Privacy Policy

Last updated: 11 June 2026

NEYO (“we”) provides school management software to institutions in Kenya. This policy explains how we handle personal data in line with the Kenya Data Protection Act, 2019.

Who controls your data

Each school using NEYO is the data controller for its students, parents and staff. NEYO acts as the data processor, handling data on the school’s instructions. NEYO is registered with the Office of the Data Protection Commissioner (ODPC) and has designated a Data Protection Officer (DPO).

What we collect

  • Account details (name, phone, email, role).
  • School records you enter (students, attendance, fees, results).
  • Payment references from M-Pesa (we never store full card or PIN data).
  • Security logs (sign-ins) to protect accounts.

How we protect it

  • Strict per-school data isolation — one school can never see another’s data.
  • Passwords hashed with Argon2id; sensitive credentials encrypted (AES-256-GCM) with per-school keys.
  • Encrypted connections (HTTPS), security headers, and rate limiting.
  • An immutable audit log of sensitive actions.

Your rights

You may request access, correction, erasure, or a portable copy of your data. Schools can export their full data at any time from Settings → Data. To exercise rights, contact your school administrator or NEYO’s DPO at dpo@neyo.co.ke.

Data breaches

If a breach affecting personal data occurs, we will notify the ODPC and affected schools within 72 hours of becoming aware, as required by law.

Contact

NEYO Data Protection Officer — dpo@neyo.co.ke