Privacy Policy
Elimu Bora School Management Platform
Effective Date: Wed 8 Apr, 2026
Last Updated: Mon 1 Jun, 2026
1. Introduction
Elimu Bora (“we”, “us”, “our”) operates a school management platform accessible at elimuboraerp.com and its subdomains (the “Platform”). This Privacy Policy explains how we collect, use, store, share, and protect personal data when you use our Platform or interact with our services.
This Policy is issued in compliance with the Kenya Data Protection Act, 2019 (Act No. 24 of 2019) (“the DPA”), the Data Protection (General) Regulations, 2021, the Constitution of Kenya, 2010 (Article 31), and the Consumer Protection Act, 2012.
We process personal data of adults and children (persons under the age of 18). Because our Platform is used in educational settings, we treat the protection of children’s personal data with the highest level of care.
If you have any questions about this Policy, please contact us using the details in Section 14 below.
2. Definitions
For the purposes of this Policy:
- “Data Controller” means the school or educational institution that subscribes to and uses the Platform to manage its operations. Each school determines the purposes and means of processing personal data within the Platform.
- “Data Processor” means Elimu Bora, which processes personal data on behalf of the Data Controller (the school) in accordance with the school’s instructions and the terms of our Data Processing Agreement.
- “Data Subject” means any identified or identifiable natural person whose personal data is processed through the Platform, including students, parents, guardians, teachers, and school staff.
- “Personal Data” means any information relating to an identified or identifiable natural person, as defined in Section 2 of the DPA.
- “Sensitive Personal Data” includes health data, biometric data, and data relating to children, as defined in Section 2 of the DPA.
- “Platform” means the Elimu Bora web application, marketing website, APIs, and all associated services.
3. Roles and Responsibilities
3.1 Schools as Data Controllers
Each school that subscribes to Elimu Bora acts as the Data Controller for the personal data of its students, guardians, teachers, and staff. The school determines what data to collect, how it is used within the Platform, and who has access to it. Schools are responsible for:
- Obtaining and maintaining lawful bases for processing personal data, including parental or guardian consent for children’s data
- Ensuring the accuracy of personal data entered into the Platform
- Responding to data subject requests in accordance with the DPA
- Registering with the Office of the Data Protection Commissioner (ODPC) as required under the Registration Regulations
3.2 Elimu Bora as Data Processor
Elimu Bora processes personal data solely on behalf of subscribing schools, in accordance with their instructions and the terms of our Data Processing Agreement. As a Data Processor, Elimu Bora:
- Processes personal data only for the purposes instructed by the school
- Implements appropriate technical and organisational security measures
- Assists schools in responding to data subject access requests
- Notifies schools promptly of any personal data breaches
- Does not sell, rent, or trade personal data to third parties
- Does not use personal data for advertising or to build marketing profiles, and processes data only to operate, support, and improve the Platform for schools
4. Personal Data We Collect
4.1 Data Collected Through the Platform (on behalf of schools)
The following categories of personal data may be entered into the Platform by school administrators, teachers, or guardians:
Student Data:
- Full name, date of birth, gender
- Admission number and enrolment details (admission date, admission type)
- Curriculum assignment (CBC or 8-4-4), grade level, and stream
- Blood group and health conditions (sensitive personal data, collected only where the school determines it is necessary for student welfare)
- Academic records: assessment scores, grades, report cards, teacher remarks
- Attendance records: presence, absence, lateness, follow-up notes
- Financial records: invoices, payments, wallet balance and transactions
- Photographs (student avatar)
- Event participation records
Guardian and Parent Data:
- Full name, email address, phone number
- Relationship to student (parent, guardian, relative)
- Mobile money phone number (for fee payments)
- Payment transaction records
Teacher and Staff Data:
- Full name, email address, phone number
- Employee number
- Role and department assignment
- Timetable and lesson schedules
- Attendance records (as employees)
4.2 Data Collected Directly by Elimu Bora
Account and Authentication Data:
- Email address, password (hashed; we never store plaintext passwords)
- Role and permission assignments
- Login timestamps and session data
Marketing Website Visitors:
- Contact form submissions: first name, last name, email, phone number, school name, role, message
- Newsletter subscriptions: email address (where you choose to subscribe to updates)
- Usage and analytics data collected via cookies and our analytics provider, PostHog, including pages viewed, interactions, and device/browser metadata. Where you submit a form or subscribe, we also link an identifier to your email address (see Section 11).
