Recess

Privacy Policy

Last Updated: March 2026

1. Introduction

Recess (“we”, “our”, “us”) is committed to protecting the privacy of all users of our platform, with particular care for the data of children and students. This Privacy Policy explains how we collect, use, store, and protect personal information through our platform and services (the “Platform”).

This Policy applies to all users: school administrators, teachers, students, parents/guardians, and partners.

2. Information We Collect

2.1. Information Provided by Schools

When a school registers and uses the Platform, the school provides:

  • School Information: School name, address, contact details, curriculum, and academic configuration
  • Student Information: Names, dates of birth, gender, class/stream assignments, academic records, attendance records, behavioural assessments, and parent/guardian contact details
  • Teacher/Staff Information: Names, email addresses, phone numbers, subject assignments, qualifications, and employment details
  • Parent/Guardian Information: Names, email addresses, phone numbers, relationship to student, and occupation

2.2. Information Generated Through Platform Use

  • Academic Data: Assessment scores, homework submissions, grades, and progress reports
  • Behavioural Data: Behaviour notes, character assessments, and teacher observations
  • Attendance Data: Daily attendance records including timestamps
  • Engagement Data: Login activity, feature usage, resource access, and communication interactions
  • Financial Data: Fee structures, invoice records, payment amounts, and payment method references (we do not store full payment card numbers)

2.3. Technical Information

  • Device type and operating system
  • Browser type and version
  • IP address
  • Usage patterns and session data

3. How We Use Information

We use personal information to:

  • Provide the Platform: Manage school operations, academic tracking, attendance, communication, and fee management
  • Support Users: Respond to enquiries, provide technical support, and facilitate onboarding
  • Send Notifications: Deliver email, SMS, push, and in-app notifications related to academic updates, events, and account activity
  • Generate Analytics: Produce academic reports, student snapshots, engagement metrics, and institutional insights (always presented at the school level or to authorised users only)
  • Improve the Platform: Analyse aggregated, anonymised usage patterns to enhance features, performance, and user experience
  • Ensure Security: Detect and prevent fraud, unauthorised access, and abuse
  • Meet Legal Obligations: Comply with applicable laws, regulations, and legal processes

4. Children’s Privacy

4.1. We take children’s privacy seriously. Student data is provided to the Platform by the school, acting in its capacity as the educational institution responsible for the student.

4.2. Schools are responsible for obtaining appropriate parental/guardian consent for student data to be processed on the Platform, in accordance with applicable law.

4.3. Student data is accessible only to:

  • The school’s authorised administrators and teachers
  • The student’s linked parent(s)/guardian(s)
  • The student themselves (through age-appropriate interfaces)
  • Recess staff for support purposes, under strict access controls

4.4. We do not sell children’s data. We do not use children’s data for advertising. We do not create marketing profiles based on student information.

4.5. Parents/guardians may request access to, correction of, or deletion of their child’s data by contacting their school or by writing to us directly.

5. How We Share Information

We do not sell personal information to third parties. We may share information only in the following circumstances:

  • Within the School Ecosystem: Student data is shared between the school’s administrators, assigned teachers, and linked parents/guardians — in accordance with each user’s role and permissions.
  • Service Providers: We use trusted third-party services to operate the Platform, including cloud hosting and storage (with data encryption at rest and in transit), email delivery services, payment processing providers (M-Pesa, MTN, PayStack, Stripe, etc.), and SMS delivery services. These providers process data solely on our behalf and under contractual obligations to protect it.
  • Legal Requirements: We may disclose information if required by law, court order, or government regulation.
  • Business Transfers: In the event of a merger, acquisition, or sale of assets, user data may be transferred as part of the transaction, with equivalent privacy protections maintained.

6. Data Storage and Security

6.1. Data is stored on secure cloud infrastructure with encryption at rest and in transit.

6.2. Access to personal data is restricted to authorised personnel on a need-to-know basis.

6.3. We implement technical and organisational safeguards including:

  • Encrypted data transmission (TLS/SSL)
  • Secure authentication with token-based access
  • Role-based access controls
  • Regular security assessments
  • Automated monitoring for unauthorised access

6.4. While we take all reasonable measures to protect data, no system is completely secure. We cannot guarantee absolute security but will notify affected users promptly in the event of a data breach.

7. Data Retention

7.1. We retain personal data for as long as the school’s account is active and as necessary to provide the Services.

7.2. Upon account termination, we retain data for up to 90 days to allow for data export. After this period, data is permanently deleted unless retention is required by law.

7.3. Aggregated, anonymised data (which cannot identify individuals) may be retained indefinitely for analytics and platform improvement.

8. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate or incomplete data
  • Deletion: Request deletion of your personal data, subject to legal retention requirements
  • Restriction: Request that we limit processing of your data in certain circumstances
  • Portability: Request your data in a structured, machine-readable format
  • Objection: Object to certain types of processing
  • Withdrawal of Consent: Where processing is based on consent, withdraw it at any time

To exercise any of these rights, contact us at privacy@recess.school. We will respond within 30 days.

For student data, parents/guardians may exercise these rights on behalf of their children. Schools may also facilitate data requests.

9. International Data Transfers

9.1. Our servers and service providers may be located in different countries. Where data is transferred across borders, we ensure appropriate safeguards are in place, including contractual protections consistent with applicable data protection laws.

10. Cookies and Tracking

10.1. We use essential cookies to maintain your session and ensure the Platform functions correctly.

10.2. We may use analytics cookies to understand how users interact with the Platform. These collect aggregated, anonymised information.

10.3. We do not use advertising or tracking cookies.

10.4. You can manage cookie preferences through your browser settings.

11. Changes to This Policy

11.1. We may update this Privacy Policy from time to time. Material changes will be communicated via email or Platform notification at least 30 days before they take effect.

11.2. Continued use of the Platform after changes take effect constitutes acceptance of the revised Policy.

12. Data Protection for Specific Regions

Kenya (Data Protection Act, 2019): We comply with the Kenya Data Protection Act. Our Data Protection Officer can be contacted at dpo@recess.school.

Nigeria (NDPR): We comply with the Nigeria Data Protection Regulation. Schools using Recess in Nigeria are responsible for conducting Data Protection Impact Assessments where required.

South Africa (POPIA): We comply with the Protection of Personal Information Act. Users may lodge complaints with the Information Regulator.

European Union / UK (GDPR): Where applicable, we process data in accordance with GDPR requirements. Legal bases for processing include contract performance, legitimate interests, and consent.

13. Contact Us

For privacy questions, data requests, or concerns:

  • Email: privacy@recess.school
  • Data Protection Officer: dpo@recess.school