Privacy Policy

1. Who We Are

doublesixOS is a school and institution management platform operated by Wahab Publications (Pvt.) Ltd., a Punjab Textbook Board registered firm established in 1980, based in Sialkot, Pakistan. This policy explains how we collect, use, and protect your data when you use our platform at doublesixos.com.

2. Data We Collect

When you register and use doublesixOS, we collect:

• Account data: Your name, email address, and password (encrypted).
• Institution data: Institution name, type, city, country, and contact details you provide during onboarding.
• Student records: Student names, parent/guardian names, phone numbers, class assignments, attendance records, fee records, and academic results entered by your institution.
• Staff data: Staff names, roles, contact details, qualifications, and salary information entered by your institution.
• Usage data: Pages visited, features used, and technical logs (IP address, browser type, device type) for platform improvement and troubleshooting.

3. How We Use Your Data

We use your data exclusively to:

• Provide and operate the doublesixOS platform for your institution.
• Authenticate users and enforce role-based access control.
• Generate reports, charts, and analytics within your institution's dashboard.
• Send transactional emails (account verification, password resets, system notifications).
• Improve platform performance, fix bugs, and develop new features.
• Provide customer support when you contact us.

We do not sell, rent, or share your data with third parties for advertising or marketing purposes. We do not use your institution's student data to train AI models.

4. Multi-Tenancy & Data Isolation

doublesixOS is a multi-tenant platform. Each institution's data is logically isolated using Row Level Security (RLS) policies enforced at the database level. This means:

• Institution A cannot access, view, or modify Institution B's data under any circumstances.
• Users can only access data belonging to the institution(s) they are members of.
• All API requests are validated against the authenticated user's institution membership.

5. Data Storage & Security

Your data is stored on Supabase infrastructure (powered by PostgreSQL) with the following protections:

• All data is encrypted in transit (TLS 1.3) and at rest (AES-256).
• Passwords are hashed using bcrypt. We never store plaintext passwords.
• Row Level Security (RLS) policies are enforced at the database level.
• We implement Content Security Policy (CSP) headers to prevent cross-site scripting attacks.
• Regular automated backups are maintained by our infrastructure provider.

6. Third-Party Services

We use the following third-party services to operate doublesixOS:

• Supabase, Database, authentication, and real time infrastructure.
• Google OAuth, Optional sign in method (only if you choose to use it).
• Google Fonts, Typography delivery.
• Formspree, Contact form submissions on our marketing website.
• Hostinger, Web hosting for our frontend application.

We do not use analytics tools like Google Analytics, Facebook Pixel, or any advertising trackers on the platform.

7. WhatsApp Integration

Our WhatsApp integration works by opening the WhatsApp application on your device with a pre-filled message. We do not send WhatsApp messages on your behalf, access your WhatsApp account, or store WhatsApp message history. The integration uses the standard wa.me URL scheme provided by WhatsApp/Meta.

8. Your Rights

As an institution administrator, you have the right to:

• Access: Export your institution's data at any time from the platform.
• Correction: Edit or update any data within your institution's workspace.
• Deletion: Request complete deletion of your institution's data by contacting our support team.
• Portability: Download your data in standard formats (CSV, PDF).

For institutions subject to GDPR (UK/EU), we act as a data processor on behalf of the institution (data controller). We process data only as instructed by the institution administrator.

9. Data Retention

We retain your institution's data for as long as your account is active. If you cancel your subscription, your data is retained for 90 days (in case you wish to reactivate), after which it is permanently deleted from our systems and backups.

10. Children's Data

doublesixOS is designed for use by school administrators and teachers, not by students directly. Student data is entered and managed by authorized institution staff. We do not knowingly collect data directly from children under the age of 13. If you believe a child has provided us with data directly, please contact us immediately.

11. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of doublesixOS after such changes constitutes your acceptance of the revised policy.