WaveLearn
WaveLearn

Legal

Privacy Policy

Effective: 27 April 2026

WaveLearn (“we”, “us”, “the Platform”) is operated by Wavelink Networks. This policy explains how we collect, use, store, and protect your personal data when you use www.wavelearn.co.ke and related services. We are committed to compliance with the Kenya Data Protection Act, 2019 and the regulations of the Office of the Data Protection Commissioner (ODPC).

1. Information We Collect

Account Information

When you create an account, we collect your email address and, optionally, your name, phone number, and profile image. If you sign in with Google, we receive your name, email, and profile picture from Google’s OAuth service.

Onboarding Preferences

During onboarding you may provide your learning goal, experience level, weekly time commitment, and how you heard about WaveLearn. Instructors may additionally provide qualifications, areas of expertise, and payout details (M-Pesa phone number or bank information).

Learning & Engagement Data

We automatically collect data about how you interact with courses, including:

  • Lesson progress (started, completed, time spent)
  • Video interactions (play, pause, seek, completion)
  • Quiz attempts, answers, and scores
  • Assignment submissions (text, files, or links)
  • Notes and bookmarks you create
  • Discussion posts and replies
  • Live session attendance and chat messages

Payment Data

When you purchase a course or subscription, transaction details (amount, currency, payment method, status, and provider reference) are stored. We do not store your full M-Pesa PIN, card number, or CVV. Payment processing is handled entirely by our third-party providers (see Section 4).

Uploaded Content

Instructors upload course videos, thumbnails, and resources. Learners may upload assignment submissions and profile images. All uploads are stored on our cloud infrastructure.

Technical Data

Our servers automatically log standard request data such as IP address, browser type, device type, and referring URL. We use this for security monitoring and service reliability — not for advertising or user profiling.

2. How We Use Your Data

  • Deliver the platform — authenticate your identity, grant course access, track progress, and issue certificates.
  • Process payments — facilitate M-Pesa, card, and bank-transfer transactions; calculate instructor earnings and revenue splits.
  • Personalise learning — surface relevant courses, remember your progress, and tailor the experience to your preferences.
  • Instructor analytics — provide instructors with aggregated, anonymised insights on student engagement, completion funnels, and quiz performance for their own courses.
  • Institutional features — support classrooms, attendance tracking, group management, and organisation-level reporting for institutional accounts.
  • Communications — send transactional emails (verification links, payment confirmations) and in-app notifications (announcements, assignment updates, live session reminders).
  • Safety & integrity — detect abuse, prevent fraud, enforce our Terms of Service, and maintain audit logs.
  • Improve the platform — diagnose technical issues, understand usage patterns, and enhance features.

3. Legal Basis for Processing

Under the Kenya Data Protection Act 2019, we process your data on the following grounds:

  • Performance of a contract — delivering courses, processing payments, issuing certificates, and maintaining your account.
  • Consent — where you voluntarily provide optional information (e.g., onboarding preferences, profile details) or opt into communications.
  • Legitimate interest — platform security, fraud prevention, analytics for service improvement, and instructor reporting.
  • Legal obligation — compliance with applicable Kenyan law, tax requirements, and regulatory requests.

4. Third-Party Services

We use the following third-party providers to operate WaveLearn. Each processes data only as necessary for their specific function:

ProviderPurposeData Shared
FlutterwavePayments (M-Pesa, card, bank transfer)Email, phone, transaction amount
IntaSendM-Pesa payment fallbackPhone number, transaction amount
GoogleOAuth sign-inEmail, name, profile picture (via OAuth consent)
ResendTransactional emailEmail address, message content
Bunny.netVideo hosting & delivery (VOD)Course video files
CloudflareLive streaming, file storage (R2), securityStream data, uploaded files, request metadata

We do not sell, rent, or trade your personal data to any third party for marketing or advertising purposes.

5. Data Sharing & Disclosure

We share personal data only in the following circumstances:

  • Instructors see aggregated analytics for their courses (completion rates, quiz averages, activity trends) and individual student progress within their classrooms. They do not see your payment details.
  • Institutional administrators (for organisation accounts) can view member profiles, attendance, and course progress within their institution.
  • Certificate verification — when you earn a certificate, your name, the course title, the instructor name, and the issue date are publicly verifiable via your certificate’s unique verification code.
  • Legal requirements — we may disclose data if required by Kenyan law, court order, or government authority.
  • Service providers — the third-party services listed in Section 4 receive only the data needed to perform their function.

6. Data Retention

  • Account data is retained for as long as your account is active. If you request deletion, we remove your personal data within 30 days, except where retention is required by law.
  • Learning progress & certificates are retained indefinitely to support certificate verification and learner records, unless you request deletion.
  • Transaction records are retained for 7 years as required by Kenyan tax and financial regulations.
  • Session tokens expire automatically and are removed from our database after expiry.
  • Audit logs are retained for 2 years for security and compliance purposes.

7. Data Security

We implement appropriate technical and organisational measures to protect your data:

  • All connections are encrypted via HTTPS/TLS.
  • Authentication sessions use secure, HTTP-only cookies with expiration.
  • Passwords are never stored — we use passwordless (magic link) and OAuth authentication.
  • File uploads use time-limited presigned URLs that expire after one hour.
  • Payment credentials (M-Pesa PINs, card numbers) are never stored on our servers.
  • Database access is restricted to authorised services only.
  • Administrative actions are logged in a tamper-evident audit trail.

While we take reasonable precautions, no system is completely secure. If you discover a vulnerability, please report it to privacy@wavelearn.co.ke.

8. Your Rights

Under the Kenya Data Protection Act 2019, you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data. You can update most information directly in your profile settings.
  • Erasure — request deletion of your personal data, subject to legal retention requirements.
  • Restriction — request that we limit how we process your data in certain circumstances.
  • Data portability — receive your data in a structured, machine-readable format.
  • Object — object to processing based on legitimate interest.
  • Withdraw consent — where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, email privacy@wavelearn.co.ke. We will respond within 30 days. You also have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC) of Kenya.

9. Cookies & Similar Technologies

WaveLearn uses only essential cookies required for the platform to function:

  • Session cookie — authenticates your login session. Secure, HTTP-only, expires when your session ends.

We do not use tracking cookies, advertising pixels, or third-party analytics cookies. There is no cross-site tracking.

10. Children’s Privacy

WaveLearn is not directed at children under 16. We do not knowingly collect personal data from children under 16 without verifiable parental consent. If you believe a child has provided us with personal data, please contact us at privacy@wavelearn.co.ke and we will promptly delete it.

Institutional accounts that serve minors are responsible for obtaining appropriate consent from parents or guardians before enrolling learners under 16.

11. International Data Transfers

Some of our third-party service providers (Cloudflare, Bunny.net, Resend) may process data outside of Kenya. Where this occurs, we ensure that appropriate safeguards are in place in accordance with the Kenya Data Protection Act 2019, including verifying that the receiving jurisdiction provides adequate data protection or that contractual protections are in place.

12. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via an in-app notification or email to the address associated with your account. The “Effective” date at the top of this page reflects the latest revision. Continued use of the Platform after changes constitutes acceptance of the updated policy.

13. Contact Us

For any questions, requests, or concerns about this privacy policy or your personal data:

WaveLearn — Wavelink Networks

Email: privacy@wavelearn.co.ke

Nairobi, Kenya