Privacy Policy

Effective 20 May 2026 · Version 2026-05-20

This Privacy Policy explains how B-ne Innovations Limited (“EdifyFlow”, “we”, “us”) collects, uses, stores and protects personal data when you or your school uses the EdifyFlow platform. It is written to be consistent with the Data Protection Act, No. 3 of 2021 of the Republic of Zambia (the “DPA”) and the regulations made under it.

1. Who controls the data

The platform supports two distinct controller relationships:

School data (learners, parents, staff, attendance, grades, payments, files): the school that subscribes is the data controller; EdifyFlow is the data processor acting on the school's instructions. The school must obtain a lawful basis under sections 8 to 11 of the DPA before uploading personal data — including, where applicable, parental consent for learner records.
Platform-account data (signup details, billing contacts, marketing leads, usage analytics, support correspondence): EdifyFlow is the data controller. This Policy covers how we handle that data directly.

2. Categories of data we process

Account & identification: name, work email, password (hashed), school name, role assignments, last sign-in.
School records: learner names, dates of birth, contact details, grades, attendance, payment history, photos and uploaded documents. Sensitive fields (names, emails, phone numbers, dates of birth) are stored using AES-256-GCM with school-scoped sub-keys.
Billing: subscription tier, invoices issued, payment confirmations from Lenco / mobile-money / bank-transfer rails. We do not store full payment card details.
Technical & security: IP address, browser user-agent, session tokens, audit-log entries, performance traces.
Communications: support tickets, sales-demo requests, in-app feedback, and email correspondence.

3. Lawful basis under the DPA

For platform-account data we rely on the following lawful bases (DPA section 8):

Consent — when you create an account and tick the consent box at signup.
Contract performance — to provide the Services you have subscribed to.
Legal obligation — to retain billing and tax records as required by Zambian law.
Legitimate interests — to secure the platform, prevent fraud, and improve the Services, where such interests are not overridden by your rights.

For school records, the school is the controller and is responsible for establishing the lawful basis (typically parental consent or statutory authority).

4. How we use personal data

To deliver, support and bill the Services.
To send service-related communications (verification emails, billing reminders, security alerts, scheduled-deletion notices).
To detect, prevent and respond to fraud, abuse and security incidents.
To comply with legal, regulatory and tax obligations.
To improve product quality through aggregated, non-identifying usage analytics.

We do not sell personal data. We do not use Customer Data to train external AI models. We do not target advertising based on Customer Data.

5. Children's data

The platform contains personal data about learners who are children. We process such data only as a processor under the school's instructions and only to the extent strictly necessary to provide the Services. Access is locked to the learner's own school tenant via a multi-tenant isolation layer, and sensitive identifiers are encrypted at rest. Schools must ensure they have a lawful basis (typically parental consent) before uploading children's data and must respect all child-related restrictions under Zambian law.

7. International transfers

Some of our sub-processors operate data centres outside Zambia. Where personal data is transferred across borders we rely on the conditions in sections 70–73 of the DPA — including contractual safeguards equivalent to those required in Zambia and, where applicable, the consent of the data subject. Schools that need a Zambian-region-only deployment should contact us before subscribing.

8. Retention

Active accounts: data is retained for as long as the subscription is active.
Cancelled / deleted schools: scheduled for permanent deletion 30 days after cancellation. After that window every record (including uploaded files) is irreversibly removed.
Billing records: retained for at least 6 years to satisfy Zambian tax law.
Audit-log metadata: retained for up to 7 years for security and regulatory reasons; sensitive payload fields are redacted at write time.

9. Security measures

Encryption in transit (TLS 1.2+) for every connection.
AES-256-GCM with HKDF per-school sub-keys for sensitive fields at rest.
Argon2 / bcrypt password hashing via Better Auth.
Multi-tenant Prisma isolation layer enforcing a tenant scope on every database query.
Role-based access control with permission gates on every API surface.
Audit logging with PII redaction.
Distributed cron locking via Redis to prevent double-execution.
Rate-limiting on public endpoints to mitigate brute force and signup abuse.

10. Your rights under the DPA

Under sections 27 to 35 of the DPA you have the right to:

Be informed about how your data is processed (this Policy).
Access the personal data we hold about you.
Have inaccurate data corrected.
Have your data erased where there is no overriding legal basis for retention.
Restrict or object to certain processing.
Receive a copy of your data in a structured, machine-readable format (portability).
Withdraw consent at any time, without affecting prior lawful processing.
Lodge a complaint with the Office of the Data Protection Commissioner of Zambia.

To exercise any of these rights, email dpo@edifyflow.com. If your data is held by a school as controller, please contact your school directly — we will assist them with your request.

11. Personal data breach

We have an internal incident-response process. Where a breach is likely to result in risk to the rights and freedoms of natural persons we will notify the Office of the Data Protection Commissioner within seventy-two (72) hours and, where applicable, inform affected data subjects and controller schools without undue delay.

12. Cookies and similar technologies

We use strictly necessary cookies to keep you signed in, remember your preferences, and protect against cross-site request forgery. We do not use third-party advertising or tracking cookies.

13. Data Protection Officer

Our DPO is the contact point for any privacy question, request, or complaint. You can reach the DPO at dpo@edifyflow.com.

