Privacy Policy
Last updated: 2 July 2026
This Privacy Policy explains how Apex, operated by Tunga Technologies Ltd (“Apex”, “we”, “us”), collects, uses, shares and protects personal data when you use our websites, web portal and mobile apps (together, the “Services”). We handle personal data in line with Kenya’s Data Protection Act, 2019 and the guidance of the Office of the Data Protection Commissioner (ODPC), and, where it applies, the EU/UK General Data Protection Regulation (GDPR).
1. Who we are, and our two roles
Apex is provided to educational institutions (schools, colleges, universities, TVET institutions and groups). Our role under data-protection law depends on the data:
- Institution data (we are the data processor). When an institution uses Apex to manage students, guardians, staff, fees and records, the institution is the data controller and Apex processes that data on its documented instructions, under a data-processing agreement.
- Account and marketing data (we are the data controller). For accounts we create, website visitors, demo requests and our own communications, Apex is the data controller.
2. Information we collect
- Account & identity: name, email, phone, role and institution, and sign-in identifiers (including Google sign-in).
- Institution records (on behalf of the institution): learner and guardian profiles, enrolment, attendance, grades and results, timetables, fees and payments, staff records, and communications.
- Payments: transaction references and amounts. Card and mobile-money details are handled by our payment processors (for example, M-Pesa/Safaricom Daraja and card processors); we do not store full card numbers.
- Usage & device: app and page interactions, device and log data, and approximate diagnostics, collected to run and improve the Services.
- Communications: demo requests, support messages, and messages sent through the platform (for example, WhatsApp, push and email notifications).
3. How we use personal data, and our lawful bases
We use personal data to provide, secure and improve the Services, process payments, send service and account communications, provide support, meet legal and regulatory obligations, and prevent fraud and abuse. Depending on the context, our lawful bases are:
- Performance of a contract with you or your institution.
- Consent, which you may withdraw at any time (for example, optional communications).
- Legitimate interests, such as securing and improving the Services, balanced against your rights.
- Legal obligation, such as tax, accounting and regulatory reporting.
4. Children’s and students’ data
Apex is used by institutions that hold data about learners, some of whom are children. The institution, as controller, is responsible for the lawful basis for processing learners’ data, including obtaining any parental or guardian consent required under the Data Protection Act, 2019 and the Data Protection (General) Regulations. Apex processes this data only to provide the Services to the institution and does not use children’s data for advertising or profiling. Student and parent accounts are scoped to their own institution.
5. Payments and mobile money
Where an institution enables payments, fee transactions may be processed through M-Pesa (Safaricom Daraja), other mobile-money providers, card processors or banks. These providers process your payment data as independent controllers or processors under their own terms and privacy notices. Apex stores transaction records (such as references, amounts and status) to reconcile fees, not full payment credentials.
6. Sharing and sub-processors
We do not sell personal data. We share it only with service providers that help us run the Services, under contracts that require appropriate safeguards. Our key sub-processors include:
- Google Cloud Platform & Firebase (hosting, database, authentication, storage and analytics).
- Payment providers (for example, Safaricom M-Pesa and card processors).
- Messaging providers (for example, WhatsApp Business, push and email delivery).
We may also disclose data where required by law, to protect our rights and users, or in connection with a corporate transaction, subject to this Policy.
7. International data transfers
Our infrastructure runs on Google Cloud and some processing may occur outside Kenya. Where personal data is transferred across borders, we rely on appropriate safeguards recognised under the Data Protection Act, 2019 (such as adequacy, appropriate safeguards, or a lawful transfer condition) and, for GDPR-covered data, mechanisms such as Standard Contractual Clauses.
8. Data retention
We keep account and marketing data for as long as needed for the purposes above and to meet legal obligations. Institution data is retained for the duration of the institution’s subscription and then deleted or returned according to our agreement and the institution’s instructions, subject to any legal retention requirements.
9. Security
We apply technical and organisational measures to protect personal data, including encryption in transit and at rest, role-based access controls, tenant isolation between institutions, audit logging and least-privilege access. No system is perfectly secure, but we work to protect your data and to notify affected parties and the ODPC of a notifiable breach as required by law.
10. Your rights
Subject to the Data Protection Act, 2019 and, where applicable, the GDPR, you have the right to:
- be informed about, and access, your personal data;
- have inaccurate data corrected and incomplete data completed;
- have your data deleted (erasure) where the law allows;
- object to, or ask us to restrict, certain processing;
- data portability; and
- withdraw consent at any time, without affecting prior processing.
If your data is held by Apex on behalf of an institution, please contact your institution first, as it is the controller; we will support the institution in responding. To exercise a right against Apex directly, contact us using the details below.
11. Complaints and the Data Protection Commissioner
If you have a concern, please contact us first and we will try to resolve it. You also have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC) in Kenya at www.odpc.go.ke, or, if you are in the EU/UK, with your local supervisory authority.
12. Cookies and analytics
Our website and apps use cookies and similar technologies, and privacy-respecting analytics, to keep you signed in, remember preferences and understand usage. You can control cookies through your browser or device settings.
13. Changes to this Policy
We may update this Policy from time to time. We will post the updated version here with a new “Last updated” date and, where changes are significant, provide additional notice.
14. Contact us
Tunga Technologies Ltd, Nairobi, Kenya.
Data protection enquiries: privacy@apex.co.ke