Who We Are (Data Controller)
Nexara Labs is the Data Controller for all personal data processed through Zula Path. We are registered in Kenya under the Companies Act (Cap. 486) and operate Zula Path at zulapath.com.
As Data Controller, we determine the purposes and means of processing your personal data and are responsible for ensuring it is handled lawfully in accordance with the Kenya Data Protection Act, 2019 ("the Act").
Data We Collect
We collect personal data in the following categories:
| Category | Data Points | Collection Method |
|---|---|---|
| Account Data | Full name, email address, password (hashed), account creation date | Registration form |
| Profile Data | Academic background, preferred study destination, nationality, KCSE/A-Level grades | Onboarding and profile settings |
| Usage Data | Pages visited, search queries, content interactions, session duration | Automatically via platform |
| Device and Technical Data | IP address, browser type, operating system, device identifiers | Automatically via platform |
| Payment Data | Transaction reference numbers. We do not store full payment card or M-Pesa PIN data. | Payment processor |
| Communications | Support requests, feedback submissions, email correspondence | Direct submission |
How We Use Your Data
We use the personal data we collect for the following purposes:
- Service Delivery: Creating and managing your account, personalizing your university discovery experience, and providing guidance content relevant to your academic profile.
- Communications: Sending account-related emails (verification, password resets), service updates, and, where you have consented, newsletters or product announcements.
- Platform Improvement: Analyzing usage data to understand how users interact with the platform and improve features and content quality.
- Security: Detecting, investigating, and preventing fraudulent or unauthorized access.
- Legal Compliance: Meeting obligations under Kenyan law, including the Data Protection Act, 2019.
- Payments: Processing transactions and maintaining billing records.
Legal Basis for Processing
Under the Kenya Data Protection Act, 2019, we process your personal data on the following legal bases:
- Contract performance: Processing necessary to deliver our services to you under these Terms.
- Consent: Marketing communications, newsletters, and optional analytics where you have opted in.
- Legitimate interests: Platform security, fraud prevention, and service analytics where those interests are not overridden by your rights.
- Legal obligation: Compliance with applicable Kenyan law.
Data Sharing and Disclosure
We do not sell your personal data. We may share data with third parties only in the following circumstances:
- Service Providers: We use third-party processors (such as Supabase for database infrastructure, Vercel for hosting, Resend for email delivery) who process data on our behalf under data processing agreements. These providers only process data as instructed by us.
- Payment Processors: Transaction data is handled by our payment processing partners (such as M-Pesa via Safaricom) who operate under their own security and compliance frameworks.
- Analytics: Aggregated, anonymized usage data may be shared or analyzed for product improvement. No individually identifiable data is shared externally for analytics purposes without consent.
- Legal Requirements: We may disclose data where required by Kenyan law, court order, or lawful government request.
- Business Transfers: In the event of a merger, acquisition, or asset sale, your data may be transferred as part of that transaction, subject to equivalent privacy protections.
International Data Transfers
As Zula Path serves students applying to universities across 36 countries, some of our infrastructure providers (including Supabase and Vercel) may process data on servers outside Kenya. Where data is transferred internationally, we ensure appropriate safeguards are in place, including contractual data processing agreements that meet the standards required under the Kenya Data Protection Act, 2019.
Data Retention
We retain personal data only for as long as necessary for the purposes described in this policy:
- Active accounts: Data is retained for the duration of your account.
- Deleted accounts: We will delete or anonymize your data within 30 days of account deletion, unless retention is required by law.
- Financial records: Transaction records may be retained for up to 7 years to comply with Kenyan tax and financial regulations.
- Communication records: Support correspondence may be retained for up to 2 years for quality and compliance purposes.
Security
We implement technical and organizational security measures appropriate to the nature of the data we process, including:
- Encrypted data transmission using HTTPS/TLS across the platform.
- Bcrypt hashing for stored passwords.
- Row-level security and access controls enforced at the database level via Supabase.
- Access to production systems restricted to authorized personnel only.
- Regular review of security configurations and third-party service credentials.
No method of data transmission or storage is 100% secure. If you suspect your account has been compromised, please contact us immediately at [email protected].
Your Rights
Under the Kenya Data Protection Act, 2019, you have the following rights regarding your personal data:
- Request a copy of the personal data we hold about you.
- Request correction of inaccurate or incomplete data.
- Request deletion of your personal data where no legal basis for retention exists.
- Object to processing based on legitimate interests, including direct marketing.
- Withdraw consent for processing at any time where consent is the legal basis.
- Request your data in a structured, machine-readable format.
To exercise any of these rights, contact us at [email protected]. We will respond within 21 days. We may request identity verification before processing your request.
Cookies and Tracking
Zula Path uses cookies and similar technologies to operate the platform and understand usage patterns. For full details, please see our Cookie Policy.
You can manage cookie preferences through your browser settings. Note that disabling certain cookies may affect platform functionality.
Children's Privacy
Zula Path is intended for use by students aged 16 and above. We do not knowingly collect personal data from children under 16 without verifiable parental or guardian consent. If you believe a child has provided us with data without such consent, please contact us immediately and we will take steps to delete that data.
Changes to This Policy
We may update this Privacy Policy periodically. Changes will be published on this page with an updated effective date. For material changes, we will notify registered users via email or in-platform notification. Continued use of Zula Path after changes take effect constitutes your acknowledgment of the revised policy.
Contact and Complaints
Data Privacy Inquiries
To exercise your rights, submit a data request, or raise a privacy concern:
Email: [email protected]
Nexara Labs, Nairobi, Kenya
If you believe your data rights have been infringed and we have not resolved your complaint, you have the right to lodge a complaint with the Office of the Data Protection Commissioner of Kenya at odpc.go.ke.