Privacy and Security

1. Introduction

Welcome to the Finndemy platform. This Privacy and Security Manual outlines how we protect your personal information, maintain platform security, and ensure compliance with data protection regulations. This document applies to all users, including learners, trainers, administrators, and visitors.

Our Commitment

We are committed to:

  • Protecting your personal information and privacy
  • Maintaining the highest security standards
  • Being transparent about our data practices
  • Complying with applicable privacy laws and regulations
  • Providing you with control over your personal data

2. Data Collection and Usage

Personal Information We Collect

Registration Data

  • Full name
  • Email address
  • Username and password
  • Profile photograph (optional)
  • Contact information (phone number, address if required)
  • Professional information (job title, organization)

Learning Activity Data

  • Course enrollment and completion status
  • Quiz scores and assignment submissions
  • Learning progress and time spent on courses
  • Forum posts and discussion participation
  • Certificate and badge achievements
  • Login history and last activity timestamps

Technical Data

  • IP address and geographic location
  • Browser type and version
  • Device information (type, operating system)
  • Website usage patterns and navigation data
  • Cookies and tracking data
  • Error logs and system diagnostics

Communication Data

  • Messages sent through platform messaging system
  • Support ticket communications
  • Email communications related to your account
  • Feedback and survey responses

How We Use Your Information

Educational Purposes

  • Delivering course content and tracking progress
  • Generating completion certificates
  • Personalizing learning experiences
  • Providing progress reports to trainers/administrators
  • Facilitating peer-to-peer learning interactions

Platform Operations

  • Creating and managing user accounts
  • Authenticating user access
  • Providing customer support
  • Improving platform functionality
  • Troubleshooting technical issues

Communication

  • Sending course-related notifications
  • Platform updates and maintenance notices
  • Marketing communications (with consent)
  • Security alerts and important account information

Legal and Compliance

  • Meeting regulatory requirements
  • Protecting against fraud and abuse
  • Enforcing terms of service
  • Responding to legal requests

Legal Basis for Processing

We process your personal data based on:

  • Contract Performance: Processing necessary to provide educational services
  • Legitimate Interest: Platform security, improvements, and analytics
  • Consent: Marketing communications and optional features
  • Legal Obligation: Compliance with applicable laws and regulations

3. User Rights and Control

Your Privacy Rights

Under applicable data protection laws, you have the right to:

Access Rights

  • Request a copy of all personal data we hold about you
  • Receive information about how your data is processed
  • Access your learning records and progress data

Correction Rights

  • Update or correct inaccurate personal information
  • Complete incomplete data records
  • Modify profile information at any time

Deletion Rights

  • Request deletion of your personal data (right to be forgotten)
  • Remove optional information from your profile
  • Delete your account and associated data

Portability Rights

  • Receive your personal data in a machine-readable format
  • Transfer your learning records to another platform
  • Export course completion certificates and transcripts

Objection Rights

  • Opt-out of marketing communications
  • Object to processing based on legitimate interest
  • Withdraw consent for optional data processing

How to Exercise Your Rights

Self-Service Options

  • Update profile information through account settings
  • Modify privacy preferences in your dashboard
  • Download your learning data and certificates
  • Unsubscribe from marketing emails

Contact Support

  • Submit requests through our support system
  • Email our Data Protection Officer
  • Use the privacy request form on our website
  • Contact us by phone during business hours

Response Timeframes

  • Account Updates: Immediate through self-service
  • Data Requests: Within 30 days of verification
  • Deletion Requests: Within 30 days (may take longer for complete removal)
  • Urgent Security Issues: Within 72 hours

4. Security Measures

Technical Safeguards

Data Encryption

  • In Transit: All data transmitted using TLS 1.3 encryption
  • At Rest: Database encryption using AES-256 standards
  • Backup Encryption: All backups encrypted and securely stored
  • Password Protection: Passwords hashed using bcrypt algorithm

Access Controls

  • Multi-factor authentication (MFA) available for all users
  • Role-based access control (RBAC) system
  • Principle of least privilege implementation
  • Regular access reviews and permission audits

Network Security

  • Web Application Firewall (WAF) protection
  • DDoS protection and rate limiting
  • Intrusion detection and prevention systems
  • Regular security scanning and vulnerability assessments

Infrastructure Security

  • Secure hosting environment with 24/7 monitoring
  • Regular security patches and updates
  • Isolated database servers
  • Backup systems with geographic redundancy

