Data Privacy and Protection Policy

Version 3.0  |  Effective Date: 6 March 2026  |  www.koloso.app

1. Who we are

Koloso Ltd ("Koloso", "we", "us", or "our") is an educational technology company registered in Zambia. We operate the Koloso Teaching Support System — a digital platform designed to support primary school teachers with lesson planning, curriculum-aligned guidance, formative assessment, and progress reporting.

Koloso is the data controller for personal data processed through our platform. In jurisdictions where a local representative is required, details are provided in Section 9.

Contact: Data Protection

Data Protection Officer: Siphiwe Munsaka (COO)  |  Email: sowi@koloso.com

2. Who this policy covers

This policy applies to all personal data we collect and process in connection with the Koloso platform. The individuals whose data we process include:

Children's data — our absolute commitment

Koloso processes data relating to children (students under 18) only for the purpose of supporting their education. Children's data is never used for advertising, marketing, commercial profiling, or any purpose unrelated to the educational service. This commitment is unconditional and non-negotiable.

3. What data we collect

3.1 School and teacher data

Category  |  Examples
Account data  |  School name, address, head teacher name, billing contact, email address, phone number
Teacher profile data  |  Name, email address, subject(s) and grade(s) taught, teaching competency records
Usage data  |  Login times, features used, lesson plans created, assessments administered, reports generated
Communications  |  Support requests, feedback, survey responses

3.2 Student data

Student data is processed only through the school's subscription and only under the instruction of the subscribing school (which is the data processor for student data in its institutional context). We process:

Category  |  Examples
Identity data  |  First name, grade/class, student identifier (as assigned by the school)
Assessment data  |  Responses to formative assessment items, scores, learning gap analysis results
Progress data  |  Performance over time against specific curriculum learning objectives
Report data  |  Aggregated progress summaries shared with school leaders and parents

We do not collect student surnames, home addresses, contact details, photographs, biometric data, health data, or any sensitive personal data as defined under the Zambia Data Protection Act 2021, unless this is expressly required and consented to for a specific purpose.

3.3 Website data

When you visit koloso.app we may collect standard analytics data (page views, session duration, device type, browser type, approximate location) through privacy-preserving analytics tools. We do not use third-party advertising trackers.

4. Why we process data and our legal basis

Purpose  |  Legal basis
Providing the Koloso service to subscribing schools  |  Contract (performance of agreement with the school)
Teacher account management and authentication  |  Contract
Processing student assessment and progress data to generate reports  |  Contract (school instructs us as data processor for student data)
Sending service communications (updates, receipts, support)  |  Contract / Legitimate interests
Improving and developing the Koloso platform  |  Legitimate interests (product development) — data anonymised before use
Compliance with legal obligations (tax, regulatory)  |  Legal obligation
Fraud prevention and platform security  |  Legitimate interests
Research and evidence of educational impact (anonymised and aggregated only)  |  Legitimate interests / Consent where required
Marketing communications to schools (not students)  |  Consent (opt-in)

We do not rely on legitimate interests as a basis for processing children's personal data in any way that is not directly necessary for the delivery of the educational service.

5. How we use children's data

UNICEF EdTech for Good Framework alignment

Koloso is committed to full compliance with UNICEF's EdTech for Good Framework child data protection principles. The following commitments are absolute and apply regardless of jurisdiction.

Children's data processed through Koloso is subject to the following absolute restrictions:

All third-party services used by Koloso (cloud hosting, analytics) are contractually prohibited from using student data for any purpose other than providing the service to Koloso.

6. How we store and protect data

6.1 Storage

Personal data is stored on secure cloud infrastructure. We take reasonable steps to ensure data relating to Zambian users is stored within Zambia or in jurisdictions with equivalent or stronger data protection standards. Where data is stored or processed outside Zambia, we ensure appropriate contractual safeguards are in place, consistent with Sections 70–71 of the Zambia Data Protection Act 2021.

6.2 Security measures

We implement technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction, including:

6.3 Retention

We retain personal data for as long as the school's subscription is active and for a minimum of one year thereafter, consistent with Section 51 of the Zambia Data Protection Act 2021. Schools may request earlier deletion. Student data is deleted (or anonymised for research purposes, with school consent) within 30 days of a school's subscription termination.

7. Sharing data

We do not sell, rent, or trade personal data. We may share data only in the following circumstances:

8. Your rights

Data subjects (teachers, school staff, and students through their schools) have the following rights under the Zambia Data Protection Act 2021 and applicable laws in South Africa (POPIA), Nigeria (NDPR), and Uganda (Data Protection and Privacy Act 2019):

Right  |  What it means in practice
Access  |  Request a copy of the personal data we hold about you
Correction  |  Request that inaccurate or incomplete data be corrected
Erasure  |  Request deletion of your data (subject to legal retention requirements)
Objection  |  Object to processing of your data, including for direct marketing
Restriction  |  Request that we limit how we use your data in certain circumstances
Portability  |  Request your data in a structured, machine-readable format
Withdraw consent  |  Where processing is based on consent, withdraw it at any time without penalty

To exercise any right, contact us at privacy@koloso.com. We will respond within 30 days. Schools may exercise rights on behalf of their students by contacting us directly.

9. Multi-jurisdiction compliance

Koloso operates across multiple African jurisdictions. In addition to the Zambia Data Protection Act 2021 (our primary regulatory framework), we align with:

Jurisdiction  |  Applicable framework
Zambia  |  Data Protection Act No. 3 of 2021; Cyber Security and Cyber Crimes Act No. 2 of 2021
South Africa  |  Protection of Personal Information Act (POPIA) 2013, effective 1 July 2021
Nigeria  |  Nigeria Data Protection Regulation (NDPR) 2019; Nigeria Data Protection Act 2023
Uganda  |  Data Protection and Privacy Act 2019
International (UNICEF)  |  UNICEF EdTech for Good Framework child data protection principles

Where requirements across jurisdictions differ, we apply the most protective standard.

10. Cookies and website analytics

Our website uses essential cookies required for the site to function, and optional analytics cookies to understand how the site is used. We do not use advertising cookies or third-party tracking technologies. You can manage cookie preferences through the cookie settings panel on our website.

11. Changes to this policy

We will notify subscribing schools of any material changes to this policy by email at least 30 days before changes take effect. The current version will always be published at koloso.app/privacy-policy. The version date appears at the top of this page.

12. How to contact us or make a complaint

For any data protection enquiries: sowi@koloso.app

If you are not satisfied with our response, you have the right to lodge a complaint with the relevant regulatory authority:
