Neosori - Student Management System

1. Introduction

Welcome to Neosori, a Montessori student observation and tracking platform owned and operated by Sofiven-FZCO (License No. 33117, Dubai Silicon Oasis). This Privacy Notice explains how we collect, use, disclose, and safeguard your information when you use our application. Please read this privacy notice carefully. If you do not agree with the terms of this privacy notice, please do not access the application.

We reserve the right to make changes to this Privacy Notice at any time and for any reason. We will alert you about any changes by updating the "Last Updated" date of this Privacy Notice. You are encouraged to periodically review this Privacy Notice to stay informed of updates.

2. Information We Collect

2.1 Student Information

Identifying Information: First name, last name, and unique email address
Enrollment Data: Enrollment date and current enrollment status
Relationships: Assigned Montessori Guide and Tutor identifiers
Environment Assignments: Current and historical classroom/environment assignments, enrollment dates, exit dates, principal guide assignments, and assignment notes
Timestamps: Account creation and last update dates

2.2 School Staff Information

Montessori Guides:

First name, last name, unique email address, phone number (optional)
School affiliation and environment assignments with role designations
Encrypted passwords for accounts that have been activated
Account status (active/inactive)

Tutors:

First name, last name, unique email address, contact number (optional)
Encrypted passwords for accounts that have been activated
Account status (active/inactive)

School Administrators:

First name, last name, unique email address, contact number (optional)
School affiliation and school role designation
Encrypted passwords for accounts that have been activated
Account status (active/inactive)

2.3 School and Environment Information

School Data: School name, address (optional), phone (optional), unique email address (optional)
Environments (Classrooms): Name, description, school affiliation, assigned guides and students
Academic Periods: Period name, description, school affiliation, associated student-environment assignments

2.4 Educational Assessment Data

Observation Records:

Observation date, start time, end time
Student developmental stage (Infant Community, Children's House, or Taller)
Initial emotional state and condition
Activity and Autonomous Work: Chosen activities, spontaneous start indicators, concentration duration, execution mode, task perseverance, work continuity, desire for improvement
Behavior and Self-Regulation: Material organization, behavioral changes, emotional state, group relations
Obedience and Adult Relations: Response to adults, obedience stability, obedience attitude, shared participation
Pedagogical notes and report summaries prepared by the guide
Developmental areas and specific skills observed (legacy fields)
Privacy status (private observations are hidden from tutors)
Observation status (Planned, Draft, or Final)
Finalization date when marked as final

Absenteeism Records:

Student identifier and recording guide identifier
Start date and end date of absence
Textual description of the absence
Creation and last update timestamps

2.5 Communication Data

Conversations: Subject, participants (guide and tutor identifiers), creation role (guide or tutor), conversation status (active or closed), creation and update timestamps
Messages: Message content (stored as text), sender identifier, sender type (guide or tutor), read/unread status, timestamp

2.6 Meeting Coordination Data

Meeting title, description, date, and duration (in minutes)
Location (physical or "Virtual") and video conference link (if applicable)
Status (Scheduled, Confirmed, Cancelled, or Completed)
Participants: Guide, tutor, and optionally a specific student being discussed
Meeting notes added after completion
Cancellation reason (if applicable)
Reminder notification status

2.7 Authentication and Security Data

Passwords: Stored using bcrypt hashing with salt (never stored in plain text)
Account Invitations: Unique invitation tokens and expiration timestamps (7-day validity)
Password Resets: Unique reset tokens and expiration timestamps (1-hour validity)
One-Time Passcodes (OTP): 6-digit codes, expiration timestamps (15-minute validity), last sent timestamp, last verified timestamp
Session Data: JWT tokens containing user ID, role, and associated identifiers (school, guide, or tutor ID as applicable), with 20-minute session timeout

2.8 System-Generated Data

Unique identifiers (CUID format) for all records
Creation timestamps (createdAt) and last update timestamps (updatedAt) for all database records
Database relationship mappings and foreign key references

2.9 Information We Do NOT Collect

To protect privacy, we explicitly do not collect:

