Privacy Policy

Vellumarc ("VELLUMARC", "we", "us", or "our") operates the website www.vellumarc.com and the Campus platform — a school fee management SaaS — at https://campus.vellumarc.com. This Privacy Policy explains what personal data we collect, how we use it, who we share it with, how long we keep it, and the rights you have under the Indian Digital Personal Data Protection Act 2023 (DPDP), the Information Technology Act 2000 and its rules, and applicable international laws including the EU GDPR.

By using Campus or www.vellumarc.com, you agree to the practices described in this policy. If you do not agree, please do not use our services.

Vellumarc is the parent company that owns and operates Campus. For data processed through Campus, the school operating the account is the data fiduciary / controller, and Vellumarc acts as a data processor on the school's behalf. For data we collect directly through www.vellumarc.com (for example, contact-form submissions or marketing inquiries), Vellumarc is the data fiduciary.

3.1 School operator data (Campus accounts)

• Name, email address, phone number
• Role within the school (owner, admin, member)
• Authentication credentials (passwords stored as one-way hashes; we never see your password in clear text)
• Organization details (school name, branch, GST/registration where provided)

3.2 Student and guardian data (provided by schools)

Schools upload data about students and guardians so Campus can manage fee collection and communications. This includes:

• Student name, admission number, class/section
• Guardian name, guardian phone number
• Fee structure, fee records, payment history, receipts
• Notes a school chooses to attach to a student or guardian record

3.3 WhatsApp messaging data

Campus uses the WhatsApp Business Platform (WhatsApp Cloud API) operated by Meta Platforms, Inc. to deliver fee reminders, payment confirmations, and approved school communications. We process:

• Recipient phone numbers (typically guardian numbers provided by the school)
• Message templates submitted, approved, and sent
• Delivery, read, and failure status
• Meta-issued message IDs and conversation IDs
• Credit transaction logs (how many messages a school has sent)

3.4 Technical data

• IP address and approximate location
• Browser type, operating system, and device information
• Session cookies for authentication
• Audit logs (who logged in, what actions were taken, when)

3.5 Payment data

Payments are processed by third-party payment gateways. Vellumarc does not store full card numbers, CVVs, or UPI PINs. We retain only payment metadata such as gateway transaction IDs, amount, currency, status, and timestamps to reconcile receipts.

3.6 Information collected via www.vellumarc.com

When you submit a contact form or marketing inquiry on www.vellumarc.com, we collect the name, email, phone number, company, and project details you provide.

• To operate, maintain, and secure the Campus platform
• To send fee reminders, payment confirmations, and school communications via WhatsApp on behalf of schools
• To generate receipts, reports, and audit trails for financial compliance
• To prevent fraud, abuse, and unauthorized access
• To improve the service through aggregated, non-identifying analytics
• To respond to inquiries submitted on www.vellumarc.com
• To comply with applicable laws, court orders, and regulatory obligations

We process personal data on one or more of these grounds:

• Contractual necessity — to deliver the Campus service the school has subscribed to
• Legitimate interest — to keep the platform secure, prevent abuse, and improve the product
• Consent — for optional marketing communications and any non-essential cookies
• Legal obligation — to retain financial records as required by Indian law

We share personal data only with sub-processors who help us operate Campus. We do not sell personal data to anyone.

• Meta Platforms / WhatsApp — Delivery of WhatsApp messages on behalf of schools
• Razorpay — Payment processing for school fee collection
• AWS / Vercel — Application hosting and infrastructure
• Brevo — Transactional and operational email delivery

Each sub-processor is bound by its own privacy policy and data-protection commitments. Messages routed via the WhatsApp Business Platform are subject to Meta's WhatsApp Privacy Policy.

We may also disclose data when required by law, in response to valid legal process, or to protect the rights, property, or safety of Vellumarc, our users, or the public.

Most students whose data is processed via Campus are minors under 18. The school is the data fiduciary / controller and is responsible for obtaining verifiable parental consent in accordance with Section 9 of the DPDP Act 2023 before uploading or processing the personal data of children. Vellumarcacts as a data processor on the school's behalf and processes children's data only under the school's instructions.

We do not knowingly use children's data for tracking, profiling, behavioral monitoring, or targeted advertising. If a parent or guardian believes their child's data has been processed unlawfully, they should first contact the school. They may also email us at contact@vellumarc.com and we will cooperate with the school to investigate.

• Active account data — retained while account is active
• Financial records (payments, receipts, invoices) — retained for 8 years to comply with Indian financial record-keeping laws (Income-tax Act, Companies Act, GST Act)
• WhatsApp message logs — retained for 12 months
• Backups — rolling 90-day window; older backups overwritten automatically
• After account deletion — personal data is anonymized or deleted within 30 days, except where law requires longer retention

We protect personal data with industry-standard controls:

• Encryption in transit — TLS 1.2 or higher across all endpoints
• Encryption at rest — AES-256-GCM for sensitive credentials including WhatsApp access tokens
• Role-based access control — staff access is scoped to job function and reviewed periodically
• Audit logging — administrative and privileged actions are logged
• Regular security reviews — including dependency scanning, secret scanning, and code review

No system is 100% secure. If we become aware of a personal-data breach that affects you, we will notify the relevant Data Protection Board and affected users in accordance with the DPDP Act 2023.

Under the DPDP Act, GDPR, and other applicable laws, you have the right to:

• Access — obtain a copy of the personal data we hold about you
• Correction — ask us to correct inaccurate or incomplete data
• Erasure — request deletion of your personal data, subject to legal-retention requirements
• Portability — receive your data in a structured, commonly used, machine-readable format
• Withdraw consent — withdraw any consent you previously gave; this will not affect lawful processing already completed
• Grievance redressal — file a complaint with our Grievance Officer (see Section 13)

To exercise any right, email contact@vellumarc.com. We will respond within 30 days. For data held inside a school's Campus account, please contact the school directly first; we will support the school in fulfilling your request.

We use a small number of strictly necessary cookies for authentication and session management. We do not use third-party advertising or cross-site tracking cookies. If we add analytics or other non-essential cookies in the future, we will update this policy and obtain consent where required.

Personal data may be processed and stored on servers located outside India, including AWS regions and Meta's WhatsApp infrastructure. Where data is transferred outside India, we rely on the safeguards required by the DPDP Act 2023 and the GDPR (where applicable), including contractual commitments with our sub-processors.

In accordance with the Information Technology Act 2000, the IT (Reasonable Security Practices) Rules 2011, the Consumer Protection Act 2019, and the DPDP Act 2023, we have appointed a Grievance Officer to address complaints about data handling.

• Name: [PLACEHOLDER — grievance officer name]
• Email: contact@vellumarc.com
• Address: [PLACEHOLDER — registered business address]

The Grievance Officer will acknowledge complaints within 48 hours and resolve them within 30 days.

You can request deletion of your personal data at any time by following the steps on our Data Deletion page. Schools have a separate deletion process and retain control over their own account data.

We may update this Privacy Policy from time to time. For material changes, we will notify users by email and / or in-app notice at least 30 days before the changes take effect. The "Effective date" at the top of this page reflects the latest revision.

• Email: contact@vellumarc.com
• Address: [PLACEHOLDER — registered business address]
• Vellumarc website: www.vellumarc.com
• Campus product: https://campus.vellumarc.com
• Operational location: Raebareli — 229001, Uttar Pradesh, India