Legal & Compliance

Privacy Policy &
Terms of Service

Tiptons Analytics is committed to protecting the privacy and security of personal data entrusted to us by schools, students, parents, and staff. This policy explains what data we collect, how we use it, and your rights.

Last Updated: 25 June 2026 Effective Date: 25 June 2026 Covers Web App & Mobile Applications
1

Who We Are

Tiptons Analytics ("we", "us", "our") is a Kenyan technology company that develops and operates the Tiptons Analytics School Management System — a cloud-based platform and suite of mobile applications used by primary schools, secondary schools, and educational institutions across Kenya and East Africa.

Our registered business address is in Nairobi, Kenya. We act as a data processor on behalf of schools (our clients, who are the data controllers) and, in limited circumstances, as a data controller in our own right in relation to account and billing information.

This Privacy Policy applies to:

Our web application at tiptonsanalytics.com and all subdomains
Our Android and iOS mobile applications (parent app, teacher app, admin app)
All modules within the Administration & Communication Suite, Academic Module, Finance Module, and any add-ons
Any communications we send to users and prospective clients
For Schools (Data Controllers) If you are a school administrator, your school is responsible for determining how student, parent, and staff data is used within the platform. Tiptons Analytics processes that data only on your instruction under the terms of your service agreement.
2

Data We Collect

The categories of personal data we collect depend on the role of the user and the modules subscribed to by the school. The table below summarises all categories of personal data that may be processed through our platform.

Data Category Data Subject Examples Module
Identity & Bio-Data Students, Staff, Parents Full name, date of birth, gender, nationality, ID/birth certificate number, passport photo Administration
Contact Information Students, Staff, Parents, Guardians Phone number, email address, physical address, next-of-kin details Administration, Communications
Academic Records Students Grades, exam results, attendance records, class allocations, co-curricular activities, disciplinary records Academic, Administration
Health & Medical Data Students Nurse visit logs, presenting complaints, treatment notes, medication dispensed, lab results, medical history, allergies Nursing Add-On
Financial Data Students / Parents Fee records, payment history, outstanding balances, M-Pesa transaction references Finance Module
Employment Data Staff Employment contract, TSC number, qualifications, salary details, bank account for payroll, leave records, performance appraisals HR Module
Biometric Data Staff (optional) Fingerprint templates or facial recognition data used solely for time and attendance tracking HR Module (biometric integration)
Visitor Data Visitors Name, ID number, purpose of visit, host, check-in/out time, photo capture Visitors Add-On
Admissions & Enquiry Data Prospective Students / Parents Application details, uploaded documents, interview notes, admission decisions Admissions, Front Desk CRM
Device & Usage Data All App Users IP address, device type, operating system, browser type, pages visited, session duration, crash reports All Modules / Mobile App
Communication Logs Parents, Staff SMS delivery status, email open/click data, WhatsApp message delivery, in-app message history Communications Module
Account & Billing Data School Administrators School name, contact person, subscription plan, billing address, payment method Platform (Tiptons as Controller)
Data We Do Not Collect
We do not collect or store raw fingerprint images — only encrypted biometric templates generated by approved devices.
We do not store full payment card numbers (PCI-DSS compliant payment processing is handled by third-party providers).
We do not sell personal data to advertisers or third-party marketers under any circumstances.
3

How We Use Personal Data

We use personal data only for the specific purposes for which it was collected or as required by applicable law. The primary purposes are:

Service Delivery — to provide, operate, and maintain the school management platform and all subscribed modules on behalf of the school.
Communications — to send authorised school communications to parents and staff via SMS, email, WhatsApp, and in-app notification.
Health & Safety — to maintain student health records, issue parent health alerts, and support early detection of health concerns (Nursing Add-On).
HR & Payroll Processing — to manage staff attendance, leave, performance, and salary calculations on instruction from the school.
Admissions Management — to manage the full admissions pipeline from enquiry to enrolment on behalf of the school.
Campus Security — to maintain visitor logs and issue host notifications for safeguarding compliance (Visitors Add-On).
AI Health Analytics — to identify patterns in nurse visit data that may indicate health risks, using anonymised or pseudonymised aggregated data where possible.
Platform Improvement — to analyse aggregate, anonymised usage data to improve our product features, performance, and reliability.
Legal Compliance — to comply with applicable Kenyan laws, respond to lawful requests from regulatory authorities, and exercise our legal rights.
5

Data Sharing & Disclosure

We do not sell, rent, or trade personal data. We may share personal data only in the following limited circumstances:

With the Subscribing School

All data entered into the platform is available to the authorised administrators, teachers, and staff of the subscribing school according to role-based access controls configured by the school.

