Privacy Policy — TTI Masomo & TTI Trainer | Dual Dimension Consulting Limited

Effective Date: 24 June 2026

This Privacy Policy explains how Dual Dimension Consulting Limited (“DDCL,” “we,” “us,” or “our”) collects, uses, discloses, and safeguards information through:

TTI Masomo (the “Student App”), used by registered students of subscribing educational institutions; and
TTI Trainer (the “Trainer App”), used by trainers, administrators, and other staff of subscribing educational institutions;

(together, the “Apps”).

This Policy applies to both Apps. Where a practice applies to only one App, this is stated explicitly.

1. Who We Are, and Our Role

DDCL develops and operates the Apps and the backend systems that support them. The Apps are licensed to educational institutions (“Institutions”) that subscribe to use them for their own students and staff.

For most personal data processed through the Apps, the subscribing Institution is the data controller, and DDCL acts as a data processor acting on the Institution's instructions, within the meaning of Kenya's Data Protection Act, 2019 (“DPA”). This means:

The Institution decides what student/staff data is collected, why, and how long it is kept.
DDCL provides the technical platform (the Apps and backend) and processes data only to operate that platform and as instructed by the Institution.
Requests to access, correct, or delete your personal data should generally be directed to your Institution in the first instance, since the Institution controls your account and records. DDCL will support the Institution in fulfilling such requests, and will also respond directly to you where required by law (see Section 9).

For limited technical/diagnostic data described in Section 3.4, DDCL acts as a controller in its own right.

2. Who Can Use the Apps

The Student App is available only to individuals registered as students by a subscribing Institution, who log in using credentials issued by that Institution. There is no public self-registration.
The Trainer App is available only to individuals registered as trainers, administrators, or other staff by a subscribing Institution, who log in using credentials issued by that Institution.

We do not knowingly direct the Apps at children under 18 for independent, unsupervised use. Technical and vocational training institutions may enrol students who are minors; where this occurs, the Institution — not DDCL — is responsible for the lawful basis for enrolling that student and for any parental/guardian consent required under applicable law. DDCL processes such data only as instructed by the Institution, as described in Section 1.

3. Information We Collect

3.1 Account and Profile Information

Student App:

Admission number and password (for login)
Full name, email address, phone number
Date of birth, national ID number, gender
Address, guardian name, guardian phone number
Course, intake, and enrollment details

Trainer App:

Username/staff identifier and password (for login)
Full name, email address, phone number
Role, department(s), and employment details relevant to your duties

3.2 Academic and Operational Records

Depending on which App you use, this may include: class/training session enrollment, attendance records, timetables, portfolio submissions and grading/feedback, assessment expectations and due dates, internal messages sent through the App's messaging feature, and (Student App) accommodation booking details.

3.3 Evidence Media (Camera and Photo Library)

Both Apps request camera and photo library access so trainers and students can capture or attach photographs, scanned documents, and videos as portfolio evidence for academic assessment. These files are uploaded to the Institution's records and are not used for any purpose other than the academic submission you make. We do not access your camera or photo library other than when you actively choose to capture or attach a file.

3.4 Technical and Diagnostic Information

We may collect limited technical data — such as crash reports, app performance logs, device type, and operating system version — to help us maintain, debug, and improve the Apps. This information is used in de-identified or aggregated form wherever possible and is not used to profile individual users.

3.5 What We Do Not Collect

We do not collect your precise location (GPS), and the Apps do not integrate third-party advertising or social media tracking SDKs.

4. How We Use Information

We (and, where applicable, the Institution) use the information described above to:

Authenticate your account and provide secure access to the Apps;
Deliver core academic functions: attendance, grading, portfolio review, timetabling, messaging, and (where applicable) accommodation booking;
Allow Institutions to administer enrollment, academic records, and staff/student management;
Send service-related communications, including one-time passwords (OTP) for login and password reset;
Maintain, secure, diagnose, and improve the Apps and backend systems (see Section 3.4);
Comply with applicable legal and regulatory obligations.

5. Legal Basis for Processing

Under the DPA, we (and Institutions) process personal data on one or more of the following bases: performance of the enrollment/employment relationship between you and the Institution, the Institution's legitimate educational and administrative interests, your consent (for example, where you actively grant camera/photo access), and compliance with legal obligations.

6. How Information Is Shared

We do not sell personal data. Information collected through the Apps may be shared with:

Your Institution — which owns and controls the underlying academic and employment records;
DDCL personnel and systems that operate the Apps and backend, on a need-to-know basis;
Service providers that support our infrastructure (e.g., hosting, email/SMS delivery for OTPs), acting under contractual confidentiality and data protection obligations;
Regulators or authorities, where required by law or to protect the rights, safety, or property of DDCL, an Institution, or others.

We do not currently integrate third-party analytics, advertising, or social media SDKs into the Apps.

7. Data Retention

Personal data collected through the Apps is retained and used by the subscribing Institution in accordance with that Institution's own records-retention practices and applicable law. DDCL retains data on the Institution's behalf for as long as the Institution's subscription is active, and for a reasonable period thereafter as needed to support an orderly handover or deletion, unless a longer period is required by law. Diagnostic/technical data described in Section 3.4 is retained only as long as needed for the purposes described.

8. Data Security

We apply technical and organisational measures appropriate to the sensitivity of the data we process, including encrypted transmission of data between the Apps and our servers, secure on-device storage of credentials (such as device Keychain/Keystore-backed storage), and access controls limiting who may access personal data. No method of transmission or storage is completely secure; we continually work to improve our safeguards.

9. Your Rights

Under the DPA, you have the right to: be informed of how your data is processed; access the personal data we (or your Institution) hold about you; request correction of inaccurate or incomplete data; request deletion or restriction of processing, subject to lawful retention requirements; object to processing in certain circumstances; data portability, where applicable; and lodge a complaint with the Office of the Data Protection Commissioner (ODPC), Kenya, if you believe your rights have been violated.

To exercise these rights, contact your Institution directly, or contact us using the details in Section 12 and we will coordinate with the relevant Institution as needed.

10. International Data Transfers

Where any processing of your data involves a transfer outside Kenya (for example, where a service provider's infrastructure is located abroad), we take steps to ensure such transfers comply with the cross-border transfer requirements of the DPA, including the use of contractual or other safeguards required by law.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Apps' functionality, or legal requirements. We will post the updated Policy at this URL with a revised effective date. Where changes are material, we will take reasonable steps to notify Institutions and, where appropriate, users directly through the Apps.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, contact:

Dual Dimension Consulting Limited
Email: developer@ddcl.co.ke

If your question concerns your specific academic or employment records, please also contact your Institution directly, as it controls those records.