ClassAddmin

Legal

Privacy policy

Last updated 4 June 2026

1. Who we are

Modularpath Systems Ltd(“ClassAddmin”, “we”, “us”) is registered in Ghana and runs the ClassAddmin service. For questions about this policy or to exercise any of the rights below, email privacy@classaddmin.com.

2. What this policy covers

This policy covers personal data we collect as a controller, namely:

  • data about your school’s staff who sign in to the service;
  • data about billing contacts we use to invoice your school;
  • data from marketing site visitors — anyone who books a demo, signs up for the newsletter, sends a message, or uses the live chat;
  • operational telemetry (server logs, error reports) generated by the service.

Personal data about pupils, guardians and applicants is held in the school’s account; the school is the controller of that data and we are its processor. See the Data Processing Addendum for how that relationship works.

3. What we collect and why

3.1 Account & staff data

  • Name, email, phone — to create the sign-in account and contact the user about account, billing, or security issues.
  • Hashed password & two-factor secrets — to authenticate the user. We never see the plaintext password.
  • Role assignments — to enforce what the user can see inside the app.
  • Sign-in events (timestamp, IP, user-agent) — to detect suspicious access and to power your audit trail.

3.2 Billing data

  • Billing contact name & email, school name, invoicing address.
  • Payment instrument metadata (last 4 digits, MoMo provider) — we don’t store full card or MoMo numbers; that lives at Paystack.
  • Invoice and receipt history.

3.3 Marketing-site data

  • Demo bookings — what you submit on the booking form, plus the slot you picked.
  • Newsletter signups — email + the page you signed up from.
  • Contact form submissions.
  • Live-chat conversations with our AI assistant or human team.

3.4 Telemetry

  • Server logs retained for 30 days (error diagnostics, anti-abuse).
  • Aggregate analytics — anonymous, no third-party trackers.

4. Lawful bases

Under Ghana’s Data Protection Act 2012 (Act 843) we process the categories above on the following bases:

  • Performance of contract — anything needed to run your subscription (sign-in, billing, support).
  • Legitimate interest — keeping the service secure, detecting abuse, improving the product, anonymised analytics.
  • Consent — newsletter subscriptions, optional marketing emails, optional analytics cookies. You can withdraw consent at any time.
  • Legal obligation — tax records, responses to lawful requests from regulators or courts.

5. Who we share with

We don’t sell personal data. We share it only with these sub-processors, each acting on our written instructions and bound by confidentiality:

  • Supabase, Inc. — managed Postgres database, file storage and authentication.
  • Cloudflare, Inc. — Workers runtime, CDN, Turnstile bot protection, image delivery.
  • Paystack Payments Ltd — Ghana-licensed payment processor (MoMo + card).
  • Arkesel Ltd — Ghana-based SMS delivery.
  • Resend, Inc. — transactional email delivery.
  • Anthropic, PBC and OpenAI, LLC — large-language-model providers powering the live chat assistant. No live-chat content is used to train their models.
  • Voyage AI, Inc. — text-embedding provider for the help retriever.

We also share data when required by law (court order, regulator request) or when needed to protect rights, property, or safety. Where this happens, we’ll notify you unless the legal request specifically prohibits it.

6. International transfers

Some sub-processors operate from servers outside Ghana (notably in the United States and the European Union). Where they do, we rely on appropriate safeguards including the contractual data-protection commitments those providers offer (such as Standard Contractual Clauses, where applicable) and on the security measures detailed below.

7. How long we keep your data

  • Sign-in accounts: for the life of the subscription, plus up to 90 days afterwards to allow export.
  • Billing records: 7 years, as required by Ghanaian tax law.
  • Marketing-site form submissions: up to 24 months unless you ask us to delete sooner.
  • Newsletter subscriptions: until you unsubscribe (one-click link in every email).
  • Server logs: 30 days; anonymised aggregates indefinitely.

8. Your rights

Under Act 843 you have the right to:

  • Access the personal data we hold about you;
  • Correct data that is inaccurate;
  • Erase data we no longer have a lawful reason to keep;
  • Restrict or object to processing in certain cases;
  • Port data — receive a copy in a structured, machine-readable format (CSV).

To exercise any of these, email privacy@classaddmin.com from the email address on the account. We respond within 30 days. If we can’t resolve a complaint directly, you may also escalate to the Ghana Data Protection Commission at dataprotection.org.gh.

9. Security

We protect data in transit and at rest with industry-standard measures:

  • TLS 1.2+ on every request to and from the service.
  • AES-256 at rest in our database and storage provider.
  • Row-level security in Postgres so each school’s data is isolated by default — multi-tenancy at the database layer, not the application layer.
  • Hardware-backed credentials for sign-in (Supabase Auth); we never store plaintext passwords.
  • Least-privilege role enforcement inside the app.
  • Audit logging on every administrative change.

We notify the Ghana Data Protection Commission and any affected controllers within 72 hours of becoming aware of a notifiable personal-data breach, with the detail we have at that point. See the DPA for the breach-notification clause.

10. Children’s data

ClassAddmin is school-management software, so the service inevitably holds personal data about minors (pupils and applicants). That data is held under the school’s controller responsibility, not ours. We process it strictly on the school’s instructions, with no profiling, advertising, or model-training use. See the Data Processing Addendum for full detail.

11. Cookies

We keep cookies minimal:

  • Essential — sign-in session, CSRF protection, Turnstile bot check. These cannot be disabled while using the service.
  • Preferences — UI choices (e.g. sidebar collapsed). Stored locally only.
  • Analytics — aggregate, anonymous, no third-party trackers.

We don’t use advertising cookies or remarketing pixels.

12. Changes to this policy

Material changes are announced at least 30 days in advanceby email to account holders and via an in-app notice. Minor edits are published immediately and the “Last updated” date is bumped.

13. Contact

Privacy contact: privacy@classaddmin.com
Security contact: security@classaddmin.com
General contact: hello@classaddmin.com