ShuleSoft Privacy Policy

Scope and Applicability

This Privacy Policy applies to all ShuleSoft products, services, websites, mobile applications, and communication channels, including but not limited to:

• Academic Management System – Student records, class management, timetables, attendance, grading, and academic reporting
• Accounts & Finance System – Fee management, billing, invoicing, payment processing, financial reconciliation, and accounting
• Operations Management – Staff management, procurement, inventory, asset tracking, and administrative workflows
• Digital Learning Platform – E-learning content, assignments, assessments, learning analytics, and educational resources
• Communications Suite – Messaging, announcements, notifications, email services, and SMS gateway
• Parent Experience Mobile App – Parent-teacher communication, student progress tracking, payment portals, and notifications
• SMS Gateway Application – Bulk SMS services, delivery reports, and communication management
• Web Applications and APIs – All web-based platforms and integration endpoints
• Support and Customer Service – Help desk, ticketing, live chat, and technical support channels

ShuleSoft operates under both B2B (Business-to-Business) and B2B2C (Business-to-Business-to-Consumer) models. We serve schools and institutions as our direct customers while also serving end users including parents, students, teachers, and staff members who access our services through their institutions.

About ShuleSoft and Operating Jurisdictions

ShuleSoft is an international education technology and fintech company with operations in multiple countries. Our principal offices are located in:

• Tanzania (Head Office) – Primary operational headquarters
• United States of America – Secondary operations and technical infrastructure

We serve customers globally across Africa, Europe, Asia, North America, and other regions. Because of this international presence, personal data may be processed, stored, and transferred across multiple jurisdictions in accordance with applicable laws, data protection regulations, and contractual obligations.

For operations connected to the United Republic of Tanzania, ShuleSoft is committed to full compliance with the Personal Data Protection Act, 2022 and all regulations, guidelines, and directives issued by the Personal Data Protection Commission of Tanzania or other competent supervisory authorities.

For fintech and payment services operations, ShuleSoft aligns with regulations set forth by the Bank of Tanzania (BOT), Tanzania Communications Regulatory Authority (TCRA) for SMS and communication services, and other relevant financial regulators in jurisdictions where we operate.

Data Controller vs. Data Processor Roles

Depending on the context of service provision, ShuleSoft may act as:

• Data Controller – When we determine the purposes and means of processing personal data (e.g., processing data for our own marketing, website analytics, customer support, billing, and service improvement purposes)
• Data Processor – When we process personal data on behalf of our customers (schools and institutions) according to their instructions (e.g., student records, parent information, staff data managed within our systems by the institution)
• Joint Controller – In certain scenarios where we jointly determine the purposes and means of processing with our customers

This distinction is important because it affects your rights and how you can exercise them. We clearly identify our role in each processing activity throughout this policy.

1. What Information We Collect as Controller

We collect personal information from you directly, automatically through your use of our services, and from third parties. We collect only the information necessary for legitimate business purposes.

A. Information You Provide Directly

• Account Registration – Name, email address, phone number, institution name, role/position, country, preferred language, time zone, username, and encrypted password when you create an account or subscribe to our services
• Payment and Billing Information – Billing name, address, email, phone, company tax ID, and payment method details. We store cardholder name, expiry date, and last four digits of credit/debit cards but never store full card numbers. Payment processing is handled by PCI-DSS compliant payment gateway providers
• Profile Information – Optional information such as profile photo, bio, preferences, notification settings, and communication preferences
• Communications with Us – Content of emails, support tickets, live chat messages, feedback forms, survey responses, event registrations, webinar attendance, and any other communications you send to ShuleSoft
• Marketing and Event Information – Information submitted when downloading whitepapers, registering for events, subscribing to newsletters, requesting product demos, or participating in promotions

B. Information Collected Automatically

• Device and Browser Information – IP address, browser type and version, operating system, device type, device ID, screen resolution, language preference, referring URL, and access times
• Usage and Analytics Data – Pages visited, features accessed, click patterns, navigation paths, session duration, interaction frequency, error logs, performance metrics, and service usage statistics
• Location Information – General location derived from IP address and, with your permission, precise location data from mobile devices for location-based features
• Cookies and Tracking Technologies – We use first-party cookies, local storage, session storage, and similar technologies to maintain login sessions, remember preferences, analyze usage, and improve security. See our detailed cookie policy below
• Mobile Application Data – With your permission, our mobile apps may access device features including camera (for document scanning and profile photos), photo library, push notification tokens, and device identifiers for app analytics

C. Information from Third Parties

• Referrals and Partners – If referred to us by a partner institution, reseller, or referral program participant, we receive your name, email, phone, and institution details
• Social Media and Public Sources – When you interact with our social media profiles or mention us publicly, we may collect publicly available profile information and interaction data
• Authentication Services – If you sign in using Google, Microsoft, or other federated authentication providers, we receive basic profile information (name, email, profile picture) that they share with us according to your authorization
• Business Intelligence Sources – We may enrich our customer and prospect data with business information from public databases, business directories, and data providers to better understand institutional needs

2. How We Use Your Information as Controller

We use the information we collect for the following legitimate business purposes:

• Service Provision and Account Management – To create and maintain your account, authenticate your identity, provide access to services, process transactions, and deliver the features and functionality you've requested
• Billing and Payment Processing – To process subscription payments, generate invoices, manage billing cycles, handle refunds, maintain payment records, and fulfill tax and accounting obligations
• Customer Support – To respond to inquiries, troubleshoot technical issues, provide training assistance, maintain support ticket history, and improve support quality
• Product Improvement and Development – To analyze usage patterns, identify bugs and errors, test new features, conduct research, improve user experience, optimize performance, and develop new products and services
• Communication and Marketing – To send transactional emails (account notifications, password resets, billing alerts), service announcements, product updates, newsletters, promotional offers, event invitations, and educational content. You can opt out of marketing communications at any time
• Security and Fraud Prevention – To detect and prevent unauthorized access, fraudulent transactions, abuse, spam, security incidents, and violations of our Terms of Service. This includes monitoring login attempts, analyzing transaction patterns, and maintaining audit logs
• Compliance and Legal Obligations – To comply with applicable laws, regulations, court orders, government requests, tax obligations, financial reporting requirements, and regulatory audits
• Business Operations – To manage our business relationships, conduct internal audits, perform analytics, maintain records, enforce contracts, and protect our legal rights

3. Legal Basis for Processing (Controller Capacity)

For individuals in jurisdictions requiring specific legal bases for data processing (including Tanzania under the Personal Data Protection Act, 2022, and the European Economic Area under GDPR), we rely on the following legal grounds:

• Contractual Necessity – Processing is necessary to perform our contract with you (Terms of Service) or to take steps at your request before entering into a contract
• Legitimate Interests – Processing is necessary for our legitimate business interests or those of third parties, provided these interests do not override your fundamental rights and freedoms. Legitimate interests include fraud prevention, network security, direct marketing to existing customers, and business development
• Legal Obligation – Processing is necessary to comply with legal obligations under Tanzanian law, US law, or other applicable jurisdictions (tax, financial reporting, law enforcement requests, regulatory requirements)
• Consent – Where required by law, we obtain your explicit consent for specific processing activities such as marketing communications, cookies, or sensitive data processing. You have the right to withdraw consent at any time without affecting prior lawful processing
• Vital Interests – In rare cases, processing may be necessary to protect your vital interests or those of another person (emergency situations)

4. How We Share Your Information

We do not sell, rent, or trade your personal information. We share your information only in the limited circumstances described below, and only with parties that maintain appropriate security measures and confidentiality obligations.

• Within ShuleSoft Group – Shared among ShuleSoft entities and subsidiaries for purposes described in this policy, including service delivery, support, and business operations
• Service Providers and Subprocessors – Shared with carefully vetted third-party vendors who assist us with: hosting infrastructure (cloud services), email delivery, SMS gateway services, payment processing, customer support tools, analytics platforms, marketing automation, and security services. These providers are contractually obligated to use data only for specified purposes and maintain appropriate safeguards. You can request our current list of subprocessors by contacting [email protected]
• Financial Partners and Payment Ecosystem – For fintech services, we share necessary information with banks, microfinance institutions, payment service providers (PSPs), mobile money operators, card networks, and payment gateways to facilitate transactions, settlements, reconciliation, and regulatory reporting required by the Bank of Tanzania and other financial regulators
• Business Partners and Resellers – If you engage with an authorized ShuleSoft reseller or partner, we share your contact information and service details to enable them to provide localized support and services. You can opt out of partner communications at any time
• Professional Advisors – Shared with lawyers, auditors, accountants, insurance providers, and consultants who require access for professional services
• Regulatory Authorities and Law Enforcement – Disclosed to government agencies, regulators (including Bank of Tanzania, Tanzania Communications Regulatory Authority, Personal Data Protection Commission), courts, and law enforcement when required by law, legal process, court order, subpoena, or government request, or when necessary to protect safety and prevent illegal activities
• Business Transfers – In the event of a merger, acquisition, reorganization, asset sale, or similar corporate transaction, personal data may be transferred to the successor entity, subject to the same privacy commitments. We will notify you via email and/or prominent website notice before any such transfer
• With Your Consent – We may share your information with third parties when you explicitly authorize us to do so

5. Data Retention (Controller Data)

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal and regulatory obligations, resolve disputes, enforce agreements, and maintain business records.

