Trust, security & privacy

This page is maintained by the MadrasaOne team to answer common security and privacy questions about the platform. It describes current, app-visible controls. It is not an independent certification or audit.

Who can access what

MadrasaOne uses email and password authentication for staff accounts. Administrative actions — reviewing applications, printing ID cards, managing classes and settings — are restricted to users with an admin role on the specific madrasa.

Role assignments are stored separately from user profiles and evaluated server-side on every protected request.

Application data

The public application form collects the student's name, parent name, place, class, contact number, UID number, a photo, and a payment proof. Submissions are created in a pending state and can only be edited or approved by an admin of the receiving madrasa.

Applicants can look up the status of their own application using the application code shown to them at submission. No other applicant data is exposed through the public tracker.

File uploads

Student photos, payment proofs, and madrasa assets are stored in private buckets. Uploaded files are organized per madrasa, and access is scoped to that madrasa: only admins (or members, for student photos) can read, update, or delete files belonging to their madrasa.

Admin interfaces generate short-lived signed URLs on demand instead of exposing direct file links.

Database access controls

Row Level Security is enabled on every table that stores madrasa data. Policies are scoped per madrasa and per role, so a user with access to one madrasa cannot read or modify data belonging to another.
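
One way the controls described above (roles stored apart from user profiles, policies scoped per madrasa and per role) can be expressed in Postgres. This is an added illustration, not MadrasaOne's actual schema or policies: every table, column and function name here, and the `app.user_id` session setting, is hypothetical.

```sql
-- Hypothetical schema: all names below are assumptions made for illustration.
CREATE TYPE app_role AS ENUM ('admin', 'member');

-- Roles live in their own table, not on the profile row, so a user who can
-- edit their own profile cannot grant themselves a role.
CREATE TABLE user_roles (
    user_id    uuid     NOT NULL,
    madrasa_id uuid     NOT NULL,
    role       app_role NOT NULL,
    PRIMARY KEY (user_id, madrasa_id, role)
);

CREATE TABLE applications (
    id           uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    madrasa_id   uuid NOT NULL,
    student_name text NOT NULL,
    status       text NOT NULL DEFAULT 'pending'
);

-- Assumed: the server sets app.user_id for each request after authenticating.
CREATE FUNCTION current_user_id() RETURNS uuid
LANGUAGE sql STABLE
AS $$ SELECT nullif(current_setting('app.user_id', true), '')::uuid $$;

-- SECURITY DEFINER lets the check read user_roles although callers cannot,
-- and a pinned search_path keeps the lookup from being redirected.
CREATE FUNCTION has_role(_madrasa uuid, _role app_role) RETURNS boolean
LANGUAGE sql STABLE SECURITY DEFINER SET search_path = public
AS $$
    SELECT EXISTS (
        SELECT 1 FROM user_roles
        WHERE user_id = current_user_id()
          AND madrasa_id = _madrasa
          AND role = _role
    )
$$;

ALTER TABLE user_roles   ENABLE ROW LEVEL SECURITY;  -- no policy: denied to non-owners
ALTER TABLE applications ENABLE ROW LEVEL SECURITY;

CREATE POLICY applications_admin_read ON applications
    FOR SELECT USING (has_role(madrasa_id, 'admin'));

-- WITH CHECK stops an admin from moving a row into a madrasa they do not administer.
CREATE POLICY applications_admin_update ON applications
    FOR UPDATE
    USING      (has_role(madrasa_id, 'admin'))
    WITH CHECK (has_role(madrasa_id, 'admin'));
```

Table owners and superusers bypass these policies unless `FORCE ROW LEVEL SECURITY` is set, so a setup like this should be checked while connected as the unprivileged role the application actually uses.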

Secret keys (service role, database credentials) are server-only and never reach the browser. Privileged operations run through authenticated server functions.

Hosting & platform

MadrasaOne runs on the Lovable platform with a managed Postgres database, managed authentication, and managed object storage. Platform-level capabilities such as encryption in transit, managed backups, and infrastructure operations are provided by the underlying platform; this page describes how MadrasaOne uses them, not an independent verification of them.

Scope of this pilot

MadrasaOne is currently running as a single-madrasa pilot for real-world testing. The data model is designed to support additional institutions in the future, but no other tenants are provisioned today.

Reporting a security issue

If you believe you have found a security or privacy issue, please contact the MadrasaOne team directly. Include steps to reproduce and any supporting details. Please do not test against real applicant data.

This page is app-owned editable content and does not represent an independent certification.