SoNow
Draft — pending legal review. This policy is a working draft prepared in good faith and has not yet been reviewed by a qualified legal adviser. It may change before publication.

Privacy Policy

Version 1.0.0-draft · Last updated: 12 June 2026

SoNow is a school and coaching-institute management platform operated by Matrikar ("Matrikar", "we", "us", "our"). This policy explains what personal data we process through the SoNow platform, why we process it, and the rights available to individuals whose data we handle.

We process personal data in accordance with the Digital Personal Data Protection Act, 2023 (the "DPDP Act") and the rules made under it. In most cases, an educational institute that subscribes to SoNow (the "Institute") decides what data is collected and why — it acts as the Data Fiduciary for the data it puts into the platform. Matrikar acts as a Data Processor on the Institute's instructions for that data. For the limited account and billing data we collect directly from Institutes, we act as the Data Fiduciary.

1. Who This Policy Covers

  • Institute administrators and ownerswho create and manage an Institute's SoNow account
  • Teachers and employees who are given access by the Institute
  • Students, including minors, whose records are maintained by the Institute
  • Parents and guardians whose contact details are held for communication

2. Data We Process

Institute and Account Data

Institute name, branch details, billing contact, administrator name, email address and phone number used to set up and manage the account.

Staff Data

Names, contact details, role and employment-related records of teachers and employees that the Institute chooses to maintain.

Student Data (including minors' data)

Student names, enrolment and class details, attendance records, assessment and test scores, fee and payment records, and other academic information entered by the Institute. A large proportion of students are below the age of 18, so this data is treated as children's data under Section 9 of the DPDP Act (see Section 5 below).

Guardian Contact Data

Names, phone numbers and email addresses of parents and guardians, used by the Institute to communicate about attendance, fees, results and announcements.

3. Why We Process This Data

  • To create, operate and secure the Institute's SoNow account
  • To enable the Institute to manage enrolment, attendance, assessments, fees and communication with guardians
  • To process the Institute's subscription and send billing receipts
  • To provide support and respond to queries
  • To keep the platform secure and prevent misuse
  • To meet legal and regulatory obligations

We do not sell personal data, and we do not use student, staff or guardian data for advertising.

4. Legal Basis

Under the DPDP Act we process personal data on the basis of consent or for legitimate uses permitted by the Act. For student and guardian data, the Institute is responsible for obtaining the necessary consent from the data principal or, in the case of a minor, from the parent or lawful guardian, before entering the data into SoNow. Matrikar processes that data only to provide the platform to the Institute.

5. Children's Data (Section 9, DPDP Act)

The SoNow platform routinely holds data about students who are minors. In line with Section 9 of the DPDP Act:

  • The Institute must obtain verifiable consent from a parent or lawful guardian before a minor's data is processed in SoNow. The Institute, as the body with a direct relationship with families, is responsible for collecting and recording this consent.
  • We do not undertake tracking, behavioural monitoring or targeted advertising directed at children.
  • We process children's data only to deliver the services the Institute uses on a child's behalf — such as attendance, assessment and fee records — and not for any purpose likely to cause harm to a child.

6. Your Rights as a Data Principal

Subject to the DPDP Act, data principals may:

  • Access a summary of the personal data being processed about them
  • Correct inaccurate or incomplete data and request completion or updating
  • Erase personal data where it is no longer needed for the purpose it was collected
  • Nominate another individual to exercise these rights in the event of death or incapacity
  • Grievance redressal — raise a complaint and have it addressed (see Section 9)

Because most student and guardian data is controlled by the Institute, requests relating to that data are usually directed to the Institute in the first instance. We will assist the Institute in responding to such requests, and you may also contact our Grievance Officer directly.

7. Sub-Processors

We use a small number of trusted infrastructure providers to run the platform. Each is bound to process data only on our instructions and to keep it secure.

Sub-processorPurposeLocation
VercelHosting of the SoNow marketing websiteGlobal edge network
Amazon Web Services (AWS)Hosting, storage and processing for the SoNow application backendAWS data centres

We will update this list before introducing any new sub-processor that handles personal data.

8. Data Retention

We retain Institute account and billing data for as long as the subscription is active and for a reasonable period afterwards to meet legal and accounting obligations. Student, staff and guardian data is retained for as long as the Institute's account is active or until the Institute instructs us to delete it. On verified deletion of an Institute account, personal data is removed from active systems within 30 days, except where retention is required by law. Backups are purged on their normal rotation cycle.

9. Grievance Officer (Section 10, DPDP Act)

In accordance with Section 10 of the DPDP Act, we have designated a Grievance Officer to address questions and complaints about how personal data is handled on the SoNow platform.

  • Name: [GRIEVANCE OFFICER NAME — to be appointed before publication]
  • Address: [Matrikar registered office address — to be filled before publication]
  • Email: grievance@sonow.in

We aim to acknowledge grievances within 72 hours and to resolve them within 30 days of receipt, in line with the timelines under the DPDP Act.

10. Security

We protect personal data using encryption in transit and at rest, role-based access controls, and access scoped to each Institute. For more detail, see our Security page. No system can be guaranteed to be completely secure, but we work to reduce risk.

11. Changes to This Policy

We may update this policy from time to time. Changes will be posted on this page with an updated version string and date. Where changes are material, we will also notify Institutes.

12. Contact

For privacy questions, contact our Grievance Officer at grievance@sonow.in.