Typical retention periods include:

• Account Data – Retained while your account is active, plus 6-12 months after account closure for record-keeping and legal purposes
• Billing and Financial Records – Retained for 7-10 years as required by tax laws and accounting standards in Tanzania and other jurisdictions
• Support Communications – Retained for 3-5 years to maintain service history and quality records
• Marketing Data – Retained until you unsubscribe or request deletion (excluding suppression lists maintained to honor opt-out requests)
• Security and Audit Logs – Retained for 1-3 years for security monitoring, incident investigation, and compliance auditing

When data is no longer needed, we securely delete or anonymize it. Backups are retained according to our disaster recovery schedule (typically 3-6 months) and then permanently deleted.

6. Your Rights and Choices

You have significant rights with respect to personal information we hold about you as a controller. ShuleSoft extends these rights to all users worldwide, regardless of location.

Data Subject Rights

• Right to Access – You have the right to request confirmation of what personal information we hold about you, obtain a copy of that information, and receive details about how we process it (categories, purposes, recipients, retention periods, sources)
• Right to Rectification – You have the right to request correction of inaccurate or incomplete personal information. You can update many details directly in your account settings
• Right to Erasure ("Right to be Forgotten") – You have the right to request deletion of your personal information in certain circumstances (when no longer necessary, consent withdrawn, unlawfully processed, or legal obligation to delete). This right is subject to limitations where we have legal obligations to retain data
• Right to Restriction of Processing – You have the right to request that we restrict processing of your personal information in specific circumstances (accuracy disputed, processing unlawful but you oppose deletion, data no longer needed for our purposes but you need it for legal claims, pending objection resolution)
• Right to Data Portability – Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller
• Right to Object – You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we demonstrate compelling legitimate grounds that override your interests
• Right to Withdraw Consent – Where processing is based on consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal
• Right to Lodge a Complaint – You have the right to lodge a complaint with a supervisory authority, particularly in Tanzania with the Personal Data Protection Commission or in your country of residence if different

How to Exercise Your Rights

To exercise any of these rights, contact us at [email protected] or [email protected]. Please include:

• Your full name and email address associated with your account
• Your institution name (if applicable)
• Specific right(s) you wish to exercise
• Details of your request
• Country of residence

We will respond to your request within 30 days (or as required by applicable law). We may need to verify your identity before processing your request to protect your privacy and security.

Additional Choices

• Marketing Opt-Out – Unsubscribe from marketing emails using the "unsubscribe" link in any promotional email, or manage preferences in your account settings. You will continue to receive essential transactional and service-related communications
• Cookie Management – Manage cookie preferences through your browser settings. Note that disabling essential cookies may affect website functionality
• Mobile App Permissions – Control app permissions (camera, location, notifications) through your device settings
• Push Notifications – Disable push notifications in app settings or device settings

1. Service Data We Process as Processor

When schools and institutions use ShuleSoft products to manage their operations, they entrust us with personal data belonging to their students, parents, teachers, staff, and other stakeholders. This data is called "Service Data" and includes:

• Student Information – Names, date of birth, gender, student ID numbers, admission details, class assignments, academic records, grades, attendance, disciplinary records, health information, special educational needs, parent/guardian details, and photos
• Parent/Guardian Information – Names, relationships, contact details (email, phone, address), occupation, emergency contacts, and communication preferences
• Teacher and Staff Information – Names, employee ID, contact details, employment history, qualifications, certifications, salary information, payroll data, performance evaluations, and attendance records
• Financial and Payment Data – Fee structures, payment records, invoices, receipts, balances, debt records, and banking information for disbursements
• Communication Content – Messages, announcements, emails, SMS content, notification content sent through our platforms
• Learning Data – Assignment submissions, assessment results, learning progress, digital content, education resources, and learning analytics
• Administrative Records – Procurement records, inventory data, asset information, facility management data, and operational documents
• Mobile App Data – With permission, data from mobile device features (photos from library, camera captures, contacts) that users upload or share through our apps

Important: Your school or institution, not ShuleSoft, determines what Service Data is collected, how it is used, who has access to it, and how long it is retained. ShuleSoft processes this data only according to the institution's instructions and our service agreement.

2. How We Process Service Data

We process Service Data strictly to provide the services requested by the institution:

• Storing and organizing student, parent, teacher, and staff records
• Generating reports, transcripts, certificates, and administrative documents
• Processing fee payments, generating invoices, and managing financial records
• Sending notifications, messages, emails, and SMS on behalf of the institution
• Hosting e-learning content and tracking learning progress
• Facilitating communication between institution, parents, students, and teachers
• Managing timetables, attendance tracking, and grade calculations
• Enabling collaboration and workflow automation
• Providing technical support when institutions request assistance
• Maintaining backups and disaster recovery copies for data protection

3. Ownership and Control of Service Data

Your institution owns and controls its Service Data. ShuleSoft does not:

• Use Service Data for our own marketing or advertising purposes
• Sell, rent, or share Service Data with third parties for their purposes
• Make decisions about Service Data without institutional authorization
• Retain Service Data longer than necessary or instructed

Institutions have full control to:

• Access, view, download, and export their Service Data at any time
• Configure user permissions and data access controls
• Delete or modify Service Data directly within the system
• Integrate with third-party services they choose
• Request data exports in machine-readable formats
• Terminate services and request deletion of all Service Data

4. Data Retention (Service Data)

We retain Service Data for as long as the institution maintains an active account with ShuleSoft. Upon account termination or expiration:

• Service Data remains accessible for 30 days to allow for data export and transition
• After 30 days, Service Data is deleted from active production systems
• Backup copies are deleted within 6 months following normal backup rotation cycles
• Critical financial and audit records may be retained longer where required by law (Tanzania tax laws, BOT regulations)

Institutions can request immediate deletion or specific retention schedules by contacting us at [email protected] before account termination.

5. Your Rights Regarding Service Data

If you are a student, parent, teacher, or staff member whose information is processed through ShuleSoft by your school or institution:

Please contact your school or institution first to exercise your data rights (access, correction, deletion, portability, etc.). Your institution is the data controller for Service Data and is best positioned to respond to your requests.

If your institution asks us to assist in responding to your request, we will cooperate and provide necessary support within a reasonable timeframe. You can also contact us directly at [email protected], and we will coordinate with your institution to address your request.

1. Data Security and Protection Measures

ShuleSoft takes data security extremely seriously. We implement comprehensive technical, organizational, and administrative safeguards to protect personal data from unauthorized access, disclosure, alteration, and destruction.

Technical Security Measures

• Encryption – HTTPS/TLS encryption for data in transit; encryption at rest for sensitive data including passwords, payment information, and personally identifiable information
• Access Controls – Role-based access control (RBAC), multi-factor authentication (MFA) options, password complexity requirements, and session management
• Network Security – Firewalls, intrusion detection/prevention systems (IDS/IPS), DDoS protection, and network segmentation
• Infrastructure Security – Hosting with industry-leading cloud providers with ISO 27001, SOC 2, and other certifications; regular security patch management
• Database Security – Database access logging, query monitoring, SQL injection prevention, and encrypted connections
• Application Security – Secure coding practices, input validation, output encoding, CSRF protection, and security testing

Organizational Security Measures

• Access Management – Least privilege principle, need-to-know basis, regular access reviews, and immediate revocation upon employee departure
• Employee Training – Mandatory security and privacy training for all employees; specialized training for technical staff
• Confidentiality Obligations – All employees and contractors sign confidentiality and data protection agreements
• Vendor Management – Thorough security assessments of all subprocessors and service providers; contractual security obligations
• Incident Response – Documented incident response plan, security monitoring, breach notification procedures, and forensic capabilities
• Backup and Recovery – Regular automated backups, geographically distributed backup storage, tested disaster recovery procedures
• Security Testing – Regular vulnerability assessments, penetration testing, code reviews, and security audits

For detailed information about our security practices, certifications, and compliance frameworks, visit our Security Center or contact [email protected].

2. International Data Transfers

ShuleSoft operates globally with infrastructure and personnel in multiple countries. When you use our services, your personal data may be transferred to, stored in, and processed in countries outside your country of residence, including:

• Tanzania – Primary data processing and business operations
• United States – Infrastructure, technical operations, and support services
• Other Countries – Through carefully vetted cloud infrastructure providers and service partners

These countries may have data protection laws different from those in your country. When we transfer personal data internationally, we implement appropriate safeguards:

• Standard Contractual Clauses (SCCs) – We use SCCs approved by competent supervisory authorities for transfers between ShuleSoft entities and with processors
• Data Processing Agreements (DPAs) – Contractual obligations requiring processors to maintain appropriate security and comply with data protection laws
• Adequacy Decisions – We rely on adequacy decisions by competent authorities where available
• Consent – Where required, we obtain explicit consent for international transfers
• Technical Safeguards – Encryption, access controls, and security measures regardless of data location

To request a copy of the safeguards we use for international transfers, contact [email protected].

