SkoolBus

PRIVACY AND DATA PROTECTION POLICY

1. Who are we and the purpose of this policy

  1. This Privacy and Data Protection Policy sets out the practices that SB Technologies (Pvt) Ltd. ("we", "our", "us", "Company") follows with respect to the collection, use maintenance, and disclosure of information collected via SkoolBus Application ("Application").
  2. We respect and value the privacy of each person ("you" or "your") who visits the Application and we commit towards maintaining the highest standards required in order to protect any personal information you consent to share with us in accordance with the Sri Lanka's Personal Data Protection Act No 9 of 2022 ("PDPA"). This Privacy Policy applies only to information we collect from this Application and does not apply to any other application, website, or business activity of the Company.
  3. Personal Data as defined by the PDPA means any information that can identify a data subject directly or indirectly, by reference to an identifier such as a name, financial data, location data, or an online identifier or one or more factors specific to the physical, economic, cultural or social identity of that individual.
  4. The purpose of this policy is to provide you with an understanding of how we collect, handle, and use your personal data.
  5. We reserve the right to revise this Privacy Policy at any time, without prior notice, and the changes will be effective subsequent to posting the changes to the Application. Please check our Application frequently to be updated on the changes. By accessing the content and services made available on this Application and by providing your personal data to us, you acknowledge and agree that you have fully read and understood this policy, and consent to the collection, use, processing, and disclosure of your personal data as described in this policy.

2. What information do we collect and how we collect it

  1. a. We collect and maintain personal information about you from many sources to understand and meet your needs, facilitate your request, and provide our services. The personal data we collect may include but is not limited to,
    If Parent/Guardian;
    1. Full name and residential address of the parent/guardian.
    2. Full name of the child
    3. Date of birth of the child
    4. Contact number of the parent/guardian
    5. Full name of the nominated guardian
    6. Contact number of the nominated guardian
    7. Child's School details including name, address, grade etc.
    8. Child's availability for the journeys
    9. Medical information of the child
    If Driver;
    1. Full name of the primary driver
    2. Contact number of the primary driver
    3. Residential address of the primary driver
    4. License number of the primary driver
    5. Primary driver's vehicle information
    6. Primary driver's journey start/end time
    7. Primary driver's journey start location
    8. Full name of the secondary driver
    9. Contact number of the secondary driver
    10. License number of the secondary driver
    11. Secondary driver's vehicle information
    12. Secondary driver's journey start/end time
    13. Secondary driver's journey start location.
  2. We collect most of the personal data of the parent/guardian and the primary driver/ secondary driver to enhance your child's safety and provide the parent/guardian with real-time location information of your child during their school journeys.
  3. To the extent that the personal information we collect constitutes sensitive personal information under applicable law, the Application will collect and process this sensitive personal information within the limits provided by applicable law, and only after establishing reasonable security safeguards for such sensitive personal information. Where required by law, the Application will seek your consent before processing sensitive personal information.
  4. We will not share any data collected with any non-authorized third parties.

3. How We Use Your Information

The Company collects personal data for some or all of the following reasons.

  1. Provide and maintain the services- To process and fulfill your purchases and subscriptions, send you confirmation emails of your purchase and subscription status and allow you to pay for subscriptions.
  2. Improve, personalize, and develop the services-We use the information collected to; improve and personalize customer experience, perform data analysis and testing, collect feedback to help improve our programs, features or/and services, produce certification, enhance the online experience of using the Application.
  3. Communicate with you-To alert you about products upgrades and revisions, respond to you when you contact us, and promote new features or products that we feel may be of interest you to assist in addressing your inquiries and troubleshooting, about our products and services. To provide you with information that is relevant to your use of the service.

4. How we disclose your information

  1. We do not sell, trade or otherwise transfer to third parties your personally identifiable information. Any information provided to the Application will be protected from loss, misuse, unauthorized access or disclosure, alteration or destruction. However, we share your personal information with authorized third parties who assist us in operating the Application, conducting our business or servicing you including, but not limited to, credit card payments and online support, as long as these parties are compliant with applicable data protection laws.
  2. We use Firebase, a service provided by Google, for data storage and Phone Authentication. Your data may be processed and stored by Firebase in accordance with their privacy policy.
  3. We may choose to retain your personal information to the full extent of any period provided by law and statute. We may also choose to delete your personal information from our databases after a required number of years and/or if the intended purposes for which we have collected your information is completed or is no longer relevant. We may release your information when we are required to comply with the law, enforce our policies, or protect Company's and other third-party rights, property or safety. However, non-personally identifiable information may be provided by the Company to third parties for marketing, advertising, or other uses.

5. Storage and Retention

We may keep information and content in our systems, backup files, and archives as follows;

  1. Utilized encryption for data at rest and in transit.
    1. Strong hashing for sensitive information in the database tables.
    2. Server-side encryption by default in the database.
  2. Obtaining regular backup for the Application data and testing the backup and recovery procedures.
  3. Monitoring and logging access (only metadata), network traffic, and system activities for detection of security incidents and getting monitored via Security Operation Centre.
  4. Classified data based on sensitivity and applied appropriate security controls over the Risk Based Authentication.

Your personal data will be retained as long as necessary to provide you with the services requested. When we no longer need to use your personal data to comply with business requirements, we will remove it from our systems and records and/or take steps to properly anonymize it so that you can no longer be identified from it, unless we need to keep your personal data, including if we need to keep your personal data to comply with legal or regulatory obligations to which we are subject.

6. Threat Assessment and Protection

We have standardized enterprise-wide analysis of software-related threats within the organization and have prioritized proactive improvement of threat coverage throughout the organization to ensure that there are no leaks of the data we collect.

We are committed to ensuring that your information is secure. In order to prevent unauthorized access or disclosure we have put in place the following suitable physical, electronic, and managerial procedures to secure the information.

  1. Implement strong access controls including input validation and multifactor authentication.
  2. Use secure protocols (SSL/TLS version 1.2 and higher) for data transmission and avoid transmitting sensitive data over unsecured networks.
  3. Establish clear data retention policies and securely dispose of data that is no longer needed.
  4. The Company is keeping systems and software up to date with the latest security patches.
  5. Conduct regular security audits, GDPR compliances and assessments to identify vulnerabilities and implement necessary measures.
  6. Encrypted the offline data stored on the device using strong encryption algorithms. Android provides cryptographic APIs and libraries (AES)
  7. Established secure key management techniques to store and handle encryption keys (API keys).
  8. Data protection by design and default
    1. Monitoring and reporting in a file any unauthorized or illegal access attempts.
    2. Monitoring specific activities such as who accesses personal data and with whom the data are being shared.
    3. Keeping a record of how long the data are to be stored while being stored.
    4. The data are encrypted, pseudonymized, and anonymized whenever possible, to protect them from any unauthorized access.
    5. The components are following industry standards GDPR and acquiring a security certification.

7. Your Rights

  1. Right of access- You may have the right to obtain from us confirmation as to whether personal data concerning you is processed, and, where that is the case, to request access to the personal data.
  2. Right to rectification- You may have the right to obtain from us the rectification of inaccurate personal data concerning you. Depending on the purposes of the processing, you may have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
  3. Right to object- If the processing of your personal data is based on legitimate interests, you may have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data by us and we can be required to no longer process your personal data. Moreover, if your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. In this case, your personal data will no longer be processed for such purposes by us.
  4. Right to fair treatment- We will not discriminate against you for exercising any of your privacy rights. Irrespective of your standing on your privacy preferences, we will provide the services.
  5. To restrict the use of your information- You can request to restrict the use of your information.
  6. To complain to a supervisory authority- If you have any complaints regarding the data collected and usage of it, you have the right to lodge a complaint to a superior authority.

8. How to Contact Us

If you have any questions or concerns regarding the Privacy Policy, please feel free to contact us at the following email or telephone number;

Email: [email protected]

Phone: (+94) 77 547 4343