Administrative Safeguards

Staff Training

  • Regular security awareness training for all staff
  • Data handling and privacy training programs
  • Incident response training and drills
  • Background checks for personnel with data access

Policies and Procedures

  • Comprehensive information security policies
  • Data classification and handling procedures
  • Incident response and breach notification protocols
  • Vendor management and third-party security requirements

Monitoring and Auditing

  • 24/7 security monitoring and alerting
  • Regular security audits and assessments
  • Compliance monitoring and reporting
  • User activity logging and analysis

Physical Safeguards

Data Center Security

  • Biometric access controls
  • 24/7 physical security monitoring
  • Environmental controls and disaster protection
  • Secure destruction of physical media

5. Account Security Guidelines

Password Requirements

Minimum Standards

  • At least 8 characters in length
  • Combination of uppercase and lowercase letters
  • At least one number and one special character
  • Cannot contain personal information or common dictionary words
  • Must be unique and not reused from previous passwords

Best Practices

  • Use unique passwords for each online account
  • Consider using a password manager
  • Change passwords if you suspect compromise
  • Avoid sharing passwords with others

Multi-Factor Authentication (MFA)

Available Methods

  • SMS text message codes
  • Authenticator app (Google Authenticator, Authy)
  • Email verification codes
  • Hardware security keys (FIDO2/WebAuthn)

Setup Instructions

  1. Navigate to Account Settings > Security
  2. Click “Enable Multi-Factor Authentication”
  3. Choose your preferred method
  4. Follow the setup wizard
  5. Save backup codes in a secure location

Account Security Tips

Safe Login Practices

  • Always log out when using shared computers
  • Verify the website URL before entering credentials
  • Be cautious of phishing emails and suspicious links
  • Use secure, private networks when possible

Recognizing Security Threats

  • Phishing Emails: Unexpected requests for login credentials
  • Suspicious Activity: Unfamiliar login locations or times
  • Social Engineering: Requests for personal information via phone/email
  • Malware: Unexpected software installations or computer behaviour

Reporting Security Concerns

  • Immediately report suspected account compromise
  • Forward suspicious emails to our security team
  • Use the security incident reporting form
  • Contact support for any security-related questions

6. Data Storage and Retention

Data Storage Locations

Primary Storage

  • Secure cloud infrastructure with enterprise-grade security
  • Data centers located in [specify regions based on your setup]
  • Redundant storage across multiple geographic locations
  • Regular backup and disaster recovery procedures

Data Residency

  • User data stored in compliance with local data residency requirements
  • Option to specify preferred data storage regions (where available)
  • Cross-border data transfer protections in place
  • Compliance with international data transfer regulations

Retention Periods

Active User Data

  • Account Information: Retained while account is active plus 90 days after deletion request
  • Learning Records: Retained for 7 years for educational compliance purposes
  • Communication Data: Retained for 3 years unless longer retention required by law
  • Technical Logs: Retained for 1 year for security and troubleshooting purposes

Inactive Accounts

  • Accounts inactive for 3 years receive deletion warning
  • Data deleted 90 days after final deletion notice
  • Essential records retained as required by law
  • Users can reactivate accounts before deletion deadline

Legal Requirements

  • Some data may be retained longer to comply with legal obligations
  • Court orders or regulatory requirements may extend retention periods
  • Users will be notified of extended retention when legally permissible

Data Deletion Process

User-Initiated Deletion

  1. Submit deletion request through account settings or support
  2. Identity verification required for security
  3. 30-day grace period before permanent deletion
  4. Final confirmation required before processing
  5. Deletion confirmation sent to registered email

Automatic Deletion

  • Temporary files deleted within 30 days
  • Log files deleted according to retention schedule
  • Backup data deleted according to backup retention policy
  • Anonymized data may be retained for analytics

7. Third-Party Integrations

Integrated Services

Payment Processing

  • Service: [Specify payment processors used]
  • Data Shared: Payment information, transaction records
  • Security: PCI DSS compliant processing
  • Privacy Policy: Available at processor’s website

Analytics and Performance

  • Service: [Specify analytics tools used]
  • Data Shared: Usage statistics, performance metrics (anonymized)
  • Purpose: Platform improvement and optimization
  • Control: Users can opt-out through privacy settings

Communication Tools

  • Email Services: For platform notifications and communications
  • Video Conferencing: For live sessions and webinars
  • Chat Systems: For real-time support and communication
  • Data Sharing: Limited to functional requirements only

