1. Who we are
Edubaze is school-management software for Nigerian schools, operated by EDUBAZE DIGITAL SYSTEMS LTD (RC 9617722), House 30 Janet Fajemigbesin Street, Diamond Estate, Amuwo Odofin, Lagos, Nigeria. In this policy, “we”, “us” and “Edubaze” refer to that company.
2. Our two roles: controller and processor
Edubaze plays two different roles under the NDPA, and it matters for your rights:
- When a school uses Edubaze, the school is the data controller of its students’, parents’ and staff’ personal data (for example names, dates of birth, guardian contacts, photographs, results, attendance and fees). Edubaze acts as the school’s data processor— we process that data only on the school’s instructions, to provide the service. If you are a parent or student, please contact your school first to exercise your rights; we will support the school in responding.
- Edubaze is the data controller for the personal data of the account holders who sign up with us directly — school owners and partners — including their contact details, login information, partner bank details, and how they use the platform.
3. The personal data we collect
Account & contact data (we are controller)
- Name, username, phone number and email address.
- A password, which is stored only as a secure one-way hash — we never see or store it in plain text.
- For partners: state, city and the bank details you give us so we can pay your commission.
School data (the school is controller; we process it)
- Student records: names, other names, gender, date of birth, admission number, class, guardian name/phone/email, and an optional passport photograph.
- Academic data: scores, grades, positions, report cards and attendance.
- Fees data: invoices, and the proof-of-payment documents (bank-transfer receipts) that families upload, which may show bank details.
- Staff records the school creates (name, role, contact details).
Technical data
- Strictly necessary cookies that keep you signed in and protect the service (see our Cookie Policy). We do not use advertising or analytics trackers.
- Basic security logs (for example sign-in events and an audit trail of sensitive actions) and limited technical information such as IP address, needed to keep accounts secure.
4. How we use personal data, and our lawful basis
Under the NDPA we must have a lawful basis for each use. Ours are:
- Performance of a contract — to create and run your account, provide the service to schools and partners, and process subscriptions and commissions.
- Legitimate interests — to keep the platform secure, prevent fraud and abuse, maintain audit logs, and improve the service — balanced against your rights.
- Legal obligation — to comply with Nigerian law, including tax, record-keeping and the NDPA itself.
- Consent— where we rely on consent (for example a school obtaining a parent’s consent to process a child’s data), it can be withdrawn at any time.
5. Children’s data
Edubaze necessarily processes the data of children (students under 18) on behalf of schools. The NDPA requires the consent of a parent or legal guardian to process a child’s personal data. The school, as controller, is responsible for obtaining and recording that consent and for only entering data it is entitled to. Edubaze provides the security and controls to protect this data and processes it solely on the school’s instructions. We do not market to children or use children’s data for any purpose other than delivering the school’s service.
6. Sharing and disclosure
We do not sell personal data. We share it only as follows:
- Service providers (sub-processors) who help us run the platform — principally our hosting provider, Hetzner Online GmbH, in data centres located in the European Union (Germany/Finland) — under contracts that require them to protect the data and use it only as we instruct.
- Between a school and its partner:a partner who onboards a school can see that school’s subscription and billing status, but never its students, results, fees records or staff data.
- Legal and safety: where required by law, court order, or a lawful request from a regulator such as the Nigeria Data Protection Commission (NDPC), or to protect rights, safety and security.
Each school’s data is technically isolated so that no other school — and no partner — can access it.
7. Where your data is stored, and international transfers
Our servers are provided by Hetzner Online GmbH, in data centres located in the European Union (Germany/Finland). This means personal data is transferred to and stored outside Nigeria. The NDPA permits such transfers where the destination provides adequate protection or appropriate safeguards are in place. Our host operates under the European Union’s General Data Protection Regulation (GDPR), which provides a high standard of protection, and processes data for us under a data-processing agreement that includes the European Commission’s Standard Contractual Clauses. We keep this safeguard available on request, and we transfer only the data needed to run the service.
8. How long we keep data
We keep personal data only as long as needed for the purposes above and to meet legal obligations. School data is retained for as long as the school uses Edubaze; when a school leaves, we return or delete its data on request, and otherwise within about 90 days, subject to any legal retention requirement. Financial and billing records (such as invoices and payment confirmations) are kept for up to 6 years to meet Nigerian tax and company-law obligations, after which they are deleted. Backups rotate out of our system on their normal cycle, after which residual copies are overwritten.
9. How we protect personal data
We apply data-protection-by-design and a range of technical and organisational measures, including:
- Strict tenant isolation— every school’s data is walled off at the data layer so it cannot be accessed by another school.
- Passwords stored as secure one-way hashes; encryption of data in transit (HTTPS).
- Role-based access control — people see only what their role allows — plus sign-in rate-limiting against guessing.
- Uploaded files (photos, payment proofs) held in a private store, served only to authorised users of the same school.
- An audit log of sensitive actions, and regular encrypted backups.
10. Your rights under the NDPA
You have the right to:
- be informed about how your data is used (this policy);
- access the personal data we hold about you;
- have inaccurate data corrected;
- have your data deleted in certain circumstances;
- restrict or object to certain processing;
- data portability where applicable;
- withdraw consent at any time where we rely on consent; and
- lodge a complaint with the Nigeria Data Protection Commission (NDPC).
To exercise these rights, email privacy@edubaze.com. If your data was entered by a school (for example a student or parent), please contact your school first, as the school controls that data; we will assist the school in responding.
11. Data breaches
We maintain procedures to detect and respond to personal-data breaches. Where a breach is likely to result in a risk to people’s rights, we will notify the Nigeria Data Protection Commission (NDPC) within 72 hours where feasible, and inform affected data subjects (or the relevant school) where the law requires.
12. Changes to this policy
We may update this policy as the service or the law changes. We will revise the “Last updated” date above and, for material changes, give notice in the app.
13. Contact us & our DPO
For any privacy question, or to reach our Data Protection Officer, email dpo@edubaze.com (privacy enquiries: privacy@edubaze.com). You may also contact the Nigeria Data Protection Commission (NDPC) at https://ndpc.gov.ng.