Student dates of birth, ages, or precise birth information
Student home addresses or family contact information
Payment or financial information
Geolocation tracking or device identifiers
Cookies for tracking or advertising purposes
Third-party analytics or advertising identifiers
IP addresses or detailed browsing logs

3. How We Use Your Information

We use the information we collect exclusively for the following purposes:

3.1 Core Educational Functions

Student Observation and Assessment: Record, store, and manage detailed Montessori-based developmental observations created by guides
Absenteeism Tracking: Document and track student absences for educational continuity and planning purposes
Environment Management: Assign students and guides to appropriate educational environments (classrooms) and track transitions
Educational Record-Keeping: Maintain comprehensive student records including observations, absenteeism, environment history, and assigned personnel

3.2 Communication and Coordination

Guide-Tutor Messaging: Enable secure, role-based communication between Montessori guides and tutors regarding student progress
Meeting Coordination: Schedule, manage, and track meetings between guides and tutors, including automated email notifications
Information Sharing: Share finalized observations with assigned tutors while respecting privacy settings (private observations are not shared)

3.3 Account Management and Security

User Authentication: Verify user identity through email and password credentials
Account Invitations: Send secure invitation emails to new users (guides, tutors, school administrators) with time-limited tokens
Password Management: Process password reset requests via secure tokens sent to registered email addresses
Two-Factor Authentication: Generate and verify One-Time Passcodes (OTP) sent via email for enhanced login security
Session Management: Maintain secure user sessions with automatic 20-minute timeout for inactive users

3.4 Access Control and Data Isolation

Enforce role-based permissions ensuring users only access data appropriate to their role
Maintain school-level data isolation for school administrators
Restrict guide access to students in their assigned environments
Limit tutor access to their specifically assigned students only
Validate ownership before allowing edits or deletions of records

3.5 Email Notifications

We send emails exclusively for the following purposes:

Account invitation links for new user registration
Password reset links (1-hour validity)
One-Time Passcode (OTP) codes for login authentication (15-minute validity)
Meeting creation notifications sent to tutors when guides schedule meetings

3.6 What We Do NOT Do With Your Data

We explicitly do not:

Sell, rent, or trade personal information to third parties
Use data for advertising or marketing purposes
Track user behavior across other websites or applications
Share student data with third parties except as required by law
Use data for automated decision-making or profiling
Perform analytics or data mining beyond basic application functionality
Send promotional or marketing emails

4. Data Sharing and Disclosure

4.1 Within the Application - Role-Based Access

Access to information is strictly controlled based on user roles and relationships. No user can access data outside their authorized scope:

System Administrators:

Can view and manage schools and school administrators across the entire system
Can view all guides, students, and tutors for administrative purposes
Cannot access detailed observation content or private educational assessments

School Administrators:

Can view and manage all users (guides, tutors, students) within their specific school only
Can create and manage environments and academic periods for their school
Can assign guides to environments and students to guides
Cannot access data from other schools
Cannot access detailed observation content or guide-tutor messages

Montessori Guides:

Can view and create observations only for students in their assigned environments
Can create and manage absenteeism records for their students
Can only edit or delete observations and absenteeism records they personally created
Can view student details and environment assignments for their assigned students
Can communicate with tutors assigned to their students via the messaging system
Can schedule meetings with tutors for their students
Can mark observations as "private" to prevent tutor access
Cannot access students outside their assigned environments

Tutors:

Can view information only for students explicitly assigned to them
Can view finalized observations for their students, except those marked as private by guides
Can view absenteeism records for their students
Can communicate with guides assigned to their students via the messaging system
Can view meetings scheduled by guides
Cannot create, edit, or delete observations or absenteeism records
Cannot access data for students not assigned to them

4.2 Third-Party Service Providers

We use the following third-party services that may have access to data as necessary to provide their services. These providers are contractually obligated to protect your data:

Supabase (PostgreSQL Database Hosting): Stores all application data in a PostgreSQL database with encryption at rest and in transit via SSL/TLS connections. Server location: [specify region if known]
Vercel (Web Application Hosting): Hosts the Next.js application frontend and API routes. Does not directly access database content but processes user requests
Gmail (Google Workspace): Used exclusively to send transactional emails (account invitations, password resets, OTP codes, meeting notifications). We use Gmail SMTP with app-specific passwords. Google processes email metadata but we do not use Google Analytics or other Google tracking services

We do not use any analytics services, advertising networks, or third-party tracking tools.