3. Fintech Services and Regulatory Compliance

ShuleSoft provides fintech-enabled services including fee payment processing, mobile money integrations, bank integrations, electronic fund transfers, and financial reconciliation services. These services are subject to specialized regulatory requirements.

Bank of Tanzania (BOT) Compliance

For fintech operations in Tanzania, ShuleSoft complies with regulations issued by the Bank of Tanzania, including:

• Payment Systems Regulations – Requirements for electronic payment services, security standards, settlement procedures, and consumer protection
• Anti-Money Laundering (AML) Requirements – Customer due diligence, transaction monitoring, suspicious activity reporting, and record-keeping obligations
• Know Your Customer (KYC) Standards – Identity verification and customer identification procedures
• Data Protection for Financial Services – Enhanced security requirements for financial and payment data
• Audit and Reporting Requirements – Regulatory reporting, audit trails, and compliance monitoring

Financial Data Processing

We process financial data for the following purposes:

• Processing tuition fee payments, invoicing, and receipts
• Facilitating mobile money payments (M-Pesa, Tigo Pesa, Airtel Money, etc.)
• Bank account reconciliation and settlement
• Payment gateway integrations for card and mobile payments
• Transaction monitoring for fraud prevention and AML compliance
• Financial reporting and reconciliation for institutions
• Tax compliance and regulatory reporting

Financial Data Protection

• PCI DSS Compliance – We do not store full credit card numbers; payment processing uses PCI DSS Level 1 certified payment gateways
• Enhanced Encryption – Additional encryption layers for financial data both in transit and at rest
• Transaction Logging – Comprehensive audit trails for all financial transactions with tamper-proof logging
• Access Restrictions – Strict access controls limiting financial data access to authorized personnel only
• Fraud Monitoring – Real-time transaction monitoring, anomaly detection, and automated fraud prevention systems

Third-Party Financial Partners

We share necessary financial data with authorized partners including:

• Licensed banks and microfinance institutions
• BOT-regulated payment service providers and mobile network operators
• PCI DSS certified payment gateways and card processors
• Tanzania Revenue Authority (TRA) for tax compliance
• External auditors as required by financial regulations

All financial partners are contractually obligated to maintain equivalent or higher security standards and comply with applicable financial regulations.

4. Children's Data and Student Privacy

ShuleSoft services are widely used in educational settings involving children and minors. We recognize the heightened privacy sensitivity of children's personal information.

Age Threshold and Consent

• Our direct services (account registration, website) are not intended for children under 16 years of age
• We do not knowingly collect personal information directly from children under 16 without parental or guardian consent or school authorization
• If we learn we have collected information from a child under 16 without proper authorization, we will delete it promptly

Educational Context Processing

When schools use ShuleSoft to manage student information, the school (not ShuleSoft) is responsible for:

• Obtaining necessary parental consent and providing required notices under applicable laws
• Determining what student information is collected and how it is used
• Ensuring compliance with educational data protection laws and student privacy regulations
• Maintaining appropriate records of consent and authorization
• Responding to parent and student data rights requests

ShuleSoft's Commitments for Student Data

• We process student data only as authorized and instructed by the educational institution
• We do not use student data for marketing, advertising, or behavioral profiling
• We do not sell or share student data with third parties except as necessary to provide services
• We apply enhanced security measures to protect children's information
• We support schools in responding to parental requests regarding student data
• We facilitate data portability and deletion when schools request it

Parental Rights

If you are a parent or guardian and believe your child's data is processed by ShuleSoft:

• Contact your child's school first to review, correct, or delete their information
• Contact us at [email protected] if you believe we have improperly collected your child's information
• You can request deletion of any data we hold about your child (subject to the school's retention requirements)

5. Mobile Apps and App Store Compliance

ShuleSoft distributes mobile applications through Google Play Store and Apple App Store. Our data practices comply with developer policies and requirements of both platforms.

