Privacy Policy

How we collect, use, protect and respect your personal data at Centre of Corporate Studies.

📅 Last Updated: 1 January 2026

Summary: Centre of Corporate Studies (CCS), a subsidiary of Global Leadership Institute, is committed to protecting your privacy. This policy explains what personal data we collect, why we collect it, how we use it, and your rights under the Kenya Data Protection Act 2019 and applicable international standards including GDPR.

Table of Contents

  1. Who We Are
  2. Data We Collect
  3. How We Use Your Data
  4. Legal Basis for Processing
  5. Sharing Your Data
  6. Payment Data and Financial Records
  7. Cookies and Tracking
  8. Data Retention
  9. Data Security
  10. Your Rights
  11. Children's Privacy
  12. Changes to This Policy
  13. Contact Us

1. Who We Are

Centre of Corporate Studies (CCS) is an online professional learning platform operating under Global Leadership Institute Group, registered in Kenya. We deliver online courses, professional certifications and corporate training at www.corporate.co.ke.

Data Controller: Global Leadership Institute
Address: Repen Complex, Suite 205, Mombasa Road, Nairobi, Kenya
Email: privacy@corporate.co.ke
Phone: +254 722 223 084

2. Data We Collect

2.1 Account and Registration Data

When you create an account or enrol in a course, we collect:

  • Full name and email address
  • Phone number / WhatsApp number
  • Organisation name (optional)
  • Password (stored in encrypted form — we never store plain-text passwords)
  • Account type (individual or corporate)

2.2 Payment Data

When you make a payment, we collect:

  • M-Pesa phone number and transaction reference (processed via Safaricom Daraja API)
  • Card payment tokenised reference (processed via Paystack — we do not store full card numbers)
  • Invoice and receipt records including amounts, dates and course purchased

2.3 Learning Activity Data

When you use our LMS platform, we collect:

  • Courses enrolled in and progress percentages
  • Lesson completion records and timestamps
  • Quiz and exam scores and attempt history
  • Notes you create within the platform
  • Discussion forum posts and comments
  • Certificates issued and their unique IDs

2.4 Technical and Usage Data

We automatically collect certain technical data when you visit our website:

  • IP address and approximate location (country/city)
  • Browser type, version and device type
  • Operating system
  • Pages visited, time on page and navigation paths
  • Referring website or search query

2.5 Communications Data

When you contact us via email, WhatsApp, phone or our contact forms, we retain records of those communications to provide customer support and improve our service.

3. How We Use Your Data

We use your personal data to:

  • Deliver the service: Create and manage your account, process enrolments, grant course access, track learning progress and issue certificates
  • Process payments: Initiate and verify M-Pesa STK push transactions, Paystack card charges and bank transfers; issue VAT invoices and receipts
  • Provide customer support: Respond to enquiries, resolve technical issues and assist with NITA reimbursement documentation
  • Send service communications: Transactional emails (enrolment confirmation, payment receipts, certificate issuance, progress reminders) — these are not optional as they are necessary to deliver the service
  • Send marketing communications: New course announcements, special offers and educational content — you can opt out at any time
  • Improve our platform: Analyse usage patterns, improve course content and user experience
  • Comply with legal obligations: Maintain financial records as required by the Kenya Revenue Authority, Kenya Data Protection Act and other applicable laws
  • Prevent fraud and ensure security: Detect and prevent unauthorised access, fraudulent transactions and misuse of the platform

4. Legal Basis for Processing

Under the Kenya Data Protection Act 2019 and GDPR (for EU/UK users), we process your data on the following legal bases:

  • Performance of a contract: Processing necessary to deliver the courses and services you have paid for
  • Legal obligation: Tax compliance, financial record-keeping, regulatory reporting
  • Legitimate interests: Platform security, fraud prevention, improving our service quality
  • Consent: Marketing emails and non-essential cookies — you can withdraw consent at any time

5. Sharing Your Data

We do not sell your personal data to any third party. We share data only with:

  • Safaricom (M-Pesa Daraja API): To process M-Pesa payments — only your phone number and transaction amount are shared
  • Paystack: To process card payments — governed by Paystack's own privacy policy and PCI-DSS compliance
  • Email service providers: To send transactional and marketing emails — subject to data processing agreements
  • Google Analytics: Anonymised usage data for website performance analysis — no personally identifiable information is shared
  • Our parent company (Global Leadership Institute): For operational purposes, subject to the same data protection standards
  • Legal authorities: Where required by Kenyan law, court order or regulatory requirement
  • Corporate clients: If you were enrolled by your employer through our corporate portal, we share your course progress and completion data with your employer's designated administrator

6. Payment Data and Financial Records

All payment transactions on the CCS platform are processed by regulated third-party payment processors. We adhere to the following principles:

  • We never store full payment card numbers on our servers
  • M-Pesa transactions are processed via Safaricom's secure Daraja API
  • Card transactions are processed via Paystack, which is PCI-DSS Level 1 compliant
  • We retain payment records (amounts, dates, course, receipt numbers) for 7 years as required by the Kenya Revenue Authority
  • VAT invoices and ETR receipts are stored securely and available to you on request

7. Cookies and Tracking

7.1 Essential Cookies

These are strictly necessary for the platform to function and cannot be disabled:

  • Session cookies (keep you logged in while using the platform)
  • Security cookies (protect against CSRF attacks)
  • Load balancing cookies

7.2 Analytics Cookies

We use Google Analytics to understand how visitors use our website. This sets cookies that collect anonymised data about pages visited and time spent. You can opt out via your browser settings or Google's opt-out tool.

7.3 Marketing Cookies

With your consent, we may use cookies to show you relevant advertisements on other websites. You can withdraw this consent at any time.

7.4 Managing Cookies

You can control cookies through your browser settings. Disabling essential cookies will affect your ability to use the platform. To opt out of Google Analytics, visit tools.google.com/dlpage/gaoptout.

8. Data Retention

| Data Type | Retention Period | Reason |
|---|---|---|
| Account data | Duration of account + 2 years | Service delivery |
| Payment records | 7 years | KRA requirement |
| Certificate records | Indefinitely | Verification purposes |
| Learning progress | Duration of account | Service delivery |
| Communication logs | 3 years | Customer support quality |
| Marketing consent | Until withdrawn | Consent record |
| Analytics data | 26 months | Performance analysis |

9. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • HTTPS encryption on all pages (TLS 1.2 or higher)
  • Passwords stored only as bcrypt hashes, never in plain text
  • No storage of complete payment card numbers
  • Access controls limiting staff access to personal data on a need-to-know basis
  • Regular security reviews and updates
  • Secure cloud hosting with regular backups

While we implement strong security measures, no system is entirely secure. In the event of a data breach affecting your rights and freedoms, we will notify you and the Office of the Data Protection Commissioner (ODPC) within 72 hours as required by the Kenya Data Protection Act.

10. Your Rights

Under the Kenya Data Protection Act 2019 (and GDPR for EU/UK users), you have the following rights:

  • Right of access: Request a copy of all personal data we hold about you
  • Right to rectification: Request correction of inaccurate or incomplete personal data
  • Right to erasure: Request deletion of your personal data (subject to legal retention requirements)
  • Right to data portability: Request your data in a structured, machine-readable format
  • Right to object: Object to processing of your data for marketing purposes
  • Right to restrict processing: Request restriction of processing in certain circumstances
  • Right to withdraw consent: Withdraw marketing consent at any time via the unsubscribe link in emails or by contacting us

To exercise any of these rights, email privacy@corporate.co.ke with the subject line "Data Rights Request". We will respond within 30 days. You also have the right to lodge a complaint with Kenya's Office of the Data Protection Commissioner (ODPC) at www.odpc.go.ke.

11. Children's Privacy

Our platform is intended for adults aged 18 and above. We do not knowingly collect personal data from children under 18. If we discover we have inadvertently collected data from a minor, we will delete it promptly. If you believe a child has provided us with personal data, please contact privacy@corporate.co.ke.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology or legal requirements. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this page
  • Send an email notification to registered users if changes significantly affect how we use your data
  • Display a notice on our website

Your continued use of the CCS platform after changes are posted constitutes your acceptance of the updated policy.

13. Contact Us

For any privacy-related questions, requests or complaints, please contact our Data Protection Officer:

Data Protection Officer — Centre of Corporate Studies
Global Leadership Institute Group
Repen Complex, Suite 205, Mombasa Road
Nairobi, Kenya
📧 privacy@corporate.co.ke
📞 +254 722 223 084
🌐 www.corporate.co.ke