Privacy Policy

Introduction

Moringa School Limited (‘Moringa’) understands that your privacy is important to you and
that we care about how your personal data is used. We respect and value the privacy of all
our customers and users and we will only collect and use personal data in ways that are
described here, and in a way that is consistent with our obligations and your rights under the
Data Protection legislation (as defined herein below).

This is MORINGA Privacy Notice (“Privacy Notice”) which may be accessed from webpage
https://moringaschool.com/ where you submit personal data to access the service or may be
obtained as a hard copy when you submit personal data at our medical laboratory. MORINGA
is a Moringa School is a multi-disciplinary learning-accelerator committed to closing the skills-gap in Africa’s job markets by delivering transformative tech-based learning to high-potential jobseekers; and on graduation connecting them to local and international employers who desire high-quality tech talent.

We are referred to in this Privacy Notice as “MORINGA”, “We” or “Our” or “Us”. An individual
who is the subject of the personal data is referred to as “Customer”, “User” or “You”.

This Privacy Notice only covers users of our website and the retail stores. MORINGA’s
employees or third-party vendors personal details are handled in-line with the terms of
employment agreement or contractual relationships, or our separate policies that we provide,
as relevant, independent of this Privacy Notice.

Information about us
MORINGA LIMITED a limited company registered in the Republic of Kenya.
Registered Postal Address: P.O. Box 28860 – 00100,
Ngong Lane, Ngong Lane Plaza,
1st Floor,
Nairobi, Kenya

Email address: contact@moringaschool.com
admissions@moringaschool.com
corporate@moringaschool.com
Telephone number: 0205002167 (General Enquiries)
020 7643533 (Admissions)
0738368319 (Corporate Inquiries)
Website: https://moringaschool.com/

What does this Privacy Notice Cover?

1.1 This Privacy Notice explains how we use your personal data: how it is collected, how
it is held and how it is processed. It also explains your rights under the law relating to
your personal data.
1.2 We will process any personal data we collect from you in accordance with this Privacy
Notice and our Terms and Conditions of Service (together with any other documents
referred to in it). Kindly carefully read this Notice carefully so that you can understand
how we handle your personal data.

What Is Personal data?

2.1 Processing of personal data is governed by the Data Protection Act, 2019(‘the Act’),
The Data Protection General Regulations 2021, The Data Protection (Registration of Data
Controllers and Data Processors) 2021, The Data Protection (Complaints Handling and
Enforcement Procedures) Regulations 2021 as may be amended from time to time, and
any other regulations made thereunder (collectively, “the Data Protection Legislation”).
2.2 Personal data refers to any information about you that enables you to be identified
as an individual such as your name, contact details, identification numbers but it also
covers less obvious information such as, electronic location data, and other online
identifiers.
The personal data that we collect and use is set out as below.

How do we collect your personal data?

Data Collected How we collect the Data
Personal Information
For individuals – Names, referee details,
date of birth, next of kin, gender, dependants,
nationality, health information, marital status,
criminal record, education, photographs,
property details.

For companies – company name and company
contact person’s name.
Relevant Application forms both physical
and online (For example, corporate
application forms, employee recruitment
forms, vendor application forms and any
other application forms we may use from
time to time)
Contact information
For individuals –Email, telephone.

For companies –company
contact person’s name and email.
Relevant Application forms both physical
and online (For example, corporate
application forms, employee recruitment
forms, vendor application forms and any
other application forms we may use from time to time)
Identification details and documents
For individuals – copy of
national identification card or
passport, driving licence, vehicle
registration certificate.

For companies –Company CR12, Vehicle registration
number
Relevant Application forms (For example,
corporate application forms, employee
recruitment forms, vendor application
forms and any other application forms we
may use from time to time)
Financial Information
For individuals – Bank account
numbers, Kenya Revenue Authority PIN numbers,
National Health Insurance Fund details, National
Social Security Fund details, debit or credit cards.

For companies –Company CR12, Vehicle registration number
Relevant Application forms (For example,
corporate application forms, employee
recruitment forms, vendor application
forms and any other application forms we
may use from time to time)
Tracking Information
For individuals – CCTV Images
and footages
CCTV Cameras at various MORINGA
premises
Details of Personal Data Collected

How do we use your personal data?