Google Play Store Compliance

• Data Safety Section – Accurate disclosure of data collection, sharing, and security practices in Google Play listings
• User Data Policy Compliance – Transparent handling of personal and sensitive user data; security requirements; restricted data access
• Permissions – We request only necessary Android permissions; users can review and modify app permissions in device settings
• Families Policy – Additional protections when apps are used by children; parental consent mechanisms

Apple App Store Compliance

• App Privacy Details – Accurate privacy nutrition labels disclosed in App Store listings showing data collection practices
• App Tracking Transparency (ATT) – No cross-app tracking; compliance with iOS 14.5+ requirements
• Permissions – Clear explanations for iOS permissions (camera, photos, location, notifications); users can manage in Settings
• Data Minimization – Collection limited to data necessary for app functionality

Mobile App Data Collection

Our mobile apps may collect and process:

• Account credentials (username, email, encrypted password)
• Device identifiers (device ID, OS version, app version)
• Usage analytics (features used, session duration, error logs)
• Push notification tokens (for sending notifications with your permission)
• Camera and photo library access (with permission, for document scanning and profile photos)
• Location data (with permission, for location-based features like attendance geofencing)

Third-Party SDKs in Mobile Apps

Our mobile apps may include:

• Firebase (Google) – Analytics, crash reporting, push notifications
• Payment SDKs – For in-app payment processing
• Authentication SDKs – For secure login and identity verification

These SDKs are configured with privacy-preserving settings and do not enable cross-app tracking or advertising. You can review their privacy policies independently.

App Permissions Management

You can manage app permissions at any time:

• Android – Settings → Apps → ShuleSoft App → Permissions
• iOS – Settings → ShuleSoft App → Permissions (or Settings → Privacy)

Denying permissions may limit certain app features but will not prevent basic functionality.

6. Cookies and Tracking Technologies

ShuleSoft uses cookies and similar tracking technologies on our websites and web applications to provide functionality, analyze usage, remember preferences, and improve security.

Types of Cookies We Use

• Essential Cookies – Strictly necessary for the website to function; enable login sessions, security features, load balancing, and basic functionality. These cannot be disabled without breaking core features
• Functional Cookies – Remember your preferences (language, theme, dashboard layout) and settings to provide enhanced, personalized features
• Analytics Cookies – Help us understand how visitors use our websites, which pages are most popular, where errors occur, and how we can improve user experience. We primarily use first-party analytics
• Security Cookies – Detect and prevent fraudulent activity, authenticate users, protect against cross-site request forgery (CSRF), and monitor suspicious behavior

Other Tracking Technologies

• Local Storage – Browser-based storage for application state, user preferences, and cached data
• Session Storage – Temporary storage that clears when you close your browser
• Web Beacons/Pixels – Small images that help track email opens and webpage visits
• Log Files – Automatically collected information about your device, browser, and interactions

Third-Party Cookies

We do not use third-party advertising cookies or behavioral tracking. Limited third-party cookies may be set by:

• Payment processors (during checkout)
• Authentication providers (during federated login)
• Support chat services (when you initiate live chat)

Cookie Management

You can control cookies through:

• Browser Settings – Most browsers allow you to block or delete cookies. Consult your browser's help documentation
• Cookie Consent Banner – Manage preferences through our cookie consent tool (where applicable)
• Opt-Out Tools – Use browser extensions or privacy tools to manage tracking preferences

Note: Disabling essential cookies will prevent you from logging in and using core platform features.

7. Third-Party Services and External Links

ShuleSoft integrates with and links to third-party services and websites. This Privacy Policy does not apply to third-party services, which have their own independent privacy policies.

Third-Party Integrations

Our services may integrate with:

• Payment gateways and mobile money providers
• Banks and financial institutions
• SMS gateway providers and telecommunications partners
• Cloud storage services
• Learning management and content platforms
• Video conferencing tools
• Authentication providers (Google, Microsoft)

When you enable third-party integrations, you authorize data sharing with those services according to your integration settings. Please review their privacy policies before enabling integrations.

External Links

Our websites and emails may contain links to external websites for reference, resources, partners, or educational content. We are not responsible for the privacy practices or content of external sites. We recommend reviewing their privacy policies before providing personal information.

Social Media Widgets

Our websites may include social media sharing buttons (Facebook, Twitter, LinkedIn) that allow you to share content. These widgets may collect information about your visit (IP address, page visited) and may set cookies. Your interactions with these widgets are governed by the privacy policies of the respective social media companies.

8. Legal Disclosures and Enforcement

ShuleSoft may disclose personal data when required by law or necessary to protect our legal rights and the safety of our users.

