Privacy Policy
Effective: 1 May 2025
1. Who We Are
DiraSchool ("we", "us", "our") is a cloud-based school management platform built for Kenyan Competency Based Curriculum (CBC) schools. We are operated by Dentrix Technologies, registered in Kenya. Our registered address and data controller contact is contact@diraschool.com.
This Privacy Policy explains how we collect, use, store, and share personal data when you use DiraSchool at diraschool.com and its associated APIs. It is written in compliance with the Kenya Data Protection Act, 2019 and its regulations.
2. Data We Collect
We collect data in the following categories depending on who you are:
| Category | Examples | Purpose |
|---|---|---|
| School account | School name, county, phone number, email | Provision of service, billing, communication |
| Staff & admin | Name, email, phone number, role, profile photo | Authentication, access control, audit logs |
| Student records | Full name, admission number, date of birth, gender, class, guardian details | School operations, CBC report cards, fee tracking |
| Academic data | Exam marks, attendance records, report card grades, learning area assessments | CBC reporting, analytics, parent portal |
| Financial data | Fee payments, M-Pesa references, balances | Fee management, receipts, financial reporting |
| Usage & technical | IP address, browser type, pages visited, error logs, audit trail | Security monitoring, debugging, fraud prevention |
We do not collect biometric data, health records beyond what the school chooses to enter, or any special categories of personal data as defined under Section 46 of the Data Protection Act unless explicitly provided by the school administrator.
3. Legal Basis for Processing
We process personal data under the following lawful bases (Section 30, Data Protection Act 2019):
- Contract performance — processing necessary to deliver the school management service.
- Legitimate interests — security monitoring, fraud prevention, and product improvement.
- Consent — where you explicitly opt in (e.g. marketing emails). You may withdraw consent at any time.
- Legal obligation — compliance with Kenyan law where applicable.
4. How We Use Your Data
- Providing, maintaining, and improving the DiraSchool platform.
- Generating and publishing CBC-compliant report cards and attendance records.
- Processing fee payments and generating receipts.
- Sending SMS notifications to parents and guardians via Africa's Talking (see Section 5).
- Sending transactional emails (account creation, password reset, subscription alerts).
- Auditing all administrative actions for accountability within your school.
- Responding to support requests.
- Preventing unauthorised access and complying with legal obligations.
We do not sell, rent, or trade your personal data to third parties for marketing. We do not use student data for advertising or profiling.
5. Third-Party Service Providers
We share data with the following sub-processors only to the extent necessary to deliver the service:
- Africa's Talking (SMS) — Phone numbers are transmitted to send parent notifications and OTP messages. Africa's Talking operates under its own Privacy Policy and is compliant with applicable Kenyan telecoms regulations.
- DigitalOcean (Hosting & Database) — All data is stored on DigitalOcean managed infrastructure in the AMS3 (Amsterdam) region with encrypted at-rest storage. We are actively working to move to an East Africa region as one becomes available.
- Resend (Transactional Email) — Email addresses are shared solely for delivering transactional messages such as password resets and subscription notices.
6. Data Retention
We retain personal data for as long as your school's account is active and for 3 years after account closure, after which it is permanently deleted or anonymised. You may request earlier deletion (see Section 9). Financial records may be retained for 7 years in line with Kenyan tax and audit requirements.
Individual audit log entries are retained for 2 years. SMS delivery logs are retained for 90 days. Session cookies expire within 24 hours of inactivity.
7. Data Security
We implement the following technical and organisational measures to protect your data:
- TLS encryption for all data in transit.
- Encrypted at-rest storage on managed MongoDB clusters.
- HTTP-only cookies for session tokens (not accessible to JavaScript).
- Role-based access control — every user sees only data for their own school (multi-tenant isolation).
- Comprehensive audit logs of all create, update, and delete operations.
- CSRF protection on all mutating API endpoints.
- Rate limiting on authentication endpoints to prevent brute-force attacks.
Despite these measures, no internet transmission is completely secure. In the event of a data breach that is likely to result in risk to your rights and freedoms, we will notify you and the Office of the Data Protection Commissioner within 72 hours as required by law.
8. Cookies
DiraSchool uses a single HTTP-only authentication cookie (token) that is strictly necessary for you to stay logged in. We do not use third-party tracking cookies or advertising cookies. We do not use Google Analytics or Facebook Pixel.
9. Your Rights Under the Kenya Data Protection Act 2019
As a data subject, you have the following rights:
- Right to access — request a copy of the personal data we hold about you.
- Right to rectification — request correction of inaccurate data.
- Right to erasure — request deletion of your data (subject to legal retention obligations).
- Right to portability — export your school's data in a machine-readable format (CSV export is available within the platform).
- Right to object — object to processing based on legitimate interests.
- Right to restriction — request we limit processing of your data in certain circumstances.
To exercise any of these rights, email us at contact@diraschool.com with the subject line "Data Rights Request". We will respond within 21 days. You also have the right to lodge a complaint with the Office of the Data Protection Commissioner of Kenya (ODPC).
10. Children's Data
DiraSchool processes student data on behalf of schools, which may include data of children under 18. This data is processed under the school's direction and responsibility as the data controller. Schools must ensure they have appropriate consent or lawful basis from parents or guardians in line with their own privacy obligations.
We do not allow children to create DiraSchool accounts directly. Children access the platform only through the parent portal, managed by a responsible adult.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify all school administrators by email at least 14 days before material changes take effect. Continued use of DiraSchool after the effective date of the revised policy constitutes acceptance. The current version is always available at diraschool.com/privacy.
12. Contact Us
For privacy-related questions, data requests, or concerns:
DiraSchool — Data Protection Contact
Email: contact@diraschool.com
Website: diraschool.com
Country: Kenya
© 2026 DiraSchool. Built in Kenya 🇰🇪