Privacy Policy
Last updated: March 2026 · Version 1.0
1. Who We Are
CHIVARA is a Shona-language education platform dedicated to preserving and promoting Shona heritage through technology. References to "CHIVARA", "we", "us", or "our" in this policy refer to the platform operator.
Privacy contact: privacy@chivara.co.zw
2. Scope & Applicable Law
This policy applies to all users of the CHIVARA platform, regardless of location. We comply with:
- GDPR — EU/EEA General Data Protection Regulation 2016/679
- POPIA — South Africa's Protection of Personal Information Act 4 of 2013
- CCPA/CPRA — California Consumer Privacy Act / California Privacy Rights Act
- UK GDPR — post-Brexit UK data protection law
3. Data We Collect
| Category | Examples | Why collected |
|---|---|---|
| Account data | Name, email address, role, password (hashed) | To create and manage your account |
| Profile data | Display name, learning preferences, guardian info (students) | To personalise your experience |
| Usage data | Pages visited, searches made, answers submitted | To deliver the service and detect errors |
| Analytics data | Anonymised event data via Google Analytics 4 (if consented) | To understand platform usage in aggregate |
| Technical data | IP address (anonymised), browser type, session token | Security, session management, fraud prevention |
| Communications | Emails you send us, support requests | To respond to you |
We do not collect sensitive personal data (race, health, biometrics, financial data) unless explicitly required and with separate consent.
4. Legal Basis for Processing
- Contract performance — processing necessary to provide the service you signed up for
- Legitimate interests — security, fraud prevention, platform stability
- Consent — analytics cookies (withdraw any time via Cookie Settings)
- Legal obligation — compliance with applicable laws
5. How We Use Your Data
- Provide, operate, and improve the platform
- Manage your account, enrollments, certificates, and progress
- Send transactional emails (account confirmations, password resets)
- Detect and prevent fraud, abuse, and security incidents
- Conduct anonymised analytics to improve content and navigation (only with consent)
- Comply with legal obligations
We do not use your data for automated profiling or decisions with legal/significant effects, nor do we sell or rent your data to third parties.
6. Data Sharing & Third Parties
| Recipient | Purpose | Safeguards |
|---|---|---|
| Google LLC (Analytics) | Aggregated usage analytics (if consented) | IP anonymisation enabled; GDPR DPA in place; EU–US Data Privacy Framework |
| Hosting providers (e.g. Render.com) | Platform infrastructure | SOC 2 compliant; DPA in place |
| Email providers | Transactional email delivery | DPA in place; minimal data transfer |
| Tutor / Institution | Your enrolled courses and progress visible to your tutor | Governed by platform Terms of Service |
7. Data Retention
- Account data: retained while your account is active; deleted within 90 days of account closure on request
- Certificates & academic records: may be retained for 7 years for verification purposes
- Analytics data: Google Analytics retains aggregated data for 14 months (our configuration)
- Security logs: retained for 12 months
8. Your Rights
Depending on your jurisdiction you have some or all of the following rights:
- Request a copy of your personal data
- Correct inaccurate or incomplete data
- Delete your account and personal data
- Restrict how we process your data
- Receive your data in a machine-readable format
- Object to processing based on legitimate interests
- Withdraw analytics consent any time via Cookie Settings
- Complain to your local data protection authority
To exercise any right, email privacy@chivara.co.zw. We will respond within 30 days.
9. California Residents (CCPA/CPRA)
California residents have additional rights under the CCPA/CPRA:
- The right to know what personal information is collected, used, or disclosed
- The right to delete personal information (with exceptions)
- We do not sell or share your personal information for cross-context behavioural advertising
- The right to non-discrimination for exercising your privacy rights
To submit a verifiable consumer request, email privacy@chivara.co.zw with subject "CCPA Request".
10. Security
We implement industry-standard measures including TLS encryption in transit, bcrypt password hashing, CSRF protection, and monitoring for anomalous access. No transmission over the internet is 100% secure; please use a strong, unique password.
11. Children & Students
The platform supports students under 18 within educational institutions. Where a student is under 18, enrollment requires guardian/parental consent managed by the enrolling institution or tutor. We do not knowingly collect personal data from children under 13 without verifiable parental consent.
12. Changes to This Policy
We may update this policy periodically. Material changes will be notified by email (registered users) and/or a prominent notice on the platform. The "Last updated" date at the top reflects the current version.