Privacy Policy

Last updated:

1) Who is responsible?

Controller: Elimys Technologies, Nairobi, Kenya. Contact: info@elimys.com.

Role with Institutions: For listings and public institution pages, Elimys is a controller. For application submissions and forms sent to an Institution, Elimys typically acts as a processor for that Institution (the controller of those submissions). Each Institution controls its own copies and follow-up processing.

2) What data we collect

  • Account & Profile: name, email, phone, institution details, role, credentials, preferences.
  • Listings & Submissions: institution content; course, job, intake, tender, scholarship, research, innovation details; dynamic form answers; uploaded files/photos; messages.
  • Device & Usage: IP address, device/browser type, pages viewed, referral URLs, timestamps, and diagnostic logs.
  • Mobile App Device Data (when you use the App): device model, operating system and version, app version, language/region, network and carrier information, unique device/application identifiers (such as an app instance identifier), and diagnostic data such as crash reports and performance logs.
  • Push Notifications Data (if enabled): a device push token to deliver notifications; notification interaction events (e.g., delivered/opened) where supported.
  • Cookies & Similar Tech: web cookies and similar technologies for authentication and security; preference storage; and (where enabled and permitted by law) analytics technologies (for example, Microsoft Clarity, Google Analytics, and other measurement tools we may use from time to time).
  • Communications: emails/SMS/notifications you send or receive through the Service.
  • From Others: institutions may submit personal data about applicants; we may verify publicly available institution details.
  • Payments (if applicable): If you purchase paid features, payments may be processed by third-party payment providers (for example, Google Play Billing on Android and/or other payment processors). Payment providers process payment details under their own privacy policies, and we generally receive limited transaction metadata (such as confirmation and status).

3) Why we process data (purposes) & legal bases

  • Provide the Service (accounts, listings, search, forms, messaging) — necessary to perform a contract with you, to take steps at your request, and/or our legitimate business purposes where permitted by applicable law.
  • Improve & secure (analytics, debugging, crash/performance monitoring, preventing abuse/fraud) — our legitimate interests and/or other lawful bases available under applicable law, and consent where required.
  • Communicate (support, service updates, policy notices) — to perform a contract, our legitimate interests, and/or to comply with legal obligations.
  • Marketing (product updates, features) — consent where required by applicable law; you can opt out anytime.
  • Compliance (responding to lawful requests, regulatory requirements, and privacy complaints) — compliance with legal obligations and/or our legitimate interests in protecting rights, safety, and integrity of the Service.

4) Children & minors

  • Children & minors: For purposes of this Policy, a “child” or “minor” is defined by the laws of the child’s country/region of residence. In Kenya, a child is generally a person under 18 years. Institutions and other users of the Service are responsible for obtaining verifiable parental/guardian consent and implementing age-verification where required by applicable law, and must act in the best interests of the child.
  • Elimys provides privacy tools (e.g., optional face-blurring for photos) to reduce exposure. These tools do not replace legal consent obligations.
  • To request removal of a minor’s image or data from Elimys, email info@elimys.com with the URL(s) and any relevant details. We prioritise such requests.

5) Cookies & similar technologies

We use necessary cookies and similar technologies (for example, for authentication, fraud prevention, and security), and—where enabled—preferences and analytics technologies. In some countries/regions, we may request your consent for non-essential cookies/analytics where required by applicable law (for example, EU/UK rules). You can control cookies via your browser and (where available) our consent choices. If you reject necessary cookies, some features will not work. We do not use legacy “Flash cookies.”

5A) Mobile app identifiers & local storage

The App may use device or application identifiers and local storage (similar to cookies on the web) to keep you signed in, maintain session state, remember preferences, measure performance, and prevent fraud/abuse. These identifiers may include an app instance identifier and other identifiers provided by the operating system or by SDKs integrated into the App (where enabled). Depending on your device and settings, you may be able to limit analytics, reset certain identifiers, and manage ad/tracking controls through your device’s privacy settings.

6) Sharing & recipients

  • Institutions: When you submit an application or form, the receiving Institution obtains your submission and may retain it in its own systems as an independent controller.
  • Service providers: We use third-party providers to operate and improve the Service, such as cloud hosting/infrastructure (which may include servers located in the United States or other countries), email delivery providers, SMS/telephony providers, analytics providers, customer support tools, error monitoring and crash reporting tools, and backup/storage providers. Where appropriate, we use contracts and technical/organizational measures intended to impose confidentiality and data-protection obligations.
  • App platform & SDK providers: If you use the App, certain data may be processed by app platform providers and SDKs we enable to operate, secure, and improve the App. Examples may include Google Play Services and (where enabled) app analytics and crash/diagnostics SDKs such as Firebase Analytics and Firebase Crashlytics, or comparable tools. These providers may receive device and usage data (such as app version, device model/OS, app instance identifiers, and crash logs) as part of providing their services. We configure these services to the extent available and use contracts and settings intended to protect personal data.
  • Legal & safety: We may disclose data where required by law or to protect rights, security, or prevent fraud/abuse.
  • Business changes: In a merger, acquisition, or reorganisation, data may transfer subject to this Policy.

