Data Privacy Policy

1. Introduction

Welcome to the Data Privacy Policy for Celebra Education Limited, operating under the trade name Celebra ("Celebra", "we", "us", "our").

We maintain the utmost respect for your privacy and remain unequivocally committed to safeguarding the information that is collected or disclosed to us, hereinafter referred to as "personal data" as elucidated below. In our endeavour to empower you to make judicious decisions pertaining to your privacy and personal data, we have rendered this Privacy Policy as perspicuous and transparent as practicable, thereby ensuring your comprehensive understanding of the rights afforded to you under applicable law.

This Privacy Policy delineates the manner in which Celebra processes personal data concerning individuals with whom we establish contact (hereinafter referred to as "you" or "your") throughout the course of our professional engagements.

This Policy encompasses:

• All users of Celebra's applications, software, databases, websites, social media platforms, and all ancillary resources.
• Third parties associated with the users of Celebra's applications, software, databases, websites, social media platforms, and all supplementary resources.
• Celebra's affiliated parties, including but not limited to trustees, implementing partners, vendors, contractors, regional branches, and any other third party who handles and utilises Celebra's information; and
• Members of the general public.

It is of paramount importance that you peruse this Privacy Policy meticulously and comprehend how we intend to utilise your personal data. This Privacy Policy shall inform you regarding the methodologies we employ to collect, use, disclose, transfer, and store your personal data when you interact with us. Furthermore, it shall apprise you of your privacy rights and the legal protections afforded to you in accordance with the provisions of the Data Protection Act of Kenya, 2019 ("the Act").

2. Statutory Framework: The Data Protection Act of Kenya, 2019

This Privacy Policy is promulgated in strict accordance with the provisions of the Data Protection Act of Kenya, 2019 (No. 24 of 2019). The following statutory provisions constitute the legal foundation upon which our data processing activities are predicated:

3. Who is Responsible for Your Personal Data and How to Contact Them?

Celebra serves as the data processor in relation to the processing activities delineated hereinbelow. This designation signifies that we process your personal data on behalf of the data controller.

Should you harbour any concerns regarding the utilisation of your personal data or possess enquiries pertaining to this Privacy Policy, including any requests to exercise your legal rights under applicable law, or wish to lodge complaints, please direct your correspondence to our Data Protection Officer utilising the contact particulars enumerated below:

4. What Types of Personal Data Do We Process?

When employed within the context of this Privacy Policy, the term "personal data" denotes any information that may be utilised to identify an individual natural person. Please be cognisant that there exist "special categories" of personal data that are of a more sensitive nature and necessitate an elevated level of protection. The personal data we collect shall vary in accordance with the circumstances surrounding our relationship with you.

We may collect, use, store, and transfer the following categories of personal data pertaining to you or persons connected to you where absolutely necessary:

• Personal Details: Including your name, national identity card number or passport number, date of birth, gender, Kenya Revenue Authority (KRA) PIN, nationality, title, children's names, name of the educational institution, names of educators within the respective institutions;
• Contact Information: Encompassing email address, telephone number, and postal address;
• Academic Records: Such as examination results, attendance records, performance analytics, and educational progress data;
• Interaction Information: Pertaining to your interactions with Celebra, including when you utilise our applications, software, databases, websites, social media platforms, and other resources; when you communicate with us through emails or calls which we might record and monitor; or when you participate in our educational programs.

Should we require information concerning other individuals connected to you, we may request you to furnish such information. If you are providing information about another person, we expect you to ensure that they are apprised of your actions and consent to the disclosure by you of their information to us.

5. How Do We Collect Your Personal Data?

We may collect or receive your personal data through a multiplicity of different avenues:

• Direct Provision: Where you provide the personal data directly to us, for example by:
  • Corresponding with us via telephone or electronic mail;
  • Utilising or registering to use our applications, software, databases, websites, social media platforms, and other resources;
  • Entering into a contractual agreement with us.
• Third-Party Sources: From third parties, such as individuals who operate on our behalf and our associated partners; and
• Publicly Available Sources: Including but not limited to internet search engines, public records and registers, and social media accounts (e.g., Facebook, LinkedIn, and Instagram).

Generally, you bear no obligation to provide us with your personal data; however, should you elect not to furnish us with the information we require, we may be unable to render assistance and collaborate with you. We shall endeavour to minimise the quantum of information we request, limiting it solely to that which is necessary to perform the relevant function or service at the time.

6. Cookies and Similar Technologies

Please be advised that in order to enhance our internet service to you, we shall occasionally employ a "cookie" and/or other analogous technologies which may deposit certain information on your computer's hard drive when you visit our website or any of Celebra's online platforms.

A cookie constitutes a small quantum of data that our web server transmits to your web browser when you visit certain portions of our site.

We utilise cookies to perform a multitude of different functions, including facilitating efficient navigation between pages, identifying you subsequent to logging in by storing a temporary reference number in the cookie, enabling you to access stored information if you register for any of our online platforms, and generally ameliorating your online experience.

7. Why Do We Process Your Personal Data?

We shall process your personal data for the following purposes:

• To provide educational products and services to our clients and to communicate with you and/or our clients regarding them;
• To manage, administer, and enhance our business operations, client and service provider engagements and relationships, and for corporate marketing, business development, analysis, and operational purposes;
• To monitor and analyse the utilisation of our products and services for system administration, operation, testing, and support purposes;
• To manage our information technology infrastructure and to ensure the security of our systems and premises;
• To establish, exercise, and/or defend legal claims or rights and to protect, exercise, and enforce our rights, property, or safety, or to assist our clients or others in doing so;
• To investigate and respond to complaints or incidents relating to us or our business, to maintain service quality, and to train staff to handle complaints and disputes;
• To cooperate with, respond to requests from, and to report transactions and/or other activities to government, tax, or regulatory bodies, courts, or other third parties;
• For any additional purposes expressly authorised by you; and
• To comply with applicable laws and regulations.

