Legal

Privacy Policy

This policy explains how InnoLearn Limited (trading as "Msingi") collects, processes, stores, and protects personal data in connection with our school management platform.

Effective: 14 June 2026Last updated: 14 June 2026Applies to: msingi.io and all school subdomains

1. Introduction

InnoLearn Limited (trading as "Msingi", "we", "us", "our") is committed to protecting the personal data of every individual whose information is processed through our platform. This Privacy Policy sets out the basis on which we collect, use, store, and share personal data.

This policy is published in compliance with the following legislation:

  • Kenya: Data Protection Act, 2019 (KDPA); Data Protection (General) Regulations, 2021
  • Uganda: Data Protection and Privacy Act, 2019 (DPPA)
  • Tanzania: Personal Data Protection Act, 2022 (PDPA)
  • Rwanda: Law No. 058/2021 on the Protection of Personal Data and Privacy
  • International: EU General Data Protection Regulation (GDPR) and UK GDPR — where schools have EU/UK connections
Who this policy applies to: School administrators, teachers, parents, students, and any individual whose personal data is processed by or uploaded to the Msingi platform. If you are a student or parent, your primary point of contact for data rights is the school you are enrolled in, as the school is the Data Controller for your records.

2. Our Role in Data Processing

The legal distinction between Data Controller and Data Processor is fundamental to understanding how responsibility is allocated for your personal data on the Msingi platform.

Msingi as Data Processor (school-uploaded data)

When a school subscribes to Msingi and uploads or generates student, parent, teacher, and staff data within the platform, the school acts as the Data Controller. The school determines the purposes and means of that processing. Msingi acts as the Data Processor, processing such data only on the documented instructions of the school as governed by our Data Processing Agreement (DPA).

Msingi as Data Controller (platform account data)

In respect of school administrator accounts, platform usage logs, and billing records, Msingi is the Data Controller and is solely responsible for how that data is handled.

What this means for you: If you are a student, parent, or teacher and you want to access, correct, or delete your records on the school's Msingi platform, you should contact your school directly. The school, as Data Controller, is responsible for fulfilling your rights. Msingi will support schools in doing so.

3. Information We Collect

3.1 Data processed on behalf of schools (Msingi as Processor)

When a school subscribes, the school uploads and manages the following categories of personal data:

CategoryData Elements
Student personal dataFull name, date of birth, gender, admission number, national ID / birth certificate number, photograph, current class and section, academic history
Student sensitive dataMedical notes, dietary requirements, disabilities, special educational needs — classified as sensitive personal data under KDPA s.2 and GDPR Art. 9
Student academic dataGrades, examination scores, assessment marks, attendance records, behaviour incidents and awards, report cards, growth profile and co-curricular records, lesson coverage
Parent / guardian dataFull names, relationship to student, phone numbers, email addresses, M-Pesa phone numbers for fee payment prompts
Teacher / staff dataFull names, email addresses, national ID numbers, staff numbers, subjects taught, class assignments
Financial dataFee invoices, payment records, M-Pesa transaction confirmation codes, receipt numbers. We do not store full bank account numbers or payment card details.

3.2 Data collected directly by Msingi (Msingi as Controller)

  • School administrator accounts: email address, full name, role, school association
  • Platform usage logs: features accessed, session timestamps, IP addresses (for security monitoring only)
  • Technical data: browser type, device type, operating system (for platform optimisation — not profiling)
  • Billing and subscription data: contact name, email, subscription tier, payment history

3.3 Data we do NOT collect

  • Full bank account or payment card numbers
  • Government-issued biometric data (fingerprints, iris scans)
  • Social media profiles or third-party tracking identifiers
  • Data from children directly — all student data is uploaded by schools on the basis of the school's lawful authority

4. How We Use Your Information

4.1 As Data Processor (on behalf of schools)

We process school-uploaded data exclusively to deliver the Msingi services to that school, including:

  • Displaying student, attendance, financial, and academic data within the platform
  • Generating report cards, invoices, and analytical dashboards
  • Facilitating M-Pesa STK Push payment prompts to parent phone numbers
  • Sending automated notifications (fee reminders, absence alerts, report card publication)
  • Creating and maintaining AES-256-encrypted daily backups of school data
  • Providing authorised technical support when requested by the school

We do not use school-uploaded data for our own marketing, profiling, model training, or any purpose beyond the contracted service.

4.2 As Data Controller (our own data)

  • Creating and maintaining school administrator accounts
  • Delivering and improving the Msingi platform
  • Sending service-related communications (security alerts, billing notifications, major updates)
  • Ensuring platform security and preventing fraud or abuse
  • Meeting our legal and regulatory obligations
  • Resolving disputes and enforcing our Terms of Service
Our commitment: We do not sell, rent, trade, or otherwise disclose personal data to third parties for their marketing or commercial purposes. Your data is not the product.

6. Children's Data

Our platform processes personal data of school students, the majority of whom are minors under the age of 18. We treat children's data with the highest level of care and impose enhanced protections.

