1. Introduction
InnoLearn Limited (trading as "Msingi", "we", "us", "our") is committed to protecting the personal data of every individual whose information is processed through our platform. This Privacy Policy sets out the basis on which we collect, use, store, and share personal data.
This policy is published in compliance with the following legislation:
- Kenya: Data Protection Act, 2019 (KDPA); Data Protection (General) Regulations, 2021
- Uganda: Data Protection and Privacy Act, 2019 (DPPA)
- Tanzania: Personal Data Protection Act, 2022 (PDPA)
- Rwanda: Law No. 058/2021 on the Protection of Personal Data and Privacy
- International: EU General Data Protection Regulation (GDPR) and UK GDPR — where schools have EU/UK connections
2. Our Role in Data Processing
The legal distinction between Data Controller and Data Processor is fundamental to understanding how responsibility is allocated for your personal data on the Msingi platform.
Msingi as Data Processor (school-uploaded data)
When a school subscribes to Msingi and uploads or generates student, parent, teacher, and staff data within the platform, the school acts as the Data Controller. The school determines the purposes and means of that processing. Msingi acts as the Data Processor, processing such data only on the documented instructions of the school as governed by our Data Processing Agreement (DPA).
Msingi as Data Controller (platform account data)
In respect of school administrator accounts, platform usage logs, and billing records, Msingi is the Data Controller and is solely responsible for how that data is handled.
3. Information We Collect
3.1 Data processed on behalf of schools (Msingi as Processor)
When a school subscribes, the school uploads and manages the following categories of personal data:
| Category | Data Elements |
|---|---|
| Student personal data | Full name, date of birth, gender, admission number, national ID / birth certificate number, photograph, current class and section, academic history |
| Student sensitive data | Medical notes, dietary requirements, disabilities, special educational needs — classified as sensitive personal data under KDPA s.2 and GDPR Art. 9 |
| Student academic data | Grades, examination scores, assessment marks, attendance records, behaviour incidents and awards, report cards, growth profile and co-curricular records, lesson coverage |
| Parent / guardian data | Full names, relationship to student, phone numbers, email addresses, M-Pesa phone numbers for fee payment prompts |
| Teacher / staff data | Full names, email addresses, national ID numbers, staff numbers, subjects taught, class assignments |
| Financial data | Fee invoices, payment records, M-Pesa transaction confirmation codes, receipt numbers. We do not store full bank account numbers or payment card details. |
3.2 Data collected directly by Msingi (Msingi as Controller)
- School administrator accounts: email address, full name, role, school association
- Platform usage logs: features accessed, session timestamps, IP addresses (for security monitoring only)
- Technical data: browser type, device type, operating system (for platform optimisation — not profiling)
- Billing and subscription data: contact name, email, subscription tier, payment history
3.3 Data we do NOT collect
- Full bank account or payment card numbers
- Government-issued biometric data (fingerprints, iris scans)
- Social media profiles or third-party tracking identifiers
- Data from children directly — all student data is uploaded by schools on the basis of the school's lawful authority
4. How We Use Your Information
4.1 As Data Processor (on behalf of schools)
We process school-uploaded data exclusively to deliver the Msingi services to that school, including:
- Displaying student, attendance, financial, and academic data within the platform
- Generating report cards, invoices, and analytical dashboards
- Facilitating M-Pesa STK Push payment prompts to parent phone numbers
- Sending automated notifications (fee reminders, absence alerts, report card publication)
- Creating and maintaining AES-256-encrypted daily backups of school data
- Providing authorised technical support when requested by the school
We do not use school-uploaded data for our own marketing, profiling, model training, or any purpose beyond the contracted service.