4.1 We process your personal data for one of the lawful bases of processing (“Lawful
Basis”) depending on the specific purpose or purposes for which we are using your data
(see table below).

Category of usePurpose of use
To provide our product and services:
We may use your personal information and financial information to:
· Make our products and services available to you.
· Onboard you as a student, customer, supplier or vendor
· Provide products and services available to you, process your
payment.
· Responding and engaging with your inquiries, delivery and service
updates or feedback, including contacting you where necessary.
Performance of our
contract with you.
To identify you:
We may use your personal information, including identification
information and contact information, to:
· Identity verification, establishing and administering customer
care services.
· Processing payments for services offered.
Performance of our
contract with you.
For Marketing:
We may use your personal information, including contact
information, to:
· Keeping you informed about our services and any promotions
we may be running at the school, including direct marketing.

Note we will not use any information deemed as sensitive
personal information for Direct Marketing purposes and you may
withdraw your consent at any time.
Consent
(You can withdraw
your consent at any
time see more
information here)
Improving Website Experience:
We may use your personal information, including identification
information, to:
· Understand you so we can provide you with a great
website experience, personalized offers and online advertising.
· Understanding how you use our website, where and when you
browse from, the products and services you view
Legitimate Interest
of the Data
Controller
For safety and security:
We may use your personal information, including tracking
information personal information to:
· Help provide safe and secure environments for you
in our classrooms, our employees to work in and for our
businesses to be conducted.
· We use CCTV footage and carry out checks to help
us ensure that our students are safe within the premises.

Please see our CCTV policy in Part 7.
Legitimate Interest
of the Data
Controller
Government Requirements:
We may use your personal information, including financial
information personal information, to:
· Submit the relevant statutorily required information
to various institutions of the Government of Kenya, for
example, KRA, NHIF, NSSF.
Legal Obligation
Lawful bases of processing

4.2 ‘Vital Interests’ can be used as a lawful basis where we need to share your personal
data in emergency circumstances or where it is a matter of life and death.
4.3 We will not use your personal data for any other purpose other than the purpose(s)
for which it was originally collected, unless we reasonably believe that another purpose
is compatible with that or those original purpose(s). If we do use your personal data in
this way and you wish us to explain how the new purpose is compatible with the original,
please contact us.
4.4 If we need to use your personal data for a purpose that is unrelated to, or incompatible
with, the purpose(s) for which it was originally collected, we will inform you and explain
the legal basis which allows us to do so or seek your consent.
4.5 In some circumstances, where permitted or required by law, we may disclose your
personal data without your knowledge or consent. This will only be done within the
bounds of the Data Protection Legislation and your legal rights.

What are your rights under the Data Protection Legislation?

Under the Data Protection Legislation, you have the following rights, which we will always
work to respect and uphold:
i. The right to be informed about our collection and use of your personal data. This
Privacy Notice should tell you everything you need to know, but you can always contact us
to find out more.
ii. The right to access the personal data we hold about you.

iii. The right to have your personal data corrected if any of your personal data held
by us is false, erroneous or misleading.
iv. The right to ask us to delete or otherwise dispose of any of your personal data
that we hold.
v. The right to restrict (i.e., prevent) the processing of your personal data.
vi. The right to object to us to our use of your personal data for a particular purpose
or purposes.
vii. The right to withdraw consent. This means that, if we are relying on your consent
as the lawful basis for using your personal data, you are free to withdraw that consent at any
time.
viii. The right to data portability. You have a right to request your personal data,
which you have provided to us in a structured and commonly used format for your own use
across different services.
ix. Rights relating to automated decision-making and profiling. We do not use your
personal data in this way.

For more information about our use of your personal data or exercising your rights as outlined
above, please contact us by email as set out in Part 13. Note that the above rights are subject
to exceptions and conditions set out under the Data Protection Legislation, and your positive
identification as an individual for whom we process personal data.
It is important that your personal data is kept accurate and up-to-date. If any of the personal
data we hold about you changes, please keep us informed as long as we have that data.
If you have any cause for complaint about our use of your personal data, you have the right
to lodge a complaint with the Office of the Data Protection Commissioner. We would
welcome the opportunity to resolve your concerns ourselves, however, so please contact us
first.

What sensitive personal data do we collect and how?

