Daily Tab · Legal

Privacy Policy

Governing the Collection, Processing, Storage, and Transfer of Personal Data

Effective Date: July 2026 Version 1.1

DAILY TAB

PRIVACY POLICY

Governing the Collection, Processing, Storage, and Transfer of Personal Data

Effective Date: July 2026 | Version 1.1

1. Introduction and Identity of the Data Controller / Processor

Daily Tab ("Service," "we," "us," or "our") operates a cloud-based digital attendance management platform accessible at dailytab.app ("Platform"). This Privacy Policy describes, with full transparency, how personal data is collected, processed, stored, transferred, and protected when the Platform is used by educational institutions ("Colleges"), their administrative personnel ("Admins"), and their teaching staff ("Teachers").

In respect of institutional data submitted by Colleges, Daily Tab acts as a Data Processor under the instruction of each College, which is the Data Controller. In respect of operational and technical data processed to deliver the Platform, Daily Tab acts as Data Controller.

This Policy is designed to satisfy the requirements of the following data protection frameworks, each of which may apply depending on the jurisdiction of the College or its data subjects:

Jurisdiction Applicable Law Enforcement Authority
European Union / EEA General Data Protection Regulation (GDPR) 2016/679 National Supervisory Authorities / EDPB
United Kingdom UK GDPR & Data Protection Act 2018 Information Commissioner's Office (ICO)
United States – California CCPA / CPRA California Privacy Protection Agency
Brazil Lei Geral de Proteção de Dados (LGPD) Autoridade Nacional de Proteção de Dados (ANPD)
Canada PIPEDA / Quebec Law 25 Office of the Privacy Commissioner
India Digital Personal Data Protection Act 2023 (DPDPA) Data Protection Board of India
Nepal Privacy Act 2018 National Human Rights Commission
Sri Lanka Personal Data Protection Act 2022 Data Protection Authority
China Personal Information Protection Law (PIPL) 2021 Cyberspace Administration of China
South Africa Protection of Personal Information Act (POPIA) 2013 Information Regulator
Australia Privacy Act 1988 (13 APPs) Office of the Australian Information Commissioner
Singapore / Thailand / Indonesia PDPA / PDPA 2019 / PDP Law 2022 Respective National Authorities
UAE / Middle East Federal Decree-Law No. 45 of 2021 UAE Data Office

2. Definitions

For the purposes of this Policy, the following terms shall have the meanings set out below, interpreted consistently with the applicable law in each relevant jurisdiction:

3. Categories of Personal Data Collected

Daily Tab collects and processes only the minimum personal data necessary to provide the Platform. We do not collect payment information, government identification numbers, biometric data, health data, location data, or any special category personal data. The categories of data processed are limited to the following:

Data Subject Categories of Personal Data Method of Collection Purpose
College Admin Full name, official email address, encrypted authentication credentials Entered by Daily Tab upon College onboarding Account authentication and College administration
Teacher Full name, official email address, encrypted authentication credentials Entered by Admin via invitation workflow Account authentication and attendance marking
Student Full name, enrollment roll number, attendance records (dates and present/absent status) Entered by Admin or Teacher Attendance tracking, reporting, and academic records management

4. Lawful Basis for Processing

Daily Tab processes personal data on the following lawful bases, applied in accordance with the requirements of each applicable jurisdiction:

Processing Activity Lawful Basis (GDPR / UK GDPR) Equivalent Basis (Other Laws)
Admin and Teacher authentication Article 6(1)(b) – Contractual necessity Contractual necessity (LGPD Art. 7(V)); necessary performance (PIPEDA)
Student attendance processing Article 6(1)(b) – Contractual necessity; Article 6(1)(f) – Legitimate interests Legitimate interests (LGPD Art. 7(IX)); consent or legitimate interests (PDPA)
Sending transactional emails Article 6(1)(b) – Contractual necessity Contractual necessity across applicable frameworks
Platform security and integrity Article 6(1)(f) – Legitimate interests Legitimate interests across applicable frameworks
Compliance with legal obligations Article 6(1)(c) – Legal obligation Legal obligation across applicable frameworks

Where applicable law in a specific jurisdiction requires consent as the exclusive lawful basis for processing (including processing of personal data of minors under India's DPDPA, or processing subject to PIPL in China), each College, as Data Controller, is solely responsible for obtaining, recording, and maintaining such consent from the relevant data subjects prior to submitting their personal data to the Platform.

Note for Indian Colleges (DPDPA 2023 / DPDP Rules 2025): Under India's Digital Personal Data Protection Act 2023, consent is the primary and sole lawful basis for processing personal data. References to “legitimate interests” as a lawful basis do not apply to Colleges subject to the DPDPA. All processing must be based on consent that is free, specific, informed, unconditional, and unambiguous. For students under 18 years of age, verifiable parental consent is mandatory. The College, as Data Fiduciary under the DPDPA, bears full responsibility for DPDPA compliance.

5. College Obligations as Data Controller

Each College is the Data Controller in respect of all Institutional Data. As Data Controller, the College assumes full legal responsibility for ensuring that:

6. Data Access Controls and Confidentiality

Access to personal data within the Platform is governed by strict role-based controls:

7. Sub-Processors and International Data Transfers

Daily Tab engages the following sub-processors in the delivery of the Platform. All sub-processors are bound by data protection agreements requiring standards of protection no less stringent than those set out in this Policy:

Sub-Processor Role Data Location Applicable Transfer Mechanism
Supabase, Inc. (on AWS infrastructure) Database hosting, user authentication, data storage, and access control Tokyo, Japan (AWS ap-northeast-1) Standard Contractual Clauses (EU/UK); LGPD SCCs; adequate safeguards per applicable law
Resend, Inc. Transactional email delivery (invitations and password reset communications only) Global AWS infrastructure Standard Contractual Clauses; adequate safeguards per applicable law
Cloudflare, Inc. Content delivery network (CDN), DNS resolution, application and legal-site hosting, TLS termination, and DDoS protection Global edge network (data processed at the nearest edge location) Standard Contractual Clauses; adequate safeguards per applicable law

By using the Platform, Colleges acknowledge and accept that Institutional Data is transferred to and stored in Japan. For Colleges subject to the EU GDPR or UK GDPR, such transfers are governed by Standard Contractual Clauses (SCCs) as adopted by the European Commission. For Colleges subject to Brazil's LGPD, transfers are governed by equivalent contractual safeguards. For Colleges subject to India's DPDPA or China's PIPL, the College is responsible for ensuring that any applicable cross-border transfer authorization, consent, or security assessment requirements under those laws are satisfied prior to using the Platform. Daily Tab will not engage additional sub-processors without first notifying affected Colleges.

8. Data Retention

Category of Data Retention Period Rationale
Student attendance records Retained indefinitely until receipt of a verified written deletion request from the College Ongoing institutional academic record-keeping requirements
Teacher and Admin account data Retained for the duration of active membership; deleted upon verified account termination request Contractual and operational necessity
Authentication tokens and session logs Retained per Supabase infrastructure retention standards (typically 90 days for logs) Security monitoring and incident response
Transactional email delivery records Retained per Resend's standard log retention period Delivery confirmation and troubleshooting

Upon receipt of a verified written deletion request from a College, all Institutional Data associated with that College will be permanently and irreversibly deleted from all live systems within thirty (30) calendar days. Daily Tab does not maintain accessible backup copies of deleted Institutional Data beyond this period.

9. Data Security

Daily Tab implements technical and organizational security measures commensurate with the risk presented by the processing of personal data on the Platform. All data is encrypted in transit using Transport Layer Security (TLS) and encrypted at rest. Access to Institutional Data is governed by role-based permissions ensuring that data is accessible only to authorized users within each College. Platform architecture enforces strict data isolation between Colleges.

