Data Protection & Privacy Policy

1. Data controller and contact

The data controller is the licensed school using this platform. Prepare Education Uganda acts as the data processor on the school's behalf, and is registered with the National Information Technology Authority — Uganda (NITA-U) as required under section 29 of the Data Protection and Privacy Act, 2019.

2. Personal data we process

For each student record created by a counsellor: full name, gender, age, class, O-Level achievement levels (A–E under the new NCDC / UNEB grading), individual interests, passions, career aspirations, reading habits, RIASEC personality responses, learning style, and at progressive review S.5 Term 1 marks, daily routine, conduct and any special circumstances disclosed.

For each counsellor account: name, school, email or school access code, role and last sign-in.

3. Lawful basis — informed and explicit consent

In line with sections 7 and 8 of the Data Protection and Privacy Act, no student record is stored unless the counsellor confirms, on the consent screen, that the student (and parent or legal guardian where the student is a minor) has been informed and has freely consented to the processing. Consent may be withdrawn at any time by writing to the school.

4. Purpose limitation

Personal data is processed solely to produce A-Level combination guidance and progressive academic reviews. It is not used for marketing, profiling outside this purpose, or any automated decision with legal effect on the student. Counsellors retain final professional judgement on every recommendation.

5. Access controls and confidentiality

Each student record is tied to the originating counsellor account. Row-level security on the database prevents any other counsellor, school, or third party from accessing another counsellor's records. Platform administrators only access aggregated billing data, support tickets the user raises, and the schools they have onboarded; they do not read individual student records except when required by law or by a written request from the licensed school.

6. AI processing and cross-border transfer

Personal data is transmitted to a third-party AI gateway (Lovable AI) only at the moment a recommendation is requested. The data is not used to train any AI model. Where the AI provider processes data outside Uganda, this transfer is permitted under section 19 of the Data Protection and Privacy Act because the receiving jurisdiction provides adequate protection, processing is necessary for the contracted service, and the school has obtained the data subject's consent.

7. Retention and deletion

Records are retained for as long as the school holds an active licence or until the counsellor deletes them. A student or guardian may request deletion in writing through the school; the counsellor can remove the record from the dashboard immediately on receipt. Backups are purged within 30 days of deletion.

8. Your rights

Under Part IV of the Data Protection and Privacy Act, data subjects have the right to: access their personal data, rectify inaccurate data, erase data, restrict processing, object to processing, and lodge a complaint. Requests should be made in writing to the school counsellor in the first instance, and may be escalated to the Personal Data Protection Office (PDPO) at NITA-U.

9. Security measures

Data is encrypted in transit (HTTPS / TLS) and at rest. Authentication uses salted password hashes. Counsellors authenticate via a school-issued access code or registered email; platform administrators authenticate via an additional role check on every privileged action. Suspected security incidents are notified to the controller within 72 hours, in line with the Data Protection and Privacy Regulations, 2021.

10. Children's data

Where the student is a minor (under 18), processing is only undertaken with the consent of a parent or legal guardian, recorded by the counsellor. The data minimised to what is strictly necessary to recommend an A-Level combination.

11. Subscriptions and billing data

Subscription payments are recorded by Prepare Education Uganda administrators after offline confirmation. The platform stores plan, amount in UGX, payment date and validity period; it does not store card details or mobile money credentials.

12. Complaints

Schools and counsellors may raise complaints through the Support tab in their dashboard. Unresolved complaints can be escalated in writing to Prepare Education Uganda, and ultimately to the Personal Data Protection Office at NITA-U, Uganda.

13. Updates

This policy may be updated to reflect changes in Ugandan law or the platform's features. The effective date appears at the top of the page; material changes will be notified in-product.