1. Introduction and Scope
ROAN Learning Designs Ltd (“ROAN,” “we,” “our,” or “us”) is a Nairobi-based education technology corporation registered under the laws of the Republic of Kenya (Registration No. BN-DLZSRRKYE). We operate the ROAN Learning Operating System (“L-OS”), a competency graph engine that maps and tracks student learning outcomes across the Competency-Based Curriculum (CBC) framework, accessible through our website at roanldt.co.ke and associated digital platforms (collectively, the “Platform”).
This Privacy Policy describes how we collect, use, store, disclose, and protect personal data when you interact with our Platform, whether as an individual visitor to our website, a school administrator, teacher, parent, guardian, student, or any other stakeholder (“you” or “user”). This Policy applies to all services offered through the Platform, including the L-OS dashboards, competency tracking tools, assessment reporting engines, early warning systems, and all associated analytics and communication features.
We are committed to protecting the privacy and security of all personal data entrusted to us, with particular care afforded to the data of children and minors. This Policy has been drafted in compliance with the following legal frameworks:
- The Kenya Data Protection Act, 2019 (DPA 2019) — the primary data protection legislation governing the processing of personal data in Kenya, administered by the Office of the Data Protection Commissioner (ODPC).
- The Kenya Data Protection (General) Regulations, 2021 — subsidiary regulations that prescribe detailed requirements for data controllers and processors.
- The Kenya Data Protection (Compliance and Enforcement) Regulations, 2021 — enforcement mechanisms and complaint handling procedures.
- The General Data Protection Regulation (EU GDPR) — applicable where we process personal data of individuals located within the European Economic Area or where our services are offered to such individuals.
- The African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention, 2014) — the continental framework for data protection across African Union member states.
- The United Nations Convention on the Rights of the Child (UNCRC) — principles governing the best interests of the child, informing our approach to children’s data.
- The Kenya Children Act, 2022 — provisions relating to the protection of children’s personal information in digital environments.
- The Computer Misuse and Cybercrimes Act, 2018 (Kenya) — provisions on unauthorised access and cybersecurity.
By accessing or using our Platform, you acknowledge that you have read, understood, and agree to the terms of this Privacy Policy. If you do not agree to this Policy, you must not access or use the Platform.
2. Data Controller Information
For the purposes of the Kenya Data Protection Act 2019 and the GDPR (where applicable), the data controller responsible for your personal data is:
| Item | Detail |
|---|---|
| Legal Entity | ROAN Learning Designs Ltd |
| Registration No. | BN-DLZSRRKYE |
| Registered Address | Nairobi, Kenya |
| Data Protection Officer | Philip Nyalele (Founder & DPO) |
| Email | privacy@roanldt.co.ke / nyalele@roanldt.co.ke |
| Telephone | +254 715 774462 |
| Website | roanldt.co.ke |
Where ROAN processes personal data on behalf of a subscribing school or educational institution, ROAN acts as a Data Processor and the subscribing institution acts as the Data Controller. In such cases, a separate Data Processing Agreement (DPA) shall govern the relationship between ROAN and the institution.
3. Definitions
For the purposes of this Privacy Policy, the following terms shall have the meanings ascribed to them below:
“Personal Data” means any information relating to an identified or identifiable natural person (a “data subject”), including but not limited to a name, identification number, location data, online identifier, or any factor specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person, as defined under Section 2 of the DPA 2019.
“Sensitive Personal Data” means personal data revealing a natural person’s race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details, sex, or the sexual orientation of the data subject, as defined under Section 2 of the DPA 2019.
“Child” or “Minor” means any person under the age of eighteen (18) years, in accordance with the Kenya Children Act, 2022 and the Constitution of Kenya, Article 260.
“Data Subject” means the identified or identifiable natural person to whom personal data relates.
“Processing” means any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
“Consent” means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes, as defined under Section 2 of the DPA 2019.
“Platform” means the ROAN website (roanldt.co.ke), the ROAN L-OS application, all associated dashboards (administrator, teacher, parent, student, publisher), APIs, and any other digital service provided by ROAN.