6.1 We may collect any ‘sensitive’ personal data like data relating to your race, health
status, religious beliefs, social origin, conscience, biometric data, GPS Location Data,
property details, marital status, bank details, marital/family details including names of
your children, parents, spouse or spouses, sex or the sexual orientation. We will only
collect sensitive data about you if we have your explicit consent, or if authorized under
the Data Protection Legislation.

Closed Circuit Television (C.C.T.V.)

7.1 We use the C.C.T.V. system to capture an overview of our school premises for
purposes of security within the school.

7.2 The C.C.T.V. the data we collect is for the purposes of security in the interest of the public
and visitors of our school premises.

7.3 The lawful basis for processing personal data collected by the system is our legitimate
interest as set out in Section 30(1)(b)(vii) of The Data Protection Act 2019 for purposes
of security of our premises, students and visitors.

7.4 The C.C.T.V. data is retained for 3 months, except where an incident has been reported
in which case it will be stored for a reasonable period for purposes of evaluating and
concluding any incident and then deleted.

7.5 We may share C.C.T.V. data in limited circumstances as follows:
a) For detection, prevention or resolution of crime on at our premises;
b) Where required to share under any statute or a court order of competent jurisdiction;

Do we share your personal data?

All data sharing will be undertaken in line with the Data Protection Legislation.

8.1 Transfer of your personal data outside of the Republic of Kenya.
a) Subject to one or more appropriate safeguards set out in the Data Protection
Legislation, we may from time to time transfer your personal data to our suppliers
and service providers based outside of the Republic of Kenya for the purposes
described in this Privacy Notice.
b) When transferring your personal data, we will ensure that it is protected in the
same way as if it was being processed in the Republic of Kenya.
c) We will ensure that the recipient country of your personal data has equivalent data
protection laws in place and we will put in place a written contract with the recipient
that means they must protect it to the same standards as the Republic of Kenya.

8.2 Within MORINGA
For administrative and operational purposes, we share data internally across our
departments in MORINGA as the departments need to access data. The sharing across
our departments is reasonable, is in line with Data Protection Legislation, and respects your rights.

We hold your personal data record for you in our service stores to provide
and fulfill our obligations to you and have the most up-to-date contact details for you
across services to support your right to accurate data.

8.3 Outside MORINGA
A number of organizations assist us in delivering our services to you and will share your
information with these organizations. We will provide them reasonable access to your
personal data for purposes of facilitating our service to you. For example:
8.3.1 With our partners to deliver our course content;
8.3.2 With our professional advisors, such as lawyers and consultants;
8.3.3 Security and fraud prevention companies to ensure the safety and security of
our customers, employees and business;
8.3.4 Companies who provide student support services to our students;
8.3.5 With companies that assist in marketing our products to you

We are responsible for your personal data and ensure that appropriate safeguards are in
place. Where obliged by law, we will share some personal data with Government, law and
enforcement agencies. Where possible, we make this anonymous and only share statistics.

Where your consent is needed to transfer the data, we will make this clear to you in simple
and clear language so you may make an informed decision. We will never share your
information if it’s not legal to do so, and will always consider your rights, and whether there
is another way of achieving our aim, before doing so.

We keep your personal data safe:

We use a high level of protection, both organizational and technical measures, to ensure
we process our customers’ data safely. Some of the measures are:
a) Servers that meet the highest standards for security using firewalls, secure content
delivery, network mechanisms and secure architecture.
b) Access to data via secure log-in, to which is restricted by our IT teams.
c) Buildings and areas that have access only through staff passes, and secure files
stored in areas that are further restricted by passes and keys.
d) Systems are only available through strictly controlled security processes. We ensure
that only the right people have access to systems.
e) Encryption of passwords using industry-accepted hashing algorithms such as SHA
256, SSL Encryption and RSA Encryption)

How long do we keep your personal data?

We are required under the Data Protection Legislation to keep your personal data only for a
specific period as lawfully required. Moringa School will retain your Personal Information for
as long as you have a relationship with us, and for a period after your relationship with us has ended as determined by our records retention program. When determining how long this
retention period will last, some of the considerations we take into account to keep your data
include:
a) Where it is stipulated under the law; and
b)The necessary time your data is needed for us to deliver the service to you.
c) Continue to develop, tailor, upgrade, and improve our Services;
d)Maintain business records for analysis and/or audit purposes;
e)Comply with record retention requirements under the law;
f) Defend or bring any existing or potential legal claims; or
g)Address any complaints regarding the Services.
On completion of the purpose for which your data was originally collected, we delete or deidentify your personal data.

