Privacy Policy

Effective · Last updated

HighMarks (“we”, “us”) is a Kenyan exam-preparation platform operated from Nairobi. This policy explains what personal data we collect, how we use it, who we share it with, and the rights you have under the Kenya Data Protection Act, 2019 (the “DPA”).

We have written this in plain English. If anything is unclear, email us at support@highmarks.io and we’ll explain it.

1. Who we are

Data controller: HighMarks, Nairobi, Kenya.
Contact: support@highmarks.io

2. What we collect

We collect only what we need to run the service:

  • Account info: name, email, phone number (optional), form/year, school (optional), the qualification you’re studying for (KCSE or CPA), and a hashed password.
  • Study activity: tests you take, questions you answer, topics you practise, mastery scores per topic, time spent, streaks, and question feedback you submit (the “Improve” button).
  • Payment info: when you subscribe, our payment partner (PesaPal) processes your M-Pesa or card transaction. We store the transaction reference, amount, and status — we do NOT store your M-Pesa PIN, full card number, or bank details. Those stay with PesaPal.
  • Device + log info: IP address, browser type, pages visited, and timestamps. Used for security (rate-limiting, fraud detection) and to debug issues.
  • Communication preferences: whether you’ve opted in to email and SMS reminders. You can toggle both anytime from /settings.
  • Cookies: we use a few essential cookies (auth tokens to keep you signed in, anti-CSRF tokens). We do not use third-party advertising cookies.

3. How we use your data

  • To personalise your study plan — the questions you see, the difficulty mix, and the lessons we recommend are driven by your past performance.
  • To send you account-related emails: welcome, password reset, payment receipts, subscription status, and similar transactional messages. You cannot opt out of these — they’re required to operate the service.
  • To send you study reminders, weekly progress recaps, and one practice question per day — ONLY if you’ve opted in. You can opt out anytime from /settings.
  • To improve the product: we look at aggregate patterns (e.g. “which topics do students find hardest?”) to decide what to build next. Individual identification is stripped from these analyses where possible.
  • To prevent fraud, abuse, and bot activity.
  • To comply with Kenyan law — including the DPA and any lawful request from authorities.

4. Who we share data with

We never sell your personal data. We only share it with the third-party processors we need to run the service:

  • PesaPal — payment processing for M-Pesa and card subscriptions. They receive your name, phone, and transaction amount.
  • Resend — transactional and lifecycle email delivery. They receive your name and email.
  • Neon (PostgreSQL) — our database host. Your account data lives here, encrypted at rest. Hosted in the EU.
  • Vercel — our application host. Receives request logs (IP, user agent) to serve pages.
  • Upstash (Redis) — rate-limit + session caching.
  • OpenAI — when you use AI features (personalised explainers, AI tutor), the text of your question and your prior wrong answers are sent to OpenAI to generate a response. OpenAI does not train its models on this data per their API terms.

Some of these processors operate outside Kenya (EU, USA). By using HighMarks, you consent to your data being transferred and processed in those jurisdictions. We use providers that maintain industry-standard security and have written agreements protecting your data.

5. Children and minors

Many KCSE candidates are under 18. If you are under 18, you may only use HighMarks with the consent of a parent or guardian. If we discover a user under 13 has signed up without parental consent, we will delete the account and any associated data on request from a parent or guardian. Parents can email support@highmarks.io to request that a child’s account or data be deleted.

6. How long we keep your data

  • Active accounts: we keep your data for as long as your account is active.
  • Inactive accounts: if you have not logged in for 24 months, we may delete your study activity but retain your account identifiers (email, hashed password) in case you return.
  • Deleted accounts: when you delete your account, we remove your personal data within 30 days. Aggregated, anonymised study statistics may be retained for research and product improvement.
  • Payment records: we keep payment records for 7 years to comply with Kenyan tax law.

7. Your rights under the DPA

Under the Kenya Data Protection Act, 2019, you have the right to:

  • Know what personal data we hold about you.
  • Receive a copy of your data in a portable format.
  • Correct any inaccurate or incomplete data.
  • Delete your data (subject to legal retention obligations above).
  • Object to processing for direct marketing.
  • Withdraw consent for any processing that requires it.
  • Lodge a complaint with the Office of the Data Protection Commissioner (ODPC) at odpc.go.ke.

To exercise any of these rights, email support@highmarks.io from the address associated with your account. We’ll respond within 30 days.

8. Security

We use HTTPS for every connection, hash passwords with bcrypt, encrypt sensitive data at rest, and run on infrastructure (Vercel, Neon) that maintains SOC 2 / ISO 27001 certifications. No system is perfect — if you discover a security issue, please report it to support@highmarks.io and we’ll act on it quickly.

9. Changes to this policy

If we change this policy materially, we’ll email every active user at least 7 days before the change takes effect. Minor edits (typos, clarifications) may be made without notice — the “last updated” date at the top of this page is the source of truth.

10. Contact us

For privacy questions, data requests, or anything else: support@highmarks.io.