Privacy Policy

1. Introduction

Zuse Technologies (Private) Limited (“Zuse Technologies”) provides service platform software, including a Day Care System (DCS) (hereinafter, the “Platform”), to Educational Institutions.

Zuse Technologies is committed to ensuring that personal data is processed in compliance with the Personal Data Protection Act No. 9 of 2022 (“PDPA”) of Sri Lanka.

This Privacy Policy sets out the manner in which personal data is processed in connection with the provision and operation of the Platform.

Use of the Platform is subject to the applicable Terms and Conditions, including acceptable use obligations and system integrity requirements.

2. Binding

By registering with, accessing, or otherwise using this Platform, you hereby agree to be bound by this Privacy Policy set forth below. The mere use of this website implies the knowledge and acceptance of this Privacy Policy.

3. Data Controller & Data Processor

For the purposes of the PDPA:

• The Educational Institution subscribing to the Platform acts as the Data Controller, determining the purposes and means of processing personal data.
• Zuse Technologies acts as the Data Processor, processing personal data strictly in accordance with the documented instructions of the Educational Institution.

Zuse Technologies does not independently determine the purposes for which student, parent, or staff data is processed.

4. Categories of Personal Data Processed

In the course of providing the Platform, the following categories of personal data may be processed:

4.1 Institutional Records

• Full name
• Institutional email address
• Student or staff identification number
• Academic records, including grades, attendance, and enrollments
• Administrative and fee-related information

4.2 User-Generated Content

• Profile photographs
• Messages and forum posts
• Uploaded assignments, documents, and media files

4.3 Technical and Usage Information

• IP address
• Device identifiers
• Browser type and operating system
• Login timestamps and activity logs
• Mobile device tokens for push notifications

5. Purposes of Processing

Personal data is processed solely for the following purposes:

• Provision, operation, and maintenance of the Platform
• Administration of educational and institutional services
• Communication of institutional notices and alerts
• Ensuring system integrity, security, and fraud prevention
• Enabling third-party integration authorized by the Educational Institution
• Compliance with legal and regulatory obligations

Zuse Technologies does not sell or trade personal data for marketing purposes.

6. Legal Basis for Processing

Processing of personal data is undertaken on one or more of the following lawful bases:

• Performance of contractual obligations between Zuse Technologies and the Educational Institution
• Compliance with legal obligations under applicable law
• Legitimate interests in maintaining secure and efficient platform operations
• Consent, where required by law

In relation to Authorized Users under eighteen (18) years of age, the Educational Institution is responsible for obtaining and verifying parental or guardian consent prior to granting access to the Platform. Zuse Technologies processes children’s personal data strictly on the documented instructions of the Educational Institution.

7. Data Sharing and Disclosure

Personal data may be disclosed to:

• Cloud hosting providers and infrastructure partners engaged for service delivery
• Authorized sub-processors subject to written contractual confidentiality and data protection obligations
• Third-party service providers integrated at the direction of the Educational Institution
• Courts, regulators, or public authorities where disclosure is required by applicable law

Zuse Technologies shall maintain an up-to-date list of authorized sub-processors and shall make such list available to the Educational Institution upon request. Sub-processors shall be bound by written agreements imposing data protection obligations no less protective than those set out herein.

Where personal data is transferred outside Sri Lanka, such transfers shall be subject to appropriate safeguards, including contractual clauses, adequacy determinations where applicable, or other lawful transfer mechanisms recognized under the PDPA.

8. Data Retention

Personal data shall be retained:

• For the duration of the Educational Institution’s active subscription; and
• For any additional period required to comply with legal, regulatory, audit or statutory obligations.

Upon termination of services, personal data shall be securely deleted, anonymized, or returned to the Educational Institution within a reasonable period specified in the applicable agreement, unless continued retention is required by law.

9. Data Security

Zuse Technologies implements appropriate technical and organizational measures designed to safeguard personal data, including:

• Encryption of data in transit
• Encryption of data at rest
• Role-based access controls
• Monitoring and audit logging mechanisms

Zuse Technologies maintains business continuity and disaster recovery procedures designed to ensure the availability, resilience, and integrity of processing systems.

10. Data Breach Notification

In the event of a Personal Data Breach, Zuse Technologies shall, without undue delay, notify the relevant Educational Institution (as Data Controller) upon becoming aware of the breach.

Such notification shall include, to the extent available:

• The nature of the Personal Data Breach, including categories and approximate number of data subjects affected;
• The categories and approximate number of personal data records concerned;
• The likely consequences of the breach;
• The measures taken or proposed to address and mitigate the breach.

Zuse Technologies shall:

• Take immediate steps to contain, investigate, and remediate the breach;
• Cooperate fully with the Educational Institution in fulfilling any statutory notification obligations to the Data Protection Authority and affected data subjects under the PDPA;
• Maintain internal records of Personal Data Breaches as required by law.

Where the breach is attributable to Zuse Technologies’ failure to implement appropriate security measures, remedial actions shall be undertaken at its own cost, subject to the applicable service agreement.

11. User Rights

Subject to the PDPA and applicable institutional policies, individuals may exercise the following rights through the Educational Institution:

• Right of access
• Right to rectification
• Right to erasure, where applicable
• Right to withdraw consent, where processing is based on consent
• Right to data portability
• Right to object to processing, where permitted by law

Where Zuse Technologies receives a request directly from a data subject, such request shall be promptly forwarded to the relevant Educational Institution unless legally prohibited. Individuals also have the right to lodge a complaint with the data protection authority in Sri Lanka. Requests shall be addressed within the statutory time frames prescribed under the PDPA.

12. Cookies

The Platform utilizes essential and performance related cookies to ensure functionality and improve system performance. Authorized Users may manage cookie preferences through browser settings.

13. Governing Law

This Privacy Policy shall be governed by and construed in accordance with the laws of the Democratic Socialist Republic of Sri Lanka.

14. Contact

Privacy related inquiries and data subject requests may be directed to: