Last updated: March 2026  ·  Version 1.0

Privacy Policy

How Lyca Technologies collects, uses, and protects your information on the Smart School ERP platform and mobile application.

1. Introduction

Welcome to Lyca Technologies' Smart School ERP ("the Platform"). This Privacy Policy explains how Lyca Technologies ("we", "us", or "our") collects, uses, stores, and protects information when you use our School Enterprise Resource Planning web platform and mobile application (collectively, the "Service").

The Service is provided exclusively to educational institutions ("Schools") and their authorised users — including school administrators, teachers, non-teaching staff, students, and parents/guardians — under a Software-as-a-Service (SaaS) agreement. By accessing or using the Service, you agree to the practices described in this Privacy Policy.

This Service is not directed at children under the age of 13. All users of the Platform must be at least 13 years of age. Student accounts are created and managed by the School, which assumes responsibility for ensuring age compliance within its institution.

2. Who We Are

Lyca Technologies is the data processor for the Smart School ERP Platform. Each School that subscribes to the Platform acts as the data controller for the personal data of its staff, students, and parents within its own account. Lyca Technologies processes that data on behalf of the School in accordance with this policy and the applicable SaaS agreement.

For questions about this Privacy Policy, contact us:

Address

Gulshan-e-Maymar, Karachi, PK


3. Information We Collect

We collect information necessary to provide a fully functional school management system. This includes the following categories:

3.1 Account & Authentication Data

  • Full name
  • Username and password (passwords are hashed using bcrypt)
  • Email address (where applicable per role)
  • Phone number (used for OTP-based password reset)
  • User role: Administrator, Teacher, Employee, Student, Parent/Guardian
  • School code and campus code (to scope access to the correct institution)
  • Profile picture (optional, uploaded by the School or user)

3.2 Student-Specific Data

  • Class and section assignment
  • Roll number
  • Parent/guardian linkage and family code
  • Relationship to student (for parent accounts)

3.3 Teacher & Employee Data

  • Subject assignments and department
  • Designation
  • Class assignments

3.4 Device & Push Notification Tokens

To deliver push notifications to your device, we store:

  • Firebase Cloud Messaging (FCM) token — Android
  • Apple Push Notification service (APNs) token — iOS

These tokens are refreshed automatically and are used solely to route notifications to your device.

3.5 Notification Preferences

Users may configure their preferred notification channels from: Push Notifications, In-App Notifications, Email, WhatsApp, and SMS. These preferences are stored on our servers and honoured when dispatching notifications.

3.6 Attendance Data (QR Code Scanning)

The mobile application requests access to your device camera for the purpose of scanning QR codes to record student attendance. Camera access is used exclusively for this feature. We do not capture photos, videos, or any biometric data through the camera.

Camera permission is requested only when the QR attendance scanning feature is actively used. You may deny this permission; however, QR-based attendance will not be available without it.

3.7 Activity & Log Data

  • Login timestamps and IP addresses
  • API request logs (for debugging and audit trails)
  • Device operating system and app version

4. How We Use Your Information

  • Authenticating users and managing secure access to school data
  • Displaying relevant academic, administrative, and operational information to each user based on their role and campus
  • Recording and managing student attendance via QR code scanning
  • Sending push notifications, in-app alerts, SMS, email, and WhatsApp messages for school events, announcements, fee reminders, attendance updates, exam schedules, and other school-related communications
  • Enabling password reset via OTP delivered by email or WhatsApp
  • Maintaining audit logs for school administrators
  • Providing technical support and resolving issues
  • Improving the platform features and fixing bugs

We do NOT use your data for advertising, profiling, data brokering, or any commercial purpose outside the scope of the School's SaaS subscription.

5. Data Storage & Security

All data is stored on secure cloud infrastructure. We implement the following security measures:

  • Passwords are hashed using bcrypt before storage and are never stored in plaintext
  • All API communications are encrypted in transit using HTTPS/TLS
  • JWT authentication with configurable expiry for session management
  • Role-based access control (RBAC): each user can only access data pertinent to their role and campus
  • Campus-code and school-code scoping enforced at the API level to prevent cross-school data access
  • Rate-limiting on sensitive operations such as password changes
  • OTP attempts are limited (maximum 5 attempts) to prevent brute-force attacks

While we employ industry-standard security practices, no system is 100% immune to threats. In the event of a data breach that affects your personal data, we will notify the relevant School and take all reasonable remediation steps.


6. Data Sharing & Disclosure

We do not sell, rent, trade, or otherwise transfer your personal information to third parties for commercial purposes. Data may be shared only in the following limited circumstances:

  • With the School: all data within a School's account is accessible to that School's authorised administrators
  • Service providers: third-party infrastructure providers (cloud hosting, SMS/WhatsApp delivery, email) who process data on our behalf under strict confidentiality obligations
  • Legal compliance: if required by law or a valid legal request (court order, governmental authority)
  • Business transfer: in the event of a merger, acquisition, or sale of assets, with prior notice to affected Schools

Push notification services (Firebase/APNs) receive only device tokens and message payloads. They do not receive any personally identifiable information beyond what is necessary to route the notification.

