Privacy Policy

1. Introduction

Skulink ("we," "us," or "our") operates a school fee management platform accessible at skulink.co.zw (the "Platform"). We are committed to protecting the privacy and personal information of our users, including schools, students, parents, and guardians.

This Privacy Policy explains how we collect, use, disclose, store, and protect your personal information in accordance with the laws of Zimbabwe, including the Cyber and Data Protection Act [Chapter 12:07] ("Zimbabwe Data Protection Act"), the European Union General Data Protection Regulation ("GDPR"), and the Protection of Personal Information Act, 2013 ("POPIA") of South Africa.

Our contact details:
Skulink
608 Borrowdale Brooke Road, Harare, Zimbabwe
Email: info@skulink.co.zw

2. Information We Collect

2.1 Information Provided by Schools

When schools register and use our Platform, we collect:

• School Information: School name, registration details, physical address, contact telephone numbers, email addresses, banking details for payment settlements
• Administrator Information: Names, email addresses, telephone numbers, and login credentials of school administrators and authorized staff
• Student Records: Student names, identification numbers, grade/class information, parent/guardian contact details, fee structures, payment history, outstanding balances
• Fee Item Data: Descriptions of fee items (tuition, uniforms, activities, etc.), amounts, due dates, installment plan terms

2.2 Information Provided by Parents and Guardians

When parents or guardians make payments through our Platform, we collect:

• Personal Information: Full names, email addresses, telephone numbers
• Student Information: Name and identification of the student for whom payment is being made
• Payment Information: Payment method selection (card, Ecocash, InnBucks, cash, bank deposit), transaction amounts, payment dates, payment references
• Transaction Data: Payment confirmations, receipt downloads, email communication preferences

2.3 Automatically Collected Information

When you access our Platform, we automatically collect:

• Technical Data: IP address, browser type and version, device type, operating system, referring website URLs
• Usage Data: Pages visited, time spent on pages, click patterns, search queries within the Platform
• Session Data: Login timestamps, session duration, security tokens for authentication

2.4 Information We Do Not Collect

We do not directly collect or store full credit card numbers, CVV codes, or banking passwords. Payment card information is processed securely by PesePay, our authorized payment service provider, using industry-standard encryption and tokenization. We only receive confirmation of successful or failed transactions.

3. How We Use Your Information

We process personal information for the following lawful purposes:

3.1 Service Provision (Contractual Necessity)

• Creating and maintaining school accounts
• Managing student ledgers, tracking fees, payments, and balances
• Processing payments and generating receipts
• Facilitating installment plan management and payment reminders
• Recording cash deposits and bank reconciliation
• Providing customer support and responding to inquiries

3.2 Communication (Legitimate Interest)

• Sending payment confirmations and receipts via email
• Sending payment reminders and balance notifications
• Providing system updates, security alerts, and service announcements
• Responding to support requests and inquiries

3.3 Platform Improvement (Legitimate Interest)

• Analyzing usage patterns to improve Platform functionality
• Identifying and fixing technical issues
• Developing new features based on user needs
• Conducting aggregated statistical analysis (anonymized data)

3.4 Legal Compliance (Legal Obligation)

• Complying with financial record-keeping requirements
• Responding to lawful requests from law enforcement or regulatory authorities
• Detecting, preventing, and addressing fraud or security incidents
• Enforcing our Terms and Conditions

4. Legal Basis for Processing (GDPR)

Under GDPR, we process personal data on the following legal bases:

• Contract Performance: Processing necessary to fulfill our service agreement with schools and process payments from parents
• Legitimate Interests: Processing necessary for our legitimate business interests, such as improving services, fraud prevention, and customer support, provided these interests do not override data subject rights
• Legal Obligation: Processing required to comply with Zimbabwean law, tax regulations, and financial reporting requirements
• Consent: Where explicitly obtained for specific purposes such as marketing communications (if applicable)

5. Information Sharing and Disclosure

5.1 Third-Party Service Providers

We share personal information with the following categories of third-party service providers who process data on our behalf under strict confidentiality and security obligations:

• Payment Processor: PesePay processes online payments (card, Ecocash, InnBucks). They handle payment card data in compliance with PCI-DSS standards. We only receive transaction confirmations and do not have access to full card details.
• Cloud Infrastructure: Our Platform and database are hosted on secure cloud servers located in Europe, operated by reputable providers with ISO 27001 certification and GDPR compliance.
• Email Service Provider: We use email services to send receipts, notifications, and communication. These providers process email addresses and message content only for delivery purposes.

5.2 Schools and Parents

Information is shared between schools and parents/guardians as necessary for fee management:

• Schools can view student payment history, balances, and parent contact details they have provided
• Parents can access their own payment records and student balance information
• Payment receipts are shared with both the paying parent and the school

5.3 Legal Disclosures

We may disclose personal information when required by law or in response to:

• Valid court orders, subpoenas, or legal processes from Zimbabwean authorities
• Requests from law enforcement or regulatory bodies investigating suspected illegal activity
• Situations involving potential threats to public safety or security
• Protection of our legal rights, property, or safety, or that of our users

5.4 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, personal information may be transferred to the acquiring entity, subject to the same privacy protections outlined in this policy. We will notify affected users via email and Platform notice before any such transfer occurs.

