Privacy Policy
1. Who We Are
Pathways ("we," "us," or "our") is an educational application developed by PathwaysKe, a company incorporated in Kenya. We help parents and children navigate the Competency-Based Curriculum (CBC) and Competency-Based Education (CBE) through structured notes, quizzes, AI-assisted learning, and progress tracking.
Contact:
Email: support@pathways.ke
Postal: PathwaysKe, Nairobi, Kenya
2. Scope of This Policy
This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and the rights available to you. It applies to:
- The Pathways mobile application (Android and iOS).
- All services provided through the app, including AI chat, payments, and learning analytics.
By creating an account or using the app, you agree to the practices described in this policy. If you are creating an account on behalf of a child, you confirm that you have the authority to do so as a parent or legal guardian.
3. Information We Collect
3.1 Account and Profile Data (Parent/Guardian)
| Data | Why |
|---|---|
| Full name | To personalise your account and receipts |
| Email address | Account authentication, password reset, service notices |
| Phone number | M-PESA payment initiation |
| Account type (parent or child) | To determine your app experience |
3.2 Child Profile Data
| Data | Why |
|---|---|
| Child's first name | To personalise the child's learning experience |
| School grade (e.g., Grade 4) | To display curriculum-appropriate content |
| Optional username | To allow the child to log in independently |
| Avatar choice | Visual personalisation; stored as a key (no photo is taken) |
We do not collect a child's date of birth, home address, photograph, or any government ID.
3.3 Learning and Academic Data
As a user interacts with the app, we record:
- Reading progress — scroll position (as a percentage) within each note.
- Quiz attempts — question-by-question answers, marks awarded, and total score.
- Test results — generated test responses and scores.
- Streaks and XP — daily activity streaks and experience points.
- Badges — achievements earned within the app.
- Subject and strand browsing history — which topics were accessed.
3.4 AI Chat Messages
The AI tutor feature stores the full text of messages you send and the AI's responses, linked to your account. Messages are transmitted to our AI processing service to generate a response. We do not use your chat messages to train third-party AI models.
3.5 Payment Data
When you subscribe or make a purchase, your M-PESA phone number is sent to Safaricom's M-PESA API to trigger a payment prompt. We store the M-PESA receipt number and transaction status. We do not store your M-PESA PIN or any raw financial credentials.
3.6 Crash Reports and Analytics
In production builds only, we collect anonymised crash logs via Firebase Crashlytics and anonymised usage events via Firebase Analytics. Both are disabled entirely in debug builds. No names, emails, or child data are sent to Firebase Analytics.
3.7 Device and Technical Data
Our servers may receive your device's IP address (retained in server logs for up to 30 days) and app/OS version. We do not collect device advertising identifiers.
4. How We Use Your Information
| Purpose | Legal basis (Kenya DPA 2019) |
|---|---|
| Provide, operate, and personalise the app | Performance of contract |
| Process M-PESA subscription payments | Performance of contract |
| Show parents their child's learning progress | Legitimate interest |
| Generate AI tutor responses | Performance of contract |
| Send transactional notices | Performance of contract |
| Fix bugs and improve stability | Legitimate interest |
| Understand feature usage to improve the product | Legitimate interest |
| Comply with legal obligations | Legal obligation |
We do not use your data for advertising, sell your data to third parties, or use it for any purpose not listed above.
5. Children's Privacy
A child account is always created by a parent or guardian. Children using the app in "child mode" can only access learning content — they cannot change account settings, add payment methods, or view billing information.
We do not serve behavioural advertising and do not share children's data with advertisers. A child's name, progress, or chat messages are never publicly visible.
Parents can view a child's complete progress, delete a child's profile, or delete the entire household account from Profile → Settings.
6. Sharing Your Information
| Recipient | Data shared | Why |
|---|---|---|
| Supabase | All structured data (profiles, progress, messages) | Backend infrastructure |
| Firebase / Google | Anonymised crash reports and usage events | Stability and analytics |
| Safaricom M-PESA | Phone number, amount, transaction reference | Payment processing |
| AI service | Chat messages and curriculum context | AI tutor responses |
| Law enforcement | As required by Kenyan law | Legal compliance |
We do not sell, rent, or trade your personal data.
7. Third-Party Services
- Supabase — supabase.com/privacy — Database and authentication
- Google Firebase — firebase.google.com/support/privacy — Crash reporting and analytics
- Safaricom M-PESA — safaricom.co.ke/privacy-policy — Mobile money payments
- OpenAI — openai.com/privacy — AI language model
8. Your Rights
Under the Kenya Data Protection Act 2019, you have the right to access, correct, object to, and erase your data, as well as data portability and the right to withdraw consent.
You also have the right to lodge a complaint with the Office of the Data Protection Commissioner of Kenya at odpc.go.ke.
9. Data Retention
| Data | Retention period |
|---|---|
| Parent and child profiles | Until account deletion, then deleted within 30 days |
| Learning progress and quiz attempts | Until account deletion |
| AI chat messages | Until account deletion, or on request |
| M-PESA transaction records | 7 years (financial records requirement) |
| Crash logs (Crashlytics) | 90 days |
| Server access logs | 30 days |
| Anonymised analytics events | 14 months |
10. Data Security
- Encryption in transit: All communication uses HTTPS/TLS 1.2 or higher.
- Encryption at rest: Data stored in Supabase is encrypted using AES-256.
- Row-Level Security: Database access controls ensure each household can only read their own data.
- Authentication: Short-lived JWTs issued by Supabase Auth.
- Payment security: No raw payment credentials are stored on our servers.
11. Changes to This Policy
When we make material changes, we will update the "Last updated" date and display a notice inside the app. If a change materially affects how we use children's data, we will require a fresh acknowledgement from the parent or guardian.
12. Contact Us
PathwaysKe
Email: support@pathways.ke
Office of the Data Protection Commissioner
odpc.go.ke