Legal and Regulatory Compliance

We may disclose personal information to comply with:

• Legal obligations, court orders, subpoenas, warrants, or legal processes
• Requests from government authorities, law enforcement, or regulatory agencies (Personal Data Protection Commission, Bank of Tanzania, Tanzania Revenue Authority, Tanzania Communications Regulatory Authority)
• Tax reporting, financial audits, and compliance investigations
• National security or public safety requirements

Enforcement of Our Rights

We may disclose personal information to:

• Enforce our Terms of Service, Usage Policies, and other agreements
• Investigate and prevent fraud, security breaches, abuse, spam, or illegal activities
• Protect the rights, property, and safety of ShuleSoft, our users, and the public
• Defend against legal claims and litigation
• Cooperate with investigations by authorities or legal proceedings

Emergency Circumstances

In emergency situations involving imminent danger to life, health, or safety, we may disclose personal information to appropriate authorities or parties without prior notice or consent if we believe in good faith that such disclosure is necessary.

9. Business Transfers and Corporate Transactions

While ShuleSoft has no current plans to sell or transfer its business, in the event of a merger, acquisition, reorganization, bankruptcy, receivership, asset sale, or similar corporate transaction:

• Personal data and Service Data may be transferred to a successor entity or acquirer
• The acquiring entity will be bound to honor the commitments in this Privacy Policy
• We will notify you via email and/or prominent website notice at least 30 days before any transfer of personal data to a new entity
• You will be informed of any changes to data handling practices and given choices regarding your information
• You may have the right to delete your account and data before the transfer (subject to legal retention requirements)

During due diligence for potential transactions, we may share limited information with prospective buyers under strict confidentiality agreements.

10. Data Protection Officer and Contact Information

ShuleSoft has appointed a Data Protection Officer (DPO) to oversee our data protection strategy, ensure compliance with privacy laws, and serve as the point of contact for data protection authorities and data subjects.

How to Contact Us

For privacy, data protection, compliance questions, or to exercise your data rights:

• Email: [email protected] (Privacy inquiries)
• Email: [email protected] (Data Protection Officer)
• Email: [email protected] (General support and data requests)
• Email: [email protected] (Security incidents and concerns)
• Email: [email protected] (Legal, compliance, DPA requests)

When contacting us, please include:

• Your full name and email address
• Your institution name (if applicable)
• Country of residence
• Specific products or services your inquiry relates to
• Detailed description of your question, request, or concern

We will respond to your inquiry within:

• Privacy Rights Requests: 30 days (may be extended to 60 days for complex requests)
• General Inquiries: 5-7 business days
• Security Incidents: 24-48 hours

11. Data Processing Agreements (DPA)

For customers (schools and institutions) who require a formal Data Processing Agreement to comply with their own data protection obligations:

• ShuleSoft provides GDPR-compliant and Tanzania PDPA-compliant DPAs upon request
• DPAs include Standard Contractual Clauses for international data transfers where applicable
• We cooperate with customers in responding to data subject requests and privacy incidents
• We maintain records of processing activities and make them available for audit purposes

To request a DPA or discuss specific contractual requirements for data processing, contact [email protected].

12. Supervisory Authority and Complaints

If you believe ShuleSoft has not adequately addressed your privacy concerns or you wish to lodge a formal complaint:

Tanzania

Contact the Personal Data Protection Commission – the supervisory authority responsible for enforcing the Personal Data Protection Act, 2022 in Tanzania.

European Economic Area

If you are in the EEA, you have the right to lodge a complaint with your national data protection authority or with the lead supervisory authority overseeing ShuleSoft's operations.

Other Jurisdictions

Contact the data protection or privacy authority in your country or jurisdiction. We will cooperate fully with supervisory authorities in investigations and compliance matters.

We encourage you to contact us first at [email protected] so we have an opportunity to address your concerns directly before escalating to a supervisory authority.

13. Changes to This Privacy Policy

ShuleSoft may update this Privacy Policy periodically to reflect changes in our practices, services, legal requirements, or industry standards.

Notification of Changes

• Material Changes – For significant changes that affect your rights or how we use personal data, we will provide at least 30 days' advance notice via email to your registered email address and/or prominent notice on our website and within our applications
• Minor Changes – For non-material changes (clarifications, contact updates, formatting), we will update this page with a new "Last Updated" date. We encourage you to review this policy periodically

Your Consent to Changes

Continued use of ShuleSoft services after the effective date of changes constitutes your acceptance of the updated Privacy Policy. If you do not agree with changes, you can:

• Terminate your account within 30 days of receiving notice of material changes
• Request deletion of your data (subject to legal retention requirements)
• Contact us to discuss concerns at [email protected]

Version History

Previous versions of this Privacy Policy are archived and available upon request. Contact [email protected] to request historical versions.