4.3 Data Ownership and Isolation

Each school's data is completely isolated from other schools
Users can only delete records they created (observations, absenteeism, messages)
Student-environment assignments are managed by school administrators and guides
Cascade deletion policies ensure related data is removed when parent records are deleted (e.g., deleting a student removes their observations and absenteeism records)

4.4 Legal Requirements and Protection of Rights

We may disclose your information only if required to do so by law or in response to:

Valid legal process such as a court order or subpoena
Requests from public authorities or government agencies where legally required
Situations necessary to protect the safety of students, users, or the public
Investigation of potential violations of our terms of service

We will notify affected users of such requests unless legally prohibited from doing so.

4.5 No Sale or Commercial Use

We do not and will never sell, rent, lease, or trade personal information to third parties for commercial purposes. Student data is used exclusively for educational record-keeping as described in this notice.

5. Data Security

We implement comprehensive technical and organizational measures to protect your data:

5.1 Encryption and Secure Transmission

Password Protection: All passwords are hashed using bcrypt with salt before storage. Passwords are never stored in plain text
Database Encryption: Data at rest is encrypted in the PostgreSQL database hosted by Supabase
Transport Encryption: All data transmission uses HTTPS with TLS/SSL encryption
Database Connections: Secure SSL/TLS encrypted connections between application and database
Token Security: All authentication tokens (invitations, password resets, OTP) are cryptographically generated random strings

5.2 Access Controls

Role-Based Access Control (RBAC): Strict enforcement of role-based permissions at the API and database level
Session Management: JWT-based sessions with 20-minute automatic timeout for inactive users
Two-Factor Authentication: Optional email-based OTP (One-Time Passcode) for additional login security
Ownership Validation: Users can only edit or delete records they created
Data Isolation: School-level and role-level data segregation prevents cross-access

5.3 Time-Limited Security Tokens

Account invitation tokens expire after 7 days
Password reset tokens expire after 1 hour
One-Time Passcodes (OTP) expire after 15 minutes
User sessions expire after 20 minutes of inactivity
All expired tokens are invalidated and cannot be reused

5.4 Application Security Measures

Server-side validation of all user inputs
Protection against SQL injection through parameterized queries (Prisma ORM)
CSRF protection through framework security features
Secure authentication flow using NextAuth.js industry standards
Database indexing for efficient and secure data retrieval

5.5 Operational Security

Regular security updates of dependencies and frameworks
Monitoring of authentication attempts and failed logins
Cascade deletion policies to maintain data integrity
Audit trails through timestamps on all records (createdAt, updatedAt)

5.6 Limitations

While we implement industry-standard security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but continuously work to protect your personal information using commercially reasonable means. Users are responsible for maintaining the confidentiality of their passwords and should not share account credentials.

6. Data Retention

We retain personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Notice, unless a longer retention period is required or permitted by law.

6.1 Active User Data

User Accounts: Retained while the account is active (isActive = true) and the user remains affiliated with a school
Student Records: Retained throughout active enrollment and as determined by the school's educational record retention policies
Observations: Retained as part of the permanent educational record for the student's duration in the system
Absenteeism Records: Retained for the academic period and as required by school policies
Messages and Conversations: Retained while the conversation status is "ACTIVE" and both participants remain in the system

6.2 Temporary Security Data

Invitation Tokens: Expire and are invalidated after 7 days. Expired tokens are not automatically deleted but cannot be used
Password Reset Tokens: Expire and are invalidated after 1 hour. Replaced when new reset requests are made
OTP Codes: Expire after 15 minutes. System tracks last sent and last verified timestamps for security monitoring
JWT Session Tokens: Expire after 20 minutes of inactivity and are regenerated upon new activity

6.3 Meeting and Communication Records

Meetings: Retained indefinitely with status tracking (Scheduled, Confirmed, Cancelled, Completed) for historical reference
Meeting Reminder Status: Tracked to prevent duplicate email notifications
Messages: Retained as long as the conversation remains active and participants are in the system

6.4 Cascade Deletion Policies

When certain records are deleted, related data is automatically removed:

School Deletion: Removes all associated school administrators, environments, and academic periods
Student Deletion: Removes all observations, absenteeism records, environment assignments, and meeting references for that student
Guide Deletion: Removes observations, absenteeism records, conversations, and meetings created by that guide
Tutor Deletion: Removes conversations and meetings involving that tutor
Environment Deletion: Removes guide-environment assignments, student-environment assignments, and environment-specific observations
Conversation Deletion: Removes all messages within that conversation

6.5 Data Deletion Requests

Users may request deletion of their data by contacting their School Administrator or our support team. Upon receiving a valid deletion request:

We will deactivate the account (set isActive = false) immediately
We will permanently delete the account and associated data within 30 days, subject to legal retention requirements
Educational records (observations, assessments) may be retained if required by educational regulations or school policies
We cannot delete data that must be retained by law or for legal proceedings

6.6 Automatic Data Cleanup

Currently, expired security tokens (invitations, password resets, OTP codes) are invalidated but not automatically purged from the database. We may implement periodic cleanup of expired tokens as part of routine database maintenance.

7. Your Privacy Rights

Depending on your location and applicable privacy laws (including GDPR, CCPA, and similar regulations), you may have the following rights regarding your personal information:

7.1 Individual Rights

Right to Access: Request a copy of the personal information we hold about you, including observations, messages, meetings, and account details
Right to Rectification: Request correction of inaccurate, incomplete, or outdated personal information
Right to Deletion (Right to be Forgotten): Request deletion of your personal information, subject to legal retention obligations and educational record requirements
Right to Data Portability: Request a copy of your data in a structured, commonly used, machine-readable format (JSON or CSV)
Right to Restriction of Processing: Request that we limit how we use your personal information under certain circumstances
Right to Object: Object to our processing of your personal information based on legitimate interests
Right to Withdraw Consent: Where processing is based on consent, you have the right to withdraw consent at any time

7.2 Parental Rights (Student Data)

Parents and legal guardians of students have the right to:

Review all observations, absenteeism records, and educational assessments concerning their child
Request correction of inaccurate information in their child's educational records
Understand who has access to their child's data and for what purposes
Request that observations marked as "private" by guides be explained or reviewed
Withdraw consent for data processing where applicable (subject to school enrollment requirements)

Parents should contact their School Administrator to exercise these rights regarding student data.

7.3 How to Exercise Your Rights

To exercise any of these rights, please:

Contact your School Administrator directly (for school-related data requests)
Email our support team at privacy@neosori.com with "Privacy Rights Request" in the subject line
Provide sufficient information to verify your identity (name, email address, role)
Specify which right you wish to exercise and what data is involved

7.4 Response Timeline

We will acknowledge receipt of your request within 48 hours
We will respond to your request within 30 days (may be extended to 60 days for complex requests)
If we cannot fulfill your request, we will explain why and inform you of your right to complain to a supervisory authority

7.5 Limitations and Exceptions

We may be unable to fulfill certain requests if:

The request would reveal personal information about another individual
We are legally required to retain the data (e.g., educational records, legal proceedings)
The request is manifestly unfounded or excessive
Deletion would impair the rights of other users (e.g., deleting a guide would affect student records)

7.6 Right to Lodge a Complaint

If you believe we have not handled your personal information in accordance with applicable law, you have the right to lodge a complaint with the appropriate supervisory authority in your jurisdiction. For EU residents, this is your national data protection authority. We encourage you to contact us first so we can address your concerns directly.

8. Children's Privacy (COPPA and FERPA Compliance)

8.1 Application Purpose and User Base

Neosori is designed exclusively for use by educational professionals (Montessori Guides, Tutors, and School Administrators) to document and track student developmental progress. The application is NOT intended for direct use by children under the age of 13 or any students.