“School” or “Institution” means any educational establishment that subscribes to or uses the ROAN L-OS platform.
4. Categories of Personal Data We Collect
We collect and process the following categories of personal data, depending on your role and interaction with our Platform:
4.1 Student Data
- Full legal name, date of birth, gender, nationality, and student identification number
- Grade level, class/section assignment, and academic programme enrolment
- Competency assessment scores (formative and summative), mastery levels (EE/ME/AE/BE), and progression records
- Attendance records, behavioural observations, and intervention history
- Learning disability or special educational needs data (classified as Sensitive Personal Data)
- Platform usage data, login timestamps, and activity logs
4.2 Parent/Guardian Data
- Full name, email address, mobile phone number, and physical address
- Relationship to the student (parent, legal guardian, or authorised representative)
- National identification document or passport number (for verification purposes only)
- Communication preferences and notification settings
4.3 Teacher/Staff Data
- Full name, TSC (Teachers Service Commission) number, email address, and phone number
- Qualifications, teaching subjects, and class/grade assignments
- Assessment input records, grading activity, and platform usage data
- Professional development records and performance analytics
4.4 School Administrator Data
- Name, designation, institutional email, phone number, and official role
- School name, registration number, county, and sub-county
- Subscription tier, billing information, and contract details
4.5 Website Visitor Data
- IP address, browser type, operating system, device type, and screen resolution
- Pages visited, time spent on pages, referral source, and clickstream data
- Contact form submissions (name, email, phone number, enquiry type, message content)
- Cookies and similar tracking technologies (see Section 12)
5. Lawful Basis for Processing
In accordance with Section 30 of the Kenya DPA 2019 and Article 6 of the GDPR, we process personal data only where we have a valid lawful basis. The lawful bases upon which we rely are:
5.1 Consent (Section 32, DPA 2019 / Article 6(1)(a), GDPR)
Where you have given clear, affirmative consent for us to process your personal data for specific purposes. This applies particularly to marketing communications, newsletter subscriptions, and the processing of optional data fields. Consent for processing children’s data is obtained from the parent, guardian, or the subscribing school acting in loco parentis, in accordance with Section 33 of the DPA 2019.
5.2 Performance of a Contract (Section 30(1)(b), DPA 2019 / Article 6(1)(b), GDPR)
Processing necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into a contract. This applies to the provision of the L-OS platform services, including account creation, competency tracking, assessment reporting, and all core platform functionalities.
5.3 Legal Obligation (Section 30(1)(c), DPA 2019 / Article 6(1)(c), GDPR)
Processing necessary for compliance with a legal obligation to which ROAN is subject, including obligations under the Kenya Basic Education Act, 2013, tax laws, and any directives from the Ministry of Education or KICD requiring the maintenance and reporting of student academic records.
5.4 Legitimate Interest (Section 30(1)(f), DPA 2019 / Article 6(1)(f), GDPR)
Processing necessary for the purposes of the legitimate interests pursued by ROAN or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. Our legitimate interests include platform security, fraud prevention, service improvement, anonymised research and analytics, and communication with existing users about service updates.
5.5 Vital Interest (Section 30(1)(d), DPA 2019)
Processing necessary to protect the vital interests of the data subject or of another natural person. This may apply in emergency situations concerning student welfare.
5.6 Public Interest (Section 30(1)(e), DPA 2019)
Processing necessary for the performance of a task carried out in the public interest, particularly in the context of education delivery and curriculum implementation in alignment with national education policy.
