Your privacy matters to us.
This Privacy Policy explains how Makronexus (Pvt) Ltd (“Makronexus”, “we”, “us”, “our”) collects, uses, shares, and protects personal information when schools and their users access Makronexus Education—including the platform, admissions workflows, and public website.
Controller vs Processor
Schools decide what data to collect (controller). Makronexus processes it under their instructions (processor).
Enterprise Security
Encryption in transit, RBAC, audit logging, and continuous monitoring protect every byte.
Children First
Learner data receives elevated protection. We never sell children's information.
Zimbabwe Aligned
Designed around the Cyber and Data Protection Act [Chapter 12:07] and constitutional privacy rights.
Contents
1About Makronexus
Makronexus Education is a product of Makronexus (Pvt) Ltd, a Zimbabwean-registered private limited company. We build enterprise software for school operations—covering admissions, student information management, assessments, attendance, fees and billing, communications, reporting, and compliance-supporting audit trails.
Where we process personal data on behalf of a school (as processor), the school remains the controller and determines the purposes and means of processing. Where we process data for our own purposes (e.g. website analytics, marketing, or account administration), Makronexus acts as the controller.
| Detail | Information |
|---|---|
| Legal entity | Makronexus (Pvt) Ltd |
| Jurisdiction | Republic of Zimbabwe |
| Primary legislation | Cyber and Data Protection Act [Chapter 12:07] |
| Contact email | louis.gadza@makronexus.com |
| Privacy enquiries | privacy@makronexus.com (or the contact email above) |
2Scope & Application
This Policy applies to all personal data processed through:
- The Makronexus Education platform (including multi-tenant SaaS and self-hosted deployments).
- The admissions workflows and online application portals.
- The public website at makronexus.com and related subdomains.
- Mobile applications or companion apps if and when provided.
- Customer support channels (email, in-app, phone).
If you are a learner, parent/guardian, or staff member, your school may provide additional privacy notices. Where a school acts as data controller, the school's privacy policies govern its own processing decisions. This Policy describes Makronexus's commitments as a data processor (and, where applicable, as an independent controller).
3Key Definitions
| Term | Definition |
|---|---|
| Personal data / Personal information | Any information that identifies, or can reasonably be used to identify, a natural person directly or indirectly. |
| Data controller | The party that determines the purposes and means of processing personal data (typically the school for learner, staff, and guardian records). |
| Data processor | The party that processes personal data on behalf of a controller (Makronexus for school-controlled data). |
| Data subject | The individual whose personal data is being processed (e.g. learner, parent/guardian, staff member). |
| School-controlled data | Data entered into or generated within the platform under a school tenant/account. |
| Processing | Any operation performed on personal data — collecting, recording, storing, adapting, retrieving, using, disclosing, erasing, or destroying. |
| Sub-processor | A third party engaged by Makronexus to process personal data on behalf of a school. |
| Sensitive personal data | Data revealing racial/ethnic origin, health, biometric identifiers, or information about a child requiring special protection. |
| The Act | The Cyber and Data Protection Act [Chapter 12:07] of Zimbabwe. |
4Data We Collect
The categories and scope of personal data processed depend on the school's configuration, the modules enabled, and how end users interact with the Services. We categorise data as follows:
4.1 Account & Identity Data
- Full name, username, email address, phone number, role (e.g. administrator, teacher, parent, learner), profile photograph, and school/organisation affiliation.
- Authentication credentials (hashed passwords, session tokens, multi-factor authentication records).
4.2 Learner Data
- Student identifiers (internal IDs, national registration where provided by the school), date of birth, gender, nationality, home language, and residential address.
- Academic records: class/grade enrolment, subjects, assessment marks, report cards, examination results, promotion history, and curricular comments.
- Attendance records, disciplinary records, and extracurricular participation (as configured by the school).
- Special educational needs or welfare notes (only where the school chooses to record this; treated as sensitive data with restricted access).
- Photographs or document scans uploaded by the school (e.g. birth certificate copies, transfer letters).
4.3 Parent & Guardian Data
- Full name, relationship to learner, contact details (email, phone, address), employer information (if collected by the school).
- Communications preferences (SMS, email, push), language preferences, and interaction history within the parent portal.
- Admissions application data: application forms, uploaded documents, application status, and interview/assessment notes.
4.4 Staff & HR Data
- Employee identifiers, employment dates, department, qualifications, teaching subjects, and timetable assignments.
