This Privacy Policy is written for Badawy Nexus as a SaaS and digital services platform. It is designed to support compliance with Kenyan data protection requirements and international privacy expectations, but it must match your actual technical, operational, security, billing, support, and data-handling practices.
1. Introduction
Badawy Nexus (“Badawy Nexus,” “we,” “our,” or “us”) respects your privacy and is committed to protecting personal data entrusted to us by customers, users, website visitors, administrators, students, parents, staff, businesses, institutions, and service partners.
This Privacy Policy explains how we collect, use, disclose, store, transfer, protect, and retain personal data when you use our websites, SaaS platform, school ERP, business management tools, finance and billing modules, communication tools, registration flows, support channels, web design services, and related services.
By using Badawy Nexus, creating an account, subscribing to a plan, submitting information, contacting support, or using our services, you acknowledge that your personal data may be processed as described in this Privacy Policy.
2. Scope of This Policy
This policy applies to:
- Visitors to Badawy Nexus websites and public pages.
- Registered customers, tenants, administrators, staff users, and account holders.
- Students, parents, guardians, employees, suppliers, and other records managed inside customer accounts.
- Users of our school ERP, business SaaS, finance, reports, communication, subscription, payment, and support services.
- People who contact us by email, phone, WhatsApp, forms, demo requests, support requests, or other communication channels.
Controller and processor position: For our own website, account registration, billing, security, support, marketing, and business administration, Badawy Nexus may act as a data controller. For personal data uploaded or managed by a customer inside a tenant account, Badawy Nexus may act as a data processor/service provider on behalf of that customer, unless the law or the facts require another role.
3. Personal Data We Collect
3.1 Information You Provide Directly
- Account details: name, email address, phone number, username, password, role, organization name, country, city, and business details.
- Business registration details: organization name, registration number, address, business type, certificates, documents, and verification information.
- School or institutional records: student information, parent/guardian details, staff details, classes, admissions, attendance, examination records, fee records, communication records, library, transport, hostel, clinic, discipline, and related data.
- Payment and subscription information: selected plan, billing cycle, invoices, payment references, transaction status, amount, currency, and payment method metadata.
- Support and communication data: messages, help requests, demo requests, contact forms, emails, WhatsApp communication, feedback, complaints, and support history.
- Uploaded files: profile images, ID documents, business certificates, school documents, reports, receipts, certificates, and other files uploaded by users or organizations.
3.2 Information Collected Automatically
- Device information: IP address, browser type, operating system, device identifiers, screen size, language, time zone, and approximate location derived from technical data.
- Usage data: pages visited, actions taken, login attempts, session events, error logs, feature usage, timestamps, and diagnostic information.
- Security data: audit logs, suspicious activity indicators, failed login attempts, device binding information, session IDs, and security event records.
- Cookies and similar technologies: cookies, local/session identifiers, analytics tools, and tracking technologies used for security, preferences, performance, and user experience.
3.3 Sensitive or Special Categories of Data
Depending on how a customer uses the platform, certain information may be sensitive, such as health records in clinic modules, identification documents, children’s records, student disciplinary data, or payment-related information. We process such data only where necessary, authorized, contractually required, or permitted by law, and we apply additional safeguards where appropriate.
4. Why We Process Personal Data
We process personal data for the following purposes:
- To create, verify, operate, and manage user accounts and tenant organizations.
- To provide SaaS services, school ERP, business dashboards, finance modules, reports, communication tools, and other platform features.
- To process subscriptions, payments, invoices, billing records, renewals, upgrades, downgrades, refunds, and payment status updates.
- To provide support, respond to inquiries, schedule demos, investigate issues, and improve customer experience.
- To secure the platform, prevent fraud, monitor suspicious activity, protect accounts, maintain audit logs, and enforce access controls.
- To send important service notices, security alerts, administrative messages, policy updates, and support communications.
- To improve platform performance, fix errors, develop new features, test systems, analyze usage, and enhance reliability.
- To comply with legal, regulatory, tax, accounting, audit, contractual, and dispute-resolution obligations.
