← Gradika

Privacy Policy

Last updated: July 2026 · Applies to gradika school spaces and this website.

1. Who we are, and our role

Gradika provides schools with a learning-management platform for CBC assessment, exams, attendance, fees, and parent communication. Under Kenya's Data Protection Act, 2019 (the "DPA"), your school is the data controller of the learner, guardian, and staff information it records, and Gradika acts as the data processor, handling that information only on the school's instructions to run the service.

2. What we process

  • Learners: name, admission number, class, assessment and exam records, attendance, fee statements, and learning activity (practice and tests).
  • Parents & guardians: name and phone number (your sign-in identity), the learners you are linked to, and messages the school sends you. Your PIN is stored only as a one-way cryptographic hash — we cannot read it.
  • School staff: name, work email, role, and teaching assignments.
  • Payments: M-Pesa transaction references for school subscriptions. We never see or store M-Pesa PINs.

We do not sell personal data, and we show no advertising.

3. Children's data

Learner records are entered by the school under its legal mandate as an educational institution, and parental access is granted only through the school linking a guardian's phone number to a learner. We process children's data solely to deliver the school's educational service, consistent with section 33 of the DPA.

4. Where data is stored (cross-border transfer)

Gradika runs on reputable cloud infrastructure whose data centres are located outside Kenya (currently in the United States). This is a cross-border transfer under sections 48–49 of the DPA. We transfer only what the service needs, under contracts with our hosting providers that require appropriate security safeguards, and we are working toward regional hosting options as they become available.

5. How we protect it

  • Encrypted connections (HTTPS) for all traffic.
  • Every school's data is isolated to its own space; one school can never read another's records.
  • Role-based access: subject teachers, class teachers, and admins each see only what their role allows.
  • PINs and passwords stored as salted one-way hashes; sign-in attempts are rate-limited.

6. Retention

We keep records for as long as the school maintains its Gradika space, so learners' academic history stays available across terms and years. When a school leaves, it may request export and deletion of its data; we then delete it within a reasonable period, except where the law requires longer retention.

7. Your rights

Under the DPA you may ask to access, correct, or delete personal data about you or your child. Because the school is the controller, the fastest route is your school's office — they can correct records directly (for example a misspelled name or a wrong phone number). You may also contact us, and you have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC), Kenya.

8. Contact

Questions about this policy or our data handling: collab@kiungor.com. We will update this page as the service evolves; material changes will be dated above.