6. Data Security

We implement industry-standard technical and organizational measures to protect personal information against unauthorized access, alteration, disclosure, or destruction:

6.1 Technical Security Measures

• Encryption: All data transmitted between your device and our servers is encrypted using TLS/SSL encryption (HTTPS)
• Database Security: Student and payment data is stored in encrypted databases with access controls and authentication
• Password Protection: User passwords are hashed using industry-standard algorithms; we cannot retrieve plaintext passwords
• Secure Infrastructure: Our servers are hosted in secure data centers with physical security, firewalls, intrusion detection, and regular security audits
• Access Controls: Personal data is accessible only to authorized personnel who require it for their job functions

6.2 Organizational Security Measures

• Regular security assessments and vulnerability testing
• Employee training on data protection and confidentiality obligations
• Data breach response procedures and incident management protocols
• Regular backups to prevent data loss

6.3 Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected individuals and relevant authorities within 72 hours as required by GDPR and Zimbabwe Data Protection Act. Notifications will include the nature of the breach, likely consequences, and measures taken to address it.

7. Data Retention

We retain personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

7.1 Retention Periods

• Active School Accounts: Student and payment data is retained for the duration of the school's active subscription
• Financial Records: Payment transaction records are retained for a minimum of 7 years to comply with tax and accounting regulations in Zimbabwe
• Inactive Accounts: If a school account becomes inactive, data is retained for 2 years before archival or deletion, unless the school requests earlier deletion
• Backups: Data in backup systems may persist for up to 90 days after deletion from active systems

7.2 Deletion Process

When retention periods expire or upon receiving a valid deletion request, we securely delete or anonymize personal information using irreversible methods. Anonymized data may be retained indefinitely for statistical analysis as it no longer constitutes personal data.

8. Your Data Protection Rights

Under the Zimbabwe Data Protection Act, GDPR, and POPIA, you have the following rights regarding your personal information:

8.1 Right of Access

You have the right to request a copy of the personal information we hold about you. We will provide this information in a commonly used electronic format within 30 days of your request, free of charge for the first request.

8.2 Right to Rectification

You have the right to request correction of inaccurate or incomplete personal information. Schools can update most information directly through the Platform. Parents can request corrections by contacting us or the relevant school.

8.3 Right to Erasure ("Right to be Forgotten")

You have the right to request deletion of your personal information in certain circumstances:

• The data is no longer necessary for the purposes for which it was collected
• You withdraw consent (where consent was the legal basis for processing)
• You object to processing and there are no overriding legitimate grounds
• The data has been unlawfully processed

Note: We may be required to retain certain financial records for legal compliance, even after a deletion request.

8.4 Right to Restrict Processing

You have the right to request that we limit how we use your personal information while a dispute about accuracy or lawfulness is being resolved.

8.5 Right to Data Portability

You have the right to request that we transfer your data to another service provider in a structured, commonly used, machine-readable format (e.g., CSV export of payment records).

8.6 Right to Object

You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.

8.7 How to Exercise Your Rights

To exercise any of these rights, please contact us at:
Email: info@skulink.co.zw
Subject line: "Data Protection Request - [Your Name]"

We will respond to your request within 30 days. We may request additional information to verify your identity before processing your request to protect against unauthorized access to your data.

9. International Data Transfers

Your personal information is stored on secure servers located in Europe. This means your data is transferred from Zimbabwe to the European Union, which is recognized as providing an adequate level of data protection under GDPR.

We ensure that all international data transfers comply with applicable data protection laws through:

• Using cloud service providers that are GDPR-compliant and ISO 27001 certified
• Implementing appropriate technical and organizational security measures
• Ensuring contractual obligations with service providers include data protection clauses equivalent to those required under GDPR

10. Children's Privacy

Our Platform is designed for use by schools and parents/guardians. While we process information about students (including minors), we do not knowingly collect personal information directly from children under the age of 18 without parental or school consent.

Student information is provided by schools or parents/guardians who have legal authority over the child. Schools are responsible for obtaining appropriate consents from parents/guardians before adding student information to the Platform.

Parents/guardians have the right to access, review, and request deletion of their child's information by contacting the school or us directly at info@skulink.co.zw.

11. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience on our Platform.

11.1 What Are Cookies?

Cookies are small text files stored on your device when you visit our Platform. They help us recognize your device and remember your preferences.

11.2 Types of Cookies We Use

• Essential Cookies: Necessary for the Platform to function (e.g., session management, authentication). These cannot be disabled.
• Analytics Cookies: Help us understand how users interact with the Platform (e.g., Vercel Analytics) to improve functionality. These are anonymized and do not identify individual users.

11.3 Managing Cookies

You can control cookies through your browser settings. Note that disabling essential cookies may affect Platform functionality and prevent you from accessing certain features.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Platform functionality. When we make material changes, we will:

• Update the "Last Updated" date at the top of this policy
• Notify schools via email to their registered email address
• Display a prominent notice on the Platform for 30 days

Continued use of the Platform after changes become effective constitutes acceptance of the updated policy. If you do not agree to the changes, you may discontinue use of the Platform and request deletion of your data.

13. Complaints and Regulatory Authorities

If you believe we have not handled your personal information in accordance with this Privacy Policy or applicable data protection laws, you have the right to lodge a complaint with:

• Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ)
  Data Protection Unit
  Website: www.potraz.gov.zw
• European Data Protection Supervisor (if you are in the EU)
  Website: edps.europa.eu

We encourage you to contact us first at info@skulink.co.zw so we can attempt to resolve your concern directly.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: