Privacy Policy

This Privacy Policy explains how Juwam International Training College (JITC) (“we”, “us”, “our”) collects, uses, stores, shares, and protects personal data when you use our website, learning management systems, portals, mobile interfaces, and related education and administration services (together, the “Services”). We are committed to complying with the Data Protection Act, No. 24 of 2019 of Kenya (the “Act”), the Constitution of Kenya (including the right to privacy under Article 31), and subsidiary instruments issued by the Office of the Data Protection Commissioner (ODPC), including the Data Protection (General) Regulations, 2021, where they apply to our processing activities.

1. Who we are and how to contact us

For the purposes of the Act, Juwam International Training College (JITC) typically acts as the data controller in respect of personal data processed for our own institutional purposes (for example, admissions, student records, examinations, alumni relations, and institutional communications). Where we instruct another organisation to process personal data strictly on our instructions, that organisation may act as a data processor, and we will ensure appropriate contractual and oversight measures are in place.

2. Scope of this policy

This policy applies to personal data processed in connection with the Services offered by Juwam International Training College (JITC), including where processing occurs through our staff, systems, contractors, or authorised partners acting on our behalf.

It does not govern third-party platforms that are not operated by us (for example, a social network you choose to visit independently). Where we embed or link to third-party tools, their own privacy notices apply.

3. Definitions

• Personal data means any information relating to an identified or identifiable natural person, as understood under the Act.
• Sensitive personal data includes categories of data designated as sensitive under the Act and related regulations (for example, health information, biometric data, and other prescribed categories where applicable).
• Processing means any operation or set of operations performed on personal data, including collection, recording, organisation, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
• Data subject means the identified or identifiable person to whom the personal data relates (for example, a student, applicant, parent/guardian, staff member, alumnus, website visitor, or contractor).

4. Personal data we collect and how we collect it

Depending on your relationship with us and the Services you use, we may process categories of personal data including (without limitation):

• Identity and demographic data: name, date of birth, gender, nationality, identification or registration numbers where lawfully required, photographs, and similar identifiers.
• Contact data: postal address, email addresses, telephone numbers, emergency contacts, and next-of-kin details where relevant.
• Academic and training data: applications, enrolment records, attendance, assessments, results, transcripts, certifications, portfolios, placements, and communications with academic or support staff.
• Financial data: fee accounts, invoices, receipts, bursary or scholarship information, and limited payment-related information processed through our bank or payment partners (we do not store full card details where a compliant payment service tokenises such data).
• Employment and human-resource data (for staff and contractors): recruitment records, payroll-related identifiers, performance information, and training undertaken as part of employment or engagement.
• IT and usage data: IP address, device identifiers, browser type, pages viewed, timestamps, authentication logs, and security telemetry reasonably necessary to operate and protect our systems.
• Communications: emails, portal messages, helpdesk tickets, recorded calls where lawfully recorded with notice, and similar correspondence metadata and content.

We collect personal data directly from you, automatically through your use of the Services, from parents/guardians where applicable, from examination or accreditation bodies where permitted, from referees you nominate, and occasionally from public sources where lawful and relevant.

5. Sensitive personal data

We only process sensitive personal data where the Act permits us to do so, for example where processing is necessary for substantial public interest in the area of education, employment, social protection, health, equality monitoring (where applicable and proportionate), or where you have given explicit consent where consent is the appropriate basis.

Examples may include health or disability-related information required to provide reasonable adjustments, biometric authentication where deployed with appropriate safeguards, or other categories prescribed under Kenyan law. We apply stricter access controls and purpose limitation to such data.

6. Purposes and lawful bases for processing

We process personal data for purposes that are lawful, specific, explicit, and legitimate, including:

• Contractual necessity: to perform our contract with you (for example, to deliver a course you enrolled in) or to take steps at your request before entering a contract (for example, processing an application).
• Legal obligation: to comply with laws and regulatory directions applicable to educational institutions, taxation, financial reporting, court orders, and lawful requests from competent authorities.
• Legitimate interests: to manage and improve the Services, ensure IT and campus security, prevent fraud, plan resources, maintain alumni relations where appropriate, and evidence quality assurance and accreditation—balanced against your rights and freedoms.
• Vital interests: in genuine emergencies affecting health or safety.
• Public interest tasks: where processing is necessary for tasks carried out in the public interest or in the exercise of official authority vested in us, where applicable.
• Consent: where we rely on consent (for example, certain optional communications or non-essential cookies), you may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

We do not use personal data for incompatible secondary purposes without a fresh lawful basis and, where required, appropriate notice.

7. Consent and preferences

Where we rely on consent, we seek it in a clear and granular manner where practicable. You may withdraw consent using the same channel you provided it (for example, an “unsubscribe” link in emails or your portal preferences) or by contacting us using the details in Section 1.

Withdrawal of consent may affect our ability to provide optional features, but core statutory or contractual services will continue only where another lawful basis applies.

