Privacy Policy
Governing the Collection, Processing, Storage, and Transfer of Personal Data
DAILY TAB
PRIVACY POLICY
Governing the Collection, Processing, Storage, and Transfer of Personal Data
Effective Date: July 2026 | Version 1.1
1. Introduction and Identity of the Data Controller / Processor
Daily Tab ("Service," "we," "us," or "our") operates a cloud-based digital attendance management platform accessible at dailytab.app ("Platform"). This Privacy Policy describes, with full transparency, how personal data is collected, processed, stored, transferred, and protected when the Platform is used by educational institutions ("Colleges"), their administrative personnel ("Admins"), and their teaching staff ("Teachers").
In respect of institutional data submitted by Colleges, Daily Tab acts as a Data Processor under the instruction of each College, which is the Data Controller. In respect of operational and technical data processed to deliver the Platform, Daily Tab acts as Data Controller.
This Policy is designed to satisfy the requirements of the following data protection frameworks, each of which may apply depending on the jurisdiction of the College or its data subjects:
| Jurisdiction | Applicable Law | Enforcement Authority |
| European Union / EEA | General Data Protection Regulation (GDPR) 2016/679 | National Supervisory Authorities / EDPB |
| United Kingdom | UK GDPR & Data Protection Act 2018 | Information Commissioner's Office (ICO) |
| United States – California | CCPA / CPRA | California Privacy Protection Agency |
| Brazil | Lei Geral de Proteção de Dados (LGPD) | Autoridade Nacional de Proteção de Dados (ANPD) |
| Canada | PIPEDA / Quebec Law 25 | Office of the Privacy Commissioner |
| India | Digital Personal Data Protection Act 2023 (DPDPA) | Data Protection Board of India |
| Nepal | Privacy Act 2018 | National Human Rights Commission |
| Sri Lanka | Personal Data Protection Act 2022 | Data Protection Authority |
| China | Personal Information Protection Law (PIPL) 2021 | Cyberspace Administration of China |
| South Africa | Protection of Personal Information Act (POPIA) 2013 | Information Regulator |
| Australia | Privacy Act 1988 (13 APPs) | Office of the Australian Information Commissioner |
| Singapore / Thailand / Indonesia | PDPA / PDPA 2019 / PDP Law 2022 | Respective National Authorities |
| UAE / Middle East | Federal Decree-Law No. 45 of 2021 | UAE Data Office |
2. Definitions
For the purposes of this Policy, the following terms shall have the meanings set out below, interpreted consistently with the applicable law in each relevant jurisdiction:
"Personal Data" or "Personal Information": Any information relating to an identified or identifiable natural person, as defined under applicable law in each jurisdiction.
"Data Controller": The entity (in this context, the College) that determines the purposes and means of processing personal data.
"Data Processor": The entity (Daily Tab) that processes personal data on behalf of and under the instruction of the Data Controller.
"Data Subject": The identified or identifiable individual whose personal data is being processed, including students and teaching staff.
"Institutional Data": All personal data submitted to the Platform by or on behalf of a College, including student and staff records.
"Sub-Processor": A third-party service provider engaged by Daily Tab to assist in the delivery of the Platform.
"Processing": Any operation performed on personal data, whether automated or not, including collection, recording, storage, adaptation, retrieval, use, disclosure, and deletion.
"Special Category Data" or "Sensitive Personal Information": Categories of data afforded heightened protection under applicable law, including health data, biometric data, religious beliefs, racial or ethnic origin, and similar categories.
