Privacy Policy

Introduction

BVUNZO ("the Platform," "we," "our," or "us") is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website, platform, and related services (collectively, "the Service").

This Privacy Policy is designed to comply with the Cyber and Data Protection Act [Chapter 12:07] of Zimbabwe (the "Act") and the Cyber and Data Protection (General) Regulations, Statutory Instrument 155 of 2024. By using the Service, you consent to the data practices described in this policy.

Information We Collect

2.1 Personal Information You Provide

During registration and use of the Service, we may collect the following personal information:

2.2 Information Automatically Collected

As you navigate through and interact with our Service, we may automatically collect certain information using cookies and similar technologies:

2.3 Information from Third Parties

We may receive information about you from third parties, including:

• Educational institutions (if you use the Service through your school)
• Payment processors (if applicable in the future)
• Authentication services

Legal Basis for Processing

Under the Cyber and Data Protection Act [Chapter 12:07], we process your personal information based on the following lawful grounds:

How We Use Your Information

4.1 Service Provision

• To create and manage your account
• To provide access to exam questions, assessments, and learning materials
• To filter content based on your selected exam board
• To track your progress and generate performance analytics
• To enable forum participation and comments

4.2 Service Improvement

• To analyze usage patterns and improve the Platform
• To develop new features and content
• To conduct research on learning patterns and assessment effectiveness
• To identify and fix technical issues

4.3 Communication

• To send administrative information (account verification, password resets)
• To respond to your feedback and inquiries
• To notify you of changes to our terms or policies
• To send service-related announcements

4.4 Security and Compliance

• To protect against unauthorized access and fraudulent activity
• To enforce our Terms of Service
• To comply with legal obligations under Zimbabwean law
• To respond to lawful requests from Zimbabwean authorities

Data Minimization and Storage Limitation

In accordance with section 16 of the Cyber and Data Protection Act, we adhere to the following principles:

5.1 Data Retention Periods

Upon deletion of your account, we create a DeletedAccount record for audit purposes before permanently removing your personal information, in compliance with the Act's requirements for data security and record-keeping.

Data Security

Section 18 of the Cyber and Data Protection Act requires data controllers to secure the integrity and confidentiality of personal data. We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

6.1 Technical Measures

• Encryption of data in transit using TLS 1.3
• Encrypted storage of sensitive information
• Secure authentication protocols
• Regular security assessments and penetration testing
• Firewalls and intrusion detection systems
• Pseudonymization where appropriate

6.2 Organizational Measures

• Access controls based on the principle of least privilege
• Staff training on data protection
• Data processing agreements with third-party processors
• Incident response procedures
• Regular review of security practices

6.3 Breach Notification (Act s. 19)

In the event of a data breach that poses a risk to your rights and freedoms, we will notify the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) and affected users within 72 hours, as required by section 19 of the Act.

Your Rights Under Zimbabwean Law

The Cyber and Data Protection Act grants you specific rights regarding your personal data:

7.1 How to Exercise Your Rights

To exercise any of these rights, please contact us at:

• Email: privacy@bvunzo.com
• Address: BVUNZO Data Protection Officer, Harare, Zimbabwe
• Feedback Form: Available in your dashboard when logged in

We will respond to your request within 30 days, as required by the Act. There is no charge for exercising your rights unless requests are manifestly unfounded or excessive.

Data Controller and Data Protection Officer

8.1 Data Controller

NOSANT TECHNOLOGIES is the data controller for your personal information. Our contact details are:

8.2 Data Protection Officer

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this Privacy Policy. If you have any questions about this policy or our data practices, please contact our DPO at dpo@bvunzo.com.

International Data Transfers

Section 32 of the Cyber and Data Protection Act regulates the transfer of personal data outside Zimbabwe. We may transfer your personal data to the following categories of recipients:

When we transfer your data internationally, we ensure appropriate safeguards are in place, including standard contractual clauses approved by POTRAZ, binding corporate rules, adequacy decisions, or your explicit consent where appropriate.

Cookies and Tracking Technologies

10.1 What Are Cookies?

Cookies are small text files placed on your device when you visit a website. We use cookies and similar technologies to keep you logged in, remember your preferences, analyze usage patterns, and improve your experience.

10.2 Types of Cookies We Use

10.3 Managing Cookies

You can control cookies through your browser settings. However, disabling certain cookies may affect your ability to use some features of the Platform.

Children's Privacy

Section 14 of the Cyber and Data Protection Act contains specific provisions regarding the processing of children's personal data. Our practices are as follows:

• The Service is not directed at children under 13 years of age
• Users between 13 and 16 require parental or guardian consent
• We do not knowingly collect personal information from children under 13 without parental consent
• If we become aware that we have collected personal information from a child under 13 without verification of parental consent, we will delete that information

Sharing and Disclosure

12.1 When We Share Your Information

12.2 What We Do Not Do

• We do not sell your personal information to third parties
• We do not use your data for advertising or marketing without consent
• We do not share sensitive personal information without explicit consent

Third-Party Services

The Service may contain links to third-party websites or services. This Privacy Policy does not apply to those third parties. We encourage you to review the privacy policies of any third-party sites you visit.

Each third-party service is subject to a data processing agreement that complies with the Cyber and Data Protection Act.

Data Protection Impact Assessments

Section 29 of the Act requires data controllers to conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities. We conduct DPIAs when introducing new technologies, processing sensitive data on a large scale, systematic monitoring, or making automated decisions with legal effects.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting notice on the Platform, sending email to your registered address, or requiring acknowledgment of updated terms.

The "Last Updated" date at the top of this policy indicates when it was last revised. Your continued use of the Service after changes constitutes acceptance of the revised policy.

Complaints and Regulatory Authority

16.1 Right to Lodge a Complaint

If you believe that we have violated your data protection rights, you have the right to lodge a complaint with the regulatory authority:

16.2 Contact Us First

Before filing a complaint with POTRAZ, we encourage you to contact us directly so we can address your concerns:

• Email: dpo@bvunzo.com
• Feedback Form: Available in your dashboard

Specific Provisions Under Zimbabwean Law

17.1 Consent Requirements (Act s. 14)

Under section 14 of the Act, consent must be freely given, specific, informed, unambiguous, and demonstrated by a clear affirmative action. Our registration process requires explicit consent through checkboxes and clear affirmative actions.

17.2 Processing of Special Categories (Act s. 13)

The Act defines special categories of personal data requiring enhanced protection. We do not process biometric data, genetic data, health information, political opinions, religious beliefs, or trade union membership.

17.3 Automated Decision-Making (Act s. 27)

Section 27 gives you the right not to be subject to a decision based solely on automated processing that produces legal effects. While we use automated systems to generate performance insights, significant decisions (such as account suspensions) involve human review.

17.4 Data Protection by Design and Default (Act s. 30)

Section 30 requires us to implement data protection principles by design and default. Our platform incorporates privacy settings configured to the highest level by default, data minimization in all features, purpose limitation in data collection, and secure development practices.

Contact Information

For questions about this Privacy Policy or our data practices, please contact:

For General Inquiries: privacy@bvunzo.com

Acknowledgment

Appendix A: Definitions

Appendix B: Data Processing Record

In compliance with section 32A of the Act, we maintain a record of processing activities including: