Privacy Policy
Last updated: 14 July 2026
Operated by: IDARA MEDIA LIMITED, RC 1618394.
Service: gradwate.com and the Gradwate WhatsApp learning service
Effective date: July 2026
Last updated: July 2026
1. Who we are
Gradwate ("Gradwate", "we", "us", "our") is a WhatsApp-first and web-based learning platform operated by IDARA MEDIA LIMITED, a company incorporated in Nigeria (RC No. 1618394), with its registered office at Abuja , Nigeria.
We provide exam-preparation courses (WAEC, JAMB, and similar), skills and professional courses, corporate compliance training, and proctored certification exams with publicly verifiable certificates, delivered through the WhatsApp Business platform and through our web portal at gradwate.com.
For the purposes of the Nigeria Data Protection Act 2023, we are the data controller for personal data we process about our learners and website visitors. Where we deliver corporate training on behalf of an employer, we act as the data processor and the employer is the controller (see Section 8).
2. Scope
This policy explains what personal data we collect, why, how we use it, who we share it with, how long we keep it, and the rights you have. It covers:
- Learners using the Gradwate WhatsApp service and the gradwate.com web portal
- Candidates who sit proctored certification exams
- Parents and guardians who receive progress reports about a linked learner
- Employees enrolled by an employer in corporate/compliance cohorts
- Course creators who publish content and receive payouts on the platform
- Administrators who use the Gradwate management dashboard
- Visitors to gradwate.com and anyone interacting with our WhatsApp Business account
It does not govern third-party services you use independently (for example Meta/WhatsApp itself, your school's systems, or your employer's internal systems beyond the data they share with us).
3. Applicable law and lawful bases
We process personal data in accordance with:
- The Nigeria Data Protection Act 2023 (NDPA) and the Nigeria Data Protection Regulation 2019 (NDPR), as administered by the Nigeria Data Protection Commission (NDPC)
- Where they apply to specific users, equivalent laws in other jurisdictions we serve (e.g. Ghana Data Protection Act 2012, Kenya Data Protection Act 2019, South Africa POPIA 2013, and the EU/UK GDPR for learners in those regions)
Our lawful bases for processing are:
| Purpose | Lawful basis |
|---|---|
| Providing the learning service you signed up for | Performance of a contract |
| Sending WhatsApp lessons, quizzes, drip content, and reminders | Contract + your consent (given when you enrol/opt in) |
| Proctoring and identity verification for certification exams | Your explicit consent (captured before each exam) + performance of a contract (issuing a credible certificate) |
| Issuing, watermarking, and publicly verifying certificates | Contract + legitimate interest (integrity and proof of achievement) |
| Protecting premium content from unauthorised copying (watermarking, access logging) | Legitimate interest (protecting creators' and our intellectual property) |
| Processing payments and issuing invoices/payouts | Contract + legal obligation (tax/accounting) |
| Corporate compliance training | Contract with your employer + the employer's legitimate interest |
| Detecting fraud, abuse, and securing the service | Legitimate interest |
| Product analytics, error monitoring, and improving the service | Legitimate interest (assessed as not overriding your rights) |
| Tax, regulatory, and accounting compliance | Legal obligation |
| Marketing communications | Your consent (withdrawable at any time) |
Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal. Where we rely on legitimate interest, you may object (see Section 12).
4. What personal data we collect
4.1 Information you give us
- Account identifiers: your phone number (the primary identifier; we authenticate you over WhatsApp), your name, your email address (optional), and your preferred language.
- Corporate learners: your employee ID, department, and cohort, as provided by your employer.
- Course creators: payout details necessary to pay you (e.g. bank/transfer reference held via our payment processor — see Section 7).
- Support content: the messages, questions, and any attachments you send us through WhatsApp support or the support desk.
4.2 Information generated as you learn
- Learning activity: courses and modules you enrol in, lessons viewed, quiz attempts, your individual per-question answers (including free-text/short answers), scores, study streaks, badges, drip-schedule progress, and time-based activity.
- Course reviews and feedback, and feature requests/votes you submit.
- Certificates issued to you, including your name, the course, the issue date, an integrity/exam score where applicable, and a cryptographic signature.
- Subscriptions and entitlements: your plan, premium/per-course access, trial usage, and renewal state.
4.3 Proctoring and identity-verification data (certification exams)
When you choose to sit a proctored certification exam, and only after you give explicit consent on screen, we collect and process:
- A photo of your identity document and a selfie, used to confirm that the person sitting the exam is you.
- Periodic snapshots from your device camera taken during the exam.
- Exam-integrity signals, such as when you leave or return to the exam tab, exit full-screen, paste into an answer field, and (where enabled) automated signals like "no face detected" or "multiple faces detected".
- A derived integrity score and a pass/fail/manual-review identity status.
These images and signals are sensitive personal data (they include facial images used for identity confirmation). We treat them accordingly: they are stored in a private, access-controlled object-storage bucket, are visible only to authorised reviewers, and are used solely to verify your identity and protect the integrity of the exam. They are never used for advertising, sold, or used to build a facial-recognition database. See Section 6 for retention.
If you do not consent to proctoring, you cannot take the proctored version of an exam, but you can still use the rest of the learning service.
4.4 Content-protection and access data
For premium/protected learning materials, we embed a per-view watermark linked to your account and record a content-access log (the material viewed, the time, your IP address, and your device/browser user-agent). This exists to trace and deter unauthorised copying and redistribution of paid content. It is used only for security and anti-piracy investigations.
4.5 Parent/guardian data
Where a learner is linked to a parent or guardian (for progress reporting), we hold the parent's/guardian's name, phone number, and (optionally) email address, and we send periodic progress reports to them. A parent link is created either by an administrator/school or by the parent's own verified opt-in.
4.6 Information collected automatically
- Technical metadata: IP address, browser/device user-agent, and timestamps of logins and significant actions.
- Security and audit logs: records of administrative and sensitive actions (including the actor, the action, and IP/user-agent) for security and compliance.
- WhatsApp delivery metadata: message IDs and delivery statuses provided by Meta.
- Error-monitoring and diagnostic data: we use an error-monitoring tool that may capture diagnostic information and, when an error occurs, a limited replay of the affected web session, to help us fix bugs (see Section 7).
- A stable WhatsApp business-scoped identifier (BSUID) that Meta includes with your messages, which we retain to keep recognising you if WhatsApp withholds your phone number in future.
4.7 Data we do not collect
We do not collect your WhatsApp contact list, messages you exchange with people other than our service, your address-book contacts, or your precise geolocation. We do not access your camera except during a proctored exam you have explicitly consented to.
5. How we use your data
We use personal data to:
- Deliver lessons, quizzes, drip content, and reminders over WhatsApp and gradwate.com.
- Track your progress, compute streaks and badges, and grade your attempts — including using a third-party AI model provider to grade free-text/short answers, generate explanations, and (for proctoring) assist identity-check triage (see Section 7 for who and what is shared).
- Verify your identity and supervise proctored exams, and issue watermarked, publicly verifiable certificates.
- Protect premium content against unauthorised copying.
- Process payments, issue invoices, and pay course-creator payouts.
- For corporate cohorts, report progress and completion to your employer (the contracted purpose).
- Authenticate you, prevent fraud/abuse, and secure the service.
- Respond to support requests.
- Monitor errors and improve content and service quality (largely through aggregated/anonymised analysis).
- Send service messages and, with your consent, marketing.
- Comply with our legal obligations.
We do not sell your personal data, and we do not use your learning content or answers to train AI models for third parties.
6. Automated processing and AI
Parts of the service use automated processing and a third-party AI language-model provider (see Section 7):
- Grading of free-text/short answers and generation of answer explanations.
- Generation of practice questions.
- Automated triage of identity checks for proctored exams (which may auto-clear straightforward cases or route others to a human reviewer).
- Exam-integrity scoring from the signals in Section 4.3.
A machine does not make the final decision alone where it significantly affects you. Identity failures and exam disqualifications are subject to human review, and you can ask a human to review any such outcome and contest it by contacting us (Section 12). AI-graded free-text scores can be appealed through support.
7. Who we share data with
We share personal data only with the following categories of recipient, each bound by contractual data-protection terms to use it only as we instruct:
| Recipient | Purpose | What they receive |
|---|---|---|
| Meta Platforms (WhatsApp Business Platform) | Delivering and receiving your WhatsApp messages | Your phone number/BSUID and message content |
| Paystack | Payment processing and creator payouts | Payment/transfer data needed to process a transaction (we do not store full card/bank details — see Section 9) |
| Our AI provider | Grading free-text answers, generating explanations/questions, identity-check triage | Only the specific text or data needed for the task (e.g. your answer text and the rubric; identity-triage inputs). Handled under the provider's enterprise terms and not used to train their models |
| Error-monitoring provider — Sentry | Diagnosing errors, incl. limited on-error session replay | Diagnostic and session data captured around an error |
| Cloud hosting ([data centre region: Finland, EU]) | Running our servers and databases | All service data, stored encrypted in transit |
| Object-storage provider — [S3-COMPATIBLE PROVIDER] | Storing files, incl. the private proctoring bucket and protected content | Uploaded files, certificates, proctoring images/snapshots |
| Email provider | Transactional and report emails | Recipient email and message content |
| Identity-verification vendor, if enabled] | Automated ID verification for proctoring | ID document and selfie for the verification check |
Your employer (corporate learners only): if your employer enrolled you, they can see your enrolment status, progress, completion, and scores, and any certificates you earn. We are the processor and your employer is the controller for this reporting; your rights against your employer are governed by your employment relationship.
Public certificate verification: each certificate has a public verification URL that lets anyone with the link confirm it is genuine. That page shows the holder's name, the course title, the issue date, and (for proctored exams) that the exam was proctored. By accepting a certificate you consent to this limited public verifiability.
Legal disclosures: we may disclose data where compelled by valid legal process from a competent authority. Where lawful, we will tell you first.
Business transfers: in a merger, acquisition, or restructuring, data may transfer to the successor entity, which will remain bound by this policy; we will notify you.
We do not share your data with advertisers or data brokers.
8. Corporate/compliance learners
If you were enrolled by an employer, that employer is the data controller for your participation, and we process your data on their documented instructions under a data-processing agreement. Your employer decides what training you take and receives reporting on your progress and completion. Questions about that use should go to your employer; we will support any valid data-rights request routed through them.
9. Payments
Paystack processes all card and bank payments. We do not store your full card number or bank account details. We store only the payment reference, amount, currency, and status returned to us, plus invoices and (for creators) payout references. See Paystack's privacy policy at https://paystack.com/privacy.
10. Cross-border transfers
Our servers and databases are hosted in [Finland, European Union], so personal data about Nigerian and other African learners is stored and processed outside Nigeria. Some processors (Meta, Paystack, our AI and error-monitoring providers) also operate internationally.
Where data leaves Nigeria, we rely on one or more transfer mechanisms recognised under the NDPA/NDPR — an adequacy decision of the NDPC, standard/contractual data-protection clauses, or your explicit consent — to ensure your data remains protected to an equivalent standard.
11. How long we keep your data
| Data category | Retention |
|---|---|
| Active account profile | While your account is active; deleted within 30 days of a valid deletion request |
| Learning activity (enrolments, attempts, answers, progress) | While your account is active; for known minors, behavioural detail is kept no longer than 12 months after last activity unless needed to support a certificate earned |
| Proctoring images and camera snapshots | Kept only as long as needed to complete identity review and resolve disputes — 90–180 days after the exam, then deleted; images are deleted sooner once a session is cleared, unless an integrity dispute is open |
| Proctoring outcome (pass/fail, integrity score) | With the certificate record, for its validity period |
| Certificates | 7 years (educational/record-keeping) |
| Content-access / watermark logs | 12–24 months for anti-piracy investigation, then deleted |
| Payment and invoice records | 7 years (Nigerian tax law) |
| Security/audit logs | 2 years |
| Support conversations | 24 months after resolution |
| Error-monitoring/session-replay data | Per the provider's default retention (90 days) |
After the applicable period, data is deleted or irreversibly anonymised.
12. Children and minors Highest priority
Many Gradwate learners are secondary-school students who may be under 18. Our approach:
- Learners aged 13–17 may use Gradwate with the verifiable consent of a parent or guardian. Enrolling (or being enrolled by a school) confirms that consent has been obtained.
- Learners under 13 may not sign up as individuals. Where a school enrols under-13 students, we rely on the school's representation that it has obtained appropriate parental consent.
- No marketing is sent to users we know to be under 18.
- Reduced retention applies to minors' behavioural data (Section 11).
- Proctoring of minors requires the explicit consent of a parent/guardian; a minor should not sit a proctored, camera-based exam without it.
- A parent/guardian may contact our us to access, correct, or delete their child's data or withdraw consent; we may ask for reasonable proof of guardianship.
13. Your rights
Subject to the NDPA (and other laws where they apply), you have the right to:
- Access the data we hold about you — available in-app as a data export and on request.
- Rectify inaccurate or outdated data.
- Erase your data, subject to lawful retention (Section 11) — available in-app as account deletion with confirmation, or on request.
- Restrict or object to processing in certain cases (including processing based on legitimate interest, and direct marketing).
- Data portability — receive your data in a machine-readable format.
- Withdraw consent at any time where processing relies on consent.
- Human review of automated identity/exam decisions (Section 6).
- Lodge a complaint with the Nigeria Data Protection Commission (NDPC) at https://ndpc.gov.ng, or with the data-protection authority where you live.
Use the in-app controls on gradwate.com, or contact privacy@gradwate.com. We respond within 30 days (extendable where the law allows, with notice). We do not charge for reasonable requests.
14. Cookies and similar technologies
gradwate.com uses a small number of strictly necessary cookies/tokens to keep you signed in, secure your session (including CSRF/CSP protections), and remember basic preferences. We do not use third-party advertising or cross-site tracking cookies. Our error-monitoring tool may set storage needed to correlate a session for debugging. Where required by law, we will present a cookie notice/consent control.
15. Security
We apply technical and organisational measures appropriate to the sensitivity of the data, including:
- HTTPS-only transport and encrypted storage; proctoring images and protected content held in private, access-controlled buckets with time-limited, signed access.
- Strong authentication (hashed credentials, revocable session tokens, one-time codes for sensitive actions) and rate-limiting on authentication endpoints.
- Per-tenant data isolation enforced at the database-query layer.
- Signed/verified webhooks for inbound WhatsApp and payment traffic.
- Audit logging of administrative and data-rights actions.
- Least-privilege access for staff and reviewers, and dependency-vulnerability monitoring.
No system is perfectly secure. If we become aware of a personal-data breach that risks your rights and freedoms, we will notify the NDPC and affected individuals as required by the NDPA (breach notification obligations).
16. Changes to this policy
We may update this policy as the service or the law changes. Material changes will be notified to active users (for example by WhatsApp message and/or a notice on gradwate.com) at least 14 days before they take effect. The "Last updated" date reflects the latest revision.
17. Contact
- Data Protection/privacy: privacy@gradwate.com
- Operating entity: IDARA MEDIA LIMITED, RC No. 1618394
- Registered office: Abuja, Nigeria
- Regulator: Nigeria Data Protection Commission (NDPC), https://ndpc.gov.ng