Privacy Policy
Last Updated: February 12, 2026
1. Introduction
This Privacy Policy applies to the St. Andrew's Turi Student Tracker mobile application (the "App"), provided for use by St. Andrew's Turi School staff. In this policy, "we," "our," and "us" refer to St. Andrew's Turi School. This policy explains what information we collect, how we use it, how we protect it, and when it may be shared.
Purpose: The App is designed exclusively for authorized school staff to track student movements between boarding houses and school activities (chaplaincy, medical centre, gymnasium, etc.) for safety and administrative purposes.
Important: This App is intended solely for use by authorized St. Andrew's Turi School staff members. It is not designed for or directed at children under 13 years of age.
2. Data We Collect
2.1 Staff Account Information
- Email Address: Your school email (@turimail.co.ke) for authentication
- Display Name: Your name as shown in the app
- User Role: Your role (admin, tutor, teacher) for access control
2.2 Student-Related Data
What We Store in Our Database:
- Student ID Numbers: Ed-Admin system identification numbers only
- Boarding House Assignments: Which house each student belongs to
- Movement Records: Timestamp, origin, destination, and activity type
- RFID Card Mappings: Association between RFID cards and student IDs (if applicable)
What We Do NOT Store:
- ❌ Student names (fetched dynamically from the Ed-Admin system)
- ❌ Year groups (fetched dynamically from the Ed-Admin system)
- ❌ Gender information
- ❌ Email addresses
- ❌ Birth dates
- ❌ Phone numbers
- ❌ Home addresses
- ❌ Parent/guardian information
- ❌ Academic records or grades
Privacy-Compliant Architecture: Student names and year groups are retrieved in real time from the school's Ed-Admin system and cached temporarily (7 days) on the device only. This data is never permanently stored in our database.
3. How We Use Your Information
We use the collected information for the following purposes:
- Student Safety: Track student whereabouts for safety and accountability
- Administrative Records: Maintain attendance and movement logs
- Access Control: Ensure only authorized staff can access the system
- Activity Management: Coordinate student participation in school activities
- Reporting: Generate reports on student attendance and movements
- System Functionality: Enable features like RFID card scanning, manual admission, and session management
4. Data Storage and Security
4.1 Where Data is Stored
- Cloud Database: Google Firebase Firestore (hosted in the United States)
- Authentication: Google Firebase Authentication
- Device Cache: Temporary student name/year group cache (7-day expiry, stored locally on device)
4.2 Security Measures
- ✅ Encryption: All data transmitted between the app and servers is encrypted using industry-standard SSL/TLS
- ✅ Secure Authentication: Email/password authentication with minimum 8-character password requirement
- ✅ Access Control: Role-based permissions - only authorized @turimail.co.ke email addresses can access
- ✅ Firebase Security Rules: Database-level access restrictions prevent unauthorized reads/writes
- ✅ Audit Trails: All student movements are timestamped and attributed to the staff member who recorded them
5. Data Sharing and Disclosure
We do NOT sell, rent, or trade student or staff data to third parties.
5.1 Internal Sharing
- Data is accessible only to authorized St. Andrew's Turi School staff members
- Access levels are controlled by user roles (admin, tutor, teacher)
5.2 Third-Party Services
We use the following third-party services to operate the App:
- Google Firebase: Cloud database, authentication, and hosting services
- Ed-Admin System: School's student information system (for retrieving student names/year groups)
5.3 Legal Requirements
We may disclose information if required by law, court order, or governmental regulation, or to protect the rights, safety, or property of the school, staff, or students.
6. Data Retention
- Movement Records: Retained for the current academic year plus historical archival as required by school policy
- Staff Accounts: Retained while the staff member is employed at the school
- Student ID Mappings: Retained while the student is enrolled at the school
- Cached Data: Automatically expires after 7 days and is refreshed from the Ed-Admin system
7. Your Rights and Choices
7.1 Staff Members
- Access: You can view your account information in the app settings
- Deletion: Contact the school administrator to request account deletion upon leaving employment
- Corrections: Update your display name through the app settings
7.2 Parents/Guardians
If you are a parent or guardian and have questions about how your child's data is handled:
- Contact the school administration for information about student data practices
- Request details about what movement records exist for your child
- Request correction or deletion of inaccurate information
8. Children's Privacy (COPPA Compliance)
This App is NOT intended for use by children. It is designed exclusively for authorized school staff members (ages 18+).
Student Data: While the App tracks student movements, students themselves do not use the App, do not create accounts, and do not directly provide any information. All data entry is performed by authorized staff members.
Minimal Data Collection: We deliberately minimize student data collection by storing only student ID numbers and house assignments, while fetching names and year groups dynamically from the school's existing Ed-Admin system.
9. International Data Transfers
Your data may be transferred to and stored on servers located outside Kenya, specifically in the United States where Google Firebase servers are located. By using the App, you consent to this transfer. We ensure that appropriate safeguards are in place to protect your data in accordance with this Privacy Policy.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by:
- Posting the updated policy in the App
- Updating the "Last Updated" date at the top of this policy
- Sending an email notification to staff members (for significant changes)
Your continued use of the App after changes are posted constitutes acceptance of the updated Privacy Policy.
12. Consent
By using the St. Andrew's Turi Student Tracker App, you acknowledge that you have read and understood this Privacy Policy and agree to its terms.
For Staff Members: Your use of the App with your school-issued @turimail.co.ke email address constitutes your consent to the collection and use of information as described in this policy.
© 2026 St. Andrew's Turi School. All rights reserved.
Developed by SystemTeck