This Privacy Policy describes how BIT2025 by Isaiah (“we,” “us,” or “the platform”) collects, uses, stores, shares, and protects information when you use our website, tools, and related services. We are committed to transparency, proportionate data use, and strong technical and organizational safeguards.
1. Who we are & what this site does
BIT2025 by Isaiah is an independent academic and productivity platform created by Isaiah P. Nyalali for students and visitors, with a focus on the University of Dar es Salaam’s College of Information and Communication Technology (CoICT) community. The site provides:
Some tools run entirely in your browser; others call our backend APIs or trusted third-party services to deliver functionality (e.g. live train data, payments, analytics, or support chat). Where a feature touches personal data, it is summarized below and in the security section.
2. Data we collect
We only collect data that is reasonably necessary to operate the platform, secure accounts, fulfill payments, communicate with you, and improve reliability. Categories may include:
2.1 Account & authentication data
- Registration & profile: Information you provide when creating or updating an account (e.g. name, email address, academic identifiers you choose to share, and preferences).
- Credentials & sessions: When you log in, our systems issue a secure access token stored in your browser for session continuity. Passwords are never stored in plain text on the client.
2.2 Usage & technical data
- Device & connection: IP address, browser type, approximate region, timestamps, and diagnostic data used for security and performance.
- Analytics: Aggregated usage metrics (e.g. page views, feature engagement) via tools such as Google Analytics and Cloudflare Web Analytics to understand traffic patterns.
- Support & chat: If you use live chat (e.g. Tawk.to), messages and metadata may be processed by that provider under their terms.
2.3 Content you submit
- Contact & inquiry forms: Name, phone, email, subject, message, and related fields submitted through our contact workflow (processed via Web3Forms or comparable form providers).
- Course & academic interactions: Actions tied to unlocking materials, subscription tiers, or document access may generate server-side records (e.g. entitlement status, purchase references).
2.4 Payment-related data
- Third-party checkout: Support contributions and paid features are processed by our payment partner (Snippe or other gateways we may integrate). We typically receive confirmation metadata (e.g. transaction status, reference IDs, product purchased)—not your full card number.
- Billing support: Limited records may be retained to reconcile access, prevent fraud, and respond to disputes.
2.5 Calculator & tool inputs
- Local processing: Many calculator inputs (GPA fields, salary figures, loan parameters) are processed in your browser and may never leave your device unless you explicitly submit them elsewhere.
- Network-backed tools: The SGR Trip Finder and similar features may send search parameters (stations, dates) to external or internal APIs to retrieve schedules; those queries may appear in service logs for reliability and abuse prevention.
3. How we use your information
- Provide, personalize, and secure accounts, subscriptions, and paid entitlements.
- Deliver academic content, calculators, and integrations you request.
- Authenticate requests to our APIs using industry-standard bearer tokens and server-side validation.
- Communicate service updates, access confirmations, and (where permitted) product information.
- Detect, investigate, and block fraud, abuse, scraping, or unauthorized access.
- Maintain backups, audit trails, and operational logs consistent with legitimate interests and legal obligations.
- Measure aggregate performance and improve UX (not to sell personal data).
4. Legal bases & retention (summary)
Depending on context, processing may rely on performance of a contract (providing features you sign up for), legitimate interests (security, analytics, product improvement), consent (where required, e.g. certain cookies or marketing), or legal obligation. We retain personal data only as long as needed for these purposes, plus statutory limits—then we delete or irreversibly anonymize it where feasible.
5. Features & how they relate to your data
Below is a concise map of major features and typical data implications:
- Academic journey & course notes: Server may store access rights, progress flags, or purchase records tied to your account.
- GPA suite: Inputs are primarily local; we do not require uploading transcripts for basic calculation.
- SGR Trip Finder: Query parameters may transit our backend or partner APIs; avoid entering unnecessary personal details into search fields.
- Financial calculators (Salary / HESLB / Loan): Designed for local estimation; do not submit real employer confidential data unless you accept any associated risk.
- Cycle by Isaiah: Wellness data should be handled sensitively; review that product’s on-page notices for storage specifics.
- Contact form: Submissions are emailed or routed through our form provider; content may be archived for support quality.
- Live chat: Conversations are processed by the chat vendor’s infrastructure.
Security architecture & how we protect you
We apply a defence-in-depth model: transport security, authenticated APIs, strict server-side validation, separation of public content from account-gated resources, and minimal retention of sensitive artifacts. Authentication uses signed bearer tokens (stored in your browser’s localStorage only for session management—not for long-term secrets) transmitted over HTTPS/TLS to our API endpoints. Backend services validate every privileged action; client-side state alone cannot grant server trust. Infrastructure may include CDN and WAF layers (e.g. Cloudflare) for DDoS mitigation, bot management, and encrypted delivery. Administrative access is limited on a need-to-know basis; logs may be monitored for intrusion or misuse. While no system is infallible, we continuously review configuration, dependencies, and access patterns to reduce risk.
6. Cookies & similar technologies
We use cookies and local storage for session continuity, preferences, fraud prevention, and measurement. Third-party scripts (analytics, chat, maps, captcha) may set their own cookies governed by their policies. You can control cookies through your browser settings; disabling some cookies may limit functionality.
7. Third-party services
We rely on carefully selected processors, including but not limited to:
- Payment processors (e.g. Snippe) for donations and paid unlocks.
- Form & email delivery (e.g. Web3Forms) for contact submissions.
- Analytics (Google Analytics, Cloudflare) for aggregated insights.
- Customer messaging (Tawk.to) for optional chat.
- Maps & location embeds (Google Maps) when you view embedded campus maps.
- hCaptcha or similar anti-abuse widgets on forms.
Each provider processes data under their respective terms and privacy policies. We instruct processors only to handle data as needed for our service.
8. International transfers
Our infrastructure and subprocessors may be located outside your country. Where data crosses borders, we rely on appropriate safeguards (e.g. standard contractual clauses or equivalent mechanisms) where required by law.
9. Payments — what we see & what we don’t
Payments are completed on our payment partner’s secure checkout. We do not store full payment card numbers on our servers. We may retain transaction references, product identifiers, and status to prove entitlement, issue receipts, and support accounting. For billing questions, contact us using the details below.
10. Your rights
Subject to applicable law, you may have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate or incomplete information.
- Delete your data where no overriding legal basis applies.
- Restrict or object to certain processing.
- Data portability for data you provided where technically feasible.
- Withdraw consent where processing is consent-based.
- Lodge a complaint with a supervisory authority in your jurisdiction.
To exercise rights, email us (see §14). We may need to verify your identity before fulfilling sensitive requests.
11. Deleting your account
You may request account deletion by contacting us. We will delete or anonymize personal data tied to your account where legally permissible. Some information may be retained in aggregated, de-identified, or legally required form (e.g. tax or fraud-prevention records). Third-party processors may retain their own copies per their policies until purged.
12. Children’s privacy
The platform is intended for a general audience including university-level users. We do not knowingly collect personal information from children under 13 (or the minimum age in your jurisdiction) without parental consent. If you believe we have collected such data, contact us for prompt removal.
13. Changes to this policy
We may update this Privacy Policy to reflect legal, technical, or operational changes. Material updates will be indicated by revising the “Last updated” date at the top. Continued use after changes constitutes acceptance unless applicable law requires additional consent.
14. Contact & data requests
For privacy-specific questions, data subject requests, or security disclosures, use the contact section on this page or the channels listed in the site footer. Please include a clear description of your request and, where relevant, the email address associated with your account.
Operator: Isaiah P. Nyalali — BIT2025 by Isaiah (UDSM CoICT alumni project).