Privacy Policy

Last updated: April 2026

This Privacy Policy explains how Condactis sp. z o. o. ("we", "us", "Condactis") collects, uses, and protects personal data processed through School Data Manager ("SDM", "the Service"). We operate SDM as a data processor on behalf of partners and schools that subscribe to the Service.

1. Who we are

Condactis sp. z o. o. — registered at Święty Marcin 29/8, 61-806 Poznań, Poland. Tax ID (NIP): PL7272854300. You can contact us at info@sdmanager.io for questions about this Policy or about your data.

2. What data we process

SDM is a middleware platform. On behalf of a school, we ingest roster data from a Student Information System (such as Vulcan UONET+, Librus, Microsoft SDS, or a OneRoster API), transform it, and publish it to a target system such as Apple School Manager. In the normal course of operation we process:

  • Student data: name, student identifier, class assignment, grade level, enrollment status. Demographic fields are processed only when required by the target system.
  • Staff data: teacher name, staff identifier, email address, class assignment.
  • Organization data: school name, address, identifier codes (RSPO or similar).
  • Account data: for users of SDM (IT coordinators, partner staff) — email address, name, role, authentication tokens.
  • Technical data: sync run logs, validation errors, timestamps, and IP addresses associated with API calls.

3. Legal basis for processing

When SDM processes personal data on behalf of a school, the school is the data controller and we are the data processor under Article 28 GDPR. The school's legal basis is typically public task (Article 6(1)(e) GDPR), as school roster management is part of their statutory function. For partner account data we rely on contract performance (Article 6(1)(b) GDPR).

4. Where your data is stored

All personal data is stored and processed within the European Union. We use EU-hosted infrastructure for our database, object storage, and background job processing. We do not transfer personal data outside the EU/EEA unless a specific customer explicitly opts into a cross-region integration.

5. How long we keep data

Roster data is processed in-memory during each sync run. Source data is retained only for the duration of an execution and for debugging purposes (typically 30 days). Account data is retained for the duration of your subscription plus a short retention window required for billing and legal compliance. You can request deletion at any time by writing to info@sdmanager.io.

6. Who we share data with

We share data only with sub-processors required to operate the Service, and only to the extent necessary. These include our EU-based hosting provider, our transactional email provider, and — at the school's direction — the target system they configure (for example, Apple School Manager). A current list of sub-processors is available on request.

7. Security

We encrypt data in transit using TLS and encrypt it at rest. Credentials for source systems and target SFTP endpoints are encrypted at the application layer before being written to storage. Access to production systems is limited to authorized personnel and logged. In case of a personal data breach we will notify the affected customer without undue delay, and at the latest within 72 hours of becoming aware, in accordance with Article 33 GDPR.

8. Your rights

Under the GDPR, data subjects have the right to access, rectify, erase, restrict, and port their personal data, as well as to object to processing. Because SDM is a processor, most data-subject requests should be directed to the school that holds the data. For data we hold as controller (partner account data), you may contact us at info@sdmanager.io.

You also have the right to lodge a complaint with a supervisory authority — in Poland, this is the President of the Personal Data Protection Office (UODO).

9. Cookies

The Service uses strictly necessary cookies for authentication and session management. We do not use advertising or third-party tracking cookies on the application. The marketing website does not set tracking cookies.

10. Changes to this policy

We may update this policy to reflect changes in the Service or applicable law. Material changes will be communicated to subscribed customers by email. The current version and its last-updated date are always published on this page.

11. Contact

For privacy questions, data-subject requests, or to request our DPA template, contact us at info@sdmanager.io or by post at Condactis sp. z o. o., Święty Marcin 29/8, 61-806 Poznań, Poland.