Privacy Policy
Last updated: 1 January 2025 · Effective Date: 1 January 2025
This Privacy Policy is prepared in compliance with the Nigeria Data Protection Regulation (NDPR) 2019 and the Nigeria Data Protection Act 2023 (NDPA), issued by the National Information Technology Development Agency (NITDA) and the Nigeria Data Protection Commission (NDPC). By using the Kapaciti platform, you confirm that you have read and understood this policy.
1. Who We Are
Kapaciti Learning Platform (hereinafter referred to as "Kapaciti", "we", "us", or "our") is a digital learning management system registered in Nigeria. We operate the website at www.kapaciti.com and its subdomains, as well as any associated mobile applications.
Kapaciti is a Data Controller as defined under the Nigeria Data Protection Regulation (NDPR) 2019 and the Nigeria Data Protection Act 2023 (NDPA). We are registered with and supervised by the Nigeria Data Protection Commission (NDPC).
Contact: info@kapaciti.com · +234 800 000 0000 · 1 Innovation Drive, Victoria Island, Lagos, Nigeria.
2. Data We Collect
We collect personal data only where it is necessary for us to provide our services. The categories of data we may collect include:
2.1 Data You Provide Directly
- Account Registration: Full name, email address, phone number, date of birth, country of residence, and password.
- Profile Information: Profile photo, professional background, educational qualifications, and learning preferences.
- Payment & Wallet: Payment method details (processed securely via our PCI-DSS-compliant payment partners — we do not store card details), transaction history, token balance.
- Course & Exam Activity: Enrolment records, exam submissions, assessment scores, certificates earned, and learning progress.
- Contact Forms: Name, email, phone number, subject, and message content submitted via our contact form.
- Support Interactions: Communications with our support team, including emails, chat logs, and support ticket content.
2.2 Data Collected Automatically
- Usage Data: Pages visited, features used, time spent, click patterns, search queries within the platform.
- Device & Technical Data: IP address, browser type and version, operating system, device identifiers, screen resolution.
- Location Data: Country and region inferred from IP address (we do not collect precise GPS location).
- Cookies & Similar Technologies: As described in Section 6 below.
2.3 Data From Third Parties
- If you register or log in using Google, Microsoft, or LinkedIn OAuth, we receive your name, email, and profile picture from those services.
- Partner organisations may share relevant information about you when arranging institutional access.
3. Lawful Basis for Processing
In accordance with Article 2.2 of the NDPR 2019 and Section 25 of the NDPA 2023, we process your personal data only where we have a lawful basis to do so. The lawful bases we rely on are:
- Contractual Necessity (Art. 2.2(a) NDPR): Processing necessary to perform our contract with you (e.g., creating your account, delivering courses, issuing certificates, processing token transactions).
- Legitimate Interests (Art. 2.2(e) NDPR): Processing necessary for our legitimate interests where those interests are not overridden by your rights (e.g., platform security, fraud prevention, improving our services, analytics).
- Consent (Art. 2.2(a) NDPR): Where you have given specific, informed, freely given consent — particularly for marketing communications and non-essential cookies. You may withdraw consent at any time.
- Legal Obligation (Art. 2.2(c) NDPR): Where processing is necessary to comply with applicable Nigerian law, including tax, financial, and regulatory obligations.
- Vital Interests: In rare circumstances where processing is necessary to protect the vital interests of you or another individual.
4. How We Use Your Data
We use the personal data we collect for the following purposes:
- Account Management: Creating, maintaining, and authenticating your account; recovering access; managing your subscription and token wallet.
- Service Delivery: Providing access to courses, exams, resources, and certifications; tracking learning progress; issuing digital certificates.
- Payment Processing: Processing token purchases and managing transaction records through our payment partners.
- Communication: Sending transactional emails (purchase confirmations, course access notifications, certificate emails); responding to support queries; sending service announcements.
- Marketing (with consent): Sending newsletters, promotional offers, new course announcements, and learning recommendations. You can opt out at any time.
- Platform Improvement: Analysing usage patterns to improve user experience, fix bugs, develop new features, and optimise content delivery.
- Security & Fraud Prevention: Detecting, investigating, and preventing fraudulent transactions, abuse, and security incidents.
- Legal Compliance: Meeting our obligations under Nigerian law, responding to lawful requests from authorities, and resolving disputes.
- Research & Impact Assessment: Using aggregated, anonymised data to measure our educational impact and report to funders and partners.
5. Data Sharing & Disclosure
We do not sell, rent, or trade your personal data to any third party. We may share your data in the following limited circumstances:
- Service Providers (Data Processors): Trusted third-party companies that process data on our behalf, including cloud hosting providers, payment processors, email delivery services, analytics providers, and customer support tools. All processors are bound by data processing agreements.
- Partner Institutions: If you enrolled through an institutional partnership or are claiming an institutional certificate, we share relevant completion data with the partner institution. You will be informed of this at the time of enrolment.
- Legal Authorities: Where required by Nigerian law or a valid court order, or where necessary to protect the rights, property, or safety of Kapaciti, its users, or the public.
- Business Transfers: In the event of a merger, acquisition, or sale of substantially all of our assets, your data may be transferred. We will provide notice before your data is transferred and becomes subject to a different privacy policy.
- With Your Consent: Where you have given explicit consent for a specific sharing arrangement.
We never share your data with third parties for their own marketing purposes without your explicit consent.
7. Data Security
We implement robust technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. Our security measures include:
- Encryption: All data transmitted to and from our platform is encrypted using TLS 1.2 or higher. Sensitive data at rest (including passwords) is encrypted using industry-standard algorithms.
- Access Controls: Role-based access control (RBAC) restricts access to personal data on a strict need-to-know basis. All staff with access to personal data receive privacy and security training.
- Password Security: Passwords are stored as salted hashes using bcrypt. We enforce strong password policies and offer multi-factor authentication (MFA).
- Infrastructure Security: Our platform is hosted on ISO 27001-certified cloud infrastructure with regular penetration testing, vulnerability scanning, and security audits.
- Incident Response: We maintain a documented data breach response plan. In the event of a personal data breach affecting your rights and freedoms, we will notify the NDPC within 72 hours and you without undue delay, as required by the NDPA.
Despite our best efforts, no system is completely secure. We cannot guarantee absolute security of data transmitted over the internet.
8. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including legal, accounting, or reporting requirements:
- Account Data: Retained for the duration of your account and for 3 years after account deletion, to comply with legal and regulatory obligations.
- Transaction & Financial Records: Retained for 7 years from the date of the transaction, in compliance with Nigerian financial regulations and the Companies and Allied Matters Act (CAMA).
- Certificate & Academic Records: Retained indefinitely to allow certificate verification. Anonymised aggregate completion data is retained for research and impact reporting.
- Contact Form Submissions: Retained for 2 years after the query has been resolved, unless required longer for legal purposes.
- Marketing Consent Records: Retained for the duration of your subscription to marketing communications plus 3 years after opt-out.
- Server & Security Logs: Retained for 90 days for security monitoring and fraud prevention purposes.
When data is no longer needed, it is securely deleted or anonymised in accordance with our data retention schedule.
9. Your Rights Under NDPR & NDPA
Under the Nigeria Data Protection Regulation (NDPR) 2019 and the Nigeria Data Protection Act 2023, you have the following rights with respect to your personal data:
- Right of Access (Art. 3.1(4) NDPR): You have the right to request a copy of the personal data we hold about you, the purposes of processing, and the categories of data involved — free of charge, within 30 days.
- Right to Rectification: You have the right to request correction of inaccurate or incomplete personal data we hold about you.
- Right to Erasure ("Right to be Forgotten"): You may request deletion of your personal data where it is no longer necessary for the purpose it was collected, where you withdraw consent, or where processing is unlawful. Note: we may need to retain some data for legal compliance.
- Right to Restrict Processing: You may request that we restrict processing of your data in certain circumstances, such as while we verify the accuracy of data you dispute.
- Right to Data Portability: You may request a structured, machine-readable copy of your personal data to transfer to another service provider.
- Right to Object: You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we have compelling legitimate grounds.
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.
- Right Not to be Subject to Automated Decision-Making: You have the right not to be subject to a decision based solely on automated processing (including profiling) that significantly affects you.
- Right to Lodge a Complaint: You have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) if you believe your rights have been violated.
To exercise any of these rights, please contact our Data Protection Officer at dpo@kapaciti.com. We will respond within 30 days. We may need to verify your identity before processing your request.
10. Children's Privacy
The Kapaciti platform is intended for users aged 13 years and above. We do not knowingly collect personal data from children under the age of 13 without verifiable parental or guardian consent.
For users aged 13 to 17, we recommend that a parent or guardian review this privacy policy. Where institutional access is provided to learners under 18, the contracting institution assumes responsibility for obtaining appropriate consent from parents/guardians and notifying us accordingly.
If you believe we have inadvertently collected personal data from a child under 13 without appropriate consent, please contact our DPO immediately at dpo@kapaciti.com and we will take prompt action to delete such data.
11. International Data Transfers
Kapaciti is headquartered in Nigeria. Some of our service providers and data processors are located outside Nigeria. Where we transfer personal data outside Nigeria, we ensure adequate protections are in place in accordance with the NDPR and NDPA, including:
- Transferring data only to countries deemed to have adequate data protection laws.
- Using Standard Contractual Clauses (SCCs) or equivalent contractual safeguards with processors in jurisdictions without adequate protection.
- Conducting Transfer Impact Assessments (TIAs) where required.
By using our platform, you acknowledge that your data may be processed in jurisdictions outside Nigeria, subject to the safeguards described above.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or platform features. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page.
- Send a notification email to all registered users at least 30 days before the changes take effect.
- Display a prominent banner on the platform announcing the updated policy.
Where changes require fresh consent, we will obtain this from you explicitly before the changes take effect. We encourage you to review this policy periodically. Your continued use of the platform after any changes constitutes acceptance of the updated policy.
Data Protection Officer (DPO)
Kapaciti has appointed a Data Protection Officer responsible for overseeing data protection strategy and implementation to ensure compliance with the NDPR and NDPA. You may contact our DPO for any privacy-related matter:
Supervisory Authority
If you are not satisfied with our response to your complaint, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC):
This policy was last reviewed and updated on 1 January 2025. Kapaciti reserves the right to update this policy periodically. Material changes will be communicated via email and/or a prominent notice on our platform at least 30 days before taking effect. Continued use of the platform after such notice constitutes acceptance of the updated policy.