Privacy Policy

Who We Are

Campus Compass (Aleph-Tav Initiative) ("Campus Compass", "we", "our", or "us") operates the website campus-compass.com and related mobile and desktop applications. We are the data controller responsible for the personal information you provide when using our platform.

Registered address: House 257 Apartment 01, Off Olive Drive, Meanwood Ibex, Lusaka, Zambia

Contact: support@campus-compass.com

What Data We Collect

We collect the following categories of personal data:

Identity data: name, email address, role (student, parent, organisation).

Academic data: university, country, education level, course of interest.

Account data: hashed password, device fingerprints (SHA-256 hash only — never the raw fingerprint), account creation date.

Payment data: transaction references and plan labels. We do not store card numbers, CVV codes, or bank account numbers — all card processing is handled by DPO Pay (PCI DSS Level 1 certified).

Usage data: content accessed, enrolled subjects, trial and subscription status.

Technical data: IP address (logged by our web server for security purposes), browser type inferred from request headers.

Communications: messages sent via our contact form.

How We Use Your Data

We use your personal data for the following purposes:

To create and manage your account (contractual necessity).

To verify your identity via email and two-factor authentication (legitimate interest — security).

To process payments and grant access to subscribed content (contractual necessity).

To send transactional emails: account verification, login codes, password reset, enrollment confirmations (contractual necessity).

To respond to support enquiries (legitimate interest).

To comply with legal obligations including fraud prevention and financial record-keeping.

To improve our platform based on anonymised usage analytics (legitimate interest).

Legal Basis for Processing

Under the General Data Protection Regulation (GDPR) and applicable African data protection laws, we rely on the following legal bases:

Contractual necessity — processing required to perform our service contract with you.

Legitimate interests — security monitoring, fraud prevention, platform improvement.

Legal obligation — record-keeping required by financial and tax regulations.

Consent — where you have explicitly ticked the consent checkbox at registration. You may withdraw consent at any time by deleting your account.

Data Sharing

We do not sell your personal data. We share data only with:

DPO Pay — our payment processor, for payment verification. DPO is PCI DSS Level 1 certified.

Zoho Mail — for transactional email delivery (SMTP). Emails are sent from noreply@campus-compass.com.

Cloudinary — for storage of uploaded files (proof of payment images, CSV files for bulk enrolments).

MongoDB Atlas — our database provider, which stores your account and enrolment data.

All third-party processors are bound by data processing agreements and may not use your data for their own purposes.

Data Retention

We retain your personal data for as long as your account is active, plus the following periods after deletion:

Payment records: 7 years (financial regulation requirement).

Security logs (IP addresses, login events): 90 days.

Support correspondence: 2 years.

Anonymised, aggregated usage statistics: indefinitely (no personal data).

When the retention period expires, data is securely deleted or irreversibly anonymised.

Your Rights

Under GDPR Article 12–23 and applicable law, you have the following rights:

Right of access — request a copy of your personal data (available via Profile → Download My Data).

Right of rectification — correct inaccurate data by updating your profile.

Right to erasure — delete your account and all associated data (available via Profile → Delete Account).

Right to restrict processing — contact us to request that we limit how we use your data.

Right to data portability — your data export is provided in machine-readable JSON format.

Right to object — object to processing based on legitimate interests.

Right to withdraw consent — withdraw at any time by deleting your account.

To exercise any right not available self-service, contact us at support@campus-compass.com. We will respond within 30 days.

Cookies & Tracking

Campus Compass uses the following:

Session cookie (HttpOnly, Secure, SameSite=None) — stores your authentication JWT token. This is strictly necessary for the platform to function and does not require consent.

Google reCAPTCHA v3 — used on public forms to detect automated abuse. Google's privacy policy applies to reCAPTCHA data.

We do not use advertising cookies, tracking pixels, or third-party analytics cookies.

Security

We implement the following security measures to protect your data:

Passwords are hashed using bcrypt (cost factor 10) — we never store plain-text passwords.

All API communication is over HTTPS (TLS 1.2+).

Authentication uses short-lived JWTs (40-minute expiry) with two-factor OTP verification.

Login is rate-limited and accounts are temporarily locked after 5 failed attempts.

Device fingerprints are stored as SHA-256 hashes only.

Payment card data is never transmitted to or stored on our servers.

Children

Campus Compass is designed for university students and is not directed at children under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe a minor has registered an account, please contact us at support@campus-compass.com and we will delete the account promptly.

International Transfers

Our servers and third-party processors may be located outside your country of residence. Where data is transferred outside the European Economic Area or African Union member states with adequacy decisions, we rely on standard contractual clauses or equivalent safeguards as required by applicable law.

Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email to your registered address and posted on this page with an updated effective date. The version in force at the time of your last login governs your data.

Current version: 2025-04-01

Effective date: 13 April 2026

Contact & Complaints

For any privacy-related question or to exercise your rights:

Email: support@campus-compass.com

Address: House 257 Apartment 01, Off Olive Drive, Meanwood Ibex, Lusaka, Zambia

If you are not satisfied with our response, you have the right to lodge a complaint with the data protection authority in your country of residence.