Privacy Policy

Last updated: March 2026  ·  Effective immediately

Akoto Group Limited ("we", "us", or "the Company") is committed to protecting the privacy of all individuals whose data is processed through the Akoto Shule platform. This Privacy Policy explains how we collect, use, store, and share personal data in accordance with the Kenya Data Protection Act 2019 and related regulations.

1. Data Controller

For the purposes of the Kenya Data Protection Act 2019, the data controller is:

Akoto Group Limited

Nairobi, Kenya

Privacy enquiries: service@akotogrouplimited.com

Schools using the platform act as independent data controllers in respect of the personal data of their students, staff, and parents. Akoto Group Limited acts as a data processor for that data on behalf of the School.

2. Data Protection Officer

We have appointed a Data Protection Officer (DPO) responsible for overseeing our compliance with data protection law. You may contact the DPO at service@akotogrouplimited.com for any data protection queries, requests to exercise your rights, or complaints.

3. Types of Data We Collect

The following categories of personal data are processed through the Platform:

3.1 School Information

  • School name, registration number, and physical address
  • School logo and branding assets
  • Contact details of the school (phone, email)
  • Subscription and billing information

3.2 Staff Data

  • Full name, date of birth, gender, and photograph
  • National ID number and TSC (Teachers Service Commission) number
  • Phone number and email address
  • Employment details (role, department, date joined, salary grade)
  • Qualifications and professional certifications
  • Emergency contact information

3.3 Student Data

  • Full name, date of birth, gender, and photograph
  • Admission number and NEMIS number
  • Class, stream, and year of admission
  • Medical information (where provided by parents for health and safety purposes)
  • Previous school records and transfer information
  • Physical address and household information (where provided)

3.4 Parent & Guardian Data

  • Full name and relationship to student
  • Phone number and email address
  • National ID number (where collected for verification)
  • Occupation and employer (where provided)
  • Physical address

3.5 Academic Records

  • Assessment scores and grades
  • CBC competency levels and strand reports
  • Term and annual report cards
  • Attendance records (daily and per subject)
  • Timetables and class assignments

3.6 Financial Data

  • Fee invoices, balances, and payment history
  • M-Pesa transaction references and amounts
  • Bank transfer records
  • Subscription billing details

3.7 Usage & Technical Data

  • Login timestamps and session durations
  • IP addresses and device/browser information
  • Pages visited and features used within the Platform
  • Error logs and performance data

4. How We Use Your Data

We process personal data for the following purposes:

  • Service delivery — Providing all Platform features including student management, fee tracking, report card generation, attendance, and communication tools
  • Communication — Sending SMS notifications, OTP codes, fee reminders, and school announcements to parents and staff via Africa's Talking
  • Payment processing — Facilitating M-Pesa fee payments and sending payment confirmations
  • Analytics & reporting — Generating school performance dashboards, fee collection reports, and academic analytics for school administrators and group owners
  • Platform improvement — Analysing aggregated, anonymised usage data to improve features and user experience
  • Legal compliance — Retaining financial records as required by Kenyan law and responding to lawful requests from regulatory authorities
  • Security — Detecting and preventing fraudulent activity, unauthorised access, and security breaches

5. Legal Basis for Processing

We rely on the following legal bases for processing personal data under the Kenya Data Protection Act 2019:

  • Contract — Processing necessary to deliver the subscription service to Schools
  • Consent — Where parents or guardians have provided consent for specific communications or uses of student data
  • Legal obligation — Retention of financial records and compliance with government directives
  • Legitimate interest — Platform security, fraud prevention, and service improvement using anonymised data

6. Data Sharing

We do not sell, rent, or trade personal data to any third party. We share data only in the following circumstances:

Safaricom (M-Pesa / Daraja API)

Phone number and transaction amount are shared with Safaricom to initiate and confirm fee payments. Safaricom's privacy policy governs their handling of this data.

Africa's Talking (SMS)

Phone numbers and message content are transmitted to Africa's Talking solely for the purpose of sending SMS notifications on behalf of the School.

Cloudflare (CDN & R2 Object Storage)

Uploaded files (logos, report cards, documents) are stored on Cloudflare R2 with free egress. Cloudflare also provides CDN and DDoS protection for the Platform. Cloudflare's data processing terms apply.

Hosting Infrastructure

The Platform runs on cloud infrastructure (AWS or equivalent). Physical data resides on servers accessible only to authorised Company personnel.

Legal Authorities

We may disclose data when required to do so by law, court order, or a lawful request from a government or regulatory authority in Kenya.

All third-party processors are contractually bound to process data only for the specified purpose and to maintain appropriate security standards.

7. Data Storage & Security

We implement technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction, including:

  • Data encrypted in transit using TLS 1.2 / 1.3 (HTTPS enforced on all endpoints)
  • Passwords stored using bcrypt hashing — never in plain text
  • JWT-based authentication with short-lived access tokens
  • Role-based access controls ensuring staff can only access data appropriate to their role
  • Database access restricted to application layer; no direct public database access
  • Regular automated database backups stored securely off-site
  • Cloudflare R2 storage with server-side encryption at rest
  • Security monitoring and error tracking via Sentry

While we take every reasonable precaution, no system is completely immune to security threats. In the event of a data breach likely to affect individuals' rights and freedoms, we will notify affected Schools and, where required, the Office of the Data Protection Commissioner of Kenya within the timeframes specified by applicable law.

8. Data Retention

We retain personal data for as long as a School's subscription is active and as required by law. Specific retention periods include:

Data Category | Retention Period
Student & academic records | Duration of subscription + 30 days after termination (then exportable)
Financial records (fees, payments) | 7 years (Kenya Income Tax Act requirement)
Staff records | Duration of employment + subscription period
Usage & technical logs | 90 days
Backup snapshots | 30 days rolling

After the applicable retention period, data is securely deleted or anonymised. Schools may request early deletion subject to legal obligations.

9. Your Rights Under the Kenya Data Protection Act 2019

Individuals whose data is processed through the Platform have the following rights:

Right of Access

You may request confirmation of whether we hold your personal data and a copy of that data.

Right to Rectification

You may request correction of inaccurate or incomplete personal data held about you.

Right to Erasure

You may request deletion of your personal data where there is no longer a lawful basis for processing it, subject to legal retention requirements.

Right to Data Portability

You may request a copy of your personal data in a structured, commonly used, machine-readable format.

Right to Object

You may object to processing based on legitimate interests. We will cease processing unless we have compelling legitimate grounds that override your interests.

Right to Withdraw Consent

Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact our DPO at service@akotogrouplimited.com. We will respond within 21 days. Note that most School Data requests should first be directed to the School itself (the data controller for that data). You also have the right to lodge a complaint with the Office of the Data Protection Commissioner of Kenya.

10. Children's Privacy

Akoto Shule is designed for use by educational institutions. Student data — including data relating to minors — is entered and managed by Schools and parents/guardians, not collected directly from minors through the Platform.

The Platform does not have any feature that allows minors to independently create accounts, submit data, or communicate without School or parental mediation. All student-facing data is managed by authorised adult users (teachers, principals, or parents).

Parents and guardians may contact their School or our DPO to review, correct, or request deletion of their child's data.

11. Cookies & Local Storage

The Platform uses browser local storage (not cookies in the traditional sense) to enhance user experience. Specifically:

Key | Purpose
akoto-auth | Stores JWT access and refresh tokens to maintain login sessions
akoto-theme | Stores your preferred display theme (light, dark, or system)
akoto-accent | Stores your chosen accent colour preference for the interface

No tracking cookies, advertising cookies, or cross-site analytics are used. Auth tokens are stored only in local storage and are never transmitted except to our Platform API. You can clear local storage at any time via your browser settings, which will log you out.

12. International Data Transfers

School Data is primarily stored on infrastructure located in or near Kenya. Some third-party services (Cloudflare, Africa's Talking) may process data outside Kenya. Where this occurs, we ensure appropriate safeguards are in place in line with the Kenya Data Protection Act 2019, including contractual clauses with processors and reliance on adequacy findings where available.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in law, technology, or our practices. When we make material changes, we will notify Schools via the registered email address and update the "Last updated" date at the top of this page. We encourage you to review this policy periodically. Continued use of the Platform after changes are posted constitutes acceptance of the revised policy.

14. Contact & Complaints

For any questions, concerns, or requests regarding this Privacy Policy or our data practices:

Data Protection Officer — Akoto Group Limited

Nairobi, Kenya

General inquiries: hello@akotogrouplimited.com

Data protection & support: service@akotogrouplimited.com

If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Data Protection Commissioner of Kenya (ODPC) at www.odpc.go.ke.