8. What Legal Basis Do We Rely On for Processing Your Personal Data?

We shall rely upon the following lawful bases for processing your personal data:

• Legitimate Interests: We shall process your personal data to pursue our legitimate business interests and other interests, or those of a third party, except where the processing is unwarranted in any particular case having regard to the harm and prejudice to your rights, freedoms, or legitimate interests.
• Legal and Regulatory Obligations: We shall process your personal data for the purpose of complying with a legal or regulatory obligation, such as when it is necessary to pursue our legitimate interests in cooperating with our regulators and other government authorities, complying with applicable laws, and protecting our businesses.
• Contractual Performance: We shall process your personal data to perform our obligations with respect to the contract we have with you or to take steps prior to entering into such a contract with you.
• Consent: We shall rely on your consent as a lawful basis for processing personal data relating to a minor, processing sensitive personal data outside Kenya, and processing your personal data for the purpose of direct marketing to you. Where you have provided your consent to the processing of your personal data for a specific purpose, you retain the right to withdraw your consent for that specific processing at any time. Please note that by withdrawing your consent, the withdrawal shall not render unlawful our prior processing of your personal data or the processing which is predicated upon other legal bases for processing of your personal data.
• Vital Interests: We shall process your personal data to protect your vital interests or those of another natural person.
• Public Interest: We shall also process your personal data for the performance of a task carried out in the public interest.

9. To Whom Do We Disclose Your Personal Data?

We may disclose your personal data to:

• Third parties such as external accountants, external legal teams, regulators, and other professional bodies;
• Third parties to establish, exercise, or defend our legal rights;
• Public authorities or governments when required by law, public interest, national security, regulation, legal process, or enforceable governmental request;
• Our external service providers with whom we contract for various functions, including but not limited to our IT and office systems, administrative services providers, universities, and research organisations (who may contact you to gather information relating to our products and services). We shall only disclose personal data to our external service providers when it is essential for them to provide their service and we have a contract in place that requires them to maintain the security of your information and not to use it other than in accordance with our specific instructions; and
• Authorised third parties.

10. Where Do We Transfer Your Personal Data?

We may transfer your personal data to regulatory, prosecuting, tax, and governmental authorities, courts and other tribunals, service providers, and other business counterparties located in countries outside Kenya, including countries which maintain different data protection standards to those applicable in Kenya. When we transfer personal data to entities in these countries, we shall take reasonable steps to ensure that they protect your personal data in accordance with appropriate safeguards and other requirements of the Act.

In order to mitigate risks associated with the transfer of data to third parties, Celebra shall only transfer data to a third party if:

• The data is divested of personal and identifiable information where appropriate;
• We possess a lawful basis for such transfer;
• The third party maintains an elevated level of data security that protects personal data against the risk of accidental or unlawful/illegitimate destruction, loss, alteration, unauthorised disclosure of, or access to it.

11. Data Security

We shall undertake and implement appropriate technical and organisational security procedures and measures to protect the security and confidentiality of personal data and to prevent the unauthorised or unlawful processing of personal data and accidental loss or destruction of, or damage to, personal data.

We shall implement the following measures:

• Personal data shall be filed and stored in a manner that is accessible only to authorised personnel and transferred only utilising protected means of communication;
• Our staff members who are permitted access to the personal data shall execute a non-disclosure agreement prohibiting them from utilising the content for business other than the company's core mandate; and
• Private email accounts shall not be employed to transfer personal data.

12. How Long Do We Retain Your Personal Data?

We shall only retain your personal data for such duration as may be reasonably necessary to fulfil the purpose for which it was collected, including to comply with any legal, regulatory, tax, accounting, or reporting information requirements. We may retain your personal data for a longer period if the retention is:

• Required or authorised by law;
• Reasonably necessary for a lawful purpose;
• Authorised or consented to by you;
• For personal data that has been anonymised; or
• For historical, statistical, journalistic, literature and art, or research purposes.

13. What Are Your Rights in Relation to Your Personal Data?

Pursuant to Section 26 of the Data Protection Act of Kenya, 2019 (as reproduced in Section 2 above), you are vested with the following fundamental rights:

• Right to be Informed: Of the use to which your personal data is to be put, as we have endeavoured to outline in this Privacy Policy.
• Right of Access: To your personal data in our custody and to receive a copy of the personal data we hold about you.
• Right to Object: To the processing of all or part of your personal data.
• Right to Correction: Of any false or misleading personal data that we hold about you.
• Right to Deletion: Of any false or misleading personal data about you.

In accordance with Section 27 of the Act, these rights may be exercised by a parent or guardian where the data subject is a minor, by an authorised guardian or administrator where the data subject has a mental or other disability, or by a duly authorised representative in any other case.

To exercise any of these rights, please direct your written correspondence to our Data Protection Officer via the contact details provided in Section 3 above.

14. Other Terms and Conditions

There may exist specific terms and conditions that govern the collection, use, and disclosure of your personal data. Please note that such terms and conditions must be perused in conjunction with this Privacy Policy.

15. Promotional Communications

We may utilise your Personal Data to contact you with newsletters, marketing or promotional communications pertaining to our products, and other information that may be of interest to you. You retain the right to opt out of such communications at any time by following the unsubscribe instructions provided in our emails or by contacting us directly.

16. Amendments to This Privacy Policy

We may update our Privacy Policy from time to time. We shall notify you of any changes by posting the new Privacy Policy on this page. We shall update the "Last Updated" date at the top of this Privacy Policy.

You are advised to review this Privacy Policy periodically for any changes. Changes to this Policy are effective when they are posted on this page.