4.2 As Data Controller (our own data)
- Creating and maintaining school administrator accounts
- Delivering and improving the Msingi platform
- Sending service-related communications (security alerts, billing notifications, major updates)
- Ensuring platform security and preventing fraud or abuse
- Meeting our legal and regulatory obligations
- Resolving disputes and enforcing our Terms of Service
5. Legal Basis for Processing
Under KDPA Section 26 and equivalent East African data protection legislation, all processing must have a lawful basis. Our primary lawful bases are:
| Processing Activity | Lawful Basis | Relevant Law |
|---|---|---|
| School-uploaded student, parent, staff data (as processor) | Performance of the Data Processing Agreement; Controller's documented instructions | KDPA s.44; GDPR Art. 28 |
| School administrator accounts | Performance of the subscription contract | KDPA s.26(b); GDPR Art. 6(1)(b) |
| Platform security monitoring and fraud prevention | Legitimate interests — protecting data and platform integrity | KDPA s.26(f); GDPR Art. 6(1)(f) |
| Service communications (billing, security alerts) | Performance of contract; Legal obligation | KDPA s.26(b)(c) |
| Billing and financial records | Legal obligation — tax and financial regulations | KDPA s.26(c); Kenya Revenue Authority Act |
| Backup and disaster recovery | Legitimate interests; Security of data obligation | KDPA s.41; GDPR Art. 32 |
| Processing sensitive student data (medical notes etc.) | Explicit consent obtained by the school from parents/guardians as Data Controller | KDPA s.29; GDPR Art. 9(2)(a) |
Where processing is based on consent, the relevant data subject has the right to withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
6. Children's Data
Our platform processes personal data of school students, the majority of whom are minors under the age of 18. We treat children's data with the highest level of care and impose enhanced protections.
School's responsibility as Data Controller
Schools, as Data Controllers, are solely responsible for:
- Ensuring they have the appropriate legal basis — typically written parental or guardian consent — to collect and upload student personal data to Msingi
- Compliance with the Kenya Children's Act, 2022, Basic Education Act, 2013, and any applicable national laws governing the processing of data relating to minors in their jurisdiction
- Providing parents and guardians with notice of how their children's data is used on the platform
Msingi's commitments for children's data
- We will not process student data for any purpose other than delivering the contracted service to the school
- We will not use student data for advertising, commercial profiling, or training AI/ML models
- We apply enhanced technical security measures to all data that may relate to minors
- We will support schools in responding to parental access, rectification, and erasure requests relating to student records
- Student data is never shared with third parties except sub-processors required to deliver the service (see Section 7)
8. International Data Transfers
Msingi primarily stores and processes data within cloud infrastructure. Where data is transferred outside Kenya or the processing school's country, we ensure one or more of the following safeguards is in place:
- Processing only in countries recognised by the Kenya Data Protection Commissioner (ODPC) as providing adequate data protection
- Standard contractual clauses (SCCs) approved by the relevant supervisory authority incorporated into sub-processor agreements
- Data Processing Agreements with all sub-processors requiring equivalent standards to those we apply
Our database infrastructure (MongoDB Atlas) may replicate data across geographic regions for high availability and disaster recovery. All such replication is encrypted in transit (TLS 1.2+) and at rest (AES-256). Schools may request that their data be confined to a specific region where the technical configuration permits.
9. Data Security
We implement the following technical and organisational measures in accordance with KDPA Section 41 and international best practices:
Technical measures
| Measure | Detail |
|---|---|
| Backup encryption | AES-256-GCM authenticated encryption on all backup files. Encryption keys never stored alongside data. |
| Data in transit | TLS 1.2 minimum enforced across all connections. HTTP Strict Transport Security (HSTS) enabled. |
| Password storage | Bcrypt hashing with salt. Plain-text passwords are never stored or logged. |
| Access control | Role-based access control (RBAC) enforced at the API layer. Teachers see their classes only; parents see their children only; cross-tenant access is architecturally prevented. |
| Tenant isolation | Every school's data is isolated at the database layer. No cross-school queries are possible. |
| Audit trail | Every login, grade entry, payment record, and approval action is permanently logged with attribution, timestamp, and IP address. |
| Security headers | Content Security Policy, X-Content-Type-Options, X-Frame-Options, and Referrer-Policy headers active on all responses. |
| Rate limiting | Authentication endpoints are rate-limited to prevent brute-force attacks. |
| OTP / token generation | All one-time tokens are generated using cryptographically secure random number generation (Node.js crypto.randomInt — never Math.random). |
Organisational measures
- Access to production infrastructure is restricted to authorised Msingi personnel only
- Regular internal security reviews of authentication, authorisation, and data handling code
- Documented incident response procedure
- All new personnel with data access undergo security awareness training
10. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of data subjects, Msingi will:
- Within 72 hoursNotify the Kenya Data Protection Commissioner (ODPC) and relevant East African supervisory authorities, as required by KDPA Section 42 and equivalent national legislation.
- Without undue delayNotify affected schools with sufficient detail to enable the school to assess the scope and risk of the breach.
- Within 72 hours of school notificationProvide schools with the information they need to notify affected data subjects (students, parents, staff) where required by law.
