Privacy Policy
Last updated: 29 June 2026
1. What Data We Collect
Account information: your full name, email address, account type (student or employer), and password (stored securely hashed by our authentication provider, Supabase — we never see or store your plain-text password).
Payment information: when you pay for a course or an employer unlock, your payment is processed directly by Pesapal (for M-Pesa and card payments in Kenya) or Stripe (for international cards). We receive and store only the transaction reference, amount, and status — never your full card number, M-Pesa PIN, or banking credentials.
Course activity: enrolments, lesson completion progress, quiz and sandbox answers, assessment scores, and capstone project submissions.
Self-reported profile data: if you choose to build a talent profile, the headline, bio, skills, years of experience, availability, and portfolio links you enter yourself, plus a phone number if you provide one for employer contact purposes.
2. How We Use Your Data
We use your data to: deliver the courses and features you have paid for; grade your sandbox, assessment, and capstone submissions using Anthropic's Claude API and generate feedback and certificates; build and display your talent profile if you opt in, and match you to relevant job postings; process payments and prevent fraud; and, only if you opt in, send you marketing communications about new courses or features. You can opt out of marketing emails at any time without affecting your access to paid course content.
4. Data Retention
We retain your account and course data for as long as your account remains active, so that you keep access to your course history, certificates, and talent profile. If you request account deletion, we will delete or anonymise your personal data within 30 days, except where we are required to keep certain records (such as payment records) for longer to comply with Kenyan tax or financial regulations. Certificate verification records may be retained indefinitely in anonymised or minimal form (certificate ID, course, and completion date) so employers can continue to verify certificates you have already shared with them.
5. Your Rights Under the Data Protection Act
As a data subject under Kenya's Data Protection Act, 2019, you have the right to: access the personal data we hold about you; request correction of inaccurate or outdated data; request deletion of your data, subject to the retention exceptions described above; object to or restrict certain processing of your data, including marketing communications; and request a copy of your data in a portable format.
6. How to Exercise Your Rights
To exercise any of the rights above, email hello@tundemy.com from the email address associated with your account. We will verify your identity and respond within the timeframes required under the Data Protection Act (generally within 7 days to acknowledge, and without undue delay to fulfil a valid request).
8. Data Security
We use industry-standard measures to protect your data, including encrypted connections (HTTPS) for all traffic, row-level access controls on our database so users can only access their own data, hashed password storage, and restricted internal access to payment and personal data. No system is completely secure, but we work to keep these protections current.
9. Children's Privacy
Tundemy is not intended for, and is not directed at, anyone under the age of 18. We do not knowingly collect personal data from children. If we become aware that a user under 18 has created an account, we will close the account and delete the associated data.
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes to our practices or applicable law. We will update the "Last updated" date above when we do, and for material changes we will make reasonable efforts to notify active users by email.
11. Contact
Questions about this policy or your data can be sent to hello@tundemy.com.