- To send marketing or product updates where allowed by law or where the user has opted in, with the ability to opt out.
5. Legal Bases for Processing
Where applicable, we rely on one or more legal bases for processing personal data, including:
| Legal basis | Examples of processing |
|---|---|
| Contractual necessity | Creating accounts, providing platform access, managing subscriptions, processing service requests, and delivering SaaS features. |
| Consent | Optional marketing, certain cookies, voluntary uploads, and communications where consent is legally required. |
| Legal obligation | Tax records, accounting obligations, regulatory compliance, lawful requests, and legally required retention. |
| Legitimate interests | Security monitoring, fraud prevention, service improvement, analytics, support quality, and business administration where not overridden by user rights. |
| Vital or public interest where applicable | Limited circumstances involving safety, emergency, or lawful public-interest obligations. |
6. Children’s and Student Data
Badawy Nexus may process student and children’s data where our platform is used by schools, parents, guardians, or institutions. Such data is processed for educational administration, attendance, examinations, finance, communication, safeguarding, reporting, and legitimate institutional purposes.
- Schools and institutions remain responsible for ensuring they have the necessary authority, consent, notices, or lawful basis to upload and manage student records.
- We do not knowingly use children’s data for unrelated marketing.
- We apply access controls, role-based permissions, and security safeguards to protect student data.
- Parents, guardians, or eligible students may request access, correction, or deletion through the relevant institution or by contacting us where legally appropriate.
7. How We Share Personal Data
We do not sell personal data. We may share personal data only where necessary and lawful, including with:
- Service providers who help us host, secure, maintain, support, analyze, or operate the platform.
- Payment providers and financial service partners for payment processing, transaction verification, fraud prevention, and billing.
- Email, SMS, notification, WhatsApp, or communication service providers used to deliver platform messages.
- Customer organizations and authorized administrators who control tenant accounts and user access.
- Professional advisers, auditors, insurers, accountants, or legal representatives where necessary.
- Government authorities, regulators, courts, or law enforcement where required by law, lawful process, or legitimate legal protection.
- Successors or parties involved in a merger, acquisition, restructuring, sale of assets, or transfer of business, subject to appropriate safeguards.
8. Service Providers, Processors, and Sub-Processors
Where we use third-party service providers to process personal data on our behalf, we require appropriate confidentiality, security, and data protection obligations. Where required, we use written agreements or contractual terms that define processing instructions, confidentiality, security measures, breach reporting, deletion/return of data, and restrictions on unauthorized use.
Examples may include hosting providers, cloud storage, email delivery, SMS/communication gateways, payment processors, analytics providers, support tools, backup providers, and security monitoring tools.
9. Data Storage and Security
We apply administrative, technical, and organizational safeguards designed to protect personal data against unauthorized access, loss, misuse, alteration, disclosure, or destruction.
- Role-based access controls and permission management.
- Authentication controls, password protection, and secure login processes.
- Encryption in transit and, where applicable, encryption or protective controls at rest.
- Audit logs, activity records, and security monitoring.
- Backups, recovery procedures, and operational resilience measures.
- Access limitation based on business need and authorized roles.
- Security reviews, vulnerability management, and incident response planning.
Important: No online system can be guaranteed 100% secure. Users and tenant administrators must protect their credentials, use strong passwords, limit access to authorized persons, and promptly report suspected unauthorized access.
10. Data Retention and Deletion
We retain personal data only for as long as necessary for the purposes described in this Privacy Policy, unless a longer period is required or permitted by law, contract, audit, tax, accounting, dispute resolution, security, or legitimate business needs.
| Data type | Typical retention approach |
|---|---|
| Account and tenant records | Retained while the account is active and for a reasonable period after closure for support, audit, security, and legal purposes. |
| Billing and payment records | Retained as required for tax, accounting, audit, financial reporting, dispute, and legal obligations. |
| Student, staff, parent, and institutional records | Controlled by the customer/institution and retained according to the customer’s instructions, legal obligations, or platform settings. |
| Security and audit logs | Retained for security monitoring, fraud prevention, incident investigation, and compliance purposes. |
| Support communications | Retained for service quality, dispute handling, and customer support history. |
Where deletion is requested and legally permitted, we will delete, anonymize, or restrict the relevant data within a reasonable time, subject to backups, legal duties, and technical limitations.
