Your Privacy Matters

Privacy Policy

How Sama Tech Institute Kenya collects, uses, and protects your personal data in compliance with the Kenya Data Protection Act, 2019.

Last Updated: December 1, 2024

1. Introduction & Scope

Welcome to Sama Tech Institute Kenya ("we," "our," or "us"). We are committed to protecting your privacy and ensuring your personal data is handled securely, transparently, and in full compliance with the Kenya Data Protection Act, 2019 and other applicable laws.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website samatech.co.ke, enroll in our IT certification courses (CCNA, CCNP, Cyber Security, Python, Linux), contact us via WhatsApp, or interact with our services.

🇰🇪 Kenya Compliance: This policy aligns with the Office of the Data Protection Commissioner (ODPC) guidelines. Our Data Protection Officer (DPO) is registered with the ODPC under registration number [ODPC-XXXXX].

2. Data We Collect

We collect information that you voluntarily provide to us, as well as information automatically collected when you use our services:

Personal Information
  • Full name
  • Phone number (for M-Pesa & WhatsApp)
  • Email address
  • County/Location in Kenya
  • Educational background
  • Professional experience

Enrollment Data
  • Course selections (CCNA, CEH, Python, etc.)
  • Preferred schedule (evening/weekend)
  • Payment method preference
  • Career goals & interests
  • Certification exam preferences

Technical Data
  • IP address & device type
  • Browser type & version
  • Pages visited & time spent
  • Referral source (Google, WhatsApp, etc.)
  • Cookie preferences

Communication Data
  • WhatsApp message content
  • Email correspondence
  • Support ticket details
  • Feedback & testimonials (with consent)

What we DON'T collect: We do not collect sensitive personal data such as national ID numbers, KRA PINs, bank account details (beyond M-Pesa transaction references), health information, or biometric data unless explicitly required for certification exam registration (and only with your explicit consent).

3. How We Use Your Data

We use your personal data for the following lawful purposes under the Kenya Data Protection Act:

  • Course Enrollment & Delivery: To process your registration, provide access to learning materials, schedule live sessions, and issue certificates upon completion.
  • Payment Processing: To verify M-Pesa transactions, send payment confirmations, and manage installment plans securely.
  • Communication: To respond to your inquiries via WhatsApp, email, or phone; send course updates, reminders, and important announcements.
  • Personalization: To recommend courses based on your interests, career goals, and learning progress.
  • Quality Improvement: To analyze course engagement, gather feedback, and enhance our training programs for Kenyan learners.
  • Legal Compliance: To maintain records as required by Kenyan education and data protection regulations.
  • Marketing (with consent): To send you relevant offers, new course launches, or career resources. You can opt out anytime.

🔐 Lawful Basis: We process your data based on: (1) your consent, (2) performance of a contract (enrollment), (3) legitimate interests (service improvement), and (4) legal obligations (Kenyan law).

4. 🔒 M-Pesa Payment Security

We understand that payment security is critical for Kenyan users. Here's how we protect your M-Pesa transactions:

  • No Card/Bank Storage: We never store your M-Pesa PIN, bank account numbers, or credit card details on our servers.
  • Transaction References Only: We only retain M-Pesa transaction codes (e.g., QHH123XYZ) for payment verification and receipt generation.
  • Encrypted Processing: All payment data is transmitted via SSL/TLS encryption (HTTPS) and processed through Safaricom's secure Daraja API.
  • PCI-DSS Alignment: While M-Pesa is not card-based, we follow Payment Card Industry security principles for all financial data handling.
  • Receipts & Records: You'll receive an SMS and email receipt for every payment. Records are retained for 7 years per Kenyan tax regulations.

For installment plans: We store your agreed payment schedule and send automated reminders via WhatsApp/SMS. You can modify or cancel installments anytime by contacting us.

5. Cookies & Tracking Technologies

Our website uses cookies and similar technologies to enhance your experience. You can manage your preferences via our cookie banner or browser settings.

Cookie Type | Purpose | Duration | Can You Opt Out?
Essential | Website functionality, login sessions, security | Session to 1 year | No (required for service)
Analytics | Understand usage patterns, improve courses (Google Analytics) | 2 years | Yes (via cookie banner)
Functional | Remember language, region, course preferences | 1 year | Yes
Marketing | Measure ad effectiveness, retargeting (with consent) | 180 days | Yes (explicit consent required)

Managing Cookies: You can disable cookies in your browser settings, but some features (like course progress tracking) may not work optimally. For Google Analytics opt-out, visit: Google Analytics Opt-out.

