Privacy Policy
Effective Date: April 25, 2026
Version: 3
Data Controller: Ctrl+Shift
ODPC registration reference: {{ odpc_registration_reference }}
1. Who we are
Ctrl+Shift (trading as Ctrl+Shift) is the data controller for personal data processed through https://ctrlshiftapp.org/ and all related Services. Our registered office is at {{ registered_office_address }}.
For the purposes of the Kenya Data Protection Act, 2019 ("KDPA"), we are registered with the Office of the Data Protection Commissioner under reference {{ odpc_registration_reference }}.
Data Protection Officer: Sue (dpo@ctrlshiftapp.org).
2. Scope
This Policy explains what personal data we collect, why we collect it, how we use it, with whom we share it, how long we keep it, and your rights. It applies to all Users of the Platform — Learners, Instructors, Moderators, Support and Sales agents, Admins, and Organization administrators.
Where an Organization has its own privacy notice for the members of its tenant workspace, that notice applies to the Organization's internal processing in addition to this Policy.
3. Personal data we collect
3.1. Data you provide
- Account registration data: email address, username, password (stored hashed), first name, last name, phone number, and role selection.
- Profile data: biography, avatar image URL, location, social-media links (GitHub, LinkedIn, website, and optional multi-platform social links), and user preferences.
- Identity / KYC data (Instructors, Organizations, and for withdrawals): legal name, national ID or passport number, tax ID, bank or mobile-money account details, proof-of-address documents.
- Course and learning activity: courses viewed, enrolled, completed; lesson progress; quiz attempts and scores; certificates issued; chat messages; blog comments; user-generated Course and lesson content (for Instructors).
- Payment data: amounts, currencies, timestamps, and payment gateway references. We do not store full payment card numbers; those are tokenised and held by our payment gateway partners.
- Communications: emails, in-app notifications, support chat messages, content of tickets raised with support.
3.2. Data we collect automatically
- Geolocation derived from IP (country, city, approximate latitude/longitude, currency code) — collected at registration and refreshed on each login to detect network changes and support regional pricing. The Wallet currency, however, is locked at registration and is not changed by subsequent geolocation data.
- Device and technical data: IP address, browser user-agent, operating system, time-zone, pages visited, referring URL, time-stamps, session identifiers.
- Cookies and similar technologies (see Cookie Policy).
- Authentication telemetry: failed login attempts, password-reset events, rate-limit trips, OTP issuance and verification events — retained to detect abuse.
3.3. Data we receive from third parties
- Payment gateways: success / failure status, masked payment method details.
- IP geolocation service: resolved country, city and currency (currently ip-api.com, subject to change; see DPA Annex for current list).
- Referral programme: where a User registers through a referral code, we receive that code and associate the referrer with the new registration.
- Social sign-on providers (if enabled): the profile fields you authorise the provider to share.
4. Purposes and lawful bases
We process your personal data for the following purposes, relying on the lawful bases set out below (KDPA §30 / GDPR Article 6):
| Purpose | Lawful basis |
|---|---|
| Creating and managing your account; verifying email ownership; issuing OTPs | Performance of a contract (our Terms) |
| Delivering Courses, tracking progress, issuing certificates | Performance of a contract |
| Processing payments, refunds and withdrawals | Performance of a contract; legal obligation (tax and anti-money-laundering) |
| Detecting fraud, abuse, currency manipulation, unauthorised access | Legitimate interests (security of the Platform) |
| Refreshing geolocation at login to detect risky sessions | Legitimate interests |
| Sending service announcements, security alerts, policy updates | Performance of a contract / legal obligation |
| Sending marketing communications and newsletters | Consent (opt-in; withdrawable at any time) |
| Publishing leader-boards, Instructor profiles and public courses | Legitimate interests (service promotion) — you control the visibility of your profile |
| Responding to legal requests, court orders, and regulatory enquiries | Legal obligation |
| Research, analytics and improving the Services | Legitimate interests (with aggregation / pseudonymisation where practical) |
For any processing based on consent, you may withdraw consent at any time via your account preferences or by emailing dpo@ctrlshiftapp.org. Withdrawal does not affect the lawfulness of processing before withdrawal.
5. Sharing your personal data
We share personal data only where necessary and under written data-processing agreements:
- Payment processors (for processing your transactions).
- Cloud infrastructure providers (hosting, storage and backups).
- Email service providers (transactional and, where you have consented, marketing email).
- Cloudinary or equivalent CDN (for avatar and course media storage).
- IP-geolocation service (currency, country detection).
- Professional advisers (legal, audit, insurance), subject to professional confidentiality obligations.
- Organizations — if you join an Organization's tenant workspace, your name, email, profile and learning activity within that tenant are visible to the Organization's admins and instructors.
- Law-enforcement and regulators where we are legally compelled to disclose.
- Acquirers in the event of a merger, acquisition or asset sale — subject to equivalent privacy commitments.
A current list of sub-processors is maintained at /legal/data-protection/ (Annex A) and is updated when sub-processors change.
Sub-processor change notification. Where you are an Organization customer, we will give you at least 30 days' notice before engaging a new sub-processor with access to personal data belonging to your tenant, via email to the primary administrator on the Organization account. You may object in writing within that 30-day window; if we cannot accommodate a reasonable objection we will work in good faith to identify an alternative, and failing that you may terminate the affected Services without penalty in accordance with clause 8 of our Data Processing Addendum.
5A. We do not sell or "share" personal data
5A.1. No sale. We do not sell personal data in exchange for monetary consideration. We do not currently operate any such sale and have no plans to do so.
5A.2. No "sharing" in the CPRA sense. We do not disclose personal data to third parties for cross-context behavioural advertising or targeted advertising that would constitute "sharing" under the California Privacy Rights Act, nor for any equivalent purpose under future Kenyan or other applicable law.
5A.3. No behavioural ad profiles. We do not build, sell or transfer behavioural advertising profiles, cross-site tracking identifiers or identity graphs derived from your use of the Services.
5A.4. Opt-out framework. Because we do not sell or "share" in the senses above, the "Do Not Sell or Share My Personal Information" link required in some jurisdictions is not applicable. We honour browser-signalled Global Privacy Control (GPC) headers as a general privacy-preference signal in line with our Cookie Policy.
5B. Sensitive personal data
5B.1. We do not knowingly collect special categories of personal data within the meaning of KDPA §44 or GDPR Article 9 (racial or ethnic origin, political opinion, religious belief, health data, sexual orientation, biometric or genetic data, trade union membership). Users should not upload such data to the Platform.
5B.2. Where we inadvertently receive sensitive personal data (for example, in the free-text fields of a support ticket), we process it only to the extent necessary to respond, never in combination with marketing or advertising features, and we delete it once the originating request has been resolved, subject to the retention rules in §7.
5B.3. Identity documents submitted for KYC verification are held with additional safeguards: access is restricted to trained staff, the documents are encrypted at rest, and they are destroyed 90 days after verification is concluded, except where retention is required by anti-money-laundering or tax law.
6. International transfers
Where we transfer your personal data outside Kenya, we rely on one or more of the safeguards permitted by the KDPA §§48–49:
- adequacy decisions by the Data Protection Commissioner;
- standard contractual clauses approved by the Commissioner;
- binding corporate rules of the recipient;
- your explicit consent after being informed of the possible risks;
- performance of a contract to which you are a party.
A list of countries to which we transfer data is maintained in the Data Protection Policy (Annex B).
7. How long we keep your data
We retain personal data only for as long as necessary for the purposes set out in this Policy. Indicative retention periods:
| Data category | Retention period |
|---|---|
| Account profile and learning activity | For the lifetime of the account + 3 years after account closure |
| Financial and transaction records | 7 years (Kenya Tax Procedures Act compliance) |
| Communications Hub audit log | 5 years (see Data Protection Policy §8) |
| Session logs, IP and geolocation history | 12 months |
| Marketing consent records | 3 years from consent withdrawal |
| Backups | Encrypted rolling backups up to 90 days |
We may retain data for longer where required by law, court order, or to defend legal claims.
8. Your rights under the KDPA and GDPR
You have the following rights — free of charge, subject to the exceptions and limitations set out in applicable law:
- Right to be informed about the processing of your personal data (fulfilled by this Policy).
- Right of access — you can request a copy of the personal data we hold about you.
- Right to rectification of inaccurate or incomplete data — you can also edit much of this yourself at /profile/edit/.
- Right to erasure ("right to be forgotten") where there is no overriding legal basis to retain.
- Right to restrict processing in specified circumstances.
- Right to data portability — receive a machine-readable copy of data you have provided, where processing is based on consent or contract and is carried out by automated means.
- Right to object to processing based on legitimate interests or for direct marketing.
- Right to withdraw consent at any time (without affecting prior lawful processing).
- Right not to be subject to a solely automated decision that has a legal or similarly significant effect on you — we do not currently engage in such automated decision-making.
- Right to lodge a complaint with the Data Protection Commissioner of Kenya (www.odpc.go.ke) or with the supervisory authority of your habitual residence (EU/EEA residents).
To exercise any of these rights, email dpo@ctrlshiftapp.org. We will acknowledge your request within 7 days and complete it within 30 days as required by KDPA §26, unless the request is complex, in which case we may extend by a further 60 days with notice to you.
9. Children
The Services are not directed to children under 13. We do not knowingly collect personal data from children under 13 without verifiable parental consent. Parents or guardians who believe a child has provided personal data should email dpo@ctrlshiftapp.org so that we can investigate and delete the data.
Users aged 13–17 may only use the Platform with the verifiable consent of a parent or legal guardian.
10. Security
We apply organisational and technical safeguards proportionate to the risk, including:
- encryption in transit (HTTPS / TLS) and encryption at rest for sensitive fields;
- hashed password storage with a modern algorithm;
- CSRF protection on all state-changing requests;
- rate-limiting and account-lockout on authentication endpoints;
- role-based access control (RBAC) restricting Staff access to personal data to what is necessary for their role;
- append-only audit logs for privileged operations (user administration, communications broadcasts, legal-document publication);
- periodic penetration tests and vulnerability management;
- vendor due diligence before engaging sub-processors.
No system is immune to compromise. In the unlikely event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the Data Protection Commissioner in accordance with KDPA §43 (within 72 hours where feasible).
11. Automated decision-making and profiling
We do not currently make decisions that produce legal or similarly significant effects on you based solely on automated processing. Where we introduce such processing (for example, automated credential-stuffing detection that can lock an account), we will update this Policy, provide meaningful information about the logic involved, and afford you the right to obtain human intervention.
12. Changes to this Policy
We may amend this Policy from time to time. Where the change is material, we will notify Users via email and in-app notification at least 14 days before the effective date. The current version is always available at /legal/privacy-policy/, together with the change history.
13. Contact
- Data Protection Officer: Sue — dpo@ctrlshiftapp.org
- General legal notices: legal@ctrlshiftapp.org
- Support: support@ctrlshiftapp.org
- Mailing address: {{ registered_office_address }}
If you are not satisfied with our response, you may lodge a complaint with the Office of the Data Protection Commissioner of Kenya, Britam Tower, Hospital Road, Upper Hill, Nairobi — www.odpc.go.ke.