6. Purposes of Processing
We process personal data for the following specific purposes:
- To provide, maintain, and improve the ROAN L-OS platform and all associated services
- To create and manage user accounts, authenticate identities, and enforce role-based access controls
- To track, record, and report student competency progression against the KICD curriculum framework and KNEC assessment standards
- To generate the Mastery Score within the 40:60 School-Based Assessment (SBA) to Summative assessment framework
- To operate the Early Warning System (EWS), which notifies parents and teachers of Below Expectations (BE) or Approaching Expectations (AE) ratings in real time
- To trigger Mastery Progression Blocks and targeted interventions when a student records a BE rating
- To generate academic reports, transcripts, analytics dashboards, and data visualisations for authorised stakeholders
- To communicate with users regarding account activity, system updates, service announcements, and support requests
- To process payments, manage subscriptions, and issue invoices
- To conduct anonymised and aggregated research for the purposes of improving educational outcomes, subject to ethical review
- To ensure the security and integrity of the Platform, prevent fraud, detect abuse, and respond to security incidents
- To comply with applicable laws, regulations, court orders, and governmental requests
7. Protection of Children’s Data
Given that the ROAN L-OS platform is designed to serve educational institutions and directly impacts the learning journeys of children from Pre-Primary 1 through Grade 10, the protection of children’s personal data is a paramount concern. We observe the following principles and safeguards:
7.1 Consent for Children’s Data
In accordance with Section 33 of the Kenya DPA 2019, we do not knowingly collect or process personal data directly from children without verifiable consent from a parent, legal guardian, or the subscribing school acting in loco parentis. Where a school subscribes to the L-OS platform, the school acts as the Data Controller for student data and is responsible for obtaining all necessary parental consents prior to onboarding student records onto the Platform.
7.2 Best Interests of the Child
All processing of children’s data is conducted with the best interests of the child as a primary consideration, in accordance with Article 3 of the United Nations Convention on the Rights of the Child and Section 4 of the Kenya Children Act, 2022.
7.3 Data Minimisation
We collect only the minimum amount of children’s personal data necessary to deliver the educational services described in this Policy. We do not collect data that is irrelevant to educational outcomes, and we do not use children’s data for marketing, advertising, profiling for commercial purposes, or any purpose unrelated to their education.
7.4 Restricted Access
Access to children’s personal data is restricted through role-based access controls (RBAC). Only authorised users — specifically, the child’s assigned teachers, school administrators, and the child’s parents or legal guardians — can view a specific child’s data. No third party is granted access to identifiable student data without explicit authorisation from the Data Controller (the subscribing school).
7.5 No Sale of Children’s Data
ROAN does not sell, rent, lease, trade, or otherwise commercially exploit children’s personal data under any circumstances. This prohibition is absolute and applies regardless of whether data is identifiable or de-identified.
7.6 Parental Rights
Parents and legal guardians have the right to review their child’s personal data held on the Platform, request corrections, request deletion (subject to applicable retention obligations), and withdraw consent for future processing. These rights may be exercised by contacting the subscribing school or by writing to ROAN directly at privacy@roanldt.co.ke.
8. Data Sharing and Disclosure
We do not sell personal data to third parties. We may share personal data only in the following circumstances:
8.1 With Subscribing Institutions
Personal data is shared with the subscribing school or educational institution that has enrolled users on the Platform, in accordance with the terms of the applicable subscription agreement and Data Processing Agreement.
8.2 With Service Providers
We may engage trusted third-party service providers to perform functions on our behalf, including cloud hosting, payment processing, email delivery, analytics, and customer support. All such providers are contractually bound to process personal data only on our instructions, maintain appropriate security measures, and comply with applicable data protection laws. We conduct due diligence to ensure that all sub-processors provide sufficient guarantees of compliance.
8.3 With Government and Regulatory Authorities
We may disclose personal data to government authorities, including the Ministry of Education, KICD, KNEC, the Office of the Data Protection Commissioner (ODPC), or any court of competent jurisdiction, where required by law, regulation, court order, or lawful governmental request. Anonymised and aggregated data may also be shared with county or national education authorities for policy planning purposes.
8.4 For Legal Protection
We may disclose personal data where we believe in good faith that such disclosure is necessary to protect our rights, property, or safety, or the rights, property, or safety of our users or others, to investigate fraud or respond to a government request, or to enforce our Terms of Service.