3. Categories of Personal Data Collected
Daily Tab collects and processes only the minimum personal data necessary to provide the Platform. We do not collect payment information, government identification numbers, biometric data, health data, location data, or any special category personal data. The categories of data processed are limited to the following:
| Data Subject | Categories of Personal Data | Method of Collection | Purpose |
| College Admin | Full name, official email address, encrypted authentication credentials | Entered by Daily Tab upon College onboarding | Account authentication and College administration |
| Teacher | Full name, official email address, encrypted authentication credentials | Entered by Admin via invitation workflow | Account authentication and attendance marking |
| Student | Full name, enrollment roll number, attendance records (dates and present/absent status) | Entered by Admin or Teacher | Attendance tracking, reporting, and academic records management |
4. Lawful Basis for Processing
Daily Tab processes personal data on the following lawful bases, applied in accordance with the requirements of each applicable jurisdiction:
| Processing Activity | Lawful Basis (GDPR / UK GDPR) | Equivalent Basis (Other Laws) |
| Admin and Teacher authentication | Article 6(1)(b) – Contractual necessity | Contractual necessity (LGPD Art. 7(V)); necessary performance (PIPEDA) |
| Student attendance processing | Article 6(1)(b) – Contractual necessity; Article 6(1)(f) – Legitimate interests | Legitimate interests (LGPD Art. 7(IX)); consent or legitimate interests (PDPA) |
| Sending transactional emails | Article 6(1)(b) – Contractual necessity | Contractual necessity across applicable frameworks |
| Platform security and integrity | Article 6(1)(f) – Legitimate interests | Legitimate interests across applicable frameworks |
| Compliance with legal obligations | Article 6(1)(c) – Legal obligation | Legal obligation across applicable frameworks |
Where applicable law in a specific jurisdiction requires consent as the exclusive lawful basis for processing (including processing of personal data of minors under India's DPDPA, or processing subject to PIPL in China), each College, as Data Controller, is solely responsible for obtaining, recording, and maintaining such consent from the relevant data subjects prior to submitting their personal data to the Platform.
Note for Indian Colleges (DPDPA 2023 / DPDP Rules 2025): Under India's Digital Personal Data Protection Act 2023, consent is the primary and sole lawful basis for processing personal data. References to “legitimate interests” as a lawful basis do not apply to Colleges subject to the DPDPA. All processing must be based on consent that is free, specific, informed, unconditional, and unambiguous. For students under 18 years of age, verifiable parental consent is mandatory. The College, as Data Fiduciary under the DPDPA, bears full responsibility for DPDPA compliance.
5. College Obligations as Data Controller
Each College is the Data Controller in respect of all Institutional Data. As Data Controller, the College assumes full legal responsibility for ensuring that:
All personal data submitted to the Platform has been collected lawfully and with appropriate authority, notification, or consent as required by the laws of the College's jurisdiction.
Students, teaching staff, and, where required by applicable law, their parents or guardians, have been informed of the data processing conducted through the Platform in a manner consistent with applicable transparency requirements.
The submission of student personal data to a platform whose infrastructure is located in Japan (Tokyo AWS region) is authorized under applicable law, including any cross-border transfer requirements in India (DPDPA), China (PIPL), and other jurisdictions with data localization requirements.
All required registrations, notifications, or approvals with relevant data protection authorities have been obtained where required.
Individuals under the age of eighteen (18), or such higher age threshold as defined by applicable law, are processed in accordance with heightened protections for minors, including parental consent requirements under India's DPDPA, China's PIPL, South Africa's POPIA, and equivalent instruments.
6. Data Access Controls and Confidentiality
Access to personal data within the Platform is governed by strict role-based controls:
College Admins may access all Institutional Data belonging exclusively to their own College. No Admin may access, view, or modify data belonging to any other College.
Teachers may access only the student data pertaining to the specific classes and subjects to which they have been expressly assigned by the Admin. Teachers have no access to data of other classes, subjects, or teachers.
Daily Tab operational personnel may access Institutional Data solely for the purposes of technical maintenance, debugging, and support, and only where strictly necessary to maintain Platform integrity or upon request from the College.
No Institutional Data is shared with third parties for any commercial, marketing, research, advertising, or analytical purpose not directly related to the provision of the Platform.
Daily Tab does not sell, rent, license, or otherwise transfer personal data to any third party for consideration.
