This Privacy Policy describes how Scolah, Inc. (“we”, “us”, or “our”) collects, uses, shares, and protects personal data when you use our services, including:

  • Scolah — a family and early childhood platform for parents, guardians, and schools
  • Scolah Compass — a social protection and case management platform for NGOs and government agencies
  • Scolah Care — a platform connecting families with the care facilities looking after their elderly relatives

By using our services, you agree to the practices described in this policy. If you are using Compass as a beneficiary of a social protection programme, please also refer to your programme operator’s own privacy notice — they are the data controller for your beneficiary record.


1. Who We Are

Scolah, Inc. is the developer and operator of the Scolah suite of products. For all privacy matters, you can reach us at:


2. What Personal Data We Collect

2.1 Scolah App (Parent & Family Platform)

Account information

When you create an account, we collect your full name, email address, phone number, date of birth, gender, postal address (city, state/region, country), and an optional profile biography. If you add an emergency contact, we store their name, phone number, and relationship to you.

Authentication data

Your password is stored as a one-way BCrypt hash — we never see your plain-text password. If you enable multi-factor authentication (MFA), your TOTP secret and backup codes are stored encrypted. If you sign in with Google or Apple, we receive and store a link to your OAuth2 provider identity.

Child and ward profiles

When you add a child, we collect the child’s full name and date of birth, and optionally their school enrollment details.

Activity and health data

We collect the activity logs you create: feeding records, temperature readings, diaper changes, nap records, and free-form activity notes. If you attach photos or media to an activity, those files are stored on our secure media servers. When you use the AI Photo Log feature, your photo is sent to an AI provider (see §5) for activity extraction and is not retained on our servers unless you explicitly save the activity.

Goals, reminders, and family data

We store the development goals and reminders you create, as well as family relationship records (co-parents, guardians) and the sharing permissions you set between family members.

Device and usage data

We collect your Firebase Cloud Messaging (FCM) device token to send you push notifications. Firebase Analytics collects anonymised crash reports, session data, and feature usage statistics from our mobile apps. Server access logs capture your IP address and device type.

Subscription and payment data

We store your subscription tier and billing status. Payment card details are processed directly by our payment provider and are never stored on our servers.

2.2 Compass (Case Management Platform)

Caseworker and staff accounts

For agency staff, we collect full name, email address, role, and agency affiliation, along with the authentication data described above.

Beneficiary records

Compass stores the following data about programme beneficiaries: full name, date of birth, gender, national identification number, phone number, email address, and residential details including district, community, street address, and geographic code. Beneficiary records may also include profile photographs and custom fields defined by the deploying agency, which may contain additional sensitive personal or financial information depending on the programme.

Applicant records

For individuals applying to a programme, we collect full name, date of birth, gender, phone number, email address, geographic location, a profile photograph, a scan of their identity document (ID card), and the responses to the application form (content varies by programme and agency).

Case and programme records

We store case notes, field visit records, Proxy Means Test (PMT) assessments, eligibility scores, intervention records (such as counselling, referral, medical, or legal aid actions), disbursement history, and proof-of-life photographs collected during beneficiary verification checks.

Communication data

Where an agency has enabled the WhatsApp integration, we store conversation data between caseworkers and beneficiaries via that channel.

Uploaded documents

Caseworkers may upload government-issued identification, medical records, and other supporting documents as part of a case file.

2.3 Scolah Care (Elderly Care Platform)

Family member accounts

Family members who connect to a care facility through Scolah Care provide their full name, email address, and their relationship to the resident. Authentication follows the same pattern described in §2.1.

Resident profiles

Care facilities create a profile for each resident, which may include the resident’s full name, date of birth, room or ward identifier, allergies, current prescription medications and schedules, and advance care directives.

Daily care logs

Care staff record daily logs against each resident’s profile. These logs may include medication administration records (doses, times, administered by whom), meals and appetite notes, activities (physiotherapy, social activities, outdoor time), sleep records, mood observations, and photographs from activities.

Wellbeing and health data

We store trend data derived from daily logs: activity frequency, medication adherence rates, appetite and sleep patterns. This data is displayed to authorised family members as a weekly summary.

Incident and alert records

Falls, missed medications, unusual health changes, or other incidents are recorded as alerts. These are flagged to designated family members and care staff as configured by the facility.

Medical records (emergency access)

Facilities may store allergies, prescriptions, and advance directives so they can be shared with hospital staff in an emergency.


3. How We Use Your Data

Purpose Data involved
Delivering and personalising our services Account info, child profiles, activity data, case records
Sending notifications (email, SMS, push) Email address, phone number, FCM device token
AI-powered features (activity recognition, goal analysis, risk assessments) Activity photos, goals, case summaries — sent to AI providers listed in §5
Analytics and service improvement Anonymised usage data via Firebase Analytics
Authentication and account security Credentials, MFA secrets, IP address, access logs
Payment and subscription management Subscription status, routed to payment providers
Fraud prevention and abuse detection Server logs, IP address, access patterns
Legal compliance and dispute resolution Account records, audit logs

Where applicable law requires us to identify a legal basis for processing, we rely on:

  • Performance of a contract — to deliver the services you have signed up for
  • Legitimate interests — to maintain security, prevent fraud, improve our services, and send service-related communications
  • Consent — for optional features such as marketing communications or analytics tracking where required by law
  • Legal obligation — to comply with applicable laws and lawful regulatory requests

For Compass beneficiary data: The deploying agency (the NGO or government body running the programme) is the data controller for beneficiary and applicant records. Scolah, Inc. processes this data on the agency’s behalf as a data processor under a Data Processing Agreement. If you are a beneficiary, please direct data rights requests to the agency that enrolled you.


5. Data Sharing and Third-Party Processors

We share personal data only with third parties that are necessary to operate our services. All sub-processors are bound by Data Processing Agreements that restrict their use of your data.

Category Purpose Data shared
Email delivery Transactional email delivery Email address, name, message content
SMS delivery & workflow messaging SMS delivery and SMS-based workflow integration Phone number, SMS/message content
Push notifications & mobile analytics Mobile push notifications and anonymised usage analytics Device token, anonymised usage statistics
Cloud file storage File and media storage Uploaded photos, documents, ID card scans
AI model (self-hosted) AI assistant responses, risk scoring, and search/embeddings in Compass — run on our own infrastructure, not a third-party AI provider Conversation context, anonymised case summaries, anonymised text queries
Vector database AI retrieval (semantic search over knowledge base and case content) Embedded document vectors
Payment processor (optional — only active if your organization enables it) Processes disbursement payments, using the provider your organization has configured in Settings Payment amount and programme reference
OAuth sign-in Social sign-in authentication OAuth token, email address, display name

We do not sell personal data. We do not share data with advertisers or use it for targeted advertising.


6. Data Retention

Data Retention period
Active account data While your account remains active
Uploaded media and photos (originals) 90 days from the date of upload
Server and application logs 30 days
Completed and dismissed reminders 90 days
Account after a deletion request 30-day grace period, then full anonymisation
Anonymised records after deletion Retained indefinitely in anonymous form
Payment and transaction records As required by applicable financial and tax law

When you request account deletion, a 30-day grace period begins during which you may cancel the request. After this period, all identifying fields (name, email, phone number) are replaced with opaque anonymous identifiers. You will not be able to log in after anonymisation is complete.


7. Children’s Data

The Scolah Parent App allows parents and guardians to create profiles for children in their care. We collect children’s names and dates of birth as part of the core service. The parent or guardian is responsible for ensuring they have the right to provide this information.

In the Compass platform, beneficiaries may include minors. The deploying agency is responsible for ensuring it holds appropriate legal authority or parental consent to register and process data about minors in accordance with applicable child protection legislation.


8. Your Rights

Depending on your location and applicable law, you may have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate or incomplete data
  • Delete your data (subject to legal retention obligations)
  • Restrict processing in certain circumstances
  • Receive a copy of your data in a portable format
  • Object to processing based on legitimate interests

To exercise any of these rights, email privacy@scolah.com. We will respond within 30 days. For Compass beneficiary records, please contact the agency that registered you — they are the data controller.

See our GDPR & Data Rights page for a full description of your rights and how to exercise them.


9. Security

We protect your data using the following measures:

  • Passwords hashed with BCrypt; plain-text passwords are never stored or transmitted
  • All data in transit encrypted with HTTPS/TLS
  • Multi-factor authentication (TOTP) available for all accounts
  • Role-based access control and JWT-based stateless authentication
  • Redis-based rate limiting to prevent brute-force attacks
  • Audit logging for account and data access events
  • Regular security reviews and infrastructure hardening

No transmission over the internet or electronic storage is entirely secure. If you believe your account has been compromised, contact us at privacy@scolah.com immediately.


10. International Data Transfers

Our infrastructure is hosted on cloud providers, which may process data in regions outside your country of residence. When we transfer personal data internationally, we rely on appropriate safeguards — such as Standard Contractual Clauses — to ensure your data receives equivalent protection. Our AI features are powered by our own self-hosted model and do not involve transmitting data to a third-party AI provider.


11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via the platform or by email and update the effective date at the top of this page. Your continued use of our services after the effective date of a revised policy constitutes acceptance of the changes.


12. Contact Us

For privacy questions, data access requests, or concerns about how we handle your personal data: