Zed - Privacy policy

1. Introduction

Riverbank Solutions Ltd. ("we," "us," "our," or "Provider") operates Zed, a Software as a Service (SaaS) payment and invoicing platform ("Software" or "Services"). We are committed to protecting the privacy and security of personal information collected through our platform. This Privacy Policy explains how we collect, use, store, share, and protect personal information when you use our Services, whether you are a school, small or medium enterprise (SME), student, parent, or end customer making payments through our platform.


2. Information We Collect

2.1 Information You Provide Directly

For Business Customers (Schools and SMEs):
  • Company/organization name and business information
  • Contact details of authorized representatives (name, email, phone number)
  • Business registration details and tax information
  • Payment and billing information
  • Account credentials (username, encrypted authentication data)
For Educational Institution Services:
  • Student personal information (name, student ID, class/grade, contact details)
  • Parent/guardian contact information (name, email, phone number)
  • Academic records relevant to billing and payment processing
  • Fee structures and payment history
For Payment Processing:
  • Transaction details (amount, date, payment method, product/service purchased)
  • Buyer information necessary for transaction completion
  • Invoice and receipt data

2.2 Information Collected Automatically

  • Device information (IP address, browser type, operating system)
  • Usage data (pages visited, features used, time spent on platform)
  • Log files and security event data
  • Cookies and similar tracking technologies

2.3 Information from Third Parties

  • Payment processor information for transaction completion
  • Bank verification data through our authorized sales agent, KCB Bank Kenya Limited
  • Identity verification information as required by law

3. How We Use Your Information

3.1 Primary Business Purposes

  • Service Provision: To provide access to and operation of the Zed platform
  • Transaction Processing: To facilitate payments, invoicing, and financial reconciliation
  • Account Management: To create, maintain, and manage user accounts
  • Customer Support: To provide technical support and respond to inquiries
  • Communication: To send invoices, receipts, service updates, and important notices via email, SMS, or WhatsApp

3.2 Educational Institution Specific Uses

  • Student Management: To enable schools to manage student information and enrollment
  • Parent Communication: To facilitate communication between schools and parents regarding fees and payments
  • Academic Administration: To support school ERP functions including reporting and reconciliation

3.3 Legal and Security Purposes

  • Compliance: To comply with legal obligations, including financial regulations and data protection laws
  • Fraud Prevention: To detect, prevent, and investigate fraudulent activities
  • Security: To maintain the security and integrity of our platform
  • Record Keeping: To maintain transaction records as required by law

4. Special Protections For Student Data

4.1 Enhanced Security for Minors

We recognize that many students whose data we process are minors under 18 years of age. We implement enhanced security protocols specifically designed for the protection of children's data, including:

  • Access Controls: Only authorized personnel have access to student data on a need-to-know basis
  • Staff Training: Regular training for staff on handling minors' personal data
  • Activity Logging: Detailed logs of all access to and processing of student data
  • Immediate Breach Notification: Schools are notified immediately of any suspected or actual data breach involving student information

4.2 Parental Rights

Parents may:

  • Access their child's personal information held by us
  • Request correction of inaccurate information
  • Request deletion of their child's information (subject to legal requirements)
  • Withdraw consent for processing where applicable

4.3 Educational Purpose Limitation

Student data is used solely for educational administration purposes and is not used for marketing, advertising, or any commercial purposes unrelated to the educational services provided.


5. Information Sharing and Disclosure

5.1 We May Share Information With:

Service Providers:
  • Payment processors and financial institutions for transaction processing
  • Cloud hosting providers for data storage and platform operation
  • Technical support providers for system maintenance
  • Security service providers for fraud prevention and detection
Business Partners:
  • KCB Bank Kenya Limited, our authorized sales agent, for customer onboarding and support
Legal Requirements:
  • Government authorities and regulatory bodies as required by law
  • Law enforcement agencies for legitimate investigations
  • Courts and legal professionals in connection with legal proceedings

5.2 We Do NOT Share Information For:

  • Marketing purposes by third parties
  • Sale of personal data to data brokers
  • Advertising targeting (except for our own services)
  • Any purpose unrelated to our services