7. Sub-Processors and International Data Transfers
Daily Tab engages the following sub-processors in the delivery of the Platform. All sub-processors are bound by data protection agreements requiring standards of protection no less stringent than those set out in this Policy:
| Sub-Processor | Role | Data Location | Applicable Transfer Mechanism |
| Supabase, Inc. (on AWS infrastructure) | Database hosting, user authentication, data storage, and access control | Tokyo, Japan (AWS ap-northeast-1) | Standard Contractual Clauses (EU/UK); LGPD SCCs; adequate safeguards per applicable law |
| Resend, Inc. | Transactional email delivery (invitations and password reset communications only) | Global AWS infrastructure | Standard Contractual Clauses; adequate safeguards per applicable law |
| Cloudflare, Inc. | Content delivery network (CDN), DNS resolution, application and legal-site hosting, TLS termination, and DDoS protection | Global edge network (data processed at the nearest edge location) | Standard Contractual Clauses; adequate safeguards per applicable law |
By using the Platform, Colleges acknowledge and accept that Institutional Data is transferred to and stored in Japan. For Colleges subject to the EU GDPR or UK GDPR, such transfers are governed by Standard Contractual Clauses (SCCs) as adopted by the European Commission. For Colleges subject to Brazil's LGPD, transfers are governed by equivalent contractual safeguards. For Colleges subject to India's DPDPA or China's PIPL, the College is responsible for ensuring that any applicable cross-border transfer authorization, consent, or security assessment requirements under those laws are satisfied prior to using the Platform. Daily Tab will not engage additional sub-processors without first notifying affected Colleges.
8. Data Retention
| Category of Data | Retention Period | Rationale |
| Student attendance records | Retained indefinitely until receipt of a verified written deletion request from the College | Ongoing institutional academic record-keeping requirements |
| Teacher and Admin account data | Retained for the duration of active membership; deleted upon verified account termination request | Contractual and operational necessity |
| Authentication tokens and session logs | Retained per Supabase infrastructure retention standards (typically 90 days for logs) | Security monitoring and incident response |
| Transactional email delivery records | Retained per Resend's standard log retention period | Delivery confirmation and troubleshooting |
Upon receipt of a verified written deletion request from a College, all Institutional Data associated with that College will be permanently and irreversibly deleted from all live systems within thirty (30) calendar days. Daily Tab does not maintain accessible backup copies of deleted Institutional Data beyond this period.
9. Data Security
Daily Tab implements technical and organizational security measures commensurate with the risk presented by the processing of personal data on the Platform. All data is encrypted in transit using Transport Layer Security (TLS) and encrypted at rest. Access to Institutional Data is governed by role-based permissions ensuring that data is accessible only to authorized users within each College. Platform architecture enforces strict data isolation between Colleges.
10. Personal Data Breach Notification
In the event that Daily Tab becomes aware of a personal data breach affecting Institutional Data, Daily Tab shall notify the affected College without undue delay and, to the extent feasible, within seventy-two (72) hours of becoming aware of the breach, in accordance with GDPR Article 33, India's DPDPA, and equivalent provisions under applicable law. Such notification shall include: (i) a description of the nature and approximate scope of the breach; (ii) the categories and estimated number of data subjects affected; (iii) the likely consequences of the breach; and (iv) the measures taken or proposed to address the breach and mitigate its effects.
Each College, as Data Controller, is solely responsible for determining whether and how to notify affected data subjects and relevant supervisory authorities, and for fulfilling all such notification obligations under applicable law in its jurisdiction.