Platform Operator Data:
- Elimu Bora admin user accounts (name, email, credentials) for internal platform management
4.3 Data Collected Automatically
- IP address and browser/device information (for security and access logging)
- Activity logs within the Platform (for audit trail purposes; see Section 9)
5. Lawful Basis for Processing
We process personal data on the following lawful bases under Section 30 of the DPA:
| Purpose | Lawful Basis |
|---|---|
| Providing the Platform to subscribing schools | Performance of a contract (subscription agreement) |
| Processing student data on behalf of schools | Legitimate interest of the school (educational administration) and, for children’s data, parental/guardian consent obtained by the school |
| Processing mobile money and other payment transactions | Performance of a contract and compliance with a legal obligation (KRA record-keeping) |
| Processing health data (blood group, health conditions) | Explicit consent obtained by the school, and necessary for the vital interests of the student |
| Sending transactional notifications (email, in-app) | Performance of a contract (core Platform functionality) |
| Contact form enquiries and demo requests | Consent of the data subject |
| Newsletter subscriptions | Consent of the data subject |
| Security logging and audit trails | Legitimate interest (platform security and regulatory compliance) |
| Product and website analytics (PostHog) | Legitimate interest in operating, securing, and improving our website and the Platform. Website visitors are shown a cookie notice; we do not use these cookies for advertising |
6. Processing of Children’s Data
Elimu Bora processes personal data of children (persons under 18 years of age) exclusively in the context of educational administration. We recognise the heightened obligations under Section 33 of the DPA and apply the following safeguards:
- Parental or guardian consent: Schools are responsible for obtaining verifiable consent from a parent or guardian before entering a child’s personal data into the Platform. Elimu Bora’s Guardian Portal is designed so that guardians can view their own children’s data, reinforcing transparency.
- Purpose limitation: Children’s data is used strictly for educational purposes: academic management, attendance tracking, fee billing, event coordination, and welfare monitoring. We do not sell children’s data or use it for marketing, advertising, or commercial profiling. We use first-party product analytics to measure how signed-in users (such as guardians and staff) navigate the Platform so that we can improve it; this is described in Section 11.
- Data minimisation: The Platform collects only the data necessary for school operations. Health data (blood group, health conditions) is optional and collected only at the school’s discretion for welfare purposes.
- Access controls: Role-based access ensures that only authorised school personnel can view student data. Guardians can only access data relating to their own linked children. Elimu Bora staff access a school’s data only for technical support purposes and under strict access controls.
- No direct collection from children: Elimu Bora does not collect personal data directly from children. All student data is entered by school administrators, teachers, or guardians.
- Retention and deletion: When a student’s record is soft-deleted by the school, it is retained in archived form for the school’s record-keeping obligations but is no longer accessible through active Platform interfaces. Schools can request permanent deletion of student data.
7. How We Use Personal Data
We use personal data exclusively for the following purposes:
- Platform delivery: Operating the school management platform, including academic management, attendance tracking, fee billing, inventory management, event coordination, and notifications.
- Payment processing: Facilitating fee payments via mobile money (through our mobile payment provider), bank transfers, and cash. This includes recording transactions, updating invoice statuses, and maintaining financial records.
- Notifications: Sending transactional notifications to guardians (e.g., attendance alerts, payment confirmations, report card availability) and to staff (e.g., grading reminders, low stock alerts) via email and in-app channels.
- Audit and compliance: Maintaining activity logs, inventory movement records, payment trails, and grade snapshots for accountability and regulatory compliance.
- Technical support: Accessing school data (with appropriate authorisation) to diagnose and resolve technical issues.
- Lead capture: Processing contact form submissions from prospective schools to respond to enquiries and schedule demonstrations.
- Product improvement: Using product analytics (see Section 11) to understand how the Platform and marketing website are used and to improve them. Where this involves a signed-in user, or a visitor who submits a form or subscribes, the analytics may be linked to that individual. We do not use this data for advertising or to build marketing profiles.
We do not:
- Sell, rent, lease, or trade personal data to any third party
- Use personal data for targeted advertising, advertising networks, or social media tracking pixels
- Use student data for any purpose other than educational administration
- Share personal data between schools (each school’s data is completely isolated)
8. Data Sharing and Third Parties
We share personal data only with the following categories of recipients, and only to the extent necessary:
8.1 Service Providers (Sub-processors)
To operate the Platform, we rely on a small number of trusted service providers (sub-processors) who process personal data on our behalf. These fall into the following categories:
- Cloud hosting and storage: securely hosting school information and uploaded files
- Payment processing: facilitating mobile money fee collection
- Transactional email delivery: sending notifications and account emails
- Product and website analytics: understanding and improving how the Platform and website are used
- Security, DNS, and content delivery: protecting the Platform and serving it reliably
Our Sub-processors page gives the current, named list of these sub-processors, including each provider’s purpose, the data it processes, and its location.
We enter into data processing agreements with all sub-processors that handle personal data, requiring them to implement appropriate security measures and process data only for the purposes we specify. We will update the Sub-processors page, and notify subscribing schools, before adding or replacing a sub-processor that handles personal data.
8.2 Schools (Data Controllers)
As Data Processor, we provide each school with access to its own data through the Platform. School administrators and authorised staff can view, export, and manage their own school’s data.
8.3 Legal and Regulatory
We may disclose personal data where required by law, regulation, or court order, including to the Kenya Revenue Authority (KRA), the Office of the Data Protection Commissioner (ODPC), or law enforcement agencies.
9. Data Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:
- Encryption in transit: Information sent between your device and the Platform is encrypted, using the same kind of secure connection (HTTPS) that protects online banking.
- Encryption at rest: Stored information is encrypted while it is held by our infrastructure providers.
- Separation of each school’s data: Each school’s information is kept strictly separate from every other school’s. Our systems are designed so that one school can never access, view, or change another school’s data. This separation is enforced automatically by the system itself, not only by staff procedures.
- Role-based access: Within each school, access is limited by role, so each user (for example a principal, teacher, or guardian) can only see the information their role requires. Schools can adjust these roles to suit their needs.
- Password protection: Passwords are protected using strong, one-way hashing; we never store them in plain, readable form.
- Audit logging: Important actions, such as attendance changes, follow-ups, grade entries, and inventory movements, are recorded so they can be traced for accountability.
- Safe deletion: Important records (such as users, students, and financial data) are first moved to a recoverable state rather than being immediately and permanently erased, which helps prevent accidental data loss.
- Limited staff access: Access by Elimu Bora’s own staff is restricted and does not automatically include a school’s data. Such data is accessed only when necessary for authorised technical support.
9.1 Data Breach Response
In the event of a personal data breach, we will:
- Notify the affected school(s) without undue delay, and in any case within 72 hours of becoming aware of the breach
- Provide details of the nature of the breach, the categories and approximate number of data subjects affected, and the measures taken or proposed to address the breach
- Notify the ODPC as required under Section 43 of the DPA
- Cooperate with the school in notifying affected data subjects where the breach is likely to result in a high risk to their rights and freedoms
10. International Data Transfers
Elimu Bora’s primary operations take place in Kenya. However, some of our sub-processors store or process personal data outside Kenya, currently in the United States and the European Union:
- Cloud hosting and storage: School information and uploaded files are stored in the United States.
- Email delivery: Notification emails may be sent through providers based in the United States.
- Analytics: Information about how the Platform and website are used is processed in the European Union.
- Security and content delivery: These services operate from a global network of data centres.
The specific providers behind each of these categories, and their precise locations, are named on our Sub-processors page.
In accordance with Section 48 of the DPA, we ensure that any transfer of personal data outside Kenya is subject to adequate data protection safeguards, including:
- Data processing agreements with each sub-processor that impose obligations equivalent to or exceeding those under the DPA
- Assessment that the receiving jurisdiction provides adequate data protection, or that the sub-processor maintains appropriate contractual and technical safeguards
- Ensuring that personal data is encrypted in transit and at rest
We are actively evaluating infrastructure options to host all school data within Kenya or the East African region, and will update this Policy as our infrastructure evolves.
11. Cookies and Website Analytics
11.1 Marketing Website (elimuboraerp.com)
Our marketing website uses the following technologies:
- PostHog (product analytics): Helps us understand how visitors use the website, for example which pages are viewed and which calls-to-action are clicked. PostHog sets first-party cookies and processes usage events and device/browser metadata. If you submit the contact form or subscribe to our newsletter, the analytics record is linked to your email address. This data is processed on PostHog Cloud’s European Union infrastructure and is used only to operate and improve our website and services.
- Cloudflare Turnstile: An invisible CAPTCHA service used on the contact form to prevent spam. This processes IP addresses and browser metadata. No tracking cookies are placed.
When you first visit our website, we display a notice informing you that we use cookies. Because these cookies serve our legitimate interest in operating and improving the site, and are not used for advertising, we do not block them pending consent; you can control or delete cookies at any time through your browser settings.
We do not use advertising cookies, advertising networks, or social media tracking pixels on our marketing website, and we do not sell visitor data.
11.2 Platform Application (*.elimuboraerp.com)
The Platform application uses:
- Strictly necessary session cookies that keep you securely signed in, maintain your login state, and help protect your account against certain web-based attacks. These cookies are set only by Elimu Bora, last only for your session, and are deleted when you close your browser or your session expires.