- Leave records, performance review data, and professional development logs (where enabled by the school).
4.5 Financial & Billing Data
- Fee structures, invoices, payment records, outstanding balances, receipts, and scholarship/bursary information.
- Payment method details are processed exclusively by PCI-compliant third-party payment processors. Makronexus does not store full card numbers.
4.6 Communications Data
- Messages, announcements, notice templates, delivery status logs, and parent-school correspondence within the platform.
4.7 Technical & Usage Data
- Device identifiers, IP address, browser/OS type and version, screen resolution, timezone, and language setting.
- Pages/screens visited, feature usage metrics, click events, timestamps, session duration, and referral source.
- Error and performance logs, API request metadata (method, endpoint, status code, response time).
4.8 Support & Correspondence
- Support tickets, screenshots, attachments, troubleshooting logs, and feedback survey responses.
4.9 Admissions & Application Data
- Online application form submissions, uploaded supporting documents, application timeline, reviewer notes, and acceptance/rejection decisions.
- Waitlist positions, communications with applicant families, and related workflow data.
5How We Collect Data
| Source | Examples |
|---|---|
| Directly from you | Account registration, profile updates, support tickets, admissions applications, messages sent via the platform. |
| From the school | Bulk CSV imports, administrative data entry, automated enrolment workflows, and SIS integrations. |
| Automatically collected | Server logs, cookies, device context headers, analytics pixels, and session recordings (where enabled). |
| Third-party sources | Payment processors (transaction confirmations), email/SMS delivery providers (delivery receipts), and identity verification services (where applicable). |
6Purposes of Processing
| Purpose | Description |
|---|---|
| Service delivery | Operating the platform, managing school tenants, processing admissions, recording academic data, generating reports, and facilitating communications. |
| Authentication & access control | Verifying user identity, enforcing role-based permissions, managing sessions, and preventing unauthorised access. |
| Security & fraud prevention | Monitoring for suspicious activity, maintaining audit trails, enforcing rate limits, and responding to security incidents. |
| Customer support | Responding to enquiries, diagnosing issues, and improving service reliability. |
| Product improvement | Analysing aggregated and anonymised usage patterns to improve features, performance, and user experience. |
| Compliance & legal obligations | Meeting obligations under the Act, responding to lawful government or regulatory requests, and maintaining records as required by law. |
| Communications | Sending service-related notifications (incidents, maintenance, policy changes) and, where permitted and consented, marketing communications about Makronexus services. |
| Billing & invoicing | Processing subscription payments, issuing invoices, managing fee collection (for school-parent billing features), and preventing payment fraud. |
| Research & analytics | Producing de-identified, aggregated statistical reports for sector insights (only with appropriate safeguards and never in a way that identifies individual learners). |
7Legal Basis for Processing
We process personal data only where we have a lawful basis recognised under the Cyber and Data Protection Act and applicable Zimbabwean law. The legal basis depends on the context:
| Legal Basis | When It Applies |
|---|---|
| Performance of a contract | Processing necessary to provide the Services under a school subscription or user agreement. |
| Legitimate interests | Securing the platform, preventing fraud, maintaining service quality, debugging, analytics (using de-identified data), and operating our business — balanced against data subjects' rights. |
| Compliance with a legal obligation | Where Zimbabwean law requires us to process, retain, or disclose data (e.g. tax records, lawful regulatory requests). |
| Consent | Where specifically required (e.g. optional marketing emails, certain cookie categories). Consent can be withdrawn at any time. |
| Public interest / official authority | Where processing is necessary for a task carried out in the public interest (e.g. supporting Ministry of Education reporting as directed by the school). |
| Vital interests | In rare emergency situations where processing is necessary to protect someone's life or physical safety. |
Where the school is the controller, the school is responsible for determining and documenting its own lawful basis for learner, staff, and parent/guardian data, and for providing appropriate privacy notices to families and staff. Makronexus processes school-controlled data under the school's instructions and the contractual relationship.
8Children & Minors
Makronexus Education is designed for use by schools, many of which serve learners who are minors. We recognise the need for heightened protection of children's data:
- School responsibility: Schools are responsible for obtaining any necessary parental/guardian consent and providing appropriate notices before entering learner data into the platform.
- Purpose limitation: We process children's data solely to provide the educational services requested by the school. We do not use it for marketing, profiling, or behavioural advertising.
- No selling: We never sell children's personal data under any circumstances.
- Access controls: Learner data is protected by role-based access control. Only authorised school staff with appropriate permissions can view or modify learner records.
- Direct collection: Where learners interact directly with the platform (e.g. a student portal), we collect only the minimum data needed for that feature. We do not ask children to provide more data than is reasonably necessary.
- Elevated safeguards: Sensitive learner records (welfare notes, SEN data, medical information) are subject to additional access restrictions and audit logging.
9Data Sharing & Disclosure
We share personal data only in the following circumstances:
| Recipient | Purpose | Safeguards |
|---|---|---|
| The school (controller) | Schools and their authorised users access data within the platform based on their configured permissions. | Role-based access control, audit logging. |
| Sub-processors | Infrastructure, hosting, email/SMS delivery, analytics, error monitoring, and backup services. | Contractual data protection terms, security assessments, confidentiality obligations. |
| Payment processors | Processing school-to-parent fee payments and subscription billing. | PCI-DSS compliance, tokenisation, no full card numbers stored by Makronexus. |
| Professional advisors | Legal counsel, auditors, and insurers where necessary for business operations. | Professional confidentiality obligations, need-to-know access. |
| Law enforcement / regulators | To comply with lawful requests, court orders, or mandatory reporting obligations under Zimbabwean law. | We assess legality and scope before disclosing; we notify the school where legally permitted. |
| Business transfers | In connection with a merger, acquisition, or sale of assets. | Data protection provisions in transaction agreements, notification to affected parties. |
10Sub-Processors
We engage vetted sub-processors to help deliver the Services. Each sub-processor is bound by contractual data protection obligations at least as protective as our own commitments.
| Category | Purpose | Location |
|---|---|---|
| Cloud infrastructure | Hosting, compute, and database services for the platform. | Varies (see DPA for specifics) |
| Object storage | Storing uploaded files (documents, images, exports). | Varies |
| Email delivery | Transactional and notification emails (password resets, alerts, reports). | Global |
| SMS / messaging | Delivery of SMS notifications and alerts to parents. | Regional / Global |
| Error monitoring | Real-time error tracking and performance monitoring. | Global |
| Analytics | Aggregated product usage analytics (no PII shared with these tools). | Global |
| Payment processing | Processing subscription and fee payments. | PCI-DSS certified |
Schools may request a current, named sub-processor list by contacting us. We will notify schools of material changes to our sub-processors with reasonable advance notice (typically 30 days), giving the school the opportunity to object.
11International Data Transfers
Depending on the deployment model and sub-processors used, personal data may be processed in Zimbabwe and/or other jurisdictions. Where data is transferred outside Zimbabwe, we implement appropriate safeguards including:
- Contractual protections: Data processing agreements with sub-processors that include obligations equivalent to the protections under the Act.
- Adequacy assessments: Evaluating the data protection framework of the destination country.
- Technical safeguards: Encryption in transit and at rest, access controls, and pseudonymisation where feasible.
- Data residency options: For schools with strict data residency requirements, discuss hosting options with us during contracting.
12Data Retention
We retain personal data only for as long as necessary to fulfil the purposes described in this Policy, comply with legal obligations, and support legitimate business needs.
| Data Category | Retention Period | Notes |
|---|---|---|
| Active school-controlled data | Duration of the school subscription | Schools can delete individual records at any time via the platform. |
| Data after subscription ends | Up to 90 days post-termination | Allows for data export. Deleted after the retention window unless the school requests extension. |
| Backup archives | Up to 180 days post-deletion | Encrypted backups are purged in accordance with the retention schedule. |
| Audit logs | Up to 3 years | Retained for security, compliance, and dispute resolution. Stored separately with restricted access. |
| Billing / financial records | Up to 7 years | As required by Zimbabwean tax law and accounting standards. |
| Marketing consent records | Duration of consent + 3 years | Retained to demonstrate compliance with consent requirements. |
| Support tickets | Up to 2 years after resolution | May be anonymised and retained longer for trend analysis. |
| Website analytics | Up to 26 months | Aggregated and anonymised data may be retained indefinitely. |
Where the school is the controller, the school's own retention policies and applicable education record-keeping requirements take precedence. Schools should configure retention settings within the platform and communicate retention periods to their communities.
