Privacy Policy
How Jetbrains Institute collects, uses, and protects your personal data.
Last updated: July 2026 | GDPR Compliant
1. Data Controller
Jetbrains Institute of Information Technology ("we", "us", "our") is the data controller responsible for your personal data. We are registered in Kenya and operate from Jaskat House, Co-op Building Rm. 406, 4th Floor, Limuru.
Contact our Data Protection Officer at privacy@jetbrainscollege.com or call +254 712 799 392.
2. Data We Collect
We collect the following categories of personal data:
- Account Data: Name, email address, phone number, password (hashed), profile picture, bio, location
- Enrollment Data: Course enrollments, payment history, M-Pesa transaction receipts, certificates earned
- Learning Data: Course progress, quiz scores, notes, discussions, assignments, attendance records
- Technical Data: IP address, browser type, device information, cookies, usage analytics
- Payment Data: M-Pesa phone numbers (processed via Safaricom Daraja API; we never store full card numbers)
3. How We Use Your Data
We process your data based on the following legal bases (GDPR Article 6):
- Contract Performance: To provide educational services, process enrollments, and deliver courses
- Legitimate Interest: To improve our services, prevent fraud, and ensure platform security
- Consent: For marketing communications, analytics cookies, and AI tutor interactions
- Legal Obligation: To maintain financial records for tax compliance (7 years), and respond to legal requests
4. Data Security (PCI DSS)
We implement PCI DSS compliant security measures:
- No Card Storage: We use M-Pesa (mobile money) for payments. No credit/debit card numbers are ever stored on our servers.
- Encryption: All data is transmitted over TLS/HTTPS encryption. Passwords are hashed with PBKDF2.
- Access Controls: Role-based access control (RBAC) limits data access to authorized personnel only.
- Audit Logging: All payment operations and data access are logged in an immutable audit trail.
- Network Security: Cloudflare WAF, DDoS protection, and Turnstile CAPTCHA protect against attacks.
- Incident Response: Security incidents are tracked, investigated, and resolved per PCI DSS requirements.
5. Your GDPR Rights
Under the GDPR, you have the following rights:
- Right of Access (Article 15): Request a copy of all personal data we hold about you
- Right to Rectification (Article 16): Request correction of inaccurate personal data
- Right to Erasure (Article 17): Request deletion of your personal data ("right to be forgotten")
- Right to Data Portability (Article 20): Receive your data in a structured, machine-readable format
- Right to Restrict Processing (Article 18): Request restriction of processing in certain circumstances
- Right to Object (Article 21): Object to processing based on legitimate interests or direct marketing
To exercise any of these rights, visit your dashboard profile or contact us at privacy@jetbrainscollege.com.
6. Data Retention
We retain personal data only as long as necessary:
- User Accounts: 7 years after last login (legal/tax compliance)
- Payment Records: 7 years (tax requirements)
- Enrollment Records: 7 years (certification verification)
- Course Notes: 1 year after course completion
- Discussion Posts: 3 years
- Contact Submissions: 1 year
- AI Conversations: 6 months
- Cookie Preferences: 1 year
When data is erased, some records are retained in anonymized form for legal compliance (e.g., PCI DSS audit logs, financial records).
7. Third-Party Processors
We share data with the following processors for specific purposes:
- Cloudflare: Hosting, CDN, DDoS protection, Turnstile CAPTCHA
- Safaricom (M-Pesa): Payment processing via Daraja API
- Workers AI (Cloudflare): AI tutor and content generation
- Resend/Agentic Inbox: Transactional email delivery
All processors are bound by data processing agreements and comply with applicable data protection laws.
8. Cookies
We use the following types of cookies:
- Essential Cookies: Required for authentication and security (cannot be disabled)
- Analytics Cookies: Help us understand how users interact with our platform
- Marketing Cookies: Used to deliver relevant advertisements
- Preference Cookies: Remember your settings and choices
Manage your cookie preferences in Cookie Settings.
9. Data Breach Notification
In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours as required by GDPR Article 33. If the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay.
10. Changes to This Policy
We may update this privacy policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. Your continued use of our services after changes constitutes acceptance of the updated policy.
Questions about this policy? Contact our Data Protection Officer.