Privacy Policy

Skolrun is a school management software-as-a-service (SaaS) platform built for Nigerian private schools. Our registered place of business is Lagos, Nigeria. For data protection purposes, Skolrun acts as a Data Processor. The school that subscribes to our platform is the Data Controller and is responsible for the personal data it enters into the system.

We collect and process the following categories of personal data on behalf of schools:

• Student data: Full name, class/grade, date of birth, guardian names, guardian phone numbers and email addresses, academic results, and fee payment records.
• Staff data: Full name, role, phone number, email address, salary, and hire date.
• School administrator data: Name, email address, and password (stored as a bcrypt hash — we never store plaintext passwords).
• Parent/guardian data: Name, email address, and phone number, used to grant portal access and send fee reminders and announcements.
• Usage data: Browser type, IP address, pages visited, and session duration — collected automatically to maintain platform security and performance.
• Payment records: Fee amounts, payment method (Cash, Bank Transfer, or POS), and payment date. We do not store card numbers. Online payments are processed by Paystack, which is PCI-DSS certified.

We process personal data under the following lawful bases as defined by the Nigeria Data Protection Act (NDPA) 2023:

• Contract performance: To deliver the school management services you subscribed to.
• Legitimate interest: To improve platform stability, prevent fraud, and send service-related communications.
• Legal obligation: To retain financial records as required by Nigerian law.
• Consent: Schools are responsible for obtaining consent from parents/guardians before entering student data into the platform, as required by the NDPA.

Many of our users manage records of children under 18 (students). We treat this data with the highest level of care. Student data is:

• Accessible only to authenticated administrators of the same school.
• Never sold, shared, or used for advertising.
• Only processed for the educational purposes authorised by the school.

Schools (as Data Controllers) are responsible for ensuring they have appropriate parental consent before entering student data into Skolrun.

We do not sell personal data. We share it only with the following third-party sub-processors, strictly to operate the platform:

All sub-processors are contractually bound to process data only on our instructions and to maintain appropriate security measures.

Some of our sub-processors are based outside Nigeria. By using Skolrun, the school (as Data Controller) acknowledges that its data may be transferred to and stored in the United States or the European Union. These transfers are made under appropriate safeguards, including standard contractual clauses and sub-processors' compliance with applicable data protection laws (including GDPR, where applicable).

We retain school data for as long as the school has an active subscription. When a subscription is terminated, we will:

• Retain data for 90 days after termination to allow for reactivation or data export.
• Permanently delete all school data after the 90-day grace period, unless required by law to retain it longer.
• Financial records (payment logs) may be retained for up to 7 years to comply with Nigerian tax and accounting regulations.

We implement the following technical and organisational measures to protect personal data:

• All data is encrypted in transit (HTTPS/TLS) and at rest.
• Every database query is scoped to the school's unique identifier — no school can access another school's data.
• Passwords are hashed using bcrypt and never stored in plaintext.
• Access to the platform requires authenticated sessions with JWT tokens.
• All input is validated server-side using Zod schema validation.

Under the Nigeria Data Protection Act 2023, you (and the students/parents whose data a school manages) have the following rights:

• Right to access: Request a copy of the personal data we hold.
• Right to rectification: Request correction of inaccurate data.
• Right to erasure: Request deletion of your data (subject to legal retention obligations).
• Right to restriction: Request that we limit how we use your data.
• Right to data portability: Request your data in a machine-readable format.
• Right to object: Object to processing based on legitimate interest.

To exercise any of these rights, email us at privacy@skolrun.com. We will respond within 30 days.

In the event of a personal data breach that is likely to result in risk to individuals, we will notify the Nigeria Data Protection Commission (NDPC) within 72 hours of becoming aware of the breach, as required by the NDPA. We will also notify affected schools without undue delay.

We may update this Privacy Policy from time to time. If we make material changes, we will notify school administrators by email at least 14 days before the changes take effect. Continued use of the platform after that date constitutes acceptance of the updated policy.

If you have questions about this Privacy Policy or how we handle personal data, contact our Data Protection Officer at:

Skolrun — Data Protection
Lagos, Nigeria
Email: privacy@skolrun.com