Effective 19 June 2026
Last updated 19 June 2026
Privacy Policy
CRADEUM
PRIVACY AND DATA PROTECTION POLICY
1. INTRODUCTION
This Privacy and Data Protection Policy (“Policy”) governs the collection, processing, storage, and protection of personal data arising from the CRADEUM Pilot Project (“Product”). The Product is provided by the Provider to the Customer strictly for pilot testing and evaluation purposes.
This Policy is developed in compliance with Article 31 of the Constitution of Kenya, 2010 and the Data Protection Act, 2019 (Kenya). The Provider recognizes the right to privacy and is committed to ensuring that personal data relating to students, teachers, administrators, and other users is processed lawfully, fairly and transparently.
2. SCOPE AND APPLICATION
This Policy applies to all personal data processed through the CRADEUM system during the pilot period. It applies to:
a. Students using the system.
b. Teachers and academic staff.
c. School administrators.
d. Any other authorized users interacting with the Product.
The Policy covers personal data in electronic or manual form collected, stored, transmitted, or otherwise processed through the system.
3. CATEGORIES OF PERSONAL DATA COLLECTED
During the pilot period, the system may collect and process the following categories of personal data:
(a) Identification data (name, admission number, staff number);
(b) Contact details (email address, phone number where applicable);
(c) Login credentials and authentication information;
(d) Library usage records (books accessed, borrowing history, search history);
(e) Device and system logs, including IP address and browser information;
(f) Feedback submitted during the pilot phase.
Sensitive personal data shall not be intentionally collected unless strictly necessary and permitted by law. Where data relates to minors, parental or guardian consent shall be obtained by the Customer as required under the Data Protection Act.
4. PURPOSE OF DATA PROCESSING
Personal data is processed strictly for the following purposes:
(a) To provide and maintain the CRADEUM system;
(b) To enable user authentication and account management;
(c) To monitor system performance and usage;
(d) To collect feedback for improvement of the Product;
(e) To ensure system security and prevent unauthorized access;
(f) To comply with legal and regulatory obligations.
Personal data shall not be processed for purposes incompatible with the above objectives.
5. LEGAL BASIS FOR PROCESSING
Processing of personal data under this Policy is based on:
(a) Consent of the data subject or, in the case of minors, consent of a parent or guardian;
(b) Performance of an obligation under the Pilot memorandum of understanding
(c) Legitimate interests of the Provider in improving and securing the Product;
(d) Compliance with applicable laws.
Consent shall be informed, specific, and freely given.
6. DATA MINIMIZATION AND ACCURACY
The Provider shall ensure that personal data collected is adequate, relevant and limited to what is necessary for the stated purposes. Reasonable steps shall be taken to ensure that personal data is accurate and kept up to date. Inaccurate data shall be corrected or deleted upon request.
7. DATA RETENTION
Personal data shall be retained only for the duration of the pilot period unless a longer retention period is required by law or agreed upon in writing. Upon termination or expiration of the Pilot Agreement, personal data shall be deleted within sixty (60) days, unless otherwise required by law.
8. DATA SECURITY
The Provider shall implement appropriate technical and organizational measures to safeguard personal data against unauthorized access, loss, destruction, alteration, or disclosure. Such measures include:
(a) Secure authentication mechanisms;
(b) Encryption where appropriate;
(c) Access controls and role-based permissions;
(d) Secure hosting infrastructure;
(e) Regular system monitoring and updates.
Access to personal data shall be restricted to authorized personnel only.
9. DATA SUBJECT RIGHTS
Data subjects have the following rights under the Data Protection Act, 2019:
(a) The right to be informed of the use of their personal data;
(b) The right to access their personal data;
(c) The right to request correction of inaccurate or misleading data;
(d) The right to request deletion of false or misleading data;
(e) The right to object to processing;
(f) The right to data portability where applicable.
Requests to exercise these rights shall be made in writing to the designated contact person of the Provider or through the Customer.
10. DISCLOSURE AND THIRD PARTIES
Personal data shall not be disclosed to third parties except:
(a) Where required by law;
(b) With the consent of the data subject;
(c) To authorized service providers acting on behalf of the Provider under strict confidentiality obligations.
Any third-party processing shall comply with the Data Protection Act, 2019.
11. CROSS-BORDER TRANSFERS
Personal data shall not be transferred outside Kenya unless adequate safeguards are in place and in compliance with applicable data protection laws.
12. DATA BREACH MANAGEMENT
In the event of a data breach, the Provider shall take prompt corrective action and, where required by law, notify the Office of the Data Protection Commissioner and affected data subjects within the prescribed timelines.
13. ACCOUNTABILITY AND GOVERNANCE
The Provider shall maintain internal data protection procedures and designate a responsible officer to oversee compliance with this Policy. Records of processing activities shall be maintained as required by law.
14. REVIEW AND AMENDMENT
This Policy may be reviewed and updated from time to time to ensure compliance with legal and regulatory requirements. Any material changes shall be communicated to the Customer.