YoShule Docs

Privacy Policy

Last updated: 10 July 2026

This policy explains how YoShule ("we", "us") processes personal data when a school uses the YoShule school-management platform. It is written for everyone whose data passes through the system: students and their guardians, and school staff.

Schools own their data. Each school (the "tenant") is the controller of the records it keeps in YoShule. We operate the platform on the school's behalf. If you want a record corrected or deleted, your school administrator is usually the fastest route; you can also contact us directly at info@yoshule.com.

Who we are

YoShule is operated by [OPERATOR LEGAL NAME — to be completed before launch], contactable at info@yoshule.com.

What data we process

We only process the data a school enters to run its operations. Depending on which modules a school uses, this includes:

Students (including minors)

  • Identity and enrollment: names, date of birth, gender, student ID, class/stream, boarding or day status, photos where the school uploads them.
  • Health data: clinic visit records, diagnoses, medication courses and doses administered by school medical staff. This is sensitive ("special category") data and is only visible to roles the school authorises (e.g. the school nurse/matron).
  • Finance: invoices, payments, waivers, and account balances relating to the student's fees.

Guardians

  • Names, phone numbers, email addresses, relationship to the student.
  • National identification numbers (NINs) where the school records them.
  • Consent records: when you give (or withdraw) consent digitally or on a signed hardcopy form, we keep the consent history, including a scan of the signed form if one was uploaded.

Staff

  • Identity and employment: names, contact details, national ID, contracts, department and teaching assignments.
  • Payroll: salary, allowances, deductions, and payment records.
  • Account data: email, hashed password (we never store plaintext passwords), role assignments, and sign-in activity needed to secure accounts.

Everyone

  • Technical data needed to run the service: authentication tokens, the active school and term you are working in, and — only if you opt in via the cookie banner — aggregated analytics (see the Cookie Policy).

Why we process it (legal basis)

  • Running the school's contract with us — hosting and operating the records the school keeps (performance of contract).
  • Guardian and minor data — processed on the school's instruction; for data about minors, YoShule supports explicit guardian consent capture (digital or signed hardcopy) and withdrawal at any time. See Guardian consent.
  • Health data — processed only for the school's medical-care record keeping, gated behind explicit guardian consent flags and role-restricted access.
  • Analytics — only with your consent via the cookie banner.
  • Security — protecting accounts and preventing abuse (legitimate interest).

Who we share it with (processors)

We do not sell personal data. We share it only with the service providers needed to run the platform:

ProviderWhat they doWhat they see
Google Cloud PlatformHosting, storage (GCS), and messaging (Pub/Sub)All platform data, encrypted in transit
ResendSending transactional email (invites, receipts, notifications)Recipient email addresses and message content
Google Analytics 4Optional, consent-gated usage analyticsAggregated usage data; loaded only after you opt in

Schools can request our Data Processing Agreement, which lists these sub-processors and our obligations when handling school data.

How long we keep it

Records live for as long as the school keeps them: schools control creation, correction, and deletion of their records. When a school leaves YoShule it can request export and deletion of its tenant data. Consent history is append-only so that granting and withdrawal remain auditable. Backups expire on a rolling schedule.

Your rights

Under the Uganda Data Protection and Privacy Act, 2019, you can:

  • Access the data held about you or your child.
  • Correct inaccurate records.
  • Delete data that the school no longer has grounds to keep.
  • Withdraw consent at any time — for guardian consent, via your school or the withdrawal action on the student's record; for analytics, via the cookie banner.
  • Complain to Uganda's Personal Data Protection Office (PDPO).

Start with your school administrator (the controller of your records), or contact us at info@yoshule.com and we will route the request to the right school.

Security

Passwords are stored hashed (never plaintext), sessions use signed tokens, access is role-restricted per school, and each school's data is isolated by tenant. Sensitive records such as medical data and consent scans are further restricted to authorised roles.

Changes to this policy

We will update this page and its "Last updated" date when the policy changes. Material changes will be announced in the app.