11. Your Rights and Choices
Depending on applicable law and your relationship with Badawy Nexus, you may have rights to:
- Request access to personal data we hold about you.
- Request correction of inaccurate or incomplete data.
- Request deletion of personal data where legally permitted.
- Object to or restrict certain processing.
- Withdraw consent where processing is based on consent.
- Request data portability where applicable.
- Opt out of non-essential marketing communications.
- Lodge a complaint with a relevant data protection authority.
Where your data is controlled by a customer organization, such as a school or business using Badawy Nexus, we may direct your request to that organization or assist them in responding.
12. Cookies and Tracking Technologies
We may use cookies and similar technologies to operate the website and platform, keep users signed in, remember preferences, improve performance, analyze usage, secure accounts, prevent fraud, and improve services.
- Essential cookies: required for login, security, routing, and platform functionality.
- Preference cookies: remember language, interface, or account preferences.
- Analytics cookies: help us understand usage and improve performance.
- Security cookies: support fraud detection, session protection, and suspicious activity monitoring.
You can usually manage cookies in your browser settings. Blocking some cookies may affect platform functionality.
13. International Transfers
We may process, host, store, or transfer personal data in Kenya or other countries where our service providers, cloud infrastructure, or technical partners operate. Where personal data is transferred internationally, we use safeguards designed to protect the data in accordance with applicable law, contractual obligations, and recognized security practices.
14. Data Breach and Incident Response
If we become aware of a data security incident affecting personal data, we will assess the incident, take reasonable containment and remediation steps, document relevant facts, and notify affected customers, users, regulators, or authorities where required by law or contract.
- We investigate unauthorized access, disclosure, loss, alteration, or destruction of personal data.
- We prioritize containment, evidence preservation, remediation, and communication.
- We may provide guidance to affected customers or tenant administrators.
- We maintain internal records of relevant incidents where required.
15. Customer and Administrator Responsibilities
Customers, tenant owners, schools, businesses, and administrators are responsible for how they use Badawy Nexus and for the data they upload or manage. They must:
- Ensure they have a lawful basis, authority, consent, or notice for personal data uploaded to the platform.
- Assign user roles carefully and remove access when staff or users leave.
- Use strong passwords and protect login credentials.
- Keep records accurate, relevant, and up to date.
- Respond to data subject requests where they are the controller of the data.
- Avoid uploading unlawful, excessive, unnecessary, or unauthorized data.
- Comply with applicable education, employment, tax, financial, privacy, and data protection laws.
16. Marketing and Communications
We may send service-related messages that are necessary for account management, security, billing, product changes, or support. We may also send optional product updates, newsletters, offers, or educational content where permitted by law or where you have opted in.
You can opt out of marketing communications by using the unsubscribe option where available or by contacting us. We may still send essential service, billing, legal, or security messages.
17. Analytics, Automation, and Decision Support
Badawy Nexus may provide analytics, reports, alerts, recommendations, dashboard summaries, risk indicators, attendance trends, finance insights, or performance indicators. These tools are designed to support decision-making, not to replace lawful human oversight where important decisions affect individuals.
Customers remain responsible for reviewing reports, verifying accuracy, applying fair decision-making processes, and complying with relevant legal obligations.
18. Third-Party Links and Services
Our website or platform may contain links to third-party websites, payment services, communication tools, app stores, maps, or integrations. We are not responsible for the privacy practices of third parties. You should review their privacy policies before using their services.
19. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our services, technology, legal requirements, or business practices. We will update the “Last updated” date and may provide additional notice for significant changes. Continued use of our services after changes take effect means you acknowledge the updated policy.
20. Contact Us
If you have questions, concerns, complaints, access requests, deletion requests, correction requests, or data protection questions, contact us using the details below: