1. Introduction and Group Structure

This Group Privacy Policy (“Policy”) applies to all services and platforms operated by The Craft Catalyst Limited (“The Craft Catalyst”, “we”, “us”, “our”), a company incorporated in Kenya and registered as a Data Controller with the Office of the Data Protection Commissioner (ODPC) of Kenya (Registration No. [INSERT]). The Craft Catalyst is the group holding entity and the single data controller responsible for all personal information processed across its services.

The Craft Catalyst operates two distinct service lines:

• CraftEd — an authorised international student placement and recruitment agency that recruits eligible students from East Africa and refers them to accredited partner universities in Malaysia for undergraduate, postgraduate, and professional programmes. The Craft Catalyst acts as an authorised agent of each Partner University under a formal Agency Agreement.
• CraftEx — a virtual work simulation platform that provides AI-assessed, scenario-based professional skills development tools for students, job-seekers, and corporate clients across East Africa.

This Policy governs the collection, use, storage, sharing, and protection of your personal data across both services (together, the “Platforms”). Where a provision applies exclusively to one service, this is clearly stated. By using either Platform, you acknowledge that you have read and understood this Policy.

2. Legal and Regulatory Framework

As a Kenyan-registered data controller operating across East Africa and processing data that is transferred to Malaysia, The Craft Catalyst complies with the following legal frameworks:

2.1 Primary Jurisdiction — Kenya

• Data Protection Act, 2019 (No. 24 of 2019) — primary governing statute
• Data Protection (General) Regulations, 2021
• Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021
• Constitution of Kenya, 2010, Article 31 (Right to Privacy)

2.2 East African Jurisdictions (Student Recruitment Regions)

• Uganda: Data Protection and Privacy Act, 2019 and the Data Protection and Privacy Regulations, 2021
• Rwanda: Law No. 058/2021 of 13/10/2021 on the Protection of Personal Data and Privacy
• Tanzania: Personal Data Protection Act, 2022 (where in force)
• Ethiopia: Computer Crime Proclamation No. 958/2016 and applicable Ministry of Innovation and Technology directives

2.3 Destination Jurisdiction — Malaysia (CraftEd)

• Personal Data Protection Act 2010 (Malaysia) (PDPA 2010) — applies to personal data transferred to and processed by Partner Universities in Malaysia
• Partner Universities are independent data controllers under Malaysian law and are bound by their own privacy policies and the Malaysian PDPA 2010 once data has been lawfully transferred to them

2.4 Continental and International Frameworks

• African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention, 2014)
• GDPR (EU) 2016/679 principles are applied as a benchmark for international best practice where local law is silent

In the event of a conflict between the laws of different jurisdictions, The Craft Catalyst applies the standard that affords the greater protection to the individual.

3. Who This Policy Applies To

This Policy applies to all individuals whose personal data is processed by The Craft Catalyst, including:

• Students and Applicants — individuals from East Africa who use CraftEd to apply for placement at a Partner University in Malaysia, or who use CraftEx for skills development or assessment
• Corporate Clients — organisations that access CraftEx to commission simulations or assess candidates
• Partner Universities — accredited Malaysian universities that have appointed The Craft Catalyst as an authorised recruitment agent; their staff may interact with our Platform in connection with application processing
• Visitors — individuals who browse either Platform without registering

4. Information We Collect

4.1 CraftEd — International Student Placement

Because CraftEd facilitates the placement of East African students at Malaysian universities, we collect a more comprehensive set of personal data than is typical for a digital platform. This is necessary to assess eligibility, prepare applications, and comply with university and immigration requirements.

Student and Applicant Data

• Full legal name, date of birth, gender, nationality, and country of residence
• National identity document number or passport number and expiry date
• Personal email address, phone number, and residential address
• Academic transcripts, certificates, and qualifications (secondary school and above)
• English language proficiency test results (e.g. IELTS, TOEFL, or equivalent)
• Personal statement, reference letters, and any other supporting application documents
• Programme preferences, intended field of study, and target intake year
• Financial information provided for scholarship or financial aid applications (where applicable)
• Profile photograph (as required by Partner Universities)
• Emergency contact details (name and phone number of a parent or guardian)
• Immigration history or visa refusal history (where disclosed voluntarily or required by a Partner University)
• Application status, communication history with Partner Universities, and offer letter details

Partner University Staff Data

• Name, title, institutional email address, and phone number of admissions contacts
• Communication records relating to student applications

4.2 CraftEx — Virtual Work Simulation Platform

Students, Job-Seekers, and Individual Users

• Full name, email address, and phone number
• Educational background and professional experience
• National ID or passport number (for identity verification where required)
• Simulation performance data: task completion rates, scores, decision patterns, and time-on-task
• AI-generated assessments, feedback reports, and competency ratings
• Video or audio recordings submitted as part of simulation tasks (where applicable and with explicit consent)
• Skills badges and competency certificates earned
• Career interests and job-readiness indicators

Corporate Clients

• Company name, industry, and business registration details
• Contact person name, title, email address, and phone number
• Custom simulation briefs and scenario requirements
• Candidate shortlists and evaluation notes generated through the Platform
• Subscription and billing information

4.3 Information Collected Automatically (Both Platforms)

• Technical Data: IP address, browser type, device information, and operating system
• Usage Data: Pages visited, time on Platform, click patterns, and feature usage
• Performance Data: Response times, errors, and page load times
• Security Data: Login attempts, authentication events, and security logs

4.4 Sensitive Personal Data

CraftEd applications may incidentally involve sensitive personal data, such as disability disclosures made voluntarily for accommodation requests, or immigration and visa history shared at the request of a Partner University. We collect such data only where it is strictly necessary for the application, with your explicit consent. You are not obliged to disclose sensitive data beyond what is required by the Partner University to which you are applying.

CraftEx does not intentionally collect sensitive personal data. If you voluntarily include such information in a simulation response or profile, you consent to its processing for the purposes described in this Policy.

4.5 Cookies and Tracking Technologies

Both Platforms use cookies and similar technologies to maintain login sessions, personalise recommendations, analyse usage, prevent fraud, and remember regional settings. You may manage cookie preferences through your browser settings, though restricting certain cookies may limit Platform functionality. A full Cookie Policy is available on each Platform.

5. How We Use Your Information

5.1 CraftEd — Placement-Specific Purposes

• Assessing your eligibility for programmes offered by Partner Universities based on your academic profile and stated preferences
• Preparing, compiling, and submitting complete and accurate applications to Partner Universities on your behalf
• Communicating with Partner Universities regarding application status, conditional offer requirements, and enrolment procedures
• Transmitting Offer Letters and official correspondence from Partner Universities to you
• Facilitating introductions to scholarship and financial aid opportunities offered by Partner Universities
• Providing general pre-departure guidance on Malaysian student visa processes, travel, accommodation, and orientation
• Maintaining records of your application history and our agency correspondence for compliance and audit purposes
• Complying with our obligations to Partner Universities under Agency Agreements

5.2 CraftEx — Simulation-Specific Purposes

• Delivering and scoring virtual work simulations
• Generating AI-powered performance feedback and skills assessments
• Issuing verified digital skills badges and competency certificates
• Providing Corporate Clients with candidate performance data, subject to User consent or prior disclosure
• Developing and improving simulation content and AI assessment accuracy

5.3 Shared Group Purposes

• Creating, verifying, and maintaining user accounts across the Group
• Detecting and preventing fraud, identity misrepresentation, and security threats
• Sending Platform updates, policy changes, and service notifications
• Conducting analytics to improve products, features, and user experience
• Complying with legal and regulatory obligations across all operating jurisdictions
• Enforcing the Group Terms of Service and resolving disputes

5.4 Lawful Basis for Processing

All processing is grounded in one or more of the following lawful bases:

• Contractual necessity — to deliver the placement or simulation services you have requested
• Legitimate interests — to operate and improve our Platforms, prevent fraud, and fulfil our agency obligations to Partner Universities, balanced against your rights
• Consent — for sensitive data, optional features, marketing communications, and the sharing of simulation data with specific employers (consent may be withdrawn at any time)
• Legal obligation — where processing is required by applicable law in any jurisdiction we operate

6. Information Sharing and Disclosure

Important: The Craft Catalyst does not sell your personal data to any third party, under any circumstances.

