Last updated: 19 April 2026

Privacy Policy

1. Who this notice is for

This Privacy Policy describes how Otters Kenya Academy of Swimming Limited ("we", "us", "the club") processes personal data through the swim club management website and application (the "Platform") built on this codebase. It is intended to support transparency and audit readiness in line with the Kenya Data Protection Act, 2019 and guidance from the Office of the Data Protection Commissioner (ODPC). It is not legal advice; the club should obtain qualified legal review for its specific operations.

2. Data controller

The data controller for personal data processed for club operations through the Platform is Otters Kenya Academy of Swimming Limited. For data protection requests, use the club's official contact details (published by the club). The Platform may also surface tools to help you exercise rights (see section 9).

3. Categories of personal data the Platform handles

The following reflects categories of data stored or transmitted by the application as implemented in this repository (registration flows, profiles, Supabase schema, and payment integration).

  • Account and authentication: Email address and password (handled by the authentication provider), account identifiers, and role (e.g. parent, admin, coach). Sign-in with Google is optional; Google's processing is governed by Google's policies.
  • Parent / guardian profile: Full name, phone number, relationship to the swimmer, emergency contact name, relationship, and phone number; email may be stored on the profile record where configured for club operations.
  • Swimmer (minor) records: Name, date of birth, gender, squad assignment and related club fields (e.g. payment preference, gala opt-in, sessions per week where collected at registration), registration status, and operational links (e.g. facility, coach assignment) as used by the club in the database.
  • Billing and payments: Invoice and line-item details, payment status, amounts, references, timestamps, phone number on payment records (e.g. for mobile money flows), and related metadata. Payment initiation uses Paystack; webhook payloads are processed to update payment status in the club database.
  • Training and attendance: Session dates, times, locations/facilities, squad linkage, and attendance records (including timestamps and whether attendance was recorded as self or coach-led, where those fields exist).
  • Consents: Registration consent flags (data accuracy, code of conduct, optional media consent), a copy of the consent text shown at registration, and technical metadata such as timestamp, IP address, and browser user-agent string when submitted to the registration API.
  • Club operational data: Additional tables used by admins and coaches (e.g. meets, reports, coach-related records) may contain further personal data depending on how the club uses those features.

4. How we use personal data (purposes)

Personal data in the Platform is used to:

  • Create and manage parent accounts and swimmer memberships.
  • Process registrations, assign squads, and operate training sessions and attendance.
  • Issue and collect payment for fees through Paystack.
  • Record consents and demonstrate what was accepted at registration.
  • Provide role-based access for parents, coaches, and administrators (access rules are enforced in the database layer via row-level security policies).
  • Meet legal, regulatory, and accounting obligations that apply to the club.

Lawful basis under the Kenya Data Protection Act may include, depending on the processing activity: performance of a contract, compliance with legal obligation, consent (where explicitly collected), or legitimate interests of the club, balanced against your rights. The club should document lawful basis in its internal records of processing.

5. Disclosure and international transfers

Personal data is processed using service providers that power this application. Based on the codebase and typical deployment:

  • Supabase hosts the database and authentication service. Data is stored and processed according to Supabase's terms and privacy policy; processing may occur outside Kenya.
  • Paystack processes payments; transaction data you submit at checkout is subject to Paystack's privacy policy. The application sends data such as payer email, amount, reference, and descriptive metadata (e.g. parent name, phone, swimmer names for display in Paystack metadata) when initializing a transaction.
  • Hosting provider (e.g. Vercel or similar) may process HTTP requests and application logs when the Platform is deployed there.
  • Maps: Facility addresses may be opened in external maps (e.g. Google Maps directions links). Those services apply their own terms when you choose to open them.

Where personal data is transferred outside Kenya, the club should ensure appropriate safeguards required by law (for example standard contractual clauses or adequacy decisions) are in place with processors. This Policy does not list every sub-processor contract; maintain an internal register for ODPC and audit purposes.

6. Cookies and similar technologies

The Platform uses cookies (or similar mechanisms) managed by the authentication layer to keep you signed in securely. These are necessary for the operation of the service. This codebase does not implement a separate third-party advertising or analytics pixel; if the club adds such tools later, the Policy and consent mechanisms should be updated.

7. Security

The application uses HTTPS in production, database row-level security to restrict access by role, and verifies Paystack webhook signatures before trusting payment events. Administrative operations that bypass RLS use tightly controlled server-side credentials. No system is perfectly secure; the club should maintain patching, access control, and incident response procedures.

8. Retention

The Platform does not, in this codebase, define automatic deletion schedules for all data categories. Retention should be governed by the club's policies and legal requirements (e.g. tax, child safeguarding, litigation hold). Contact the club to discuss deletion or anonymisation when no longer needed.

9. Your rights (Kenya DPA)

Subject to applicable law, you may have rights to be informed, to access, rectify, erase or restrict processing, to object, to withdraw consent where processing is based on consent, and to lodge a complaint with the ODPC. You may also have rights regarding automated decision-making where applicable.

The Platform's Settings area allows parents to review and update profile and consent information where implemented. A third-party Privacy.ke data-rights widget may be embedded on settings pages; if present, its operation is subject to that service's terms and the configuration chosen by the club.

10. Children

Swimmers are often minors. Parents or guardians provide their child's personal data through registration and the account. The club should ensure parental authority and appropriate notices are in place.

11. Changes

We may update this Policy when the Platform or legal requirements change. The "Last updated" date at the top will be revised when the text is materially changed. Continued use after notice may constitute acceptance where permitted by law.

Important notice

This document summarises technical and operational practices visible in the Otters swim-hub codebase and typical configuration. It must be reviewed by qualified counsel and adapted with the club's actual contact details, full list of processors, retention schedules, and any country-specific addenda before reliance in regulatory filings or disputes.