Content Delivery

  • CDN Services: For fast content delivery worldwide
  • Cloud Storage: For course materials and user uploads
  • Security: Encrypted transmission and storage
  • Access Controls: Restricted to authorized personnel only

Third-Party Security Standards

Vendor Requirements

  • All vendors must meet our security standards
  • Regular security assessments and audits required
  • Data processing agreements in place
  • Incident notification requirements established

Data Sharing Principles

  • Minimum necessary data sharing only
  • Purpose limitation for all shared data
  • Contractual data protection requirements
  • Regular review of data sharing practices

User Control Over Third-Party Data

Opt-Out Options

  • Disable non-essential integrations
  • Limit data sharing where possible
  • Access third-party privacy controls
  • Request data deletion from third-party services

8. Compliance Standards

Regulatory Compliance

GDPR (General Data Protection Regulation)

  • Lawful basis for all data processing activities
  • Privacy by design and default implementation
  • Data Protection Impact Assessments (DPIA) conducted
  • EU representative appointed where required

CCPA (California Consumer Privacy Act)

  • Consumer rights notifications provided
  • Opt-out mechanisms for data sales (we do not sell data)
  • Disclosure of data sharing practices
  • Non-discrimination policies in place

FERPA (Family Educational Rights and Privacy Act)

  • Educational record protection for eligible institutions
  • Directory information policies established
  • Parental consent procedures for minors
  • Record access and correction procedures

Other Applicable Laws

  • PIPEDA (Canada), LGPD (Brazil), and other regional privacy laws
  • Industry-specific regulations as applicable
  • Accessibility standards compliance (WCAG 2.1 AA)
  • Data localization requirements where applicable

Security Frameworks

ISO 27001

  • Information Security Management System (ISMS) implemented
  • Regular internal and external audits conducted
  • Continuous improvement processes in place
  • Risk management procedures established

SOC 2 Type II

  • Independent security audits completed annually
  • Controls for security, availability, and confidentiality
  • Third-party validation of security practices
  • Audit reports available to enterprise customers

Educational Standards

Quality Standards

  • Course content quality assurance processes
  • Accessibility standards for educational content
  • Learning outcome measurement and reporting
  • Continuous improvement based on feedback

9. Incident Response

Security Incident Types

Data Breaches

  • Unauthorized access to personal data
  • Accidental disclosure of user information
  • System compromises affecting user data
  • Third-party vendor security incidents

System Security Issues

  • Malware or virus infections
  • Unauthorized system access attempts
  • Denial of service attacks
  • Application security vulnerabilities

Privacy Incidents

  • Inappropriate data collection or use
  • Failure to honor user privacy choices
  • Third-party privacy violations
  • Data retention policy violations

Incident Response Process

Detection and Analysis

  1. Immediate Assessment: Severity and scope evaluation
  2. Impact Analysis: Affected users and data types identified
  3. Root Cause Analysis: Investigation of incident origin
  4. Documentation: Detailed incident recording and tracking

Containment and Eradication

  1. Immediate Containment: Stop ongoing unauthorized access
  2. System Isolation: Isolate affected systems if necessary
  3. Threat Removal: Remove malicious software or close vulnerabilities
  4. Security Enhancement: Implement additional protective measures

Recovery and Lessons Learned

  1. System Restoration: Restore systems to normal operation
  2. Monitoring: Enhanced monitoring for recurring issues
  3. Process Improvement: Update policies and procedures
  4. Training Updates: Additional staff training if needed

User Notification

Notification Timeline

  • Immediate: Critical security threats requiring user action
  • 72 Hours: Regulatory notification requirements
  • 30 Days: Comprehensive incident reports to affected users
  • Ongoing: Regular updates during extended incidents

Notification Methods

  • Email alerts to affected users
  • Platform notifications and banners
  • Website announcements for major incidents
  • Direct contact for high-risk situations

Information Provided

  • Nature and scope of the incident
  • Types of information involved
  • Steps taken to address the incident
  • Actions users should take
  • Contact information for questions

Prevention Measures

Proactive Security

  • Regular security assessments and penetration testing
  • Automated vulnerability scanning and patching
  • Security awareness training for all staff
  • Incident simulation and response drills

Continuous Monitoring

  • 24/7 security monitoring and alerting
  • User behavior analytics and anomaly detection
  • System performance and availability monitoring
  • Third-party security monitoring services

10. Contact Information

General Support

  • Email: info@finndemy.com
  • Phone: +254719560656