6. Data Sharing & Third Parties

We do not sell, rent, or trade your personal data. We may share your information only in the following limited circumstances:

  • Certification Bodies: With your explicit consent, we share minimal required data (name, email, exam eligibility) with Cisco, EC-Council, or CompTIA for official exam registration.
  • Service Providers: Trusted partners who assist with website hosting (Cloudflare), email delivery (SendGrid), or WhatsApp Business API. All partners sign data processing agreements compliant with Kenyan law.
  • Legal Requirements: If required by Kenyan law, court order, or government authority (e.g., ODPC investigation), we may disclose data to the extent legally mandated.
  • Business Transfers: In the unlikely event of a merger or acquisition, user data would be transferred under strict confidentiality and privacy safeguards.

🤝 Partner Vetting: All third-party processors undergo security audits and must comply with the Kenya Data Protection Act. We maintain a register of processors available upon request.

7. ✊ Your Rights Under Kenyan Law

As a data subject under the Kenya Data Protection Act, 2019, you have the following rights regarding your personal data:

  • Right to Access: Request a copy of the personal data we hold about you.
  • Right to Correction: Request correction of inaccurate or incomplete data.
  • Right to Deletion: Request deletion of your data ("right to be forgotten"), subject to legal retention requirements.
  • Right to Restrict Processing: Ask us to pause processing of your data in certain circumstances.
  • Right to Data Portability: Receive your data in a structured, machine-readable format to transfer to another provider.
  • Right to Object: Object to processing based on legitimate interests or direct marketing.
  • Right to Withdraw Consent: Withdraw consent at any time where processing is consent-based (e.g., marketing emails).

How to Exercise Your Rights: Contact our Data Protection Officer (details below) with your request. We will respond within 21 days as required by law. No fee is charged unless requests are manifestly unfounded or excessive.

8. 🔐 Data Retention & Security Measures

Retention Periods:

  • Enrollment Data: Retained for 7 years after course completion (Kenyan education records requirement).
  • Payment Records: Retained for 7 years per Kenya Revenue Authority guidelines.
  • Marketing Preferences: Retained until you unsubscribe or request deletion.
  • Website Analytics: Aggregated, anonymized data retained indefinitely; personal identifiers deleted after 26 months.

Security Safeguards:

  • 🔒 End-to-end encryption for data in transit (TLS 1.3) and at rest (AES-256)
  • 🛡️ Regular security audits, vulnerability scanning, and penetration testing
  • 👥 Staff training on data protection and confidentiality
  • 🔑 Role-based access controls; principle of least privilege
  • 📋 Incident response plan for data breaches (notification within 72 hours per ODPC rules)
  • ☁️ Secure cloud infrastructure (Cloudflare, AWS Africa regions where applicable)

9. 👶 Children's Privacy

Our courses are designed for professionals and students aged 16 and above. We do not knowingly collect personal data from children under 16 years of age. If you are a parent or guardian and believe your child has provided us with personal data, please contact our Data Protection Officer immediately. We will take steps to delete such information from our records.

For learners aged 16-18, we require parental/guardian consent during enrollment and provide additional privacy safeguards in line with Kenyan child protection guidelines.

10. 🌍 International Data Transfers

Sama Tech Institute Kenya is headquartered in Nairobi. However, some of our service providers (e.g., Cloudflare for CDN, SendGrid for email) may process data outside Kenya.

When we transfer personal data internationally, we ensure:

  • ✅ The recipient country has adequate data protection laws (as recognized by the ODPC), OR
  • ✅ We implement appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the ODPC, OR
  • ✅ We obtain your explicit consent for the transfer after informing you of potential risks.

All international transfers comply with Part VIII of the Kenya Data Protection Act, 2019.

11. 🔄 Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, or Kenyan law. When we do:

  • We will update the "Last Updated" date at the top of this page.
  • For material changes, we will notify you via email, WhatsApp, or a prominent notice on our website.
  • Your continued use of our services after changes constitutes acceptance of the updated policy.

We encourage you to review this policy periodically. The current version is always available at: samatech.co.ke/privacy.html.

12. 📬 Contact Our Data Protection Officer

For questions about this Privacy Policy, to exercise your data rights, or to report a privacy concern, please contact our Data Protection Officer:

Data Protection Officer

Sama Tech Institute Kenya
Westlands Business Park, Nairobi, Kenya

dpo@samatech.co.ke

+254 742 314 119

Response within 21 days per Kenya Data Protection Act

Complaints to Regulator: If you believe we have not addressed your concern adequately, you have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC) Kenya.

Thank you for trusting Sama Tech Institute Kenya with your learning journey. We are committed to protecting your privacy every step of the way.