Legal
Privacy Policy
Last updated: April 2026. This policy explains how Elymica Limited collects, uses, stores, and protects personal data across all platform portals.
1. Who We Are
Elymica Limited (“Elymica”, “we”, “us”) operates a mobile-first education platform connecting schools, publishers, teachers, parents, and students across Africa. Our data controller contact is available at elymica.com/contact.
For institutional customers (schools, colleges, publishers), Elymica acts as a data processor on your behalf. You remain the data controller for your learners’ personal information. Our Data Processing Agreement governs that relationship — see elymica.com/dpa.
2. Data We Collect
Account Information
When you register or are registered by an institution, we collect your full name, email address, phone number (optional), role (student, teacher, parent, admin, publisher), and the institution or tenant you are associated with. Passwords are stored as salted bcrypt hashes — never in plain text.
Usage and Learning Data
We record how you interact with the platform: lessons started and completed, quiz attempts and scores, certificates earned, content searched, modules visited, and time-on-task. For students this data forms the learning record used to generate progress reports and certificates. For teachers it informs class-level dashboards.
Device and Technical Data
We collect browser type, operating system, screen resolution, and IP address for security, fraud prevention, and platform optimisation. We do not build advertising profiles from device data.
Payment Information
Subscription payments are processed by Paystack, Pesapal, and Stripe — PCI-compliant providers that tokenise card data before it reaches our systems. We store transaction IDs, subscription status, and billing country. We never store raw card numbers or bank account credentials.
Communications
If you contact us via our support form or email, we retain those messages to resolve your query and improve our service. You may opt out of non-essential communications at any time.
3. How We Use Your Data
- Platform delivery — Authenticating your session, displaying enrolled courses, tracking progress, and generating certificates.
- Analytics and improvement — Understanding which features work well, identifying performance issues, and prioritising product development. Analytics are aggregated where possible and never sold.
- Safety and security — Detecting unauthorised access attempts, rate-limiting abusive requests, and maintaining audit trails for administrative actions.
- Billing and subscription management — Processing payments, sending receipts, and managing subscription lifecycle events.
- Communications — Sending transactional notifications (password resets, OTP codes, certificate emails) and, where you have opted in, product updates.
We do not sell personal data. We do not use learner data for advertising. We do not apply automated decision-making that produces legal or similarly significant effects without human review.
4. Storage and Security
Data is hosted on Hetzner infrastructure in Germany. All data in transit is encrypted via TLS 1.2+. Tenant data is isolated at the database layer using PostgreSQL Row-Level Security (RLS) — one tenant’s data cannot be accessed by queries running in another tenant’s context, regardless of application behaviour.
Access to production systems is restricted to authorised engineers, protected by SSH key authentication and two-factor verification. Administrative actions are logged with actor identity and timestamp. Full technical detail is in our Security Overview.
5. Data Retention
We retain account data for as long as your account is active. If you close your account, we delete or anonymise personal data within 90 days unless a longer retention period is required by law or by a contract with your institution.
Certificates and learning records may be retained longer at the request of the issuing institution. Payment transaction records are retained for seven years for accounting compliance. Audit logs are retained for three years.
6. Your Rights
Depending on your jurisdiction, you have the following rights over your personal data:
- Access — Request a copy of the personal data we hold about you.
- Correction — Request correction of inaccurate data.
- Deletion — Request erasure of your account and associated personal data, subject to legal retention requirements.
- Portability — Request your data in a machine-readable format (CSV or JSON) where technically feasible.
- Objection — Object to processing based on legitimate interests.
- Restriction — Request that we restrict processing while a dispute is resolved.
To exercise any of these rights, email [email protected] or use the privacy request form. We respond within 30 days. For minors, requests must be submitted by a parent or guardian.
7. Cookies
We use strictly necessary cookies to maintain your authenticated session. We use first-party analytics cookies (aggregated, not cross-site) to understand platform usage. We do not use advertising or third-party tracking cookies. Disabling non-essential cookies in your browser will not break core platform functionality.
8. Third-Party Processors
We share data with the following sub-processors to operate the platform. Each is bound by a data processing agreement:
| Processor | Purpose | Location |
|---|---|---|
| Paystack | Payment processing (Africa) | Nigeria / South Africa |
| Pesapal | Payment processing (East Africa) | Kenya |
| Stripe | Payment processing (non-Africa) | United States / Ireland |
| Hetzner | Cloud infrastructure and hosting | Germany (EU) |
| Cloudflare | CDN and DDoS protection | United States (global edge) |
We do not share personal data with advertisers or data brokers. We will not disclose data to government authorities except where compelled by law, and will notify you unless prohibited from doing so.
9. Children and Minor Learners
Elymica is used in primary and secondary schools. Student accounts for minors are created and managed by their institution or parent. We do not knowingly collect data from children under 13 without institutional or parental consent. If you believe a minor’s data has been collected without appropriate consent, contact us immediately at [email protected].
10. Changes to This Policy
We may update this policy as the platform evolves or as legal requirements change. Material changes will be communicated via email to account holders and via a notice on the platform at least 14 days before taking effect. Continued use after the effective date constitutes acceptance.
11. Contact
Privacy requests, complaints, and questions:
- Email: [email protected]
- Form: elymica.com/contact?type=privacy
Questions about your data?
Our privacy team responds to all requests within 30 days.