14. The supervisory authority

The Office of the Data Protection Commissioner (Zambia) supervises compliance with the Data Protection Act, No. 3 of 2021. You may lodge a complaint with the Office directly if you believe your rights have been infringed.

15. Changes to this Policy

We may update this Policy from time to time. Where the change is material we will notify you by email or in-product banner at least fourteen (14) days before the new version takes effect. Each version is published with an effective date and a version tag at the top of this page.

Privacy Policy

Effective 20 May 2026 · Version 2026-05-20

1. Who controls the data

The platform supports two distinct controller relationships:

School data (learners, parents, staff, attendance, grades, payments, files): the school that subscribes is the data controller; EdifyFlow is the data processor acting on the school's instructions. The school must obtain a lawful basis under sections 8 to 11 of the DPA before uploading personal data — including, where applicable, parental consent for learner records.
Platform-account data (signup details, billing contacts, marketing leads, usage analytics, support correspondence): EdifyFlow is the data controller. This Policy covers how we handle that data directly.

2. Categories of data we process

Account & identification: name, work email, password (hashed), school name, role assignments, last sign-in.
School records: learner names, dates of birth, contact details, grades, attendance, payment history, photos and uploaded documents. Sensitive fields (names, emails, phone numbers, dates of birth) are stored using AES-256-GCM with school-scoped sub-keys.
Billing: subscription tier, invoices issued, payment confirmations from Lenco / mobile-money / bank-transfer rails. We do not store full payment card details.
Technical & security: IP address, browser user-agent, session tokens, audit-log entries, performance traces.
Communications: support tickets, sales-demo requests, in-app feedback, and email correspondence.

3. Lawful basis under the DPA

For platform-account data we rely on the following lawful bases (DPA section 8):

Consent — when you create an account and tick the consent box at signup.
Contract performance — to provide the Services you have subscribed to.
Legal obligation — to retain billing and tax records as required by Zambian law.
Legitimate interests — to secure the platform, prevent fraud, and improve the Services, where such interests are not overridden by your rights.

For school records, the school is the controller and is responsible for establishing the lawful basis (typically parental consent or statutory authority).

4. How we use personal data

To deliver, support and bill the Services.
To send service-related communications (verification emails, billing reminders, security alerts, scheduled-deletion notices).
To detect, prevent and respond to fraud, abuse and security incidents.
To comply with legal, regulatory and tax obligations.
To improve product quality through aggregated, non-identifying usage analytics.

We do not sell personal data. We do not use Customer Data to train external AI models. We do not target advertising based on Customer Data.

5. Children's data

7. International transfers

8. Retention

Active accounts: data is retained for as long as the subscription is active.
Cancelled / deleted schools: scheduled for permanent deletion 30 days after cancellation. After that window every record (including uploaded files) is irreversibly removed.
Billing records: retained for at least 6 years to satisfy Zambian tax law.
Audit-log metadata: retained for up to 7 years for security and regulatory reasons; sensitive payload fields are redacted at write time.

9. Security measures

Encryption in transit (TLS 1.2+) for every connection.
AES-256-GCM with HKDF per-school sub-keys for sensitive fields at rest.
Argon2 / bcrypt password hashing via Better Auth.
Multi-tenant Prisma isolation layer enforcing a tenant scope on every database query.
Role-based access control with permission gates on every API surface.
Audit logging with PII redaction.
Distributed cron locking via Redis to prevent double-execution.
Rate-limiting on public endpoints to mitigate brute force and signup abuse.

10. Your rights under the DPA

Under sections 27 to 35 of the DPA you have the right to:

Be informed about how your data is processed (this Policy).
Access the personal data we hold about you.
Have inaccurate data corrected.
Have your data erased where there is no overriding legal basis for retention.
Restrict or object to certain processing.
Receive a copy of your data in a structured, machine-readable format (portability).
Withdraw consent at any time, without affecting prior lawful processing.
Lodge a complaint with the Office of the Data Protection Commissioner of Zambia.

To exercise any of these rights, email dpo@edifyflow.com. If your data is held by a school as controller, please contact your school directly — we will assist them with your request.

11. Personal data breach

12. Cookies and similar technologies

We use strictly necessary cookies to keep you signed in, remember your preferences, and protect against cross-site request forgery. We do not use third-party advertising or tracking cookies.

13. Data Protection Officer

Our DPO is the contact point for any privacy question, request, or complaint. You can reach the DPO at dpo@edifyflow.com.

1. Who controls the data

2. Categories of data we process

3. Lawful basis under the DPA

4. How we use personal data

5. Children's data

6. Sub-processors and disclosures

7. International transfers

8. Retention

9. Security measures

10. Your rights under the DPA

11. Personal data breach

12. Cookies and similar technologies

13. Data Protection Officer

14. The supervisory authority

15. Changes to this Policy

1. Who controls the data

2. Categories of data we process

3. Lawful basis under the DPA

4. How we use personal data

5. Children's data

6. Sub-processors and disclosures

7. International transfers

8. Retention

9. Security measures

10. Your rights under the DPA

11. Personal data breach

12. Cookies and similar technologies

13. Data Protection Officer

14. The supervisory authority

15. Changes to this Policy