Privacy Policy
Version 2.0. Last updated: 13 July 2026.
This Policy is maintained by Karo Edpay Ltd, operator of the Karo school-operations platform, and is supported by the standalone Data Processing Agreement and the public Data Protection Impact Assessment.
Who this covers
This policy describes how Karo handles information about schools, staff members, students, and guardians whose records the school enters into the platform.
Roles
Each school is the data controller for the records it enters. Karo Edpay Ltd, operator of the Karo platform, is the data processor and acts only on the school's documented instructions. The controller and processor obligations are set out in full in the standalone Data Processing Agreement which every school owner accepts on first sign-in.
What we collect
- Account information: full name, phone number, and email for staff logins.
- School records: student and guardian information the School enters.
- Financial records: invoices, receipts, and payment references processed through the platform.
- Operational metadata: login timestamps and audit-log entries so owners can review activity.
We do not process special-category data (health, religion, biometrics) in the ordinary course of business. Payment card and mobile-money credentials are never stored on Karo; those are held by the regulated payment processor.
Data minimisation for parents
Karo collects only what fee collection needs. A guardian's name and phone number are enough to send an invoice, take a payment, and return a receipt. Karo does not ask parents for identity documents, addresses, or income. Parents pay through a regulated payment processor. Card and mobile-money details are never stored on Karo.
How we use it
Solely to operate the platform for the school. Karo does not sell information. Karo does not share it with advertisers. Karo does not train third-party AI on it.
Sub-processors we use
To run the platform we engage the following categories of sub-processor, each bound by a written data-protection agreement no less protective than our DPA:
- Cloud hosting and database — Supabase, hosted on Amazon Web Services in a region approved for the school's data residency.
- Messaging — Twilio (WhatsApp and SMS), Africa's Talking (SMS alternative where available), Resend (transactional email).
- Payments — Paystack, for card and mobile-money settlement into the school's own bank account.
- PDF generation and delivery — Karo's own document orchestrator and the storage layer above.
Karo notifies schools at least thirty (30) days before adding or changing a sub-processor.
Data isolation between schools
Every school's data is sealed in its own tenant. Row-level rules apply to every read and write. A staff member from one school cannot see another school's students, invoices, payments, or reports. Support access follows the same rules and is logged.
Encryption
All traffic between browsers, phones, and Karo is encrypted in transit. Databases, backups, and file storage are encrypted at rest. Passwords are stored as one-way hashes and are never legible to staff, support, or the platform itself.
Account security
Two-step verification is on for every account. A one-time code is sent to the registered phone at every sign in. Biometric sign-in (Face or fingerprint) is available as a fast alternative on the user's own device. Sensitive actions, such as adding or changing a bank account, require a fresh verification code every time.
Financial record integrity
Invoices and receipts are permanent once issued. Corrections are made by cancelling and re-issuing, so the original record survives. Every action that touches money is written to an append-only audit trail with the user, timestamp, and change. Auditors can be given a read-only export.
Bank detail protection
Only the school owner can add or change bank details. Every change requires a password re-entry and a fresh code to the registered phone. New bank accounts sit on an activation hold before they can receive funds. All owners are notified by email each time a bank change is initiated or completed.
Retention and recovery
We apply the maximum lawful retention period, so records are available for as long as auditors and courts might reasonably need them:
- Financial records — invoices, receipts, payments, payment allocations, and the append-only audit log: retained for 7 years from the date each record was created, in line with Kenyan tax and public-audit statutes.
- Operational records — students, guardians, staff, message logs, branding assets: retained in a 30-day archive after deletion from the app, from which an owner may restore. After 30 days the archive is purged, unless a legal hold applies.
- DPA and Terms acceptance records: retained for 10 years as legal evidence of the version each user signed under.
- Backups: 30-day rolling schedule; after 30 days the backup is overwritten.
Records held for legal reasons persist beyond the archive window. A school may request earlier deletion of its own operational records at any time.
Breach notification
If Karo confirms a personal-data breach affecting a school's data, we notify that school within 72 hours of confirmation with a written description of the incident, the data affected, and the mitigations taken, so the school can meet its own notification duties under the Act or GDPR.
International transfers
Where personal data is transferred outside Kenya, or outside the European Economic Area for GDPR-subject schools, Karo relies on an adequacy decision, the European Commission's Standard Contractual Clauses (2021/914), or the Office of the Data Protection Commissioner-approved safeguards, whichever apply. A copy of the applicable safeguard is available on request.
Your rights and privacy requests
To access, correct, export, or delete personal information held about you, or to raise a privacy question, write to info@karoschool.net . Requests from parents about their own or their children's records are routed to the school that entered the data, since the school is the data controller. Karo assists that school in responding.
See also the Terms of Service, the Data Processing Agreement, and the Data Protection Impact Assessment.
