Privacy Policy

Last updated:

1) Who is responsible?

Controller: Elimys Technologies, Nairobi, Kenya. Contact: info@elimys.com.

Role with Institutions: For listings and public institution pages, Elimys is a controller. For application submissions and forms sent to an Institution, Elimys typically acts as a processor for that Institution (the controller of those submissions). Each Institution controls its own copies and follow-up processing.

2) What data we collect

  • Account & Profile: name, email, phone, institution details, role, credentials, preferences.
  • Listings & Submissions: institution content; course, job, intake, tender, scholarship, research, innovation details; dynamic form answers; uploaded files/photos; messages.
  • Device & Usage: IP address, device/browser type, pages viewed, referral URLs, timestamps, and diagnostic logs.
  • Cookies & Similar Tech: authentication and preference cookies; analytics cookies (e.g., Microsoft Clarity, Google tools) where enabled.
  • Communications: emails/SMS/notifications you send or receive through the Service.
  • From Others: institutions may submit personal data about applicants; we may verify publicly available institution details.

3) Why we process data (purposes) & legal bases

  • Provide the Service (accounts, listings, search, forms, messaging) — contract / legitimate interests.
  • Improve & secure (analytics, debugging, preventing abuse/fraud) — legitimate interests.
  • Communicate (support, service updates, policy notices) — contract / legitimate interests / legal obligation.
  • Marketing (product updates, features) — consent where required; you can opt out anytime.
  • Compliance (ODPC/other legal duties, takedown/privacy complaints) — legal obligation.

4) Children & minors

  • Children are defined as persons under 18 years in Kenya. Institutions must obtain verifiable parental/guardian consent and implement age-verification before posting or collecting identifying data about minors, and must act in the best interests of the child.
  • Elimys provides privacy tools (e.g., optional face-blurring for photos) to reduce exposure. These tools do not replace legal consent obligations.
  • To request removal of a minor’s image or data from Elimys, email info@elimys.com with the URL(s). We prioritise such requests.

5) Cookies & similar technologies

We use necessary cookies (authentication, security) and, where enabled, preferences and analytics cookies. You can control cookies via your browser. If you reject necessary cookies, some features will not work. We do not use legacy “Flash cookies.”

6) Sharing & recipients

  • Institutions: When you submit an application or form, the receiving Institution obtains your submission and may retain it in its own systems as an independent controller.
  • Service providers: Hosting/infrastructure (including servers located in the United States), email/SMS delivery, analytics, error monitoring, backups. We use contracts that impose confidentiality and data-protection obligations.
  • Legal & safety: We may disclose data where required by law or to protect rights, security, or prevent fraud/abuse.
  • Business changes: In a merger, acquisition, or reorganisation, data may transfer subject to this Policy.

7) International data transfers

We may process data in countries outside Kenya (e.g., United States hosting). Where we transfer personal data internationally, we use appropriate safeguards required by Kenyan law (e.g., contractual protections, technical and organisational measures). Institutions receiving submissions are responsible for ensuring any onward transfers they make are lawful.

8) Retention

  • Account data: kept while the account is active, then retained for a reasonable period for backups, audits, and fraud-prevention.
  • Listings & public pages: retained while published and for integrity/audit/dispute resolution.
  • Applications & form submissions: typically up to 24 months unless law requires longer or an Institution requests earlier deletion consistent with law.
  • Logs & analytics: typically 12–24 months.

9) Security

We implement reasonable technical and organisational measures (e.g., HTTPS/TLS in transit, least-privilege access, audit logging). No system is 100% secure; use strong passwords and protect your account.

10) Your rights

Subject to Kenyan law, you may have rights to:

  • access, correct, and delete your personal data;
  • object to or restrict certain processing;
  • data portability (receive a copy);
  • withdraw consent where processing relies on consent.

To exercise rights, email info@elimys.com. If your request relates to data held by an Institution (e.g., an application), contact that Institution directly for its copy. We will respond within statutory timelines.

11) Automated decision-making

Elimys does not make decisions that produce legal or similarly significant effects on you solely by automated means. Admission/hiring decisions are made by Institutions.

12) Controller–processor arrangements

Where Elimys processes personal data on behalf of an Institution, we act under a written data-processing agreement that includes obligations required by Kenyan law (confidentiality, security, sub-processor controls, assistance with rights, deletion/return at end of processing).

13) ODPC registration & DPIAs

Controllers and processors may be required to register with the Office of the Data Protection Commissioner (ODPC) and to conduct data protection impact assessments (DPIAs) for higher-risk processing (e.g., children’s data, large-scale profiling). Institutions using Elimys are responsible for their own compliance, including registration and DPIAs where applicable.

14) Data breaches

If we become aware of a personal data breach, we will assess the risk and notify affected users and/or the ODPC where required by law.

15) Third-party sites

Links to external sites are provided for convenience; those sites are governed by their own privacy policies and terms.

16) Changes to this Policy

We may update this Policy from time to time. We will post the updated version with a new “Last updated” date and, for material changes, provide additional notice (e.g., email to account holders).

17) Questions, requests, or complaints

Contact us at info@elimys.com. You also have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC).

This document is for product readiness and does not constitute legal advice. Consider a Kenyan counsel review (DPA 2019 and 2021 Regulations) before publishing.