With Authorised Sub-Processors

We use carefully selected third-party service providers who process data on our behalf. All sub-processors are bound by data processing agreements and are required to maintain appropriate security standards:

Cloud Hosting — infrastructure providers for server and database hosting within secure data centres.
SMS Gateway Providers — for delivery of SMS messages to parents and staff (message content is shared with the gateway for delivery only).
Email Service Providers — for transactional and broadcast email delivery.
Payment Processors — for processing school subscription payments (Tiptons does not receive or store full card details).
Analytics Providers — aggregate, anonymised platform usage data only; no personal data is shared for advertising purposes.
With Law Enforcement or Regulatory Authorities

We may disclose personal data if required to do so by law, court order, or governmental authority, or where we believe disclosure is necessary to protect the rights, safety, or security of individuals.

Business Transfers

In the event of a merger, acquisition, or sale of all or a portion of our assets, personal data may be transferred as part of that transaction. We will notify affected schools prior to any such transfer.

We Never Sell Data Tiptons Analytics does not sell, licence, or otherwise transfer personal data of students, parents, or staff to advertisers, data brokers, or third parties for commercial purposes.
6

Data Retention

We retain personal data for as long as necessary to fulfil the purposes outlined in this policy, to comply with legal obligations, and to resolve disputes or enforce agreements. The following general retention periods apply:

Data TypeRetention PeriodBasis
Active student recordsDuration of enrolment + 7 years after graduation or transferLegal / Educational compliance
Student health recordsDuration of enrolment + 7 yearsMedical record obligations
Staff employment recordsDuration of employment + 7 yearsEmployment law
Biometric attendance dataDuration of employment + 1 yearContractual / HR
Visitor logs2 years from date of visitSafeguarding / security
Admissions / enquiry data (not admitted)2 years from last contactLegitimate interest
Communication logs3 yearsOperational / audit
Billing & account data7 years after contract endFinancial / tax obligations
Device & usage logs12 monthsSecurity / product improvement

When a school's subscription is terminated, we will retain data for a period of 90 days to allow the school to export their records. After that period, data will be securely deleted from our active systems. Backups are purged within 180 days of deletion from the active system.

7

Security Measures

We implement industry-standard technical and organisational security measures to protect personal data against unauthorised access, disclosure, loss, or destruction:

Encryption in transit — all data transmitted between users and our servers is encrypted using TLS 1.2 or higher.
Encryption at rest — sensitive data, including health records, biometric templates, and financial information, is encrypted at rest using AES-256.
Role-based access control (RBAC) — users can only access data relevant to their assigned role; school principals cannot access payroll details of other schools.
Multi-factor authentication (MFA) — available for all administrator accounts and required for accounts with access to sensitive data categories.
Audit logging — all significant data access, modifications, and exports are logged with user ID and timestamp for security review.
Regular backups — automated daily encrypted backups stored in geographically separate locations.
Security testing — regular penetration testing and vulnerability assessments conducted by qualified security professionals.
Data Breach Notification In the event of a personal data breach that is likely to result in risk to the rights and freedoms of individuals, we will notify the affected school(s) within 72 hours of becoming aware of the breach. Schools are responsible for notifying their own data subjects as required.
8

Children's Privacy

Our platform is designed for use by educational institutions and necessarily involves the processing of data about children under the age of 18. We treat this responsibility with the utmost seriousness.

Student data is entered and managed exclusively by school administrators and authorised staff — students do not directly create accounts or self-register on our platform.
Schools (as data controllers) are responsible for obtaining parental or guardian consent for the collection and processing of student data as required under Kenyan law and school admission policies.
Student data is never used for advertising, profiling for commercial purposes, or shared with third parties for any purpose other than service delivery.
Sensitive student data (health records, disciplinary records) is subject to additional access restrictions within the platform beyond standard role-based controls.
We comply fully with the Kenya Children Act and the Kenya Data Protection Act, 2019 with respect to the processing of children's personal data.
Google Play & App Store Compliance Our mobile applications that may be used in connection with student data comply with Google Play's User Data Policy and Apple App Store Review Guidelines, including requirements relating to children's data and sensitive permissions.
9

Your Rights as a Data Subject

Under the Kenya Data Protection Act, 2019, individuals whose personal data we process have the following rights. Because schools are the data controllers for most data on our platform, requests from students, parents, and staff should generally be directed to the relevant school in the first instance. We will support schools in fulfilling data subject requests.

Right of Access — you have the right to request a copy of personal data held about you.
Right to Rectification — you have the right to have inaccurate or incomplete data corrected.
Right to Erasure — in certain circumstances, you may request deletion of your personal data.
Right to Restrict Processing — you may request that we restrict the processing of your data in certain circumstances.
Right to Data Portability — you have the right to receive your personal data in a structured, commonly used, machine-readable format.
Right to Object — you may object to processing based on legitimate interests or for direct marketing purposes.
Right to Withdraw Consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise your rights in relation to data where Tiptons Analytics acts as data controller (such as account and billing data), please contact us using the details in Section 14. We will respond within 30 days.