14. Interpretation and Governing Law

This Privacy Policy should be read in conjunction with our Terms of Service and other applicable policies. In the event of any conflict between translated versions of this policy, the English version shall prevail.

This Privacy Policy is governed by and construed in accordance with the laws of the United Republic of Tanzania. Any disputes arising from this Privacy Policy shall be subject to the exclusive jurisdiction of the courts of Tanzania, unless otherwise required by applicable law in your jurisdiction.

4. How We Use Personal Data

• To provide and maintain requested services and product functionality.
• To administer institutions, users, access rights, and service configurations.
• To process communications, alerts, and operational notifications.
• To support invoicing, settlement, payment operations, and financial reconciliation.
• To detect, prevent, and investigate fraud, abuse, and security incidents.
• To comply with legal, regulatory, tax, audit, and reporting obligations.
• To improve service quality, reliability, usability, and product performance.

5. Legal Basis for Processing

Depending on the service and jurisdiction, ShuleSoft processes data based on one or more lawful grounds, including contractual necessity, legitimate interests, legal obligations, protection of vital interests, and consent where required.

6. Data Sharing and Disclosure

ShuleSoft does not sell personal data. Data may be disclosed only to the extent necessary, such as:

• Authorized customers and institutions using the platform.
• Vetted subprocessors and service providers under contractual confidentiality and security obligations.
• Banking, payment, and regulated financial ecosystem partners for legitimate fintech operations.
• Auditors, regulators, courts, law enforcement, or government authorities when legally required.
• Corporate advisors in the context of lawful restructuring, merger, acquisition, or asset transfer.

7. Fintech and Regulatory Compliance

Where ShuleSoft provides or supports fintech-related services (including integrations with banks, microfinance institutions, and payment service providers), data handling follows applicable financial-sector obligations, risk controls, and records requirements, including alignment with Bank of Tanzania (BOT) regulations where applicable.

Financial and payment processing activities are subject to security monitoring, auditability, reconciliation controls, and regulatory cooperation obligations in relevant jurisdictions.

8. International Data Transfers

Because ShuleSoft serves customers worldwide, data may be transferred across borders. Where required, cross-border transfers are protected through lawful transfer mechanisms, contractual safeguards, and security controls appropriate to the destination jurisdiction.

9. Data Security and Integrity

ShuleSoft applies technical and organizational measures designed to protect confidentiality, integrity, and availability of data, including access controls, encryption in transit where appropriate, environment segregation, logging, monitoring, and incident response procedures. No method of transmission or storage is completely risk-free, but we continuously improve safeguards in line with evolving standards.

10. Data Retention

Personal data is retained only for as long as necessary to fulfill business, contractual, legal, educational, accounting, tax, regulatory, and dispute-resolution requirements. Retention periods vary by data category, customer instruction, and legal obligation.

11. Children and Student Data

Many ShuleSoft services are used in education contexts involving minors. Data for students is processed under instruction of the relevant institution, parent/guardian authority, and applicable law. Institutions remain responsible for obtaining required notices, permissions, and lawful grounds for educational records processing.

12. Mobile Apps and App Store Compliance

For apps distributed through Google Play and Apple App Store, ShuleSoft aligns privacy disclosures and data handling practices with applicable platform developer policies, including transparency about data collection, usage purpose, sharing, security, and user choices required during app review and publication.

13. Cookies, Analytics, and Similar Technologies

ShuleSoft may use cookies, local storage, SDK events, and analytics tools to maintain sessions, improve functionality, secure services, and measure performance. Users can manage certain preferences through browser or device settings where available.

14. Your Privacy Rights and Requests

• Request access to personal data and related processing information.
• Request correction of inaccurate or incomplete data.
• Request deletion where applicable and legally permitted.
• Request restriction or objection to processing in specific scenarios.
• Request lawful data portability where applicable.

Where ShuleSoft acts as processor for an institution, requests may be directed to the institution first, and we will support responses according to contract and law.

15. Third-Party Services and Links

ShuleSoft services may connect to third-party systems, including payment gateways, telecom channels, banks, cloud providers, and partner tools. Their independent terms and privacy notices apply to processing under their control.

16. Changes to This Policy

We may update this policy periodically to reflect legal, technical, business, or operational changes. Material updates will be published on this page with an updated effective date.