1. Introduction
Sync School Management System ("Sync", "we", "us", or "our") is a product of Bwangubwangu / Livingi Labs, a technology company registered and operating in the Republic of Zambia. We are committed to protecting and respecting your privacy.
This Privacy Policy explains how we collect, use, store, disclose, and protect personal data when you use our AI-powered school management platform, website, mobile applications, APIs, and related services (collectively, the "Service").
By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you are a school administrator registering on behalf of your institution, you confirm that you have authority to consent to data processing on behalf of your school, its staff, students, and parents.
2. Legal Framework & Compliance
This Privacy Policy is drafted in compliance with the following legislation and frameworks applicable in Zambia and across Africa:
πΏπ² Zambian Law
- Data Protection Act No. 3 of 2021 β Zambia's primary data protection legislation, administered by the Office of the Data Protection Commissioner
- Electronic Communications and Transactions Act No. 21 of 2009 β Governing electronic transactions and communications
- Cyber Security and Cyber Crimes Act No. 2 of 2021 β Addressing cybersecurity obligations
- Education Act No. 23 of 2011 β Governing educational institutions and student record-keeping
π African & International Frameworks
- African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention, 2014) β Continental framework for data protection
- SADC Model Law on Data Protection β Southern African Development Community guidelines
- ECOWAS Supplementary Act on Personal Data Protection (2010) β West African data protection standards
- EU General Data Protection Regulation (GDPR) β Where we process data of EU/EEA residents
- Kenya Data Protection Act, 2019 & South Africa POPIA, 2013 β Where our services extend to those jurisdictions
Sync is registered as a data controller with the Office of the Data Protection Commissioner, Zambia, as required under Part III of the Data Protection Act, 2021.
3. Data We Collect
We collect and process the following categories of personal data:
3.1 School Administrator & Staff Data
- Full name, job title, and role designation
- Email address and phone number
- Login credentials (passwords stored in hashed/encrypted form)
- National Registration Card (NRC) number or passport number (where required)
- Employment records and qualifications
3.2 Student Data
- Full name, date of birth, gender, and nationality
- Student identification number
- Academic records: grades, results, report cards, attendance history
- Medical information (allergies, conditions β only as provided by the school)
- Photographs (for identification purposes)
- Parent/guardian contact details
3.3 Parent/Guardian Data
- Full name and relationship to student
- Phone number(s) β used for SMS/WhatsApp communications
- Email address (optional)
- Mobile money transaction details (for fee payment reconciliation)
- Fee payment history and outstanding balances
3.4 Technical & Usage Data
- IP address, browser type, device information
- Access timestamps and usage logs
- Cookies and similar tracking technologies (see our Cookie Policy)
- AI interaction logs (e.g., lesson plans generated, AI assistant queries)
4. How We Collect Data
- Directly from you: When schools register, administrators input data, or parents interact with the system
- From institutions: Schools bulk-upload student and staff records
- Automated collection: Through cookies, server logs, and analytics tools when you use our website or application
- Third-party integrations: Mobile money providers (Airtel Money, MTN Mobile Money) for payment reconciliation
- AI processing: When users interact with our AI Teacher Assistant or AI Accountant features
5. Purpose of Data Processing
We process personal data for the following purposes:
| Purpose | Data Used |
|---|---|
| School administration & student management | Student, staff, and parent data |
| AI-powered lesson plan generation | Teacher profiles, curriculum data |
| Fee collection & mobile money reconciliation | Payment data, parent phone numbers |
| SMS/WhatsApp notifications to parents | Parent contact details, student records |
| Academic reporting & analytics | Grades, attendance, performance data |
| Platform security & fraud prevention | Login data, IP addresses, activity logs |
| Customer support & communication | Contact information, support tickets |
| Product improvement & AI model training | Anonymised usage data, AI interaction logs |
6. Legal Basis for Processing
Under Section 25 of the Zambia Data Protection Act, 2021, and in alignment with Article 6 of GDPR, we process personal data based on one or more of the following legal bases:
- Consent: You or your institution has given explicit consent for data processing
- Contractual Necessity: Processing is necessary to perform our service agreement with your school
- Legal Obligation: Processing is required under Zambian law (e.g., educational record-keeping requirements under the Education Act)
- Legitimate Interest: Processing is necessary for our legitimate business interests (e.g., product improvement, security), provided these do not override your fundamental rights
- Public Interest: Processing in the interest of education delivery as a public good
