Privacy Policy

Last updated: March 19, 2026

1. Introduction

Ynai (“we,” “our,” or “us”) operates the bar exam preparation platform accessible at ynai.co.ke. We are committed to protecting the personal data of every user in compliance with the Kenya Data Protection Act, 2019 (the “DPA”), the Data Protection (General) Regulations, 2021, and all guidance issued by the Office of the Data Protection Commissioner (ODPC).

This Privacy Policy explains what data we collect, why we collect it, how we process and protect it, with whom we share it, and the rights you hold as a data subject under Kenyan law.

2. Data Controller & Data Protection Officer

The data controller responsible for your personal data is:

Ynai

Nairobi, Kenya

Email: privacy@ynai.co.ke

For any data protection inquiries, requests, or complaints, you may contact our Data Protection Officer at dpo@ynai.co.ke.

3. Personal Data We Collect

3.1 Account Information

When you register, we collect:

  • Full name and email address
  • Profile photograph (if you upload one or sign in via Google)
  • Community username you choose
  • Kenya School of Law enrollment status and target exam sitting (e.g., November 2026)
  • Authentication credentials managed via Google Firebase (we never see or store your Google password)

3.2 Study & Performance Data

  • Study progress, quiz scores, mastery phase completion, and spaced-repetition metrics
  • Oral examination audio recordings and AI-graded scores
  • Legal drafting documents you create on the platform
  • Study streak history and session durations

3.3 AI Interaction Data

When you use our AI Tutor, Clarification, Research, or Oral Examination features, we process anonymised snapshots of your interaction — for example, the legal question you asked and the AI-generated response. We do not send your name, email, student number, or any personally identifiable information to AI providers. See Section 6 below for full details.

3.4 Payment Data

  • Subscription plan, billing period, and transaction reference numbers
  • Payment channel used (M-Pesa, card, etc.)
  • We do not store your M-Pesa PIN, credit/debit card number, or CVV. All card and mobile-money details are processed directly by our payment provider (Paystack) and never touch our servers.

3.5 Community Data

  • Posts, replies, and votes you submit to community discussion threads
  • Direct messages exchanged with other users (encrypted at rest)
  • Challenge submissions and scores

3.6 Technical Data

  • Browser type, operating system, and device category
  • Push notification subscription tokens (for web push notifications)
  • IP address (logged transiently for security; not stored long-term)

4. Legal Basis for Processing

Under Section 30 of the Data Protection Act, 2019, we process your personal data on the following lawful bases:

  • Performance of a contract (Section 30(a)) — Processing is necessary to provide you with the study platform services you signed up for, including personalised study plans, AI tutoring, progress tracking, and subscription management.
  • Consent (Section 30(b)) — For optional processing such as sending you engagement emails (daily reminders, weekly reports, fun facts). You may withdraw consent at any time via your notification settings or by contacting us.
  • Legitimate interest (Section 30(f)) — For platform security, fraud prevention, and aggregate analytics that improve the service for all users. We conduct a balancing assessment to ensure our interests do not override your rights.
  • Legal obligation (Section 30(c)) — Where we are required by Kenyan law to retain certain records, for example, payment receipts under the Kenya Revenue Authority regulations.

5. How We Use Your Personal Data

  • Deliver personalised study sessions, quizzes, and mastery assessments across the 9 ATP units
  • Power AI tutoring, oral examinations, legal research, and document drafting features
  • Track your progress, study streaks, and weak-area identification
  • Process subscription payments and issue receipts
  • Send transactional emails (payment confirmations, subscription changes) and, with your consent, engagement emails (study reminders, weekly reports)
  • Enable community features: discussion threads, direct messaging, challenges, and leaderboard rankings
  • Improve platform quality, fix bugs, and develop new features through aggregated, anonymised analytics
  • Ensure platform security and prevent misuse

6. Third-Party Data Processors & Cross-Border Transfers

We share limited data with carefully selected third-party processors to deliver our services. Under Section 48 of the DPA, we ensure each provider offers adequate data protection safeguards:

  • Authentication Provider — We use a trusted identity platform to securely manage your login credentials and account verification. Data shared: email address, display name, and profile photo URL. We never see or store your password.
  • AI Processing Provider — Our AI features (tutoring, quizzes, oral examinations, legal research, and drafting assistance) are powered by a leading AI service. Only anonymised interaction snapshots are sent — the text of your legal question or prompt and relevant study context. Your name, email, student number, and account identifiers are never transmitted. The AI provider does not use API-submitted data to train its models.
  • Payment Processor — Subscription payments (M-Pesa and card) are processed by a PCI-compliant payment provider. Data shared: email address, payment amount, and transaction reference. Your M-Pesa PIN, card number, and CVV never touch our servers — they go directly to the payment provider.
  • Email Delivery Provider — Transactional and engagement emails are dispatched through a professional email delivery service. Data shared: email address, display name, and email content generated on our servers.
  • Cloud Database Provider — Your data is stored in a managed, encrypted-at-rest cloud database hosted by a reputable infrastructure provider.