8.5 Business Transfers
In the event of a merger, acquisition, reorganisation, asset sale, or similar corporate transaction, personal data may be transferred to the successor entity, provided that the successor agrees to honour the terms of this Privacy Policy and applicable data protection laws.
9. Cross-Border Data Transfers
ROAN primarily stores and processes personal data within the Republic of Kenya. However, where our service providers or cloud infrastructure operate in jurisdictions outside Kenya, personal data may be transferred to, stored, or processed in those jurisdictions.
In accordance with Section 48 of the Kenya DPA 2019, we shall only transfer personal data outside Kenya where the recipient country or territory has been determined to have adequate data protection safeguards, or where one of the following derogations applies:
- The data subject has given explicit consent to the proposed transfer after having been informed of the possible risks
- The transfer is necessary for the performance of a contract between the data subject and ROAN
- Appropriate safeguards are in place, including Standard Contractual Clauses, binding corporate rules, or an approved certification mechanism
- The transfer is necessary for important reasons of public interest
Where data is transferred to jurisdictions within the European Economic Area, we rely on adequacy decisions or Standard Contractual Clauses approved by the European Commission.
10. Data Security Measures
We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage, in compliance with Section 41 of the Kenya DPA 2019. These measures include but are not limited to:
10.1 Technical Safeguards
- Encryption of personal data both in transit (TLS 1.2 or higher) and at rest (AES-256 encryption)
- Multi-factor authentication (MFA) for all administrative and privileged accounts
- Role-Based Access Control (RBAC) ensuring that users can only access data appropriate to their role
- Regular penetration testing and vulnerability assessments
- Automated intrusion detection and prevention systems
- Regular automated backups with encrypted storage in geographically separate locations
- Secure API endpoints with OAuth 2.0 authentication and rate limiting
10.2 Organisational Safeguards
- Mandatory data protection training for all ROAN employees and contractors
- Confidentiality agreements with all personnel who have access to personal data
- Data protection impact assessments (DPIAs) conducted prior to the introduction of new data processing activities
- Documented incident response and breach notification procedures
- Periodic internal audits of data processing activities and access logs
11. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. Our retention periods are as follows:
| Data Category | Retention Period | Justification |
|---|---|---|
| Student academic records | Duration of enrolment + 7 years | Compliance with Ministry of Education record-keeping requirements |
| Student competency data | Duration of enrolment + 7 years | Longitudinal academic tracking and transcript generation |
| Parent/guardian data | Duration of child’s enrolment + 2 years | Communication continuity and dispute resolution |
| Teacher/staff data | Duration of employment + 3 years | Professional records and regulatory compliance |
| School administrator data | Duration of subscription + 2 years | Contract management and audit trail |
| Website analytics data | 24 months | Service improvement and trend analysis |
| Contact form submissions | 12 months | Response tracking and follow-up |
| Billing and payment records | 7 years | Kenya Income Tax Act compliance |
| Security and access logs | 36 months | Security monitoring and forensic investigation |
Upon expiry of the applicable retention period, personal data shall be securely deleted or irreversibly anonymised. Where data is anonymised, it may be retained indefinitely for statistical and research purposes.
12. Cookies and Tracking Technologies
Our website and Platform use cookies and similar tracking technologies to enhance user experience, analyse usage patterns, and deliver relevant content. A cookie is a small text file that is placed on your device when you visit a website.
12.1 Types of Cookies We Use
Strictly Necessary Cookies: These cookies are essential for the operation of our Platform. They enable core functionalities such as authentication, session management, and security. They cannot be disabled.
Performance and Analytics Cookies: These cookies collect aggregated information about how users interact with the Platform, including pages visited, time spent, and error messages. We use this data to improve the Platform.
Functional Cookies: These cookies remember your preferences and settings (such as language, display preferences, and role selections) to provide a personalised experience.
12.2 Cookie Consent
In accordance with the DPA 2019 and best practice under the GDPR, we obtain your consent before placing non-essential cookies on your device. You may manage your cookie preferences through the cookie consent banner displayed on first visit, or through your browser settings. Please note that disabling certain cookies may affect the functionality of the Platform.
