River SIS provides software and related services to schools, school groups, and authorised users. Depending on the context, we may process personal data directly for our own business purposes or on behalf of a school customer under the school's instructions.

This distinction matters because some privacy obligations, notices, permissions, and response workflows are managed by the relevant school, while others are managed by River SIS as the provider operating the website, service infrastructure, support operations, billing processes, and vendor relationships.

• When we operate marketing pages, sales forms, or general support channels, River SIS generally determines the purpose of processing for those interactions.

• When a school uses River SIS to manage students, staff, communications, requests, or operational workflows, we generally process that school data as a service provider under the customer relationship.

• This Privacy Policy should be read together with any school-specific notice, contract terms, and internal policies that apply to a school's use of River SIS.

The categories of personal data we collect depend on the way a person interacts with River SIS. We collect information directly from users, from school customers, through support and commercial interactions, and automatically through devices and online services.

Not every category below applies to every person. For example, data associated with a school account administrator may differ from data associated with a parent user, student record, or visitor who only browses the marketing pages.

• Identity and contact data, such as name, email address, phone number, school name, role, account identifier, and other profile information.

• School and platform data, such as user-submitted forms, requests, approvals, uploaded content, school operational records, and configuration data maintained within River SIS.

• Commercial and support data, such as billing contacts, invoices, transaction records, onboarding details, implementation communications, and help desk correspondence.

• Technical and usage data, such as IP address, browser type, device identifiers, session activity, log data, cookies, and analytics information collected when users access our website or services.

We use personal data only where there is a legitimate operational need, a contractual or customer-service requirement, a legal obligation, a security need, or another lawful basis available under applicable privacy law.

Our use of personal data is intended to support service delivery, school operations, platform reliability, fraud prevention, business administration, and responsible communications with current or prospective customers.

• To provide River SIS services, create and manage accounts, authenticate users, maintain permissions, and support school workflows requested by customers.

• To operate, troubleshoot, secure, monitor, and improve our products, APIs, integrations, infrastructure, and support processes.

• To manage commercial relationships, including demos, implementation, billing, payment processing, renewals, and customer communications.

• To comply with law, respond to legal requests, investigate misuse, enforce our agreements, and protect the rights, safety, and integrity of River SIS, schools, and users.

Our website and certain online services may use cookies, pixels, local storage, and similar technologies to support basic functionality, maintain secure sessions, understand usage patterns, and improve the quality of our content and services.

These technologies may be set by River SIS or by service providers acting on our behalf. Where required, we rely on consent mechanisms or other controls that align with the laws applicable to the website visitor or service context.

• Essential technologies help our site function correctly, support navigation, maintain session continuity, and protect against abuse or security threats.

• Analytics technologies help us understand aggregate traffic, user behavior, campaign performance, and service reliability so we can improve the experience over time.

• Users can control many cookie settings through browser tools or other available controls, but disabling certain technologies may affect functionality or performance.

We do not disclose personal data casually or for unrelated third-party marketing purposes. Where we share data, we do so because it is necessary to operate the service, follow customer instructions, satisfy legal obligations, or protect people and systems.

Our service providers and subprocessors are expected to handle personal data only for authorised purposes and subject to contractual, technical, and organisational controls that support confidentiality and security.

• We may share personal data with hosting, infrastructure, cloud storage, analytics, email, security, payment, support, and other operational service providers that help us deliver River SIS.

• We may disclose information at the direction of a school customer, including when the school enables integrations, exports, support access, or related operational workflows.

• We may disclose information if required by law, subpoena, court order, regulatory request, or to investigate or prevent fraud, misuse, security incidents, or threats to rights and safety.

• We may disclose or transfer information in connection with a merger, financing, acquisition, reorganisation, or sale of assets, subject to appropriate protections and notice where required.

River SIS and certain authorised service providers may access or process personal data in countries other than the country where the data was originally collected. This can occur through cloud hosting, support operations, incident response, or other legitimate service activities.

When we transfer personal data across borders, we aim to apply safeguards appropriate to the nature of the data, the customer relationship, and the laws that govern the transfer.

• These safeguards may include contractual protections, access controls, data minimisation, encryption, logging, and vendor due diligence.

• Where school customer agreements require specific transfer or hosting commitments, we expect those commitments to govern the relevant service relationship.

• Questions about transfer arrangements can be directed to River SIS through the contact details listed in this Privacy Policy.

River SIS may process information relating to students and other children because our services are used in school environments. We recognise that child and student data requires heightened care, particularly where education, guardianship, and school operations intersect.

Schools remain responsible for many notice, consent, and records-management obligations that apply to their own communities. River SIS supports those responsibilities by limiting use of school data to authorised service, support, security, and operational purposes.

• We expect school customers to provide any notices, permissions, or internal approvals required for their use of River SIS and related data submissions.

• We do not use student data provided through school services for unrelated advertising or profiling purposes.

• Requests relating to student records, corrections, school notices, or school-specific permissions should normally be directed first to the relevant school or institution.

We maintain administrative, technical, and organisational safeguards designed to reduce the risk of unauthorised access, disclosure, alteration, or destruction of personal data. No system can guarantee absolute security, but we apply layered controls appropriate to the nature of our services and the information involved.

We retain personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy, including service delivery, legal compliance, dispute resolution, auditability, and security operations.

• Security controls may include access management, role-based permissions, encrypted transport, vendor restrictions, logging, monitoring, backup processes, and incident response procedures.

• Retention periods may vary by data category, customer relationship, operational need, and legal or contractual requirements.

• When data is no longer needed, we may delete it, return it to the customer, de-identify it, or retain only the minimum information necessary for lawful recordkeeping or security purposes.

• If a security incident affects personal data, we will follow our incident-response process and provide notice where required by law or contract.

Depending on the jurisdiction and the relationship involved, individuals may have privacy rights relating to access, correction, deletion, restriction, objection, portability, complaint, or withdrawal of consent. Those rights are not absolute and may be subject to lawful exceptions.

Where River SIS acts on behalf of a school, the school may be the appropriate first point of contact because it controls the relevant records and determines the scope of the education or employment relationship involved.

• Individuals may contact us or, where appropriate, the relevant school to request access to, correction of, or deletion of personal data.

• Users can opt out of non-essential marketing communications by following unsubscribe instructions or by contacting us directly.

• We may need to verify identity, authority, and the scope of a request before taking action on a privacy request.

• Where we cannot fulfill a request in full, we may explain the applicable limitation, legal basis, or alternate route for submitting the request.

We may revise this Privacy Policy from time to time to reflect changes in our products, service delivery, legal obligations, or privacy practices. When material changes are made, we will update the effective date shown on this page and provide additional notice where appropriate.

If you have questions about this Privacy Policy, want to submit a privacy-related request, or need help identifying the correct route for a school-related question, please contact SchoolHero.io OÜ using the information below.

• General privacy, legal, and compliance enquiries: info@riversis.com

• School-specific records or account requests should usually be directed first to the relevant school administrator or institution.

• Postal contact: SchoolHero.io OÜ, Harju maakond, Kuusalu vald, Pudisoo küla, Männimäe, 74626, Estonia.