8. Cookies and similar technologies

We use cookies, local storage, pixels, and similar technologies that may be strictly necessary for security and session management, functional preferences, analytics, and—only with appropriate consent where required—marketing measurement.

You can control cookies through your browser settings and any cookie banner or preference centre we provide. Blocking certain cookies may limit some features of the Services.

9. Recipients, processors, and sharing

We may disclose personal data to:

• Service providers who host our systems, provide email delivery, learning platforms, payment processing, identity verification, or other operational functions, under written terms that require protection of personal data and processing only on documented instructions where they act as processors;
• Professional advisers (lawyers, auditors, insurers) bound by confidentiality;
• Government, regulatory, accreditation, examination, or law-enforcement bodies where required or permitted by law;
• Parents or guardians where appropriate for minors or where legally required;
• Potential employers, placement partners, or awarding bodies only where permitted by law or by agreement with you (for example, verified transcripts or references you request us to share).

We do not sell personal data. Any disclosure for commercial marketing by third parties will occur only with a valid lawful basis and appropriate transparency.

10. Cross-border transfers

Some of our processors or cloud providers may process personal data outside Kenya. Where we transfer personal data to another country, we implement safeguards required under the Act and ODPC guidance, which may include adequacy assessments, appropriate contractual clauses, and supplementary technical measures, taking into account the nature of the data and the processing risks.

Upon request, we will provide further information about such transfers to the extent permitted by law and commercial confidentiality.

11. Retention

We retain personal data only for as long as necessary for the purposes set out in this policy, including to satisfy legal, regulatory, tax, accounting, or reporting requirements, and for legitimate institutional needs such as academic record integrity and alumni verification.

Retention periods vary by record type. When retention expires, we securely delete or anonymise personal data where feasible, unless a narrow statutory exception requires longer retention.

12. Security of personal data

We implement appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk, including access controls, authentication, logging, backups, patching, vendor due diligence, and staff training. No method of transmission or storage is completely secure; we encourage you to use strong passwords and protect your account credentials.

13. Your rights as a data subject

Subject to the Act, applicable regulations, and any limitations (for example, where another person’s rights or legal privilege would be affected), you may have the following rights in relation to your personal data:

• Right to be informed of processing through notices such as this Policy and supplementary notices at the point of collection;
• Right of access to confirmation of whether we process your personal data and to obtain a copy in accordance with the law;
• Right to rectification of inaccurate data or completion of incomplete data;
• Right to erasure in certain circumstances (for example, where data is no longer necessary for the purpose, consent is withdrawn and no other basis applies, or processing is unlawful);
• Right to restriction of processing in defined situations while complaints or accuracy disputes are resolved;
• Right to data portability for data you provided where processing is based on consent or contract and is carried out by automated means, where technically feasible;
• Right to object to processing based on legitimate interests or for direct marketing, where the Act permits;
• Rights relating to automated decision-making that produces legal or similarly significant effects, where applicable under the Act;
• Right to withdraw consent at any time where processing is based on consent;
• Right to lodge a complaint with the ODPC (see Section 20).

To exercise your rights, contact us as set out in Section 1. We may need to verify your identity before responding. We will respond within timelines required by the Act and related instruments, or otherwise without undue delay.

14. Automated decision-making and profiling

We may use automated tools to support administrative and academic integrity tasks (for example, similarity checks on submitted work, timetable optimisation, or fraud risk signals). Where a decision that significantly affects you is taken solely by automated means, we will ensure appropriate human oversight, transparency, and avenues for review as required by law.

15. Personal data breaches

We maintain procedures to detect, investigate, and respond to suspected personal data breaches. Where required by the Act, we will notify the ODPC and affected data subjects without undue delay, describing the nature of the breach, likely consequences, and measures taken or proposed to mitigate harm, subject to law enforcement constraints.

16. Children and minors

Where Services are directed at or used by individuals under 18 years of age, we obtain parental or guardian consent where the Act requires, and we process personal data in the best interests of the child and for legitimate educational purposes. Parents or guardians may exercise certain rights on behalf of minors as permitted by law.

17. Direct marketing

We may send information about courses, events, or institutional updates where permitted. Where consent is required for electronic direct marketing, we will obtain it separately and clearly. You may opt out of marketing communications at any time using the unsubscribe mechanism or by contacting us.

18. Third-party websites and services

Our Services may contain links to third-party sites, plug-ins, or applications. Clicking those links or enabling those connections may allow third parties to collect or share data about you. We do not control those websites and are not responsible for their privacy statements. Please read their notices before you submit personal data to them.

19. Changes to this policy

We may update this Privacy Policy to reflect legal, regulatory, operational, or technical changes. We will publish the updated version on our website and, where changes are material, provide additional notice as appropriate (for example, a banner or email to registered users).

20. Complaints and supervisory authority (ODPC)

If you believe we have infringed your data protection rights, you may contact us first so we can try to resolve the matter. You also have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC), the independent supervisory authority for data protection in Kenya.