Privacy Policy
Last updated: 30 May 2026
We are committed to protecting your personal data in compliance with the Kenya Data Protection Act 2019.
1. Data We Collect
- Identity: full name, email address, role.
- Payment: M-Pesa phone number and transaction reference (no PINs or card numbers).
- Usage: materials viewed, courses enrolled, quiz scores, notes, comments, ratings.
- Technical: IP address, browser type, encrypted session identifiers.
- Communications: messages sent via our Contact form.
2. How We Use Your Data
- Create and manage your account and deliver Platform services.
- Process payments and issue confirmation emails.
- Issue and verify Certificates of Completion.
- Send transactional emails (password resets, payment confirmations).
- Detect and prevent fraud or unauthorised access.
We do not sell your data or use it for advertising profiling.
3. Legal Basis for Processing
- Contract performance: delivering subscribed Platform services.
- Legitimate interests: security monitoring and fraud prevention.
- Consent: non-essential communications (opt out any time).
4. Data Sharing
- Safaricom M-Pesa: payment processing only.
- Email provider: transactional delivery only.
- Legal obligation: where required by Kenyan law or court order.
5. Data Retention
Account data is retained while your account is active. Payment and certificate records are kept for a minimum of 7 years as required by Kenyan financial regulations. You may request deletion of non-statutory data at any time.
6. Data Security
- All data transmitted over HTTPS (TLS encryption).
- Sessions are encrypted with secure, HttpOnly cookies.
- Passwords hashed using bcrypt, never stored in plain text.
- Personal data access restricted to authorised personnel only.
7. Your Rights (KDPA 2019)
Under the Kenya Data Protection Act 2019 you have the right to:
- Access a copy of data we hold about you.
- Rectify inaccurate or incomplete data.
- Erasure of data without a lawful basis to retain.
- Object to certain types of processing.
- Portability in a structured, machine-readable format.
Contact us via our Contact page to exercise these rights. We respond within 30 days. You may also lodge a complaint with the ODPC, Kenya.
8. Cookies
We use a single session cookie strictly necessary for authentication. It does not track you across third-party sites. We use no advertising or analytics cookies.
9. Children's Privacy
The Platform is not directed to children under 13. We do not knowingly collect data from under-13s. If you believe a child has created an account, contact us immediately and we will delete it.
10. Policy Changes
We may update this Policy from time to time. Material changes will be communicated via in-platform announcements. Continued use constitutes acceptance of the updated policy.
11. Contact the Data Controller
BluePulseEdu, Data Controller
Email: hub@bluepulseedu.co.ke
Contact: bluepulseedu.co.ke/contact