6.1 Sharing with Partner Universities (CraftEd)

This is the most significant data sharing activity under this Policy. By submitting an application through CraftEd, you explicitly consent to The Craft Catalyst sharing your personal data, academic records, and supporting documents with the Partner University or universities to which you are applying. This sharing is the core purpose of the CraftEd service and is necessary to process your application.

The following categories of data are shared with Partner Universities:

• Full name, date of birth, nationality, and passport or national ID details
• Academic transcripts, qualifications, and language proficiency results
• Personal statement, reference letters, and all other application documents you have submitted
• Programme preferences, financial aid requests, and any supplementary information required by the university
• Contact information for communication purposes

Partner Universities receiving your data are independent data controllers. Once your data has been lawfully transferred to a Partner University, that university is responsible for its handling in accordance with Malaysia’s Personal Data Protection Act 2010 (PDPA 2010) and its own privacy policy. The Craft Catalyst is not responsible for the data handling practices of Partner Universities after transfer. We strongly encourage you to review the privacy policy of any Partner University to which you apply.

6.2 Within the CraftEd Service

Your application data is accessible only to The Craft Catalyst staff responsible for managing your application and to the specific Partner University or universities to which you have applied. Your data is not shared with other students, other Partner Universities, or third parties except as described in this Policy.

6.3 Corporate Clients (CraftEx)

A Corporate Client may access a User’s CraftEx simulation results only where the User has applied to that client through CraftEx, has given explicit consent for their results to be shared with that client, or enrolled in a simulation with prior notice that results would be shared. Anonymised, aggregated data that does not identify any individual may be shared with Corporate Clients or research partners for sector-level insights.

6.4 Within the Group (CraftEd and CraftEx)

As a Group sharing a single data controller, data may flow between CraftEd and CraftEx where it serves a legitimate and proportionate purpose, for example to maintain a unified user profile for a Student active on both Platforms. All intra-group data flows are governed by internal data sharing protocols consistent with this Policy.

6.5 Service Providers

We share data with vetted third-party service providers who assist with cloud hosting and storage, email and communication delivery, AI and machine learning processing, payment processing, and security monitoring. All providers are contractually bound to process data solely on The Craft Catalyst’s instructions and to implement security measures at least equivalent to those in this Policy.

6.6 Legal Disclosure

We may disclose personal data when required by a court order, law enforcement request, or regulatory directive from a competent authority in Kenya, Uganda, Tanzania, Rwanda, Ethiopia, or Malaysia. We will notify you of such a request unless legally prohibited from doing so or where notification could compromise a lawful investigation.

6.7 Business Transfers

In the event of a merger, acquisition, restructuring, or sale of assets, your personal data may transfer to the successor entity. We will provide at least 30 days’ advance notice and inform you of any change in data controller before such a transfer takes effect.

7. International Data Transfers

7.1 Transfers to Malaysia (CraftEd)

The core function of CraftEd necessarily involves the transfer of your personal data from East Africa to Malaysia, specifically to the Partner University or universities to which you are applying. This transfer is made on the basis of contractual necessity — it is required to deliver the placement service you have requested — and with your explicit consent given at the point of application.

Malaysia has a data protection framework in the form of the Personal Data Protection Act 2010 (PDPA 2010), which governs the processing of personal data by commercial entities, including universities. Before transferring your data to any Partner University, The Craft Catalyst requires that university to confirm its compliance with the PDPA 2010 and with the data handling obligations set out in the Agency Agreement. The Craft Catalyst will not transfer data to a Partner University that it has reason to believe is non-compliant with applicable data protection law.

7.2 Transfers Outside the East African Region (Technical Services)

Your personal data may also be processed outside East Africa in connection with cloud infrastructure, AI processing, technical support, and analytics services. Before any such transfer, The Craft Catalyst ensures that at least one of the following safeguards is in place:

• A Data Processing Agreement incorporating Standard Contractual Clauses (SCCs) or equivalent contractual protections
• Transfer to a jurisdiction recognised by the Kenya ODPC as providing adequate protection
• A Transfer Impact Assessment (TIA) conducted and documented where required
• Regular compliance audits of all international service providers

7.3 Your Rights Regarding International Transfers

You may request information about the specific safeguards applied to the transfer of your data to any particular recipient, including Partner Universities, by contacting security@thecraftcatalyst.com. Where a transfer is based on consent, you may withdraw that consent at any time, though withdrawal will prevent us from processing your application to the relevant Partner University.

8. Data Security and Protection

8.1 Technical Safeguards

• SSL/TLS encryption for all data in transit between your device and our servers
• Encryption of personal data at rest using industry-standard algorithms
• Regular penetration testing, vulnerability scanning, and security patching
• Multi-factor authentication (MFA) available and recommended for all accounts
• Intrusion detection and continuous security monitoring

8.2 Administrative Safeguards

• Background screening for all staff and contractors with access to personal data
• Role-based access controls — staff access only the data necessary for their function
• Mandatory annual data protection and security awareness training
• Documented incident response and escalation procedures
• Regular internal audits of data handling practices

8.3 Document Security (CraftEd)

Given the sensitivity of the academic, identity, and financial documents submitted through CraftEd, additional controls apply:

• Application documents are stored in access-controlled, encrypted repositories
• Documents are accessible only to staff directly managing the relevant application and to the designated admissions contact at the relevant Partner University
• Documents submitted for one application are not reused for a different Partner University without your explicit authorisation
• Physical or digital copies of your documents will not be retained by The Craft Catalyst beyond the retention periods specified in Section 8.5 below

8.4 Data Breach Notification

In the event of a personal data breach likely to result in risk to individuals, The Craft Catalyst will:

• Notify the Kenya ODPC within 72 hours of becoming aware (Data Protection (General) Regulations, 2021, Reg. 18)
• Notify the relevant authority in other affected jurisdictions: Uganda and Rwanda — without undue delay; Tanzania and Ethiopia — as required by applicable law
• Notify affected individuals without undue delay where the breach is likely to result in high risk to their rights and freedoms
• Where a breach involves data already transferred to a Partner University, notify that university immediately so it can take appropriate action under its own obligations
• Maintain a written record of all breaches, including those not reported externally

8.5 Data Retention

We retain personal data for the following standard periods, after which data is securely deleted or irreversibly anonymised:

• Active accounts: Duration of use plus 3 years
• Inactive accounts: 2 years from last login
• CraftEd application records and supporting documents: 5 years from the date of the last application activity (whether the application resulted in enrolment or not), to comply with educational agency record-keeping obligations
• CraftEd communication records with Partner Universities: 5 years
• CraftEx simulation performance records: 3 years
• Billing and financial records: 7 years (as required by Kenyan tax law and equivalent local requirements)
• Security and audit logs: 12 months
• Marketing communications data: Until withdrawal of consent or unsubscribe request

Note: If you withdraw your application or close your account, we will delete your data in accordance with the above schedule. We are unable to delete data that has already been transmitted to a Partner University; any such deletion request must be made directly to the university.

9. Your Rights and Choices

The Craft Catalyst respects and upholds your data protection rights. Depending on your country of residence, you may have the following rights:

• Right of Access — Request a copy of all personal data we hold about you across either or both Platforms, including details of how it is used and to whom it has been shared.
• Right of Rectification — Request correction of inaccurate or incomplete personal data. For CraftEd, you must also notify the relevant Partner University directly of any corrections after your application has been submitted.
• Right of Erasure — Request deletion of your personal data where we no longer have a lawful basis to retain it. Note that data already shared with a Partner University is outside our control; deletion requests for that data must be directed to the university.
• Right to Object — Object to processing based on legitimate interests, including direct marketing.
• Right of Portability — Request a copy of your data in a structured, machine-readable format.
• Right to Restrict Processing — Request that we limit how we process your data, for example while a complaint is being resolved.
• Right to Withdraw Consent — Where processing is based on consent, you may withdraw it at any time. For CraftEd, withdrawing consent to share data with a specific Partner University will prevent us from processing or continuing your application to that university.