School's responsibility as Data Controller

Schools, as Data Controllers, are solely responsible for:

  • Ensuring they have the appropriate legal basis — typically written parental or guardian consent — to collect and upload student personal data to Msingi
  • Compliance with the Kenya Children's Act, 2022, Basic Education Act, 2013, and any applicable national laws governing the processing of data relating to minors in their jurisdiction
  • Providing parents and guardians with notice of how their children's data is used on the platform

Msingi's commitments for children's data

  • We will not process student data for any purpose other than delivering the contracted service to the school
  • We will not use student data for advertising, commercial profiling, or training AI/ML models
  • We apply enhanced technical security measures to all data that may relate to minors
  • We will support schools in responding to parental access, rectification, and erasure requests relating to student records
  • Student data is never shared with third parties except sub-processors required to deliver the service (see Section 7)
Msingi does not knowingly collect personal data directly from children. All student data is entered into the platform by school staff (administrators and teachers) on the basis of the school's lawful authority over enrolled students.

7. Data Sharing and Disclosure

7.1 Sub-processors (service providers)

We engage the following categories of sub-processors to deliver our services. All are bound by data processing agreements requiring data protection standards equivalent to our own:

CategoryPurposeLocation
Database hosting (MongoDB Atlas)Storing all school data at rest, encryptedConfigurable region; EU/US available
Cloud backup storage (S3-compatible)Storing AES-256-GCM encrypted daily backup filesConfigurable; school may specify
Email delivery (SMTP)Sending system notifications, fee reminders, password resetsKenya / International
Error monitoring (optional)Capturing anonymous error traces to improve platform stability. No personal data included in payloads.International

A current list of sub-processors is available on request at privacy@msingi.io.

7.2 Disclosure required by law

We may disclose personal data where required by a court order, government authority (including the Kenya Revenue Authority, Directorate of Criminal Investigations, or equivalent), or regulatory authority acting under lawful authority. We will notify the affected school of any such requests to the extent permitted by law before complying.

7.3 Business transfers

In the event of a merger, acquisition, or sale of assets, personal data may be transferred to a successor entity. We will provide at least 60 days' notice to schools and ensure equivalent data protection commitments are maintained by any successor.

7.4 We do NOT share personal data with

  • Advertisers or advertising networks
  • Data brokers or data aggregators
  • Third-party marketers or research firms
  • Any other school on the Msingi platform — tenant data is architecturally isolated

8. International Data Transfers

Msingi primarily stores and processes data within cloud infrastructure. Where data is transferred outside Kenya or the processing school's country, we ensure one or more of the following safeguards is in place:

  • Processing only in countries recognised by the Kenya Data Protection Commissioner (ODPC) as providing adequate data protection
  • Standard contractual clauses (SCCs) approved by the relevant supervisory authority incorporated into sub-processor agreements
  • Data Processing Agreements with all sub-processors requiring equivalent standards to those we apply

Our database infrastructure (MongoDB Atlas) may replicate data across geographic regions for high availability and disaster recovery. All such replication is encrypted in transit (TLS 1.2+) and at rest (AES-256). Schools may request that their data be confined to a specific region where the technical configuration permits.

9. Data Security

We implement the following technical and organisational measures in accordance with KDPA Section 41 and international best practices:

Technical measures

MeasureDetail
Backup encryptionAES-256-GCM authenticated encryption on all backup files. Encryption keys never stored alongside data.
Data in transitTLS 1.2 minimum enforced across all connections. HTTP Strict Transport Security (HSTS) enabled.
Password storageBcrypt hashing with salt. Plain-text passwords are never stored or logged.
Access controlRole-based access control (RBAC) enforced at the API layer. Teachers see their classes only; parents see their children only; cross-tenant access is architecturally prevented.
Tenant isolationEvery school's data is isolated at the database layer. No cross-school queries are possible.
Audit trailEvery login, grade entry, payment record, and approval action is permanently logged with attribution, timestamp, and IP address.
Security headersContent Security Policy, X-Content-Type-Options, X-Frame-Options, and Referrer-Policy headers active on all responses.
Rate limitingAuthentication endpoints are rate-limited to prevent brute-force attacks.
OTP / token generationAll one-time tokens are generated using cryptographically secure random number generation (Node.js crypto.randomInt — never Math.random).

Organisational measures

  • Access to production infrastructure is restricted to authorised Msingi personnel only
  • Regular internal security reviews of authentication, authorisation, and data handling code
  • Documented incident response procedure
  • All new personnel with data access undergo security awareness training
No system is completely immune to security incidents. We maintain controls proportionate to the sensitivity of the data processed. In the event of a security incident affecting your data, we will respond as described in Section 10.

10. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of data subjects, Msingi will:

  • Within 72 hoursNotify the Kenya Data Protection Commissioner (ODPC) and relevant East African supervisory authorities, as required by KDPA Section 42 and equivalent national legislation.
  • Without undue delayNotify affected schools with sufficient detail to enable the school to assess the scope and risk of the breach.
  • Within 72 hours of school notificationProvide schools with the information they need to notify affected data subjects (students, parents, staff) where required by law.
  • OngoingMaintain an internal breach register recording all incidents, their scope, and remediation actions, retained for a minimum of 5 years.

Where a breach is determined to pose no risk to data subjects, we will document the incident internally but may not be required to notify supervisory authorities. Our assessment will be documented and available to the ODPC on request.

11. Data Retention

We retain personal data only for as long as necessary for the purpose for which it was collected, or as required by law.

Data CategoryRetention PeriodBasis
Active school data — students, staff, finances, academic recordsDuration of active subscriptionContract performance
School data after subscription termination30-day export window, then permanent and irreversible deletionData minimisation; KDPA s.40
School administrator accounts (after school offboards)90 days from termination date, then deletionLegitimate interests (dispute resolution)
Encrypted backup filesThe 7 most recent daily backups (rolling — older backups are automatically deleted)Security obligation
Platform audit logs and security logs12 months from date of generationSecurity; legal obligation
Billing and financial records7 years from transaction dateKenya Revenue Authority requirements; Tax Procedures Act
Data breach records5 years minimumKDPA regulatory requirement
Consent recordsDuration of the relationship + 3 yearsLegal obligation to evidence lawful basis

Schools may request deletion of their data at any time. On termination, a 30-day export window is provided before permanent deletion is triggered. After deletion, recovery is not possible — this is intentional and consistent with KDPA erasure obligations.

12. Your Rights as a Data Subject

Under KDPA Section 34 and equivalent East African data protection legislation, you have the following rights in relation to your personal data:

RightWhat it meansHow to exercise
Access (KDPA s.34(a))Request a copy of personal data we hold about youContact privacy@msingi.io; or contact your school for school-held data
Rectification (KDPA s.34(b))Request correction of inaccurate or incomplete personal dataContact your school (for school records); or privacy@msingi.io (for account data)
Erasure (KDPA s.34(c); s.40)Request deletion of your data where no longer necessary or where consent is withdrawnContact privacy@msingi.io; note that legal obligations may require retention of some records
Restriction (KDPA s.34(d))Request that we limit processing of your data in certain circumstancesContact privacy@msingi.io with your specific request
Data Portability (KDPA s.34(e))Receive your data in a structured, machine-readable format (e.g., JSON or CSV)Schools may export all their data using the built-in backup function; individuals may request via privacy@msingi.io
Object (KDPA s.34(f))Object to processing based on legitimate interests or for direct marketingContact privacy@msingi.io with the specific processing you object to
Withdraw consentWithdraw consent at any time where processing is consent-based, without affecting prior lawful processingContact privacy@msingi.io or your school depending on whose processing is consent-based
Response time: We will respond to all data rights requests within 30 days of receipt. Where requests are complex or numerous, we may extend this by a further 60 days with notification and explanation. We do not charge a fee for rights requests unless they are manifestly unfounded or excessive.

Important: For requests relating to data held within a school's Msingi platform (e.g., a parent requesting access to their child's records, or a teacher requesting their own employment data), the school is the Data Controller and is the correct first point of contact. Msingi will support the school in fulfilling valid requests but will not override the school's lawful authority over that data.

13. Cookies and Tracking Technologies

The Msingi platform uses the following session storage technologies:

TechnologyPurposeDuration
Authentication token (browser localStorage)Maintains your login session so you do not have to re-authenticate on every pageUntil you log out or the token expires (typically 7 days)
School slug (browser localStorage)Remembers your school so the correct branded login page is shown on return visitsUntil cleared by the user
Functional session stateMaintains UI state (e.g., selected tab, expanded sections) within a sessionSession only — cleared when browser is closed

What we do NOT use

  • Advertising or retargeting cookies
  • Cross-site tracking technologies
  • Third-party analytics that profile individual user behaviour (such as Google Analytics with advertising features enabled)
  • Fingerprinting or device tracking technologies

You may clear browser storage at any time through your browser settings. This will require you to log in again on your next visit.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in the law, our data processing practices, or the platform's features. When we make changes, we will:

  • Update the "Last Updated" date at the top of this page
  • For material changes: notify school administrator email addresses with at least 30 days' notice before changes take effect, clearly describing what has changed and why
  • For minor clarifications: update the page without separate notification, but note the change in the version history

Continued use of the platform after the effective date of material changes constitutes acceptance of the updated policy. If you do not accept a material change, you may terminate your subscription in accordance with the Terms of Service.

15. Contact and Supervisory Authorities

Contact Msingi on privacy matters

InnoLearn Limited (trading as Msingi)

Privacy enquiries: privacy@msingi.io

General: support@msingi.io

Website: msingi.io

Supervisory Authorities

If you are unsatisfied with our response to a privacy concern, you have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction:

CountryAuthorityContact
KenyaOffice of the Data Protection Commissioner (ODPC)odpc.go.ke
UgandaPersonal Data Protection Office (PDPO)pdpo.go.ug
TanzaniaPersonal Data Protection Commission (PDPC)Official government portal
RwandaNational Cyber Security Authority (NCSA)ncsa.gov.rw
EU/EEAYour national supervisory authority (e.g., ICO for UK; CNIL for France)edpb.europa.eu
We encourage you to contact us at privacy@msingi.io before lodging a formal complaint — most issues can be resolved quickly through direct communication. We are committed to responding within 30 days.