How AI Processing Works

When you interact with any AI feature on Ynai, we send a snapshot of your interaction to our AI provider for processing. A snapshot contains only the academic content — for example: “Explain the doctrine of privity of contract under Kenyan law” or a legal drafting prompt. Your personal identifiers (name, email, student number, subscription details) are never included in any request to the AI provider. Our AI provider does not use data submitted via its API to train its models. We do not permit it to retain your interaction data beyond the period necessary to generate and return a response.

Cross-border transfers: Some of our processors are located outside Kenya (primarily the United States and European Union). In accordance with Section 48 of the DPA, we ensure transfers are only made to jurisdictions or entities that provide adequate data protection safeguards, including through binding contractual terms (Data Processing Agreements) that obligate each provider to protect your data to a standard no less stringent than the DPA.

7. Data Security

We implement technical and organisational measures to protect your personal data, including:

  • Encryption in transit (TLS/HTTPS for all connections)
  • Encryption at rest (database-level encryption via our cloud provider)
  • Secure authentication via Firebase with support for multi-factor authentication
  • Role-based access controls limiting staff access to personal data on a need-to-know basis
  • Regular security reviews and dependency audits
  • Push notification tokens stored securely and deactivated automatically when expired

In the event of a data breach that poses a real risk to your rights and freedoms, we will notify the ODPC within 72 hours and inform affected data subjects without undue delay, as required by Section 43 of the DPA.

8. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:

  • Account data: Retained for the duration of your active account
  • Study progress & mastery data: Retained while your account is active; deleted within 30 days of account deletion
  • Payment records: Retained for 7 years to comply with Kenya Revenue Authority requirements
  • AI interaction snapshots: Processed in real time and not stored beyond the session; only the final AI-generated output is saved to your study history
  • Community posts & messages: Retained while your account is active; anonymised or deleted upon account deletion
  • Email notification logs: Retained for 90 days for delivery monitoring, then deleted

If you delete your account, we will erase your personal data within 30 days, except where retention is required by law (e.g., payment records).

9. Your Rights as a Data Subject

Under Part IV of the Data Protection Act, 2019, you have the following rights:

  • Right of access (Section 26(a)): Request a copy of the personal data we hold about you
  • Right to rectification (Section 26(c)): Request correction of inaccurate or incomplete personal data
  • Right to deletion (Section 26(d)): Request erasure of your personal data where processing is no longer necessary or consent is withdrawn
  • Right to restrict processing: Request limitation of processing in certain circumstances
  • Right to data portability (Section 26(g)): Receive your personal data in a structured, commonly used, machine-readable format
  • Right to object (Section 26(e)): Object to processing based on legitimate interest, including profiling and direct marketing
  • Right to withdraw consent: Withdraw consent at any time for processing based on consent, without affecting the lawfulness of prior processing
  • Right not to be subject to automated decision-making (Section 35): Our AI features provide study assistance only and do not make legally binding decisions about you

To exercise any of these rights, email dpo@ynai.co.ke. We will respond within 30 days.

10. Email Communications

We send two categories of email:

  • Transactional emails — Payment receipts, subscription confirmations, account security alerts. These are essential to the service and cannot be opted out of while your account is active.
  • Engagement emails — Daily study reminders, weekly progress reports, legal fun facts, streak milestones, and mastery achievements. You can opt out of these at any time via your Settings page or by clicking the unsubscribe link in any email.

We limit engagement emails to a maximum of one per day per user to prevent email fatigue.

11. Cookies & Local Storage

Ynai uses essential browser storage (cookies and localStorage) for authentication session management, theme preferences, and notification state. We do not use third-party tracking cookies or advertising pixels. No data stored in your browser is shared with external advertising networks.

12. Children's Privacy

Our platform is designed exclusively for law students and legal professionals, typically adults enrolled at the Kenya School of Law. We do not knowingly collect personal data from children under 18 years of age. If we become aware that a child's data has been collected, we will delete it promptly and notify the ODPC as appropriate.

13. Automated Decision-Making & AI

Our platform uses AI models to generate study content, grade practice questions, simulate oral examinations, and provide legal research assistance. These AI outputs are educational aids only and do not constitute legal advice or make binding determinations about your academic standing. Your mastery scores and study recommendations are derived from algorithmic analysis of your quiz performance and study patterns — you may request a human review of any AI-generated assessment by contacting our support team.

14. Complaints

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC):

Office of the Data Protection Commissioner

Immaculate Conception Catholic Church Grounds, Upper Hill

P.O. Box 7943-5200, Nairobi, Kenya

Email: complaints@odpc.go.ke

Website: www.odpc.go.ke

We encourage you to contact us first at dpo@ynai.co.ke so we can attempt to resolve your concern directly.

15. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email and an in-app notification at least 14 days before they take effect. The “Last updated” date at the top of this page reflects the most recent revision. Continued use of the platform after the effective date constitutes acceptance of the updated policy.

16. Contact Us

For general privacy inquiries:

Privacy Team: privacy@ynai.co.ke

Data Protection Officer: dpo@ynai.co.ke

Legal: legal@ynai.co.ke

This Privacy Policy is governed by and construed in accordance with the laws of the Republic of Kenya, including the Data Protection Act, 2019. Any disputes arising from this policy shall be subject to the exclusive jurisdiction of the courts of Kenya.