13Your Rights
Under the Cyber and Data Protection Act and applicable law, data subjects may have the following rights (subject to exceptions and limitations):
| Right | Description |
|---|---|
| Right of access | Request confirmation of whether we process your personal data and receive a copy of that data. |
| Right to rectification | Request correction of inaccurate or incomplete personal data. |
| Right to erasure | Request deletion of your personal data where there is no compelling reason for continued processing. |
| Right to restriction | Request that we restrict processing of your data in certain circumstances (e.g. while a correction request is assessed). |
| Right to data portability | Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller. |
| Right to object | Object to processing based on legitimate interests or for direct marketing purposes. |
| Right to withdraw consent | Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing. |
| Right not to be subject to automated decisions | Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects, unless safeguards are in place. |
| Right to lodge a complaint | Lodge a complaint with the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) or the relevant data protection authority. |
14How to Exercise Your Rights
For school-controlled data
If your data is managed by a school using Makronexus, direct your request to the school first. The school (as controller) decides how to respond. If the school asks us to assist, we will do so promptly.
For Makronexus-controlled data
For data we control directly (e.g. website contact forms, marketing lists, account administration), email us at louis.gadza@makronexus.com.
Our process
- We will acknowledge your request within 5 business days.
- We will verify your identity and authority (e.g. confirm you are a school administrator or a legal guardian) before releasing data, to protect learners and prevent unauthorised disclosure.
- We aim to fulfil requests within 30 calendar days. Complex requests may take up to 60 days with notice.
- If we cannot fulfil a request (e.g. legal retention obligations apply), we will explain the reason.
15Security Measures
We implement a layered approach to security designed for enterprise education environments:
Encryption
TLS 1.2+ for all data in transit. AES-256 encryption for sensitive data at rest. Hashed and salted password storage.
Access Control
Role-based access control (RBAC) with granular permissions. Multi-factor authentication support. Session management with automatic expiry.
Monitoring & Audit
Comprehensive audit trails for data access and modifications. Real-time intrusion detection and alerting. Regular security log reviews.
Infrastructure
Hardened server configurations. Regular patching and vulnerability scanning. Network segmentation and firewall rules. DDoS protection.
Business Continuity
Automated encrypted backups. Disaster recovery plans tested regularly. Defined Recovery Time and Recovery Point Objectives.
People & Process
Security awareness training. Background checks for staff with data access. Incident response procedures. Principle of least privilege.
Schools are responsible for securing user devices, credentials, and local networks, and for limiting platform access to authorised personnel. We strongly recommend schools enforce strong password policies and enable multi-factor authentication for all administrator accounts.
16Cookies & Tracking Technologies
Our public website uses cookies and similar technologies for security, basic analytics, and improving content. The platform uses session storage and local storage for operational and security purposes.
For a complete breakdown of cookie types, third-party cookies, and how to manage preferences, see our dedicated Cookie Policy.
17Automated Decision-Making & Profiling
Makronexus Education does not currently make fully automated decisions that produce legal or similarly significant effects on individuals without human involvement. Where the platform includes features that provide recommendations or scores (e.g. admissions scoring, analytics dashboards), these are designed as decision-support tools—not as replacements for human judgement.
If we introduce features involving significant automated decision-making in the future, we will:
- Provide clear notice of how the automated processing works.
- Ensure meaningful human oversight is available.
- Allow individuals to contest decisions and request human review.
- Update this Policy accordingly.
18Data Breach Notification
In the event of a personal data breach, we follow a structured incident response process:
- Detection & containment: Automated monitoring detects anomalies. The incident response team contains the breach and begins investigation.
- Assessment: We assess the scope, severity, and categories of data affected.
- School notification: We notify affected schools (as controllers) without undue delay and in no event later than 72 hours after becoming aware of a breach, providing details of the nature, scope, and recommended mitigation steps.
- Regulatory notification: Where required by the Act, we assist the school in notifying POTRAZ or the relevant authority.
- Remediation: We implement corrective measures to prevent recurrence and provide a post-incident report.
Schools are responsible for notifying affected individuals (learners, parents, staff) as required by their own obligations and policies.
19Changes to This Policy
We may update this Privacy Policy from time to time to reflect product changes, legal developments, or operational improvements. When we make changes:
- The “Effective” date and version number at the top of the page will be updated.
- Material changes will be communicated to schools via email or in-app notification at least 30 days before taking effect.
- Previous versions of this Policy will be archived and available on request.
Continued use of the Services after the effective date constitutes acceptance of the updated Policy.
20Contact Us
If you have questions about this Privacy Policy, wish to exercise your rights, or need to report a privacy concern, please contact us:
If you are not satisfied with our response, you may escalate your complaint to the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) or the relevant data protection supervisory authority.