5.3 Student Data Sharing Restrictions

Student personal data is shared only:

  • With explicit written consent from the school and, where applicable, parental consent for minors
  • As required by law or regulatory authorities
  • With service providers under strict confidentiality agreements
  • For the specific purpose of providing educational services

6. Data Security

6.1 Technical Safeguards

  • Encryption: All data is encrypted in transit and at rest
  • Access Controls: Multi-factor authentication and role-based access controls
  • Security Monitoring: Continuous monitoring for security threats and vulnerabilities
  • Regular Audits: Security audits and vulnerability assessments
  • Secure Infrastructure: Hosting on secure, compliant cloud infrastructure

6.2 Organizational Measures

  • Training: Regular security awareness training for all employees
  • Confidentiality Agreements: All staff and contractors sign confidentiality agreements
  • Incident Response: Established procedures for responding to security incidents
  • Data Minimization: Collection and retention of only necessary data

6.3 Compliance Standards

We comply with industry standards including:

  • Kenya Data Protection Act, 2019
  • PCI DSS for payment card data security
  • International best practices for child data protection
  • ISO 27001 security management principles

7. Data Retention and Deletion

7.1 Retention Periods

  • Transaction Records: Retained for 7 years or as required by financial regulations
  • Student Academic Records: Retained according to educational authority requirements
  • Account Information: Retained for the duration of the customer relationship plus 2 years
  • Communication Records: Retained for 3 years for customer support purposes
  • Security Logs: Retained for 1 year for security monitoring

7.2 Deletion Process

Upon termination of services:

  • Student personal data is securely deleted within 90 days unless retention is legally required
  • Business account data is deleted within 180 days after final invoice settlement
  • Backup data is purged according to our data retention schedule

7.3 Right to Deletion

You may request deletion of your personal information, subject to:

  • Legal retention requirements
  • Ongoing transaction processing needs
  • Legitimate business purposes (fraud prevention, security)

8. Your Rights and Choices

8.1 Access Rights

You have the right to:

  • Access personal information we hold about you
  • Receive a copy of your data in a portable format
  • Know how your information is being used
  • Understand who we share your information with

8.2 Correction Rights

You may:

  • Request correction of inaccurate personal information
  • Contact customer support for data corrections

8.3 Control Over Communications

You can:

  • Opt out of marketing communications (service-related communications will continue)
  • Choose preferred communication channels (email, SMS, WhatsApp)

9. Cookies and Tracking Technologies

9.1 Types of Cookies Used

  • Essential Cookies: Required for platform functionality and security
  • Analytics Cookies: To understand platform usage and improve services
  • Preference Cookies: To remember your settings and preferences

9.2 Cookie Control

You can:

  • Control cookie preferences through your browser settings
  • Opt out of analytics cookies while maintaining essential functionality
  • Clear cookies at any time (may affect platform functionality)

10. Children's Privacy

10.1 Age Restrictions

Our services are not intended for direct use by children under 18 years of age. However, we process student data on behalf of educational institutions with appropriate consent and safeguards.

10.2 Parental Consent

For students under 18:

  • Schools obtain necessary parental consent before providing student data
  • Parents can exercise rights on behalf of their children
  • Enhanced protections apply to all minor student data

11. Changes To This Privacy Policy

11.1 Policy Updates

We may update this Privacy Policy to reflect:

  • Changes in our business practices
  • New legal requirements
  • Enhanced privacy protections
  • Service improvements

11.2 Notification of Changes

We will notify you of material changes through:

  • Email notification to account holders
  • Prominent notice on our platform
  • Updated effective date on this policy

11.3 Continued Use

Your continued use of our services after policy changes constitutes acceptance of the updated terms.


12. Regulatory Compliance

This Privacy Policy is designed to comply with:

  • Kenya Data Protection Act, 2019
  • Children's Online Privacy Protection Act principles
  • Payment Card Industry Data Security Standards
  • International data protection best practices

Last Updated: 4th September, 2025.