7. What We Do NOT Do

We want to be fully transparent about the boundaries of data use:

  • We do NOT display advertisements or serve ad content of any kind
  • We do NOT share or sell data to advertisers or marketing platforms
  • We do NOT collect any payment information (no in-app purchases, no billing data)
  • We do NOT offer in-app subscriptions or paid features within the mobile app
  • We do NOT collect data for behavioural profiling or analytics sold to third parties
  • We do NOT access the camera for any purpose other than QR code attendance scanning
  • We do NOT collect location data (GPS) at any point
  • We do NOT record audio or video
  • We do NOT use advertising pixels, cross-site trackers, or third-party ad cookies

8. Push Notifications

The Smart School ERP mobile application sends push notifications to keep users informed of school-related events. Notifications may include:

  • Attendance alerts (mark in, mark out)
  • Fee reminders and payment acknowledgements
  • Exam schedules and result announcements
  • School announcements and circulars
  • Homework and assignment updates
  • General administrative communications from the school

You may manage your notification preferences within the app under Settings → Notifications. Disabling notifications at the operating system level will prevent all push notifications regardless of in-app settings.

We do not send promotional, marketing, or third-party notifications. All notifications originate from your School's administrative actions within the ERP.

9. Camera & Device Permissions

The mobile application requests the following device permissions:

Camera

Used exclusively for scanning QR codes to mark student attendance. The camera feed is processed locally on-device for QR detection. No images or frames are transmitted to our servers. Camera access is triggered only when the attendance scanning screen is actively open.

Network Access

Required to communicate with ERP servers for all data operations (login, fetching records, submitting forms, etc.).

Push Notification Permission

Required to receive school notifications on your device. This permission is requested on first launch and can be revoked at any time through your device's system settings.

All permissions follow the principle of least privilege — we request only what is necessary for the feature to function, and never access device resources in the background beyond what is required for push notification delivery.

10. Data Retention

Data is retained for the duration of the School's active subscription with Lyca Technologies. Upon termination of the SaaS agreement:

  • The School may request a full export of its data prior to account closure
  • Data is deleted from our active systems within 30 days of account closure
  • Backup copies may be retained for up to 90 days for disaster recovery, after which they are permanently deleted

Individual user account data is retained for as long as the School maintains that account. Schools may delete individual accounts at any time through the administrator panel.


11. Your Rights

Depending on your jurisdiction, you may have the following rights with respect to your personal data:

Right of access

Request a copy of the data we hold about you

Right to rectification

Request correction of inaccurate or incomplete data

Right to erasure

Request deletion of your personal data (subject to School approval)

Right to restrict

Request that we limit how we use your data

Right to portability

Receive your data in a structured, machine-readable format

Right to object

Object to specific uses of your data

Because the School is the data controller for its users, most data rights requests should be directed to the School's administrator in the first instance. For platform-level requests, contact us at info@lycatech.pk.


12. Age Requirements & Minors

The Smart School ERP is designed for educational institutions and their staff, students (aged 13 and above), and parents/guardians. The Platform is not intended for and does not knowingly collect personal information from children under the age of 13.

Student accounts are created and managed by the School. Schools are responsible for ensuring that student data collected and entered into the Platform complies with applicable child protection laws in their jurisdiction, including COPPA (USA), GDPR (EU/UK), and equivalent local legislation in Pakistan.

If we become aware that personal data has been collected from a child under 13 without parental consent, we will take prompt steps to delete that data.

13. Cookies & Tracking Technologies

The Smart School ERP mobile application does not use advertising cookies, tracking pixels, or cross-app tracking technologies. The web-based administrative portal may use essential session cookies solely for the purpose of maintaining authenticated sessions. No third-party analytics or advertising cookies are used.


14. Third-Party Services

To deliver the full functionality of the Platform, we integrate with the following categories of third-party services:

  • Cloud infrastructure providers (hosting and database storage)
  • Firebase Cloud Messaging / Apple Push Notification service (push notification delivery)
  • Email delivery services (OTP and transactional emails)
  • WhatsApp Business API / Twilio (WhatsApp and SMS OTP delivery)

Each of these providers is bound by their own privacy policies and data processing agreements. We do not grant any third-party provider access to your data beyond what is strictly necessary for their integration to function.


15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the 'Effective Date' at the top of this page
  • Notify School administrators via the platform or by email
  • Provide a reasonable notice period before significant changes take effect

Your continued use of the Platform after the effective date of the revised policy constitutes your acceptance of the changes.


16. Governing Law

This Privacy Policy is governed by and construed in accordance with the laws of Pakistan, without regard to conflict of law principles. Any disputes arising from this policy or the use of the Platform shall be subject to the exclusive jurisdiction of the courts of Karachi, Sindh, Pakistan.


17. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or the handling of your personal data, please reach out:

© 2026 Lyca Technologies. All rights reserved.  ·  Effective Date: March 2026  ·  Version 1.0
