Last Updated: April 2026 | Version: 1.0
This Privacy Policy explains how ASMS ("we", "our", "the Platform") collects, uses, stores, processes, shares, and protects personal data in connection with our school management SaaS platform. We are committed to compliance with the Ghana Data Protection Act 2012 (Act 843) and applicable international data protection principles.
By registering for or using ASMS, you acknowledge that you have read, understood, and agree to this Privacy Policy.
1. Data Controller Identity
ASMS is the Data Controller responsible for personal data collected on this platform. We are registered as required under Act 843 and are subject to oversight by the Data Protection Commission of Ghana.
- Platform: ASMS
- Website: http://localhost:8000
- Data Protection Officer: dpo@africaschoolsystem.com
- Contact: privacy@africaschoolsystem.com
School owners who subscribe to and administer the platform act as Data Controllers for the personal data of their students, parents, and staff. ASMS acts as a Data Processor for that school-level data.
2. Scope of This Policy
This policy applies to:
- Superadministrators and platform staff
- School Owners and School Administrators who subscribe to the platform
- Teachers and non-teaching school staff
- Students and their Parents/Guardians
- Visitors to our website and public pages
3. Categories of Personal Data Collected
3.1 Identity Data
- Full name, date of birth, gender, nationality
- Ghana Card number or other national identification (where supplied)
- Passport-style photographs
3.2 Contact Data
- Email address, phone/mobile numbers, physical address
- Parent or guardian contact information
3.3 Academic & Educational Data
- Class enrolment, academic programmes and programmes of study
- Examination results, marks, grades, transcripts, and report cards
- Attendance records and conduct/disciplinary notes
- Assignments, homework submissions, and assessment scores
- Promotion and academic progression records
3.4 Financial Data
- Subscription plan details, billing information, invoice history
- School fees invoiced and paid, outstanding balances
- Payment transaction references (processed by Paystack — we do not store full card numbers)
3.5 Health & Special Categories Data
- Medical or dietary information where submitted for boarding/welfare purposes
- Disability status or learning support needs
Special categories of personal data are processed only where you have given explicit consent or where processing is required by law.
3.6 Technical & Usage Data
- IP addresses, browser type, device identifiers
- Login timestamps, session activity logs
- Cookies and similar tracking technologies (see Section 11)
3.7 Communications Data
- Messages sent through the platform's internal messaging or SMS features
- Notification preferences and communication history
4. Legal Bases for Processing (Act 843 Compliance)
We process personal data only where one or more of the following lawful bases applies, as recognised under Act 843 and aligned with international data protection principles:
- Consent: Where you have freely given, specific, and informed consent — e.g., marketing communications, optional profile data.
- Contractual necessity: To fulfil our service agreement with you — e.g., account creation, subscription management, fee processing.
- Legal obligation: Where processing is required by Ghanaian law — e.g., tax records, regulatory compliance.
- Legitimate interests: Where processing is necessary for our legitimate business interests and does not override your rights — e.g., platform security, fraud prevention, product improvement.
- Vital interests: In extraordinary circumstances to protect life or safety.
5. How We Use Your Personal Data
- To create and manage your account and provide platform services
- To process subscription payments and school fee transactions
- To generate academic records, report cards, and transcripts
- To send notifications (push, in-app, SMS, email) about platform activity
- To support data portability and parent/guardian access to student records
- To respond to your support enquiries
- To comply with audit, legal, and regulatory requirements
- To improve platform security, reliability, and features (using anonymised analytics where possible)
- To send service-related communications — you may not opt out of these
- To send optional marketing communications — you may opt out at any time
6. Data Sharing & Third Parties
We do not sell your personal data. We share data only as follows:
6.1 Payment Processors
Paystack (a Stripe company, operating in Ghana) processes card and mobile money payments on our behalf. Paystack is PCI-DSS compliant. Their privacy policy is available at paystack.com/gh/privacy.
6.2 SMS Gateway Providers
We use licensed SMS aggregators to deliver system notifications and school communications. Only the recipient phone number and message content are shared.
6.3 Cloud Infrastructure
Our platform is hosted on secure cloud servers. Our hosting providers process data on our instructions and are bound by data processing agreements.
6.4 Legal Disclosure
We may disclose personal data where required by a Ghanaian court order, the Data Protection Commission, or another competent authority.
6.5 School-to-School
We do not share a student's personal or academic data with another school without the explicit instruction of the school owner or an authorised administrator.
7. Cross-Border Data Transfers
Some of our cloud infrastructure and third-party processors (e.g., Paystack, cloud hosting) may transfer or store data outside Ghana. Where such transfers occur, we ensure adequate safeguards are in place, including:
- Standard contractual clauses recognised under Act 843 Section 33
- Transfers to countries with equivalent data protection standards
8. Data Retention
We retain personal data only as long as necessary for its original purpose, or as required by law:
- Active accounts: Data is retained for the duration of the subscription.
- Inactive/cancelled accounts: Data is retained for 12 months after cancellation, then permanently deleted or anonymised unless a legal hold applies.
- Academic records: Schools may request export of all academic records before account closure. Transcripts and progression records may be retained for up to 7 years in line with education regulatory requirements.
- Financial records: Payment and invoice records are retained for a minimum of 5 years per Ghana Revenue Authority requirements.
- Audit/security logs: Retained for 1 year.
- Backups: Purged on a rolling 30-day cycle.
9. Your Rights as a Data Subject (Act 843)
Under the Ghana Data Protection Act 2012, you have the following rights:
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate or incomplete data.
- Right to erasure: Request deletion of your data where processing is no longer necessary or was unlawful (subject to legal retention obligations).
- Right to data portability: Receive your data in a structured, machine-readable format.
- Right to object: Object to processing based on legitimate interests or for direct marketing.
- Right to restrict processing: Request limitation of processing in certain circumstances.
- Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
- Right to lodge a complaint: Submit a complaint to the Data Protection Commission of Ghana at dataprotection.org.gh.
To exercise these rights, email privacy@africaschoolsystem.com. We will respond within 21 days in accordance with Act 843.
10. Data Security
We implement layered security controls including:
- TLS/HTTPS encryption in transit for all data
- AES-256 encryption at rest for sensitive fields
- Bcrypt password hashing — passwords are never stored in plaintext
- Role-based access controls (RBAC) enforced at every layer
- Audit logging of privileged operations
- Automatic session expiry and re-authentication on privilege escalation
- Regular vulnerability assessments and patching
Despite our measures, no system is entirely immune from breach. In the event of a data breach affecting your rights, we will notify affected users and the Data Protection Commission as required by law.
11. Cookies & Tracking Technologies
We use the following cookies:
- Essential cookies: Session management, CSRF protection — required for platform operation.
- Preference cookies: Store your language or UI preferences.
- Analytics cookies: Anonymised usage statistics to improve the platform (you may opt out).
We do not use third-party advertising tracking cookies.
12. Children's Data
Student data, including that of minors, is processed under the direction of the subscribing school (the Data Controller for school data). Schools are responsible for ensuring appropriate legal bases (parental consent where required) before submitting minors' data to the platform. ASMS does not directly market to or collect data directly from children under 13.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Where changes are material, you will be required to re-accept the updated policy via the platform's consent system. The version number and effective date at the top of this document will reflect the latest revision. Continued use of the platform after changes take effect constitutes acceptance.
14. Contact & DPA Officer
For all data protection enquiries, requests, or complaints:
- Email: privacy@africaschoolsystem.com
- Data Protection Officer: dpo@africaschoolsystem.com
- Regulator: Data Protection Commission of Ghana — dataprotection.org.gh