10. Personal Data Breach Notification

In the event that Daily Tab becomes aware of a personal data breach affecting Institutional Data, Daily Tab shall notify the affected College without undue delay and, to the extent feasible, within seventy-two (72) hours of becoming aware of the breach, in accordance with GDPR Article 33, India's DPDPA, and equivalent provisions under applicable law. Such notification shall include: (i) a description of the nature and approximate scope of the breach; (ii) the categories and estimated number of data subjects affected; (iii) the likely consequences of the breach; and (iv) the measures taken or proposed to address the breach and mitigate its effects.

Each College, as Data Controller, is solely responsible for determining whether and how to notify affected data subjects and relevant supervisory authorities, and for fulfilling all such notification obligations under applicable law in its jurisdiction.

11. Rights of Data Subjects

To the extent provided under applicable law, data subjects have the following rights in respect of their personal data. The availability of specific rights varies by jurisdiction:

Right GDPR / UK GDPR LGPD CCPA/CPRA DPDPA POPIA / Others
Access Yes – Art. 15 Yes – Art. 18 Yes Yes Yes
Rectification / Correction Yes – Art. 16 Yes – Art. 18 Yes (limited) Yes Yes
Erasure / Deletion Yes – Art. 17 Yes – Art. 18 Yes Yes Yes
Portability Yes – Art. 20 Yes – Art. 18 Yes (limited) No No
Restrict Processing Yes – Art. 18 Yes – Art. 18 Opt-out only No Yes
Object to Processing Yes – Art. 21 Yes – Art. 18 Opt-out Withdrawal Yes
Automated Decision Rights Yes – Art. 22 Yes – Art. 20 Yes (CPRA) Limited Limited

Data subject requests should be directed to the College in the first instance, as the College is the Data Controller. Where a request is forwarded to Daily Tab, we shall assist the College in responding within the timeframes required by applicable law. GDPR and UK GDPR require responses within one calendar month. India's DPDPA and LGPD require responses within a reasonable time as defined by their respective authorities.

12. California-Specific Disclosures (CCPA / CPRA)

For Colleges operating in or processing personal information of California residents, the following additional disclosures apply:

13. Children and Minors

The Platform is intended solely for use by undergraduate and graduate educational institutions. Daily Tab does not knowingly collect personal data from individuals for whom parental or guardian consent is required without the College having first obtained such consent. Specific requirements by jurisdiction include:

In all cases, the College bears sole responsibility as Data Controller for ensuring compliance with applicable minors' data protection requirements.

14. Cookies and Tracking Technologies

The Platform uses authentication cookies strictly necessary for the operation of user sessions and login functionality. No tracking cookies, advertising cookies, analytics cookies, or any cookies requiring user consent under the EU ePrivacy Directive or equivalent instruments are used. No third-party tracking technologies are embedded in the Platform.

15. Changes to This Policy

Daily Tab reserves the right to amend this Privacy Policy at any time to reflect changes in applicable law, Platform functionality, or data processing practices. In the event of material changes, Colleges will be notified by email no fewer than fourteen (14) days prior to the changes taking effect. The date of the most recent revision is displayed at the top of this Policy. Continued use of the Platform following notification constitutes acceptance of the revised Policy. Colleges that do not accept material changes must cease use of the Platform and may request deletion of their Institutional Data.

16. Contact and Data Protection Inquiries

All inquiries, data subject access requests, data deletion requests, breach notifications, and other correspondence relating to data protection and this Privacy Policy should be directed to Daily Tab at support@dailytab.app. Daily Tab will acknowledge all data protection inquiries within five (5) business days and will endeavor to resolve them within the timeframes required by applicable law. For Colleges subject to India's DPDPA, Daily Tab maintains a grievance redressal mechanism and will respond to all data principal requests within ninety (90) days as required under the DPDPA and DPDP Rules 2025.

© 2026 Daily Tab. All rights reserved. This document is subject to periodic review and amendment. The most current version is available at dailytab.app.