Skip to main content
Back to Home

Privacy Policy

Last Updated: April 4, 2025

EduXal Labs ("EduXal", "we", "our", or "us") is committed to protecting the privacy and security of the data entrusted to us by schools, educators, guardians, and all users of our platform. This Privacy Policy explains what information we collect, why we collect it, how we use it, and the rights you have over your data.

EduXal is a school management platform designed for Kenyan schools. We comply with the Kenya Data Protection Act, 2019 and the regulations issued by the Office of the Data Protection Commissioner (ODPC).

By using EduXal, you agree to the practices described in this policy. If you are a school director or administrator, you are responsible for ensuring that staff and guardians at your school are aware of how data is handled through the platform.

1. Information We Collect

We collect the following categories of information to provide and improve our school management services:

a) School Information

  • School name, address, registration details, and configuration settings
  • School financial records including fees structure, invoices, and payment records
  • Timetable and academic calendar data

b) Staff and Teacher Information

  • Names, contact details (phone number, email address), and role assignments
  • Teaching subjects, class assignments, and performance-related data

c) Student Information

  • Student names, admission numbers, class/grade levels
  • Academic records including grades, assessment results, and attendance
  • Fee payment status and related financial records

Important: Students do not directly use or interact with the EduXal platform. Student data is entered and managed exclusively by authorised school staff and teachers.

d) Guardian Information

  • Names, phone numbers, and email addresses
  • Relationship to the student
  • Guardian app usage data (for viewing their child's academic and fee information)

e) Payment Information

  • M-Pesa transaction references and payment confirmations
  • Fee payment amounts, dates, and status

We do not store M-Pesa PINs, passwords, or full mobile money account details. Payment processing is handled through secure, authorised payment integrations.

f) Usage and Technical Data

  • Device type, browser information, and IP address
  • Pages visited, features used, and interaction patterns
  • Error logs and performance data

2. How We Use Your Data

We use the information we collect for the following purposes:

a) Providing Our Services

  • Managing student records, attendance, grades, and academic reporting
  • Processing and tracking fee payments through M-Pesa integration
  • Generating timetables and school schedules using AI
  • AI-powered assessment grading — teachers photograph answer sheets and our AI grades them
  • Delivering notifications to guardians about their child's performance and fees
  • Enabling role-based access so each user sees only the data relevant to their role

b) Improving the Platform

We use data to understand how schools interact with EduXal, identify areas for improvement, fix bugs, and develop new features that better serve Kenyan schools. This includes analysing usage patterns and platform performance.

c) Aggregated Insights

We may generate anonymised, aggregated insights from platform data — for example, understanding common timetable patterns or assessment trends across schools. These insights never identify individual students, teachers, or schools. They help us build a better product and may inform educational research in Kenya.

d) Communication

We may contact school administrators about service updates, new features, account-related matters, or support requests.

e) Legal Compliance

We may process data as required to comply with applicable Kenyan laws, respond to lawful requests from authorities, or protect the rights and safety of our users and the public.

3. Your School Owns Its Data

Your school's data belongs to your school. This is a foundational principle of EduXal. Specifically:

  • Full ownership: All data that your school enters into EduXal — student records, grades, attendance, financial records, staff information — remains the property of your school.
  • Access control: You decide who can see and manage your school's data through EduXal's roles and permissions system. You can grant and revoke access at any time.
  • Data export: You can request an export of your school's data at any time by contacting us.
  • Data deletion: If you stop using EduXal, you can request that your school's data be deleted from our systems, subject to any legal retention requirements.

By using EduXal, you grant us a licence to host, process, and transmit your school's data solely as needed to provide and improve the platform's services. We will never sell your school's data to third parties. We will never use your school's identifiable data for advertising. We treat your trust as our most important responsibility.

4. AI Features and Your Data

EduXal uses artificial intelligence to help teachers and administrators work more efficiently. Our current AI features include:

  • AI Assessment Grading: Teachers photograph student answer sheets, and our AI grades them against the marking scheme. The images and results are processed securely and stored as part of the student's academic record.
  • AI Timetable Generation: Our AI analyses school constraints (rooms, teachers, subjects) to generate optimised timetables.

Data processed by our AI features is subject to the same privacy protections as all other data on the platform. We may use anonymised, aggregated data from AI processing to improve our algorithms — for example, improving handwriting recognition accuracy — but we will never expose individual student data in this process.

5. Who We Share Data With

We do not sell your data. We share data only in the following limited circumstances:

  • Service providers: We work with trusted technology partners (cloud hosting, payment processing, AI services) who process data on our behalf under strict contractual obligations to protect your information.
  • Payment processors: Fee payments through M-Pesa are processed by authorised payment service providers regulated by the Central Bank of Kenya.
  • Legal requirements: We may disclose data when required by Kenyan law, a court order, or a lawful request from a government authority.
  • With your consent: We may share data with other parties if you explicitly authorise us to do so.

6. How We Protect Your Data

We take the security of your data seriously and implement appropriate technical and organisational measures, including:

  • Encryption of data in transit (HTTPS/TLS) and at rest
  • Role-based access controls within the platform
  • Regular security assessments and monitoring
  • Secure cloud infrastructure with reputable providers
  • Access to personal data limited to authorised EduXal staff who need it to support the service

While no system is 100% secure, we are committed to using industry best practices to protect the information entrusted to us. If we become aware of a data breach that affects your rights, we will notify you and the relevant authorities as required by the Kenya Data Protection Act.

7. How Long We Keep Data

We retain your school's data for as long as your school maintains an active EduXal subscription. After your subscription ends:

  • Your data remains available for a reasonable wind-down period so you can export it.
  • After the wind-down period, we will securely delete or anonymise your data unless we are legally required to retain it.
  • Anonymised, aggregated data (which cannot identify any individual or school) may be retained indefinitely for product improvement and research purposes.

8. Your Rights Under the Kenya Data Protection Act

Under the Kenya Data Protection Act, 2019, you have the following rights:

  • Right of access: You can request a copy of the personal data we hold about you or your school.
  • Right to rectification: You can ask us to correct inaccurate or incomplete data.
  • Right to deletion: You can request that we delete your personal data, subject to legal retention obligations.
  • Right to object: You can object to certain types of data processing.
  • Right to data portability: You can request your data in a structured, commonly used format.

To exercise any of these rights, contact us using the details below. We will respond to your request within 30 days.

9. Children's Data

EduXal stores academic and administrative records for students, many of whom are children. This data is entered and managed exclusively by authorised school staff — students do not use the platform directly and do not have accounts.

We process student data on behalf of the school, which is responsible for obtaining any necessary consents from guardians in accordance with Kenyan law. We apply the same rigorous security and privacy protections to all student data.

10. Guardian Access

Guardians can view their child's academic progress, attendance, and fee information through the EduXal guardian mobile app. Guardian access is configured and controlled by the school. Guardians can only see data related to their own child.

11. Cookies and Similar Technologies

Our platform may use cookies and similar technologies to maintain your session, remember your preferences, and understand how the platform is used. We use only essential and functional cookies — we do not use third-party advertising trackers.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make significant changes, we will notify school administrators through the platform and update the "Last Updated" date at the top of this page.

13. Contact Us

If you have questions about this Privacy Policy, want to exercise your data rights, or have a concern about how your data is handled, please reach out: