Pathways

Privacy Policy

Effective date: 7 June 2026  ·  Last updated: 7 June 2026

1. Who We Are

Pathways ("we," "us," or "our") is an educational application developed by PathwaysKe, a company incorporated in Kenya. We help parents and children navigate the Competency-Based Curriculum (CBC) and Competency-Based Education (CBE) through structured notes, quizzes, AI-assisted learning, and progress tracking.

Contact:
Email: support@pathways.ke
Postal: PathwaysKe, Nairobi, Kenya

2. Scope of This Policy

This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and the rights available to you. It applies to:

By creating an account or using the app, you agree to the practices described in this policy. If you are creating an account on behalf of a child, you confirm that you have the authority to do so as a parent or legal guardian.

3. Information We Collect

3.1 Account and Profile Data (Parent/Guardian)

DataWhy
Full nameTo personalise your account and receipts
Email addressAccount authentication, password reset, service notices
Phone numberM-PESA payment initiation
Account type (parent or child)To determine your app experience

3.2 Child Profile Data

DataWhy
Child's first nameTo personalise the child's learning experience
School grade (e.g., Grade 4)To display curriculum-appropriate content
Optional usernameTo allow the child to log in independently
Avatar choiceVisual personalisation; stored as a key (no photo is taken)

We do not collect a child's date of birth, home address, photograph, or any government ID.

3.3 Learning and Academic Data

As a user interacts with the app, we record:

3.4 AI Chat Messages

The AI tutor feature stores the full text of messages you send and the AI's responses, linked to your account. Messages are transmitted to our AI processing service to generate a response. We do not use your chat messages to train third-party AI models.

3.5 Payment Data

When you subscribe or make a purchase, your M-PESA phone number is sent to Safaricom's M-PESA API to trigger a payment prompt. We store the M-PESA receipt number and transaction status. We do not store your M-PESA PIN or any raw financial credentials.

3.6 Crash Reports and Analytics

In production builds only, we collect anonymised crash logs via Firebase Crashlytics and anonymised usage events via Firebase Analytics. Both are disabled entirely in debug builds. No names, emails, or child data are sent to Firebase Analytics.

3.7 Device and Technical Data

Our servers may receive your device's IP address (retained in server logs for up to 30 days) and app/OS version. We do not collect device advertising identifiers.

4. How We Use Your Information

PurposeLegal basis (Kenya DPA 2019)
Provide, operate, and personalise the appPerformance of contract
Process M-PESA subscription paymentsPerformance of contract
Show parents their child's learning progressLegitimate interest
Generate AI tutor responsesPerformance of contract
Send transactional noticesPerformance of contract
Fix bugs and improve stabilityLegitimate interest
Understand feature usage to improve the productLegitimate interest
Comply with legal obligationsLegal obligation

We do not use your data for advertising, sell your data to third parties, or use it for any purpose not listed above.

5. Children's Privacy

A child account is always created by a parent or guardian. Children using the app in "child mode" can only access learning content — they cannot change account settings, add payment methods, or view billing information.

We do not serve behavioural advertising and do not share children's data with advertisers. A child's name, progress, or chat messages are never publicly visible.

Parents can view a child's complete progress, delete a child's profile, or delete the entire household account from Profile → Settings.

6. Sharing Your Information

RecipientData sharedWhy
SupabaseAll structured data (profiles, progress, messages)Backend infrastructure
Firebase / GoogleAnonymised crash reports and usage eventsStability and analytics
Safaricom M-PESAPhone number, amount, transaction referencePayment processing
AI serviceChat messages and curriculum contextAI tutor responses
Law enforcementAs required by Kenyan lawLegal compliance

We do not sell, rent, or trade your personal data.

7. Third-Party Services

8. Your Rights

Under the Kenya Data Protection Act 2019, you have the right to access, correct, object to, and erase your data, as well as data portability and the right to withdraw consent.

To request deletion of your account and data, visit our data deletion page or email support@pathways.ke with the subject "Data Rights Request." We will respond within 21 days.

You also have the right to lodge a complaint with the Office of the Data Protection Commissioner of Kenya at odpc.go.ke.

9. Data Retention

DataRetention period
Parent and child profilesUntil account deletion, then deleted within 30 days
Learning progress and quiz attemptsUntil account deletion
AI chat messagesUntil account deletion, or on request
M-PESA transaction records7 years (financial records requirement)
Crash logs (Crashlytics)90 days
Server access logs30 days
Anonymised analytics events14 months

10. Data Security

11. Changes to This Policy

When we make material changes, we will update the "Last updated" date and display a notice inside the app. If a change materially affects how we use children's data, we will require a fresh acknowledgement from the parent or guardian.

12. Contact Us

PathwaysKe
Email: support@pathways.ke

Office of the Data Protection Commissioner
odpc.go.ke