7) International data transfers

We may process data in countries outside your country of residence (for example, servers located in the United States). Where we transfer personal data internationally, we use safeguards required by applicable law, which may include contractual protections (such as standard contractual clauses where applicable), vendor due diligence, and appropriate technical and organisational measures. Where Kenya law applies, we apply safeguards required under Kenya’s Data Protection Act and related regulations. Institutions receiving submissions are responsible for ensuring any onward transfers they make are lawful.

8) Retention

  • Account data: kept while the account is active, then retained for a reasonable period for backups, audits, and fraud-prevention.
  • Listings & public pages: retained while published and for integrity/audit/dispute resolution.
  • Applications & form submissions: typically up to 24 months unless law requires longer or an Institution requests earlier deletion consistent with law.
  • Logs & analytics: typically 12–24 months.

9) Security

We implement reasonable technical and organisational measures (e.g., HTTPS/TLS in transit, least-privilege access, audit logging). No system is 100% secure; use strong passwords and protect your account.

9A) Mobile app permissions

The App may request certain device permissions (including at runtime). We request permissions only when needed for the feature you choose to use, and you can decline optional permissions:

  • Internet / Network access: to connect to the Service and sync content.
  • Notifications (optional): to send service updates and alerts; you can disable notifications in device settings.
  • Photos/Media/Storage (optional): to upload files/photos you choose to submit through forms or messages.
  • Camera (optional): to capture and upload a photo/document you choose to provide.
  • Location (optional, if enabled): to support location-based features (we will indicate in-app when location is used).

You can control permissions at any time through your device settings. If you deny optional permissions, some features may not function, but you should still be able to access basic Service functionality where feasible.

10) Your rights

Subject to applicable law (which may include the EU/UK GDPR, Kenya’s Data Protection Act, and other regional privacy laws depending on your location), you may have rights to:

  • access, correct, and delete your personal data;
  • object to or restrict certain processing;
  • data portability (receive a copy);
  • withdraw consent where processing relies on consent.

To exercise rights, email info@elimys.com. If your request relates to data held by an Institution (e.g., an application), contact that Institution directly for its copy. We will respond within statutory timelines.

Deletion requests: include the email and/or phone number associated with your account and (if possible) your profile or institution name and relevant URLs/content references. We may request additional information to verify your identity and help locate your data. We will complete deletion requests subject to applicable law, including permitted retention for security, fraud prevention, backups, dispute resolution, and legal compliance.

Optional (some jurisdictions): You may be able to submit certain requests through an authorized agent, subject to identity verification and applicable law.

11) Automated decision-making

Elimys does not make decisions that produce legal or similarly significant effects on you solely by automated means. Admission/hiring decisions are made by Institutions.

12) Controller–processor arrangements

Where Elimys processes personal data on behalf of an Institution, we act under a written data-processing agreement that includes obligations required by applicable law (confidentiality, security, sub-processor controls, assistance with rights, deletion/return at end of processing).

13) Regulatory registrations & DPIAs

Depending on the country/region and the nature of processing, controllers and processors may be required to register with a data-protection authority and/or conduct data protection impact assessments (DPIAs) for higher-risk processing (e.g., children’s data, large-scale profiling). In Kenya, this may include registration with the Office of the Data Protection Commissioner (ODPC) where applicable. Institutions using Elimys are responsible for their own compliance, including registrations and DPIAs where required.

14) Data breaches

If we become aware of a personal data breach, we will assess the risk and notify affected users and/or the relevant supervisory authority where required by applicable law. Where Kenya law applies, this may include notifying the ODPC where required.

15) Third-party sites

Links to external sites are provided for convenience; those sites are governed by their own privacy policies and terms.

16) Changes to this Policy

We may update this Policy from time to time. We will post the updated version with a new “Last updated” date and, for material changes, provide additional notice (e.g., email to account holders).

17) Questions, requests, or complaints

Contact us at info@elimys.com. You may also have the right to lodge a complaint with your local data-protection authority/supervisory authority (for example, an EU/EEA authority under the GDPR, the UK ICO under the UK GDPR, or other regulators depending on your location). In Kenya, this includes the Office of the Data Protection Commissioner (ODPC).

This document is for product readiness and does not constitute legal advice. Consider obtaining legal review in the jurisdictions where you operate (including, where relevant, Kenya under the DPA 2019 and 2021 Regulations) before publishing.