System Governance & Compliance

Legal Framework

Kenya Data Protection Act 2019 Compliant

Privacy Policy

Version 1.0 | Effective: June 1, 2026

Nzureal operates a cloud-based School Enterprise Resource Planning (ERP) platform designed for educational institutions in Kenya. This Privacy Policy outlines how we collect, use, disclose, and protect information when schools, parents, and administrators utilize our platform. In strict adherence to the Kenyan Data Protection Act (2019), Nzureal operates primarily as a Data Processor on behalf of the educational institution (the school), which acts as the Data Controller.

1. Lawful Basis for Processing & Consent

Dynamic Flow: Parental Consent

For students under the age of 18, processing is initiated dynamically when a parent or legal guardian signs up, creates an account, and explicitly grants consent to onboard their child onto the platform.

Authorization: Institutional Warranty

The school warrants that it has the necessary legal authority to utilize our ERP system to process administrative, financial, and academic records across all active terms.

2. Information We Process

We handle data systematically across targeted modules to maintain standard school ecosystem functions:

  • Academic & Administrative Data: Student names, admission numbers, grades, performance analytics, and Ministry of Education/CBC compliance records.
  • Financial Data: M-Pesa transaction IDs, bank reconciliation states, fee payment histories, and outstanding balance tracking logs.
  • Sensitive Personal Data: Medical logs, health notes, and disciplinary records accessible strictly through granular credential permissions.

3. Role-Based Access Controls (RBAC)

To prevent unauthorized internal access, database visibility is strictly compartmentalized based on system roles:

  • Administrative Oversight: Full system visibility and administrative rights are structurally restricted to the Principal, Headmaster, and Director roles.
  • Health Data Isolation: Sensitive student medical records are fenced off and accessible solely by the designated School Nurse and authorized top-tier directors.

4. Data Infrastructure, Hosting & Transfers

Data is processed on encrypted cloud instances. The platform currently runs on Supabase Cloud infrastructure, with a scheduled architecture migration to high-performance dedicated virtual private servers hosted on Contabo VPS. All transaction records and request body payloads are programmatically sanitized to guard against database injection.

5. Data Retention, Backups & Deletion

30 DAYS

Production data is retained for exactly 30 days following contract termination, after which the servers are fully wiped.

ARCHIVE DELIVERY

A verified, complete copy of the school's compiled data is securely returned to the school administration during the offboarding phase.

7-DAY SNAPSHOTS

Automated midnight backups operate on a strict 7-day rolling cycle, after which older logs are completely destroyed.