iTOTS is a school management platform run by CEF. Schools sign up to use iTOTS for running their daily operations. Parents, staff, and students whose schools use iTOTS are the people whose information we end up holding. This page explains what we hold, why, and what choices you have.
Who is the data controller
For each school that uses iTOTS, the school is the data controller of student, parent, and staff records. iTOTS is the data processor — we store and process the information on the school's behalf, under the school's instructions. If you want a record deleted, contact your school. If the school is not responsive, you can write to us directly and we will help.
What we collect
From schools and staff
- Name, email address, mobile phone number
- Role within the school (teacher, accountant, admin, etc.)
- For staff: salary structure, bank account details, leave records, attendance records
- Login activity (date and IP of each sign-in)
From parents
- Name, email address, mobile phone number
- Relationship to the student (father / mother / guardian)
- Login activity
- Payment history (we receive transaction confirmations from the payment gateway; we never see your card number or CVV)
About students
- Name, date of birth, gender, blood group
- Class, section, admission number, academic year
- Attendance, exam marks, report cards
- Photos uploaded by teachers during school activities
- Health notes and allergies, when entered by the school
- Transport pickup / drop-off location, when transport is used
From devices
When you use the iTOTS app:
- Device location — only used to verify staff QR check-in (to confirm the staff member is at school). Location is not collected for parents or students.
- Camera — only when you tap to scan a QR code or upload a photo.
- Push notification token — to send you school announcements and attendance alerts.
- Diagnostic logs — basic crash reports without personal information.
How we use it
- Run the school operations the school signed up for: attendance, fees, exams, communication, transport, etc.
- Send transactional emails (admission confirmation, fee receipts, password resets) and push notifications
- Process fee payments through Razorpay (so money lands in the school's bank account)
- Investigate security incidents and abuse
- Improve iTOTS — based on aggregated, non-identifying usage patterns
We do not sell your data. We do not use it for advertising. We do not share it with third-party marketers.
Who we share it with
We work with a small number of trusted service providers. Each one only receives the data they need to do their job:
- Razorpay — for processing online fee payments. They handle card and UPI data; we do not store it.
- Resend — for sending transactional emails on our behalf.
- Firebase Cloud Messaging (Google) — for delivering push notifications to phones.
- Google Maps — for showing pickup locations and bus routes on a map.
- Cloud hosting — our servers run on Indian infrastructure; database backups are stored in Cloudflare R2.
We also share data when required by law (court order, government request with valid legal basis), or to protect the safety of a person or the school.
Where the data is stored
All data is stored on servers located in India. Encrypted off-site backups are stored on Cloudflare R2.
How long we keep it
- Active students, parents, staff: as long as the school is an iTOTS customer
- Alumni records (graduated students): kept indefinitely unless the school requests deletion
- Financial records (invoices, payments, receipts): 7 years, as required by Indian tax law
- Login history and diagnostic logs: 90 days, then deleted
- If a school ends its iTOTS subscription: we delete the school's data within 60 days of termination, except records required by law
Your rights
- See what we hold about you — write to your school or us
- Correct information that's wrong
- Ask for your record to be deleted (subject to legal retention requirements)
- Withdraw consent to receive notifications (without losing access to the app itself)
- Export your data — we can provide a CSV / PDF of your records
We respond to requests within 30 days.
Children's data
Students whose information is in iTOTS are under 18 by definition (it's a school platform). Their data is entered by their parent or their school, and is only visible to authorized staff, the student's own parents, and platform administrators on a need-to-know basis. Students themselves do not sign in to iTOTS.
Security
- Passwords are hashed with bcrypt — we cannot read your PIN.
- Payment gateway credentials per school are encrypted using AES-256-GCM.
- All web traffic uses HTTPS.
- JWT tokens for mobile sessions expire and rotate.
- Database backups are encrypted at rest.
We can't guarantee that no incident will ever happen. If we discover one that affects your data, we will inform you and the school within 72 hours.
Cookies on the iTOTS website
Our marketing website at itots.in uses only essential cookies for session management. No advertising or tracking cookies.
Changes to this policy
When we change this policy, we will post the new version here with a new “last updated” date. If the change is material, we will notify school admins by email.
Contact
Write to support@itots.in or WhatsApp +91 90922 55524. Postal: CEF, Chennai, Tamil Nadu, India.
