Alumnipad Privacy Policy

SECTION 1 – WHAT DO WE DO WITH YOUR INFORMATION?

When you sign up for Alumnipad online, as part of the signup, payment and member data collection processes, we collect the personal information you give us such as your name, address, phone number, bank account and email address. This allows us to provide a better user experience.

When you browse our store, we also automatically receive your computer’s internet protocol (IP) address in order to provide us with information that helps us to protect your account from unauthorized IPs, and to learn about your browser and operating system in order to provide a better experience.

Email marketing (if applicable): With your permission, we may send you (the creator of the account on Alumnipad and not your members) emails about our new features and other updates.

SECTION 2 – CONSENT

How do you get my consent?

When you provide us with personal information to complete a transaction, verify your credit card, place an order, arrange for a delivery or return a purchase, we imply that you consent to our collecting it and using it for that specific reason only.

If we ask for your personal information for a secondary reason, like marketing, we will either ask you directly for your expressed consent, or provide you with an opportunity to say no.

SECTION 3 – CONSENT – YOUR ASSOCIATION MEMBERS' DATA

WE DO NOT OWN YOUR ASSOCIATION DATA. WE DO NOT SEND MESSAGES DIRECTLY TO YOUR MEMBERS WITHOUT YOUR OR THEIR EXPLICIT REQUEST AND ACKNOWLEDGEMENT.

When you capture data of your members into Alumnipad, such as personal information to complete a transaction, verify your credit card, make a donation, arrange for a delivery or return a donation, we imply that you consent to our storing it and protecting it on your behalf.

When an app user joins or follows an association on the web app, specific user data which includes phone number, email, first name, last name, profile picture and gender is shared with the association that has been joined. This enables the association to serve the user with information and updates.
When an app user decides to unfollow an association on the web app, their data is removed from the association.

If we ask for your personal information for a secondary reason, like marketing, we will either ask you directly for your expressed consent, or provide you with an opportunity to say no.

How do I withdraw my consent?
If, after you opt in, you change your mind, you may withdraw your consent for us to contact you, or for the continued collection of your or your association members' information, at any time, by contacting us at support@alumnipad.com or deleting your account instantly from the system.

Deletion of your account will be considered as a withdrawal of your consent.

SECTION 4 – DISCLOSURE

Since we do not own your data, we cannot disclose your association data information even if we are required by law. You will bear the responsibility of disclosing your association data if it is requested by law.

However, we will disclose your (the creator of the Alumnipad account) identity if we are requested by law to do so.

SECTION 5 – ALUMNIPAD HOSTING

Our software is hosted on Amazon Web Services. They provide us with the online infrastructure platform that allows us to store and give you access to your data in real time over the internet.

Your data is stored through Alumnipad’s data storage, databases and the general Alumnipad application. We store your data on a secure server behind a firewall.

Payment:
If you choose a direct payment gateway to complete your donation, then Alumnipad will not store your credit card data. It will be encrypted through the platform that may apply in your location. Your donation amount and date of payment are stored against your membership data. This is done for any member stored in your association database.

All direct payment gateways adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, MasterCard, American Express and Discover.

PCI-DSS requirements help ensure the secure handling of credit card information by our store and its service providers.

SECTION 6 – THIRD-PARTY SERVICES

In general, the third-party providers used by us will only collect, use and disclose your information to the extent necessary to allow them to perform the services they provide to us.

However, certain third-party service providers, such as payment gateways and other payment transaction processors, have their own privacy policies in respect to the information we are required to provide to them for your purchase-related transactions.

For these providers, we recommend that you read their privacy policies so you can understand the manner in which your personal information will be handled by these providers.

In particular, remember that certain providers may be located in or have facilities that are located in a different jurisdiction than either you or us. So, if you elect to proceed with a transaction that involves the services of a third-party service provider, then your information may become subject to the laws of the jurisdiction(s) in which that service provider or its facilities are located.

As an example, if you are located in Kenya and your transaction is processed by a payment gateway located in Uganda, then your personal information used in completing that transaction may be subject to disclosure under Ugandan legislation.

Once you leave Alumnipad’s website or are redirected to a third-party website or application, you are no longer governed by this Privacy Policy or our website’s Terms of Service.

Links
When you click on links on our website, they may direct you away from our site. We are not responsible for the privacy practices of other sites and encourage you to read their privacy statements.

SECTION 7 – SECURITY

To protect your personal information, we take reasonable precautions and follow industry best practices to make sure it is not inappropriately lost, misused, accessed, disclosed, altered or destroyed.

If you provide us with member data, the information is encrypted using secure socket layer (SSL) technology and stored with a connection that uses TLS 1.2; the connection is encrypted and authenticated using AES_128_GCM and uses ECDHE_RSA as the key exchange mechanism.

SECTION 8 – COOKIES

Alumnipad currently does not use cookies.

SECTION 9 – AGE OF CONSENT

By using our website, you represent that you are at least the age of majority in your state or country of residence, you are setting up the account for an association or that you are the age of majority in your state or country of residence and you have given us your consent to allow any of your minor dependents to use this site.

SECTION 10 – CHANGES TO THIS PRIVACY POLICY

We reserve the right to modify this privacy policy at any time, so please review it frequently. Changes and clarifications will take effect immediately upon their posting on our website. If we make material changes to this policy, we will notify you on our website that it has been updated, so that you are aware of what information we collect, how we use it, and under what circumstances, if any, we use and/or disclose it.

If our company is acquired or merged with another company, your data may be managed by the new owners in accordance with the privacy policy stated in this document.

SECTION 11 – DATA PROTECTION ACT, 2019

Effective November 25, 2019, the Data Protection Act expands Kenyan residents’ (Data Subjects) rights concerning their personal data. Alumnipad stands ready to assist our customers to become or remain compliant with the Data Protection Act after this crucial transition.

  1. Lawful, fair and transparent processing
    Alumnipad is to process the personal data in a lawful, fair and transparent manner. Lawful means all processing should be based on a legitimate purpose. Fair means companies take responsibility and do not process data for any purpose other than the legitimate purposes. Transparent means that companies must inform data subjects about the processing activities on their personal data.
  2. Limitation of purpose, data and storage
    Alumnipad is expected to limit the processing, collect only that data which is necessary, and not keep personal data once the processing purpose is completed. This would effectively bring the following requirements:
    • forbid processing of personal data outside the legitimate purpose for which the personal data was collected
    • mandate that no personal data, other than what is necessary, be requested
    • ask that personal data should be deleted once the legitimate purpose for which it was collected is fulfilled
  3. Data subject rights
    The data subjects have been assigned the right to ask the company what information it has about them, and what the company does with this information. In addition, a data subject has the right to ask for correction, object to processing, lodge a complaint, or even ask for the deletion or transfer of his or her personal data.
  4. Consent
    As and when the company has the intent to process personal data beyond the legitimate purpose for which that data was collected, a clear and explicit consent must be asked from the data subject. Once collected, this consent must be documented, and the data subject is allowed to withdraw his consent at any moment. Also, for the processing of children’s data, the act requires explicit consent of the parents (or guardian) if the child’s age is under 18.
  5. Personal data breaches
    Alumnipad must maintain a Personal Data Breach Register and, based on severity, the regulator and data subject should be informed within 72 hours of identifying the breach. The subject and the regulator may then take steps to properly handle the breach according to the Act.
  6. Privacy by Design
    Alumnipad should incorporate organisational and technical mechanisms to protect personal data in the design of new systems and processes; that is, privacy and protection aspects should be ensured by default.
  7. Data Protection Impact Assessment
    To estimate the impact of changes or new actions, a Data Protection Impact Assessment should be conducted when initiating a new project, change, or product. The Data Protection Impact Assessment is a procedure that needs to be carried out when a significant change is introduced in the processing of personal data. This change could be a new process, or a change to an existing process that alters the way personal data is being processed.
  8. Data transfers
    The controller of personal data has the accountability to ensure that personal data is protected and Data Protection requirements respected, even if processing is being done by a third party. This means controllers have the obligation to ensure the protection and privacy of personal data when that data is being transferred outside the company, to a third party and/or other entity within the same company.
  9. Data Protection Officer
    When there is significant processing of personal data in an organisation (like what happens in Alumnipad), the organisation should assign a Data Protection Officer. When assigned, the Data Protection Officer would have the responsibility of advising the company about compliance with Data Protection requirements.
  10. Awareness and training
    We must create awareness among employees about key Data Protection requirements, and conduct regular training to ensure that employees remain aware of their responsibilities with regard to the protection of personal data and identification of personal data breaches as soon as possible.

QUESTIONS AND CONTACT INFORMATION

If you would like to access, correct, amend or delete any personal information we have about you, register a complaint, or simply want more information, contact us at support@alumnipad.com.