Privacy Policy

Pen & Paper Foundation (“we”, “us”, “our”) operates the Hisaab school fee management platform for use by Islamic schools in Canada. Our primary contact for privacy matters is info@pnpfoundation.ca.

We collect the following categories of personal information:

• Parent / Guardian: name, email address, phone number, home address
• Student: first name, last name, grade level, enrollment status
• Financial: fee amounts, payment history, installment plan details, payment method (e.g., PAD, cheque, e-transfer)
• Account: hashed password (we never store plaintext passwords), login timestamps

We do not collect Social Insurance Numbers, health information, or any sensitive personal information beyond what is listed above.

We collect and use this information solely to:

• Administer school fee collection and payment plans
• Communicate payment status, reminders, and receipts to families
• Generate financial statements for school administration
• Provide families with a secure online portal to view their account

• Data is hosted on Vercel (application, Canada/US edge) and Neon Postgres (database, US-East-1 region, AWS)
• All connections use TLS/HTTPS in transit
• Passwords are hashed using bcrypt and are never recoverable
• School SMTP credentials are encrypted at rest using AES-256-GCM before database storage
• Access is limited to school administrators and the parent account associated with each family — no cross-family data access is possible
• Authentication tokens use HttpOnly, SameSite=Strict cookies and expire after 8 hours

• Financial records (payments, installments, fee schedules) are retained for a minimum of 7 years to meet Canada Revenue Agency (CRA) requirements
• Account access may be removed on written request — see Section 6
• We do not sell, rent, or share your personal information with third parties for marketing purposes

Under the Personal Information Protection and Electronic Documents Act (PIPEDA), you have the right to:

• Access — request a copy of the personal information we hold about you or your family
• Correct — ask us to correct inaccurate or incomplete information
• Delete — request deletion of your account and non-financial personal information (financial records subject to retention requirements above)
• Withdraw consent — withdraw consent for us to use your information for purposes beyond fee administration (note: this may limit our ability to provide the service)

To exercise any of these rights, email info@pnpfoundation.ca. We will respond within 30 days.

If we discover a security breach that is likely to result in significant harm to individuals whose information was involved, we will:

• Notify affected individuals and the Office of the Privacy Commissioner of Canada as soon as feasible, and no later than 72 hours after becoming aware of the breach
• Provide a description of the breach, the information involved, steps taken to mitigate harm, and steps you can take to protect yourself

We may update this policy from time to time. The “Last updated” date at the top of this page reflects the most recent revision. Continued use of the platform after a policy change constitutes acceptance of the updated policy. For material changes, we will notify administrators by email.

Questions or concerns about this privacy policy or our privacy practices? Contact us at: