Privacy Policy

Effective date: 1st February 2026  |  Last updated: 27th May 2026

This Privacy Policy applies to SmartGrade Analytics, accessible at smartgrade.co.ke

1. Overview

SmartGrade Analytics ("we", "us", "our") is a school management platform built for Kenyan schools. We are committed to protecting the privacy and security of all personal data processed through our platform โ€” including data about learners, parents, guardians and school staff.

This policy explains what data we collect, why we collect it, how it is used, and how we protect it. By using SmartGrade Analytics, your school agrees to this policy on behalf of itself and its users.

๐Ÿ“ SmartGrade Analytics operates under Kenyan law including the Kenya Data Protection Act, 2019.

2. Data We Collect

We collect the following categories of personal data:

School Data:

  • School name, address, county, sub-county, phone number, email address
  • School logo and Head of Institution signature/stamp image (uploaded voluntarily)
  • School motto, vision, mission statement

Staff User Data:

  • Full name, username, email address, role (HOI, teacher, etc.)
  • Login activity logs and security audit records
  • Two-factor authentication device information (if enabled)

Learner Data:

  • Full name (surname, first name, other name)
  • Admission number and CBE assessment number
  • Gender, grade level, stream/class
  • Exam marks, computed percentages, CBE grades, class position

Parent/Guardian Contact Data:

  • Name, phone number, relationship to learner (e.g. Mother, Father, Guardian)
  • SMS delivery records

Payment Data:

  • M-Pesa transaction receipt numbers (we do not store card or full M-Pesa account details)
  • Subscription payment records (amount, date, school)

3. How We Use Your Data

We use personal data only for the purposes for which it was collected:

  • Service delivery: To generate exam reports, CBE report cards, learner rankings and term summaries
  • Parent communication: To send SMS results to registered parent contacts via Africa's Talking
  • Account management: To authenticate users, manage roles and send password reset emails
  • Billing: To calculate subscription fees based on active learner count and process M-Pesa payments
  • Security: To detect unauthorised access, maintain audit logs and protect school data
  • Platform improvement: Aggregate, anonymised statistics about platform usage (no individual data)
โš ๏ธ We do not sell, rent or trade personal data to third parties. We do not use learner or parent data for marketing or advertising purposes.

4. Learner Data โ€” Special Protections

We treat learner data with the highest level of care given that it concerns minors.

  • Learner data is only accessible to authorised staff of the school that registered the learner
  • No learner data is visible to staff of other schools or to the general public
  • Learner exam results are sent via SMS only to contacts that the school has explicitly registered for that learner
  • Learner data is never shared with any third party for commercial purposes
  • Schools are responsible for ensuring they have appropriate consent to register learner data on the platform

5. Data Sharing with Third Parties

We share limited data with the following service providers solely to operate the platform:

  • Africa's Talking โ€” SMS gateway provider. Parent phone numbers and result messages are transmitted to deliver SMS notifications. Africa's Talking processes this under their own privacy policy.
  • Safaricom / KCB โ€” Payment processing. M-Pesa STK Push requests include the payer's phone number. We do not store full payment details beyond the M-Pesa receipt number.
  • HostPinnacle / cPanel Hosting โ€” Server infrastructure. Your school data is stored on servers in accordance with their data centre policies.

We may disclose data if required to do so by Kenyan law, court order or regulatory authority.

6. Data Security

We implement the following security measures to protect your data:

  • All passwords are hashed using Django's PBKDF2 algorithm โ€” we never store plaintext passwords
  • Optional Two-Factor Authentication (TOTP) for all staff accounts
  • Role-based access control โ€” staff only see data relevant to their role
  • Session security with automatic expiry and CSRF protection on all forms
  • Multi-school isolation โ€” data from one school is never accessible to another
  • Server access logging and security audit trails

While we take reasonable precautions, no internet-based system can be 100% secure. In the event of a data breach that poses risk to users, we will notify affected schools within 72 hours as required by the Kenya Data Protection Act.

7. Data Retention

We retain data for the following periods:

  • School and learner data: Retained for as long as the school account is active, plus 1 year after account closure
  • Exam results and report cards: Retained for the duration of the school's active subscription
  • Payment records: Retained for 7 years as required by Kenyan financial regulations
  • Security audit logs: Retained for 2 years
  • SMS logs: Retained for 1 year

Schools may request deletion of their data by contacting us at support@smartgrade.co.ke. Deletion requests will be processed within 30 days, subject to legal retention requirements.

8. Your Rights Under the Kenya Data Protection Act

Under the Kenya Data Protection Act, 2019, you have the following rights:

  • Right of access: Request a copy of personal data we hold about you or your school
  • Right to rectification: Request correction of inaccurate or incomplete data
  • Right to erasure: Request deletion of your data (subject to legal obligations)
  • Right to portability: Request your data in a portable format
  • Right to object: Object to specific uses of your data

To exercise any of these rights, email us at support@smartgrade.co.ke with the subject line "Data Rights Request". We will respond within 21 days.

9. Cookies

SmartGrade Analytics uses the following cookies:

  • Session cookie: Required for login. Stores your session ID so you stay logged in. Expires when you close the browser or after 24 hours of inactivity.
  • CSRF token cookie: Required for security. Prevents cross-site request forgery attacks on form submissions.
  • Theme cookie: Stores your light/dark mode preference. No personal data.

We do not use tracking cookies, advertising cookies or third-party analytics cookies. We do not use Google Analytics.

10. Children's Privacy

SmartGrade Analytics processes data about learners, many of whom are minors. We are committed to protecting children's privacy:

  • Learner accounts are not created โ€” learners do not log in to SmartGrade
  • Learner data is entered and managed by authorised school staff only
  • Learner results are communicated only to registered parent/guardian contacts
  • We do not collect more data about learners than is necessary for exam analysis and reporting

Schools are responsible for obtaining appropriate parental consent before registering learner data. By using SmartGrade, schools confirm they have the legal basis to process learner personal data.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify registered school administrators by email and update the "Last updated" date at the top of this page.

Continued use of SmartGrade Analytics after changes are published constitutes acceptance of the updated policy.

12. Contact Us

For privacy-related enquiries, data rights requests or to report a concern:

  • Email: support@smartgrade.co.ke
  • Subject line: "Privacy Policy Enquiry" or "Data Rights Request"
  • Website: smartgrade.co.ke/contact

We are committed to resolving all privacy concerns promptly and transparently.