- PostHog product analytics. When you are signed in to the Platform, we use PostHog to understand how the application is used so that we can improve it. This records your in-app actions together with an identifier linked to your account (including your name and email) and your school. It applies to all signed-in users, including staff and guardians. It is used solely for product improvement and is never used for advertising or sold to third parties.
We do not use advertising cookies or social media tracking pixels within the Platform.
12. Data Subject Rights
Under the DPA, data subjects (students, guardians, teachers, staff) have the following rights:
- Right of access: You have the right to request confirmation of whether we process your personal data, and to obtain a copy of that data.
- Right to rectification: You have the right to request correction of inaccurate or incomplete personal data.
- Right to erasure: You have the right to request deletion of your personal data where it is no longer necessary for the purpose for which it was collected, subject to legal retention requirements.
- Right to restriction: You have the right to request that we restrict processing of your personal data in certain circumstances.
- Right to data portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format.
- Right to object: You have the right to object to processing of your personal data where processing is based on legitimate interest.
- Right not to be subject to automated decision-making: Elimu Bora does not make decisions based solely on automated processing that produce legal or similarly significant effects on data subjects.
How to Exercise Your Rights
If you are a student, parent, guardian, teacher, or staff member of a subscribing school: Your school is the Data Controller. Please direct your request to your school’s administration in the first instance. Your school can manage most requests directly through the Platform (e.g., correcting records, exporting data). If the school requires our assistance to fulfil your request, we will cooperate promptly.
If you submitted a contact form or enquiry directly to Elimu Bora: You may contact us directly using the details in Section 14.
We will respond to data subject requests within 30 days, or inform you if additional time is required. We will not charge a fee for processing reasonable requests, except where requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request.
13. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law:
| Data Category | Retention Period | Basis |
|---|---|---|
| Student academic records | Duration of the school’s subscription, plus 7 years after the student leaves the school (or as directed by the school) | Educational record-keeping obligations |
| Financial records (invoices, payments, mobile money logs) | 7 years from the date of the transaction | KRA tax record requirements |
| Attendance records | Duration of the school’s subscription, plus 2 years | School operational requirements |
| Teacher and staff records | Duration of employment at the school, plus 2 years after departure (or as directed by the school) | Employment record-keeping |
| Guardian contact information | Duration of association with the school (linked to student enrolment) | Necessary for Platform operation |
| Contact form submissions | 2 years from submission | Lead management |
| Audit logs and activity trails | 7 years | Regulatory compliance and dispute resolution |
| Soft-deleted records | Retained in archived state for the applicable retention period above | Data integrity and legal compliance |
When a school terminates its subscription, we will:
- Provide the school with an opportunity to export all its data
- Retain the data for a transition period of 90 days
- After the transition period, permanently delete the school’s data, both its records and its stored files, unless a longer retention period is required by law or requested by the school
14. Contact Information
If you have questions about this Privacy Policy, wish to exercise your data subject rights, or need to report a data protection concern, please contact us:
Elimu Bora
Email: legal@elimuboraerp.com
Phone: +254 798 646 579
Address: Ongata Rongai, Kajiado County, Kenya
Complaints
If you believe your data protection rights have been violated, you have the right to lodge a complaint with:
Office of the Data Protection Commissioner (ODPC)
Website: https://www.odpc.go.ke
Email: complaints@odpc.go.ke
15. Payment Processing Disclosure
Elimu Bora is not a payment service provider or a licensed financial institution. Fee payments processed through the Platform are facilitated via:
- Mobile money: Processed through a third-party mobile payment provider. Elimu Bora sends the payment request to the guardian and receives the provider’s confirmation once payment is made. All mobile money transactions are governed by that provider’s terms and conditions. Elimu Bora keeps a record of the transaction references so that payments can be matched to invoices.
- Other methods: Cash and bank transfer payments are recorded manually by school staff within the Platform.
Payment data (transaction references, amounts, dates, payer phone numbers) is retained for a minimum of 7 years in compliance with KRA requirements.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or the DPA’s regulatory guidance. When we make material changes:
- We will update the “Last Updated” date at the top of this Policy
- We will notify subscribing schools via email or in-app notification
- The updated Policy will be published on our website at elimuboraerp.com/privacy-policy
We encourage you to review this Policy periodically.
17. Governing Law
This Privacy Policy is governed by and construed in accordance with the laws of the Republic of Kenya, including the Data Protection Act, 2019, the Constitution of Kenya, 2010, and the Consumer Protection Act, 2012.
Any disputes arising from this Policy shall be subject to the jurisdiction of the courts of Kenya.
This Privacy Policy was last reviewed on Mon 1 Jun, 2026.