7. Children's Data & Special Protections
In accordance with Section 41 of the Zambia Data Protection Act and the African Charter on the Rights and Welfare of the Child:
- Children's data is only processed with verifiable consent from the school (acting in loco parentis) or the parent/guardian
- We collect only the minimum data necessary for educational administration
- Children's data is never used for marketing or sold to third parties
- Children's data is never used to train external AI models
- Access to student records is restricted to authorised school personnel and respective parents/guardians
- Enhanced encryption is applied to all children's personal data
8. Data Sharing & Disclosure
We do not sell personal data. We may share data with:
- The subscribing school: Administrators and authorised teachers within the institution
- Mobile money operators: Airtel Zambia, MTN Zambia β strictly for payment processing and reconciliation
- SMS/communication providers: For delivering notifications (data limited to phone numbers and message content)
- Cloud infrastructure providers: For hosting and data storage (with Data Processing Agreements in place)
- Regulatory authorities: The Office of the Data Protection Commissioner, Zambia Revenue Authority, or courts of law where legally required
- Ministry of Education: Aggregated, anonymised educational statistics where required by Zambian law
9. International Data Transfers
Where personal data is transferred outside Zambia (e.g., to cloud servers in other jurisdictions), we ensure compliance with Section 50 of the Data Protection Act, 2021, which requires:
- The recipient country has adequate data protection laws, or
- Appropriate safeguards are in place (Standard Contractual Clauses, binding corporate rules), or
- Explicit consent has been obtained from the data subject
We prioritise African-based data centres where feasible, and all cross-border transfers are documented in our Data Transfer Impact Assessments.
10. Data Security
We implement robust technical and organisational measures as required by Section 33 of the Data Protection Act, including:
π Technical Measures
- AES-256 encryption at rest
- TLS 1.3 encryption in transit
- Bcrypt password hashing
- Regular penetration testing
- Web Application Firewall (WAF)
- Automated backup & disaster recovery
π’ Organisational Measures
- Role-Based Access Control (RBAC)
- Staff data protection training
- Data breach response plan (72-hour notification)
- Data Protection Impact Assessments (DPIAs)
- Appointed Data Protection Officer
- Annual security audits
In the event of a personal data breach, we will notify the Office of the Data Protection Commissioner within 72 hours and affected data subjects without undue delay, as required by Section 36 of the Act.
11. Data Retention
We retain personal data only for as long as necessary for the purposes set out in this policy:
| Data Type | Retention Period |
|---|---|
| Active student records | Duration of enrolment + 7 years |
| Financial/payment records | 7 years (Zambia Revenue Authority requirement) |
| Staff employment records | Duration of employment + 5 years |
| Communication logs (SMS/WhatsApp) | 3 years |
| AI interaction data | 2 years (then anonymised) |
| Server/access logs | 12 months |
| Contact form submissions | 2 years |
Upon termination of a school's subscription, data is retained for 90 days for retrieval, then securely deleted or anonymised. Schools may request immediate deletion in writing.
12. Your Rights
Under the Zambia Data Protection Act, 2021 (Part V) and equivalent African data protection laws, you have the following rights:
Right of Access
Request a copy of the personal data we hold about you or your child
Right to Rectification
Request correction of inaccurate or incomplete personal data
Right to Erasure
Request deletion of your personal data, subject to legal retention requirements
Right to Restrict Processing
Request limitation of how we process your data
Right to Data Portability
Receive your data in a structured, machine-readable format
Right to Object
Object to processing based on legitimate interests or direct marketing
To exercise any of these rights, contact our Data Protection Officer at privacy@bwangubwangu.net. We will respond within 30 days, as required by the Act.
If you are unsatisfied with our response, you have the right to lodge a complaint with the Office of the Data Protection Commissioner, Zambia.
13. Mobile Money & Financial Data
Given the prevalence of mobile money in Zambia and across Africa, we apply additional safeguards:
- Mobile money transaction data is processed solely for fee reconciliation purposes
- We do not store mobile money PINs or passwords
- Transaction data is encrypted and isolated in a separate secure database
- We comply with Bank of Zambia directives on electronic money and the National Payment Systems Act, 2007
- Payment data is shared only with the subscribing school and the relevant mobile money operator
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we do:
- The "Last Updated" date at the top of this page will be revised
- Material changes will be communicated via email to school administrators and via an in-app notification
- Continued use of the Service after changes constitutes acceptance of the revised policy
- For significant changes affecting children's data, we will seek renewed consent from schools