11. Rights of Data Subjects
To the extent provided under applicable law, data subjects have the following rights in respect of their personal data. The availability of specific rights varies by jurisdiction:
| Right | GDPR / UK GDPR | LGPD | CCPA/CPRA | DPDPA | POPIA / Others |
| Access | Yes – Art. 15 | Yes – Art. 18 | Yes | Yes | Yes |
| Rectification / Correction | Yes – Art. 16 | Yes – Art. 18 | Yes (limited) | Yes | Yes |
| Erasure / Deletion | Yes – Art. 17 | Yes – Art. 18 | Yes | Yes | Yes |
| Portability | Yes – Art. 20 | Yes – Art. 18 | Yes (limited) | No | No |
| Restrict Processing | Yes – Art. 18 | Yes – Art. 18 | Opt-out only | No | Yes |
| Object to Processing | Yes – Art. 21 | Yes – Art. 18 | Opt-out | Withdrawal | Yes |
| Automated Decision Rights | Yes – Art. 22 | Yes – Art. 20 | Yes (CPRA) | Limited | Limited |
Data subject requests should be directed to the College in the first instance, as the College is the Data Controller. Where a request is forwarded to Daily Tab, we shall assist the College in responding within the timeframes required by applicable law. GDPR and UK GDPR require responses within one calendar month. India's DPDPA and LGPD require responses within a reasonable time as defined by their respective authorities.
12. California-Specific Disclosures (CCPA / CPRA)
For Colleges operating in or processing personal information of California residents, the following additional disclosures apply:
Daily Tab does not sell personal information as defined under the CCPA.
Daily Tab does not share personal information for cross-context behavioral advertising.
Daily Tab acts as a Service Provider under the CCPA, processing personal information solely to provide the Platform pursuant to its agreement with the College.
California residents have the right to know, delete, correct, and opt-out of the sale or sharing of their personal information. As no sale or sharing occurs, opt-out rights are not applicable.
Daily Tab does not engage in profiling in furtherance of decisions that produce legal or similarly significant effects.
13. Children and Minors
The Platform is intended solely for use by undergraduate and graduate educational institutions. Daily Tab does not knowingly collect personal data from individuals for whom parental or guardian consent is required without the College having first obtained such consent. Specific requirements by jurisdiction include:
India (DPDPA): Colleges must obtain verifiable parental consent for processing data of students under eighteen (18) years of age.
EU/UK (GDPR): Colleges must obtain verifiable parental consent for processing data of children below the age of digital consent in their member state (typically 13–16 years).
Brazil (LGPD): Colleges must obtain specific and highlighted consent of at least one parent or legal guardian for processing data of children under thirteen (13) years.
South Africa (POPIA): Colleges must obtain consent of a competent person for processing data of individuals under eighteen (18) years.
In all cases, the College bears sole responsibility as Data Controller for ensuring compliance with applicable minors' data protection requirements.
14. Cookies and Tracking Technologies
The Platform uses authentication cookies strictly necessary for the operation of user sessions and login functionality. No tracking cookies, advertising cookies, analytics cookies, or any cookies requiring user consent under the EU ePrivacy Directive or equivalent instruments are used. No third-party tracking technologies are embedded in the Platform.
15. Changes to This Policy
Daily Tab reserves the right to amend this Privacy Policy at any time to reflect changes in applicable law, Platform functionality, or data processing practices. In the event of material changes, Colleges will be notified by email no fewer than fourteen (14) days prior to the changes taking effect. The date of the most recent revision is displayed at the top of this Policy. Continued use of the Platform following notification constitutes acceptance of the revised Policy. Colleges that do not accept material changes must cease use of the Platform and may request deletion of their Institutional Data.
16. Contact and Data Protection Inquiries
All inquiries, data subject access requests, data deletion requests, breach notifications, and other correspondence relating to data protection and this Privacy Policy should be directed to Daily Tab at support@dailytab.app. Daily Tab will acknowledge all data protection inquiries within five (5) business days and will endeavor to resolve them within the timeframes required by applicable law. For Colleges subject to India's DPDPA, Daily Tab maintains a grievance redressal mechanism and will respond to all data principal requests within ninety (90) days as required under the DPDPA and DPDP Rules 2025.
© 2026 Daily Tab. All rights reserved. This document is subject to periodic review and amendment. The most current version is available at dailytab.app.