8.2 COPPA Compliance (United States)

We comply with the Children's Online Privacy Protection Act (COPPA):

Students do not create accounts, log in, or directly interact with the application
Student information is entered and managed solely by authorized school personnel
We collect only the minimum student information necessary for educational record-keeping (names, email addresses for identification, and educational assessments)
We do NOT collect dates of birth, social security numbers, home addresses, geolocation, photographs, or other sensitive personal identifiers of students
Schools using our platform are responsible for obtaining verifiable parental consent as required by COPPA before entering student information
Parents have the right to review their child's information and request deletion through their School Administrator

8.3 FERPA Compliance (United States)

For schools subject to the Family Educational Rights and Privacy Act (FERPA), we operate as a "school official" with legitimate educational interests:

We use student data exclusively for educational record-keeping purposes as directed by the school
We maintain strict access controls ensuring only authorized personnel can view student records
We do not disclose student information to third parties except as required by law or school policy
We support schools in providing parents with access to student educational records
Observation records constitute "education records" under FERPA and are protected accordingly

8.4 International Children's Privacy Laws

For jurisdictions outside the United States, we comply with similar children's privacy protections including:

GDPR (EU) provisions for processing children's data with appropriate safeguards
PIPEDA (Canada) requirements for children's personal information
Other applicable national or regional children's privacy laws

8.5 School Responsibilities

Schools using Neosori are responsible for:

Obtaining appropriate parental or guardian consent before entering student information
Complying with applicable educational privacy laws in their jurisdiction
Notifying parents of their rights to access and request correction of student records
Ensuring only authorized personnel have access to the application
Maintaining their own policies regarding educational record retention and deletion

8.6 Parent and Guardian Rights

If you are a parent or legal guardian and have questions about your child's information in our system:

Contact your child's school administrator to review what information is stored
Request access to all observations, absenteeism records, and educational assessments
Request correction of any inaccurate information
Request deletion of your child's information, subject to educational record retention requirements
Understand how the information is being used and who has access

For questions about children's privacy, contact us at privacy@neosori.com.

9. International Data Transfers

9.1 Data Storage and Processing

Your information may be transferred to, stored, and processed in countries other than your own, where data protection laws may differ from those in your jurisdiction:

Database Hosting: PostgreSQL database hosted by Supabase. Data location depends on the Supabase region selected by the application administrator (typically US or EU regions)
Application Hosting: Next.js application hosted on Vercel's global content delivery network (CDN)
Email Services: Transactional emails sent via Gmail (Google Workspace) servers, which may process data across multiple jurisdictions

9.2 Safeguards for International Transfers

When transferring data internationally, we rely on the following safeguards:

Encryption: All data in transit is encrypted using TLS/SSL, and data at rest is encrypted in our database
Service Provider Agreements: Our third-party providers (Supabase, Vercel, Google) maintain their own privacy and security commitments, including compliance with GDPR and other international standards
Adequacy Decisions: Where applicable, we rely on adequacy decisions by the European Commission or similar authorities regarding data protection in destination countries
Standard Contractual Clauses: We may utilize Standard Contractual Clauses (SCCs) or other approved mechanisms for data transfers where required

9.3 EU and UK Data Subjects

For users in the European Union or United Kingdom:

We ensure appropriate safeguards are in place for data transfers outside the EU/UK as required by GDPR and UK Data Protection Act 2018
You have the right to request information about the safeguards we use for international transfers
You may exercise all rights under GDPR/UK GDPR as described in Section 7 of this notice

9.4 Regional Data Residency Requests

If your school requires data to be stored in a specific geographic region due to local regulations, please contact us at privacy@neosori.com to discuss potential accommodation. We will work with our hosting providers to configure appropriate data residency where technically feasible.

10. Changes to This Privacy Notice

We reserve the right to update or modify this Privacy Notice at any time to reflect changes in our practices, legal requirements, or for other operational reasons.

10.1 Notification of Changes

Material Changes: For significant changes that affect how we handle your personal information, we will notify users via email to their registered address at least 30 days before the changes take effect
Minor Updates: For non-material changes (e.g., clarifications, contact information updates), we will update the "Last Updated" date at the top of this notice
Continued Use: Your continued use of the application after the effective date of changes constitutes acceptance of the updated Privacy Notice

10.2 Review Responsibility

You are responsible for periodically reviewing this Privacy Notice to stay informed of updates. We recommend checking this page each time you log in or at least quarterly to ensure you understand our current data handling practices.

11. Contact Information

If you have questions, concerns, or requests regarding this Privacy Notice or our data handling practices, please contact us through the following channels:

General Inquiries

Legal Entity: Sofiven-FZCO (License No. 33117, Dubai Silicon Oasis, Owner and Operator of Neosori)

Privacy Inquiries: privacy@neosori.com

Technical Support: support@neosori.com

Data Protection Officer: dpo@neosori.com

For School Administrators

If you are a School Administrator and have questions about data management for your school, contractual arrangements, or data processing agreements, please contact: schools@neosori.com

For Parents and Guardians

If you are a parent or legal guardian with questions about your child's information:

First Contact: Reach out to your child's School Administrator directly, as they manage access and permissions for your school
Alternative Contact: If you cannot reach your school administrator or have concerns about their response, email us at privacy@neosori.com with "Parent Inquiry" in the subject line

Response Time

We aim to acknowledge all privacy-related inquiries within 48 hours and provide substantive responses within 30 days. Complex requests may require additional time, and we will notify you if an extension is needed.

Note: For operational questions about using the application (password resets, login issues, feature questions), please use the technical support email. For privacy rights, data access, or compliance questions, please use the privacy or DPO email addresses.

12. Legal Basis for Processing (GDPR)

For users in the European Union, United Kingdom, or other jurisdictions with similar regulations, we process personal data based on the following legal grounds under GDPR Article 6:

12.1 Contract Performance (Article 6(1)(b))

Processing is necessary to perform our contract with schools and provide services to authorized users:

User account creation and authentication
Provision of observation tracking, messaging, and meeting coordination features
Communication between guides and tutors for educational purposes

12.2 Legitimate Interests (Article 6(1)(f))

Processing is necessary for our legitimate interests in providing a secure and functional educational platform:

Security measures including password encryption and access controls
Session management and fraud prevention
Technical support and application improvements
Data integrity and backup processes

12.3 Legal Obligation (Article 6(1)(c))

Processing is necessary to comply with legal obligations:

Retention of educational records as required by law
Response to valid legal requests from authorities
Compliance with data protection and educational privacy regulations

12.4 Consent (Article 6(1)(a))

For certain processing activities, we rely on consent:

Optional features or communications beyond core functionality
Processing of student data where consent is the appropriate legal basis under local law

You have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

12.5 Special Category Data

We do not intentionally collect or process special category data (sensitive personal data) as defined in GDPR Article 9, such as racial or ethnic origin, health data, or biometric data. Observations are educational assessments focused on developmental progress and do not constitute health data. If schools inadvertently include such information in observation notes, schools must ensure they have appropriate legal grounds (such as explicit consent or substantial public interest) under their local regulations.

13. User Consent and Acceptance

13.1 By Using the Application

By accessing and using Neosori, you acknowledge that you have read, understood, and agree to be bound by the terms of this Privacy Notice. Your continued use of the application following the posting of changes to this Privacy Notice will be deemed your acceptance of those changes.

13.2 School Administrator Responsibilities

School Administrators who register their schools and invite users to the platform represent and warrant that:

They have the legal authority to bind their school or educational institution to this Privacy Notice
They have obtained all necessary consents from parents/guardians for collecting and processing student information, as required by applicable laws (including COPPA, FERPA, GDPR, or similar regulations in their jurisdiction)
They will ensure that all users from their school (guides, tutors, administrators) are made aware of this Privacy Notice
They will comply with all applicable educational privacy laws and regulations in their jurisdiction
They will maintain appropriate policies regarding data retention, access, and deletion within their organization

13.3 Individual User Responsibilities

All users (guides, tutors, school administrators) agree to:

Maintain the confidentiality of their account credentials
Use the application only for its intended educational purposes
Respect the privacy of students and other users
Not share or disclose student information outside the application except as authorized
Report any suspected security breaches or unauthorized access to their School Administrator or our support team
Access only the data they are authorized to view based on their role and assignments

13.4 Disagreement with Privacy Notice

If you do not agree with the terms of this Privacy Notice, you must not use the application. Please contact your School Administrator if you have concerns about how your school's data is being managed, or contact us at privacy@neosori.com to discuss your concerns before discontinuing use.