You also have the right to lodge a complaint with the Office of the Data Protection Commissioner of Kenya (ODPC) at www.odpc.go.ke if you believe your data protection rights have been violated.

10

Cookies & Tracking Technologies

Our web application uses cookies and similar tracking technologies to operate the platform and improve user experience.

Cookie TypePurposeCan Be Disabled?
Strictly NecessarySession management, authentication, security (CSRF protection). Required for the platform to function.No — essential for login
FunctionalRemembering user preferences (language, theme, date format), personalising the dashboard experience.Yes — may affect experience
AnalyticsAggregate, anonymised usage data to understand feature adoption and improve the platform. No personal identifiers shared.Yes — opt-out available
SecurityDetecting and preventing fraud, bot activity, and unauthorised access attempts.No — required for security

Our mobile applications do not use browser cookies. Mobile app sessions are managed through secure, encrypted tokens stored in the device's secure storage. The mobile app does not use advertising identifiers (IDFA/GAID) or share data with advertising networks.

11

Third-Party Services & Integrations

Our platform integrates with the following categories of third-party services. Each integration is governed by a data processing agreement and subject to review:

M-Pesa (Safaricom) — for parent fee payments. Transaction data is processed by Safaricom under their privacy policy; Tiptons receives only the payment confirmation reference.
WhatsApp Business API — for school-to-parent communications. Message content is transmitted through Meta's infrastructure subject to Meta's privacy policy.
Biometric Device Manufacturers — hardware integrations for fingerprint/face recognition; biometric processing occurs on the device or in encrypted templates only.
Cloud Infrastructure Providers — our servers are hosted in secure cloud environments; all data remains within access-controlled environments subject to our security standards.

We are not responsible for the privacy practices of third-party services or external websites linked from our platform. We encourage users to review the privacy policies of any third-party services they access.

12

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or regulatory guidance. When we make material changes, we will:

Update the "Last Updated" date at the top of this page.
Send a notification to registered school administrators via email and in-app notification at least 14 days before the changes take effect.
For significant changes affecting the rights of data subjects, seek renewed confirmation of acceptance from school account holders.

Continued use of the platform after the effective date of changes constitutes acceptance of the updated policy. Previous versions of this policy are available upon request.

13

Terms of Service (Summary)

Full Terms of Service Complete Terms of Service governing your subscription to Tiptons Analytics are provided in your service agreement upon onboarding. Key provisions are summarised below.
Acceptance of Terms

By accessing or using the Tiptons Analytics platform, you (the subscribing school or its authorised representatives) agree to be bound by these terms and our Privacy Policy. If you do not agree, you must not use the platform.

Permitted Use

The platform may only be used for lawful educational administration purposes by the subscribing school. You may not use the platform to process data for any purpose not related to the management of your school community.

School Responsibilities
Schools are responsible for ensuring all data entered into the platform has been collected lawfully and with appropriate consent where required.
Schools must maintain the confidentiality of all system credentials and promptly notify us of any suspected unauthorised access.
Schools are responsible for training authorised users on appropriate use of the platform and this privacy policy.
Intellectual Property

All software, platform features, designs, and content provided by Tiptons Analytics remain the intellectual property of Tiptons Analytics. Schools retain ownership of all data they input into the platform.

Limitation of Liability

To the extent permitted by applicable law, Tiptons Analytics shall not be liable for any indirect, incidental, special, or consequential damages arising from use of the platform. Our total liability shall not exceed the total fees paid by the school in the 12 months preceding the claim.

Governing Law

These terms are governed by the laws of the Republic of Kenya. Any disputes shall be subject to the exclusive jurisdiction of the courts of Kenya.

Termination

Either party may terminate the service agreement with 30 days' written notice. Upon termination, data export is available for 90 days after which data is securely deleted as outlined in Section 6.

14

Contact Us & Data Protection Officer

If you have any questions, concerns, or requests regarding this Privacy Policy or the handling of your personal data, please contact us:

Company
Tiptons Analytics
General Contact
Contact Form
Location
Nairobi, Kenya
Data Subjects' Rights Requests
Please direct all data access, rectification, erasure, or objection requests to your school administrator in the first instance. For matters where Tiptons Analytics acts as data controller, email us at the address above with the subject line "Data Rights Request".

We aim to respond to all privacy-related enquiries within 5 business days and to fulfil data subject requests within 30 days.

To file a complaint with the Kenyan data protection regulator: Office of the Data Protection Commissioner (ODPC), visit www.odpc.go.ke.