How we use Cookies

Cookies
A cookie is a small text file that a website can place on your computer’s hard drive for recordkeeping or other administrative purposes. Our website may use cookies to help to personalize
your experience on the Website. Although most web browsers accept cookies automatically,
usually you can modify your browser setting to decline cookies. If you decide to decline
cookies, you may not be able to fully use the features of the Website. Cookies may also be
used at certain sites accessible through links on the Website.

Google and Other Third-Party Analytics.
We use a tool called “Google Analytics” to collect information about the use of our Website
Services (e.g., Google Analytics collects information such as how often users visit the
Website Services, what pages they visit when they do so, and what other sites they used
prior to coming to the Website Services).

Google Analytics collects only the IP address assigned to you on the date that you visit the
Website Services, rather than your name or other identifying information. You can learn more
about how Google Analytics collects and processes data and opt-out options at
http://www.google.com/policies/privacy/partners/. We also may use other third-party
analytics tools to collect similar information about use of certain online Services.

Data Breaches Resolution

Any individual who suspects that a theft, breach or exposure of Moringa School Personal
data has occurred must immediately provide a description of what occurred via email to
DPO@moringaschool.com or by calling +254 712 293 878 (General Enquiries). This email is and
phone number is monitored by the Tech and Data team. This team will investigate all
reported thefts, data breaches and exposures to confirm if a theft, breach or exposure has
occurred. If a theft, breach or exposure has occurred, the Tech and Data team will follow the
appropriate procedure depending on the class of data involved.

Our Data Protection Officer will communicate with all affected data subjects within 48 hours
of the incidence with information regarding how the breach or exposure occurred, the types
of data involved, any protective measures around the involved data (such as encryption), and
the number of internal/external individuals and/or organizations impacted and will work with
the appropriate parties to remediate the root cause of the breach or exposure.

Applicable Law and Jurisdiction:

By visiting this Website, you agree that these Terms for all purposes shall be governed and
construed in accordance with the laws of Kenya, without regard to principles of conflict of
law, and that any action based on or alleging a breach of these provisions must be brought
in a court located in Kenya. In addition, you agree to submit to the personal jurisdiction and
venue of such courts.

How to Contact Us:

If you wish to contact us in respect of part of this Privacy Notice or have any questions or
would like further information regarding our handling of your personal data, please contact
us by email:

Designation: Data Protection Officer
Physical Address: 1st Floor, Ngong Lane, Ngong Lane Plaza,
Postal Address: P.O. Box 28860 – 00100,
Nairobi, Kenya
Email address: DPO@moringaschool.com or contact@moringaschool.com

Amendments to this Privacy Notice

Amendments to this Privacy Notice

We may change, modify or adopt a new Privacy Notice from time to time. If we do so, we
will post it on our website and on our social media platforms. It’s your responsibility to check
the Privacy Notice every time you submit your personal data to us. This version was last
updated on Tuesday, 1st April 2024.

Changes to your personal data

Please keep us informed of any changes to your personal data by emailing us with full details
of the changes at DPO@moringaschool.com.

Further, a data subject shall have the right to withdraw consent at any time. However, such
withdrawal of consent shall not affect the lawfulness of processing based on prior consent
before its withdrawal. To exercise your rights, we have provided you with a Data Deletion
Request form where you can request to be informed of the personal data we hold, correct,
and/or delete

The processing of personal data described in this privacy notice is based on users’ consent.
Users can provide their consent by accepting this privacy notice (selecting the ‘I accept’
checkbox) prior to submitting the registration form.

Users can withdraw such consent by requesting Moringa School to stop the processing. This
will not affect the legitimacy of the personal data processing that took place prior to the
withdrawal of user consent.
Users will can be able to withdraw their consent at any time:
· by sending an email to Moringa School DPO at: DPO@moringaschool.com
· If users choose to withdraw their consent, they understand and agree that
they will no longer be part of our database.