timetable, and campus calendar.
- Send important account notifications (e.g. email confirmation, password reset).
- Comply with legal obligations and prevent fraudulent activity.
- Improve the platform through aggregated, anonymised analytics.
We do not use your data to serve advertisements.
3. Legal basis and consent
Under the DPDPA, we process your personal data on the basis of your voluntary, specific, informed, unconditional, and clear consent where the law requires consent — in particular for account creation, optional Google sign-in, and any biometric face data used for attendance. You may withdraw consent for optional processing (including biometric enrolment) at any time; withdrawal does not affect the lawfulness of processing that already occurred before withdrawal.
We also rely on processing that is necessary to provide the service you asked for (for example, authenticating you, displaying your timetable, and keeping the platform secure). We do not use your personal data for purposes that are incompatible with these terms without obtaining fresh consent where the DPDPA requires it.
Note: Certain categories of data (such as derived face data used to verify attendance) are treated with additional care and are collected only where you have agreed through in-app flows and this policy.
4. Data Sharing
We share personal data only with:
- Hosted infrastructure — our database, authentication, and file storage run on secure cloud services. Data may be stored in the region configured for your deployment.
- Google — only if you choose Google sign-in. We receive your name and email; Google does not receive your biometric data.
- Your school — attendance outcomes and related academic records (for example, present or absent status tied to classes) may be visible to authorised staff at your college or university for academic administration. We do not provide raw biometric photographs or numerical face templates to institutions for unrelated commercial use; processing of such data remains governed by this policy and your consent.
We do not sell, rent, or trade personal data to any third party for commercial purposes.
Institutional deployment
When the platform is deployed or sponsored by an educational institution, the institution determines how attendance and academic records are used within its own policies. The institution is responsible for obtaining any consents required under applicable law (including for minors) before students or staff use certain features. The Nucleus processes personal data to provide the services configured on the platform and as described in this policy.
5. Data Retention
- Account data is retained for the duration of your active account plus 12 months after closure.
- Facial photographs and derived biometric data are deleted within 30 days of a biometric consent withdrawal or account deletion request.
- Attendance records are retained for the academic year plus 3 years for institutional compliance.
- Server logs are retained for 90 days.
6. Security
We implement industry-standard safeguards: TLS encryption in transit, AES-256 encryption at rest for stored files, row-level security policies on all database tables, and short-lived signed URLs for accessing stored photos. Access to biometric data is restricted to authenticated requests from your own account and authorised backend services. We maintain access logs for privileged operations where technically feasible and conduct periodic internal reviews of security configuration and access patterns.
No method of transmission or storage is 100% secure. In the event of a personal data breach that is likely to affect your rights, we will take steps required under the DPDPA and related rules — including, where applicable, notifying the Data Protection Board of India and affected Data Principals in the manner and within the timelines the law prescribes.
7. Your rights as a Data Principal (DPDPA)
The DPDPA grants you rights including (where applicable) the following. We honour these requests subject to verification of your identity and any exceptions the law allows (for example, records we must keep for legal or academic compliance).
- Access and information — obtain a summary of your personal data being processed and the main purposes of processing.
- Correction and updating — request correction of inaccurate, incomplete, or misleading personal data, or updating where it is incomplete.
- Erasure — request erasure of your personal data where the law permits and we no longer need it for the purpose for which it was collected.
- Grievance redressal — raise concerns with us first about how we handle your personal data; we will address grievances in line with DPDPA timelines once rules specify them, and in the meantime as promptly as practicable.
- Nomination — where the DPDPA allows, you may nominate another person to exercise your rights in the event of your death or incapacity, in the manner prescribed when rules are notified.
- Withdraw consent — where processing is based on your consent (including biometric enrolment), you may withdraw consent going forward.
To exercise these rights or ask questions, email info.thenucleus@gmail.com. We will respond without undue delay and, once Central Government rules fix a standard period, within that period.
8. Children
Under the DPDPA, a child is an individual who has not completed eighteen years of age (subject to any age threshold the Central Government may notify for specific services). We do not knowingly collect or track personal data from young children for marketing. Where a school deploys The Nucleus for students who are children under the DPDPA, the school and parents or lawful guardians should ensure that any consent or authorisation required under applicable law is obtained before enrolment and use of biometric features. If you believe we have collected a child's personal data without appropriate authority, write to info.thenucleus@gmail.com; we will review and, if appropriate, delete such data.
9. Cookies and Local Storage
The web platform uses browser local storage and session cookies for authentication. We do not use third-party tracking cookies or analytics cookies. A single, strictly necessary session cookie is set upon login and cleared on logout.
10. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or applicable law. Material changes will be communicated via in-app notice or email at least 14 days before taking effect. The "last updated" date at the top of this page indicates the most recent revision.
11. Contact, grievance redressal, and the Data Protection Board
For privacy questions, grievances, or to exercise your rights as a Data Principal, contact: info.thenucleus@gmail.com
If you are not satisfied with our response, you may escalate your complaint to the Data Protection Board of India once it is fully operational and the Central Government has prescribed the manner and form of complaints under the DPDPA. We will cooperate with the Board as required by law.
Where personal data is stored or processed outside India, such processing will follow restrictions and conditions notified under the DPDPA and related rules from time to time, including any requirements for transfers to trusted jurisdictions or contractual safeguards.