13. Your Rights as a Data Subject
Under the Kenya DPA 2019 (Part IV) and the GDPR (Chapter III), you have the following rights in relation to your personal data:
Right to be Informed (Section 26, DPA 2019): You have the right to be informed about the collection and use of your personal data, the purposes of processing, the retention periods, and your rights. This Privacy Policy fulfils this obligation.
Right of Access (Section 26(a), DPA 2019 / Article 15, GDPR): You have the right to request access to the personal data we hold about you, and to receive a copy of that data in a structured, commonly used, and machine-readable format.
Right to Rectification (Section 26(b), DPA 2019 / Article 16, GDPR): You have the right to request the correction of inaccurate personal data or the completion of incomplete personal data.
Right to Erasure (Section 26(c), DPA 2019 / Article 17, GDPR): You have the right to request the deletion of your personal data where it is no longer necessary for the purpose for which it was collected, where you withdraw consent, or where processing is unlawful. This right is subject to any overriding legal obligations requiring retention.
Right to Restriction of Processing (Article 18, GDPR): You have the right to request that we restrict the processing of your personal data in certain circumstances, including where the accuracy of data is contested or where processing is unlawful.
Right to Data Portability (Section 26(d), DPA 2019 / Article 20, GDPR): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another data controller.
Right to Object (Section 26(e), DPA 2019 / Article 21, GDPR): You have the right to object to the processing of your personal data where processing is based on legitimate interests or public interest. You also have the right to object to processing for direct marketing purposes at any time.
Right Not to be Subject to Automated Decision-Making (Section 35, DPA 2019 / Article 22, GDPR): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, except where such processing is authorised by law or based on explicit consent.
Right to Withdraw Consent: Where processing is based on your consent, you have the right to withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.
Right to Lodge a Complaint: You have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC), P.O. Box 1927-00100, Nairobi, Kenya (complaints@odpc.go.ke). If you are located in the EEA, you may also lodge a complaint with your local supervisory authority.
To exercise any of these rights, please contact us at privacy@roanldt.co.ke or by writing to ROAN Learning Designs Ltd, Nairobi, Kenya. We will respond to your request within thirty (30) days of receipt, in compliance with the DPA 2019. We may request verification of your identity before processing your request.
14. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of data subjects, ROAN shall:
- Notify the Office of the Data Protection Commissioner (ODPC) within seventy-two (72) hours of becoming aware of the breach, in accordance with Section 43 of the DPA 2019
- Notify the subscribing school (as Data Controller) without undue delay where ROAN acts as a Data Processor
- Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms
- Document the breach, including the facts, its effects, and the remedial action taken, maintaining a comprehensive breach register
15. Third-Party Links and Services
The Platform may contain links to third-party websites, services, or applications that are not operated by ROAN. We are not responsible for the privacy practices or content of such third-party services. We encourage you to review the privacy policies of any third-party service before providing personal data. ROAN shall not be liable for any data processing carried out by third parties through external links accessible from the Platform.
16. Changes to This Privacy Policy
We reserve the right to update or modify this Privacy Policy at any time to reflect changes in our data processing practices, legal requirements, or business operations. Where material changes are made, we will notify affected users by email or through a prominent notice on the Platform at least thirty (30) days prior to the changes taking effect. The “Effective Date” at the top of this Policy indicates when it was last revised. Continued use of the Platform after the effective date of any updated Policy constitutes acceptance of the revised terms.
17. Governing Law
This Privacy Policy shall be governed by and construed in accordance with the laws of the Republic of Kenya, including the Data Protection Act, 2019. Any disputes arising from or in connection with this Policy shall be subject to the exclusive jurisdiction of the courts of Kenya, unless otherwise required by mandatory provisions of applicable law (including the GDPR for data subjects located in the EEA).
Version 1.0 | Effective 23 March 2026 | ROAN Learning Designs Ltd