Privacy Policy
Last updated: 11 June 2026
NEYO (“we”) provides school management software to institutions in Kenya. This policy explains how we handle personal data in line with the Kenya Data Protection Act, 2019.
Who controls your data
Each school using NEYO is the data controller for its students, parents and staff. NEYO acts as the data processor, handling data on the school’s instructions. NEYO is registered with the Office of the Data Protection Commissioner (ODPC) and has designated a Data Protection Officer (DPO).
What we collect
- Account details (name, phone, email, role).
- School records you enter (students, attendance, fees, results).
- Payment references from M-Pesa (we never store full card or PIN data).
- Security logs (sign-ins) to protect accounts.
How we protect it
- Strict per-school data isolation — one school can never see another’s data.
- Passwords hashed with Argon2id; sensitive credentials encrypted (AES-256-GCM) with per-school keys.
- Encrypted connections (HTTPS), security headers, and rate limiting.
- An immutable audit log of sensitive actions.
Your rights
You may request access, correction, erasure, or a portable copy of your data. Schools can export their full data at any time from Settings → Data. To exercise rights, contact your school administrator or NEYO’s DPO at dpo@neyo.co.ke.
Data breaches
If a breach affecting personal data occurs, we will notify the ODPC and affected schools within 72 hours of becoming aware, as required by law.
Contact
NEYO Data Protection Officer — dpo@neyo.co.ke