- OngoingMaintain an internal breach register recording all incidents, their scope, and remediation actions, retained for a minimum of 5 years.
Where a breach is determined to pose no risk to data subjects, we will document the incident internally but may not be required to notify supervisory authorities. Our assessment will be documented and available to the ODPC on request.
11. Data Retention
We retain personal data only for as long as necessary for the purpose for which it was collected, or as required by law.
| Data Category | Retention Period | Basis |
|---|---|---|
| Active school data — students, staff, finances, academic records | Duration of active subscription | Contract performance |
| School data after subscription termination | 30-day export window, then permanent and irreversible deletion | Data minimisation; KDPA s.40 |
| School administrator accounts (after school offboards) | 90 days from termination date, then deletion | Legitimate interests (dispute resolution) |
| Encrypted backup files | The 7 most recent daily backups (rolling — older backups are automatically deleted) | Security obligation |
| Platform audit logs and security logs | 12 months from date of generation | Security; legal obligation |
| Billing and financial records | 7 years from transaction date | Kenya Revenue Authority requirements; Tax Procedures Act |
| Data breach records | 5 years minimum | KDPA regulatory requirement |
| Consent records | Duration of the relationship + 3 years | Legal obligation to evidence lawful basis |
Schools may request deletion of their data at any time. On termination, a 30-day export window is provided before permanent deletion is triggered. After deletion, recovery is not possible — this is intentional and consistent with KDPA erasure obligations.
12. Your Rights as a Data Subject
Under KDPA Section 34 and equivalent East African data protection legislation, you have the following rights in relation to your personal data:
| Right | What it means | How to exercise |
|---|---|---|
| Access (KDPA s.34(a)) | Request a copy of personal data we hold about you | Contact privacy@msingi.io; or contact your school for school-held data |
| Rectification (KDPA s.34(b)) | Request correction of inaccurate or incomplete personal data | Contact your school (for school records); or privacy@msingi.io (for account data) |
| Erasure (KDPA s.34(c); s.40) | Request deletion of your data where no longer necessary or where consent is withdrawn | Contact privacy@msingi.io; note that legal obligations may require retention of some records |
| Restriction (KDPA s.34(d)) | Request that we limit processing of your data in certain circumstances | Contact privacy@msingi.io with your specific request |
| Data Portability (KDPA s.34(e)) | Receive your data in a structured, machine-readable format (e.g., JSON or CSV) | Schools may export all their data using the built-in backup function; individuals may request via privacy@msingi.io |
| Object (KDPA s.34(f)) | Object to processing based on legitimate interests or for direct marketing | Contact privacy@msingi.io with the specific processing you object to |
| Withdraw consent | Withdraw consent at any time where processing is consent-based, without affecting prior lawful processing | Contact privacy@msingi.io or your school depending on whose processing is consent-based |
Important: For requests relating to data held within a school's Msingi platform (e.g., a parent requesting access to their child's records, or a teacher requesting their own employment data), the school is the Data Controller and is the correct first point of contact. Msingi will support the school in fulfilling valid requests but will not override the school's lawful authority over that data.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in the law, our data processing practices, or the platform's features. When we make changes, we will:
- Update the "Last Updated" date at the top of this page
- For material changes: notify school administrator email addresses with at least 30 days' notice before changes take effect, clearly describing what has changed and why
- For minor clarifications: update the page without separate notification, but note the change in the version history
Continued use of the platform after the effective date of material changes constitutes acceptance of the updated policy. If you do not accept a material change, you may terminate your subscription in accordance with the Terms of Service.
15. Contact and Supervisory Authorities
Contact Msingi on privacy matters
InnoLearn Limited (trading as Msingi)
Privacy enquiries: privacy@msingi.io
General: support@msingi.io
Website: msingi.io
Supervisory Authorities
If you are unsatisfied with our response to a privacy concern, you have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction:
| Country | Authority | Contact |
|---|---|---|
| Kenya | Office of the Data Protection Commissioner (ODPC) | odpc.go.ke |
| Uganda | Personal Data Protection Office (PDPO) | pdpo.go.ug |
| Tanzania | Personal Data Protection Commission (PDPC) | Official government portal |
| Rwanda | National Cyber Security Authority (NCSA) | ncsa.gov.rw |
| EU/EEA | Your national supervisory authority (e.g., ICO for UK; CNIL for France) | edpb.europa.eu |