9.1 How to Exercise Your Rights

Submit a written request to securit@thecraftcatalyst.com. We will acknowledge within 5 business days and respond substantively within 30 days. We may request proof of identity before processing your request. There is no fee for exercising your rights, except where requests are manifestly unfounded or excessive.

9.2 Regulatory Complaints

If you are not satisfied with our response, you may lodge a complaint with the relevant data protection authority:

• Kenya: Office of the Data Protection Commissioner (ODPC) — odpc.go.ke |  info@odpc.go.ke
• Uganda: Personal Data Protection Office (PDPO) — pdpo.go.ug
• Rwanda: National Cyber Security Authority (NCSA) — ncsa.gov.rw
• Tanzania: Tanzania Communications Regulatory Authority (TCRA) — tcra.go.tz
• Ethiopia: Ministry of Innovation and Technology (MInT) or designated authority
• Malaysia (for data held by Partner Universities): Personal Data Protection Commissioner — pdp.gov.my

10. Children’s Privacy

Neither CraftEd nor CraftEx is directed at children under the age of 16. For CraftEd, students aged 17 may submit applications where they will reach the age of 18 before or during their intended enrolment year at a Partner University, provided verified parental or guardian consent is obtained and documented before the application is submitted. We do not knowingly collect personal data from any individual under 16 without verified parental consent.

If you believe we have inadvertently collected data from a child under 16 without proper consent, please contact privacy@thecraftcatalyst.co.ke immediately and we will take prompt action to delete such data.

11. Automated Decision-Making and AI Processing

The Platforms use AI and automated systems in the following ways:

• CraftEd: AI-assisted matching of Student profiles to suitable Partner University programmes based on academic qualifications, language proficiency, budget range, and stated career interests. Matching outputs are recommendations only — final programme selection is always made by the Student and final admission decisions are always made by the Partner University.
• CraftEx: AI-powered scoring, feedback generation, and skills gap analysis for simulation tasks. AI assessments support but do not replace human judgement in hiring or placement decisions.

No automated system on either Platform makes a binding decision about your application or your future. However, where an AI-generated output materially influences a recommendation presented to you or to a Partner University or Corporate Client, you have the right to:

• Request a human review of the automated output
• Obtain a plain-language explanation of the criteria and logic applied
• Provide additional context or contest the output

To exercise this right, contact dpo@thecraftcatalyst.co.ke with the subject line “Automated Decision Review”. We will respond within 10 business days.

12. Changes to This Policy

We may update this Policy periodically to reflect changes in our operations, applicable law, Partner University relationships, or best practice. We will notify you of material changes by email and via a prominent notice on both Platforms at least 30 days before the new version takes effect. Minor or administrative updates will be reflected in the Effective Date above without advance notice.

Your continued use of either Platform after the effective date constitutes acceptance of the updated Policy. If you do not accept the revised Policy, you should cease using the affected Platform and may request account closure. For CraftEd, note that applications already submitted to Partner Universities prior to policy change are not affected by the revised Policy.

13. Contact Information

The Craft Catalyst — Data Protection Officer

• Email: security@thecraftcatalyst.com
• Phone: +254 742 950 093
• Address: Riverside Drive

General Privacy Enquiries

• Email: security@thecraftcatalyst.com
• CraftEd (Placement): security@thecraftcatalyst.com
• CraftEx (Simulations): security@thecraftcatalyst.com

Regulatory Authorities

• Kenya (Lead Supervisory Authority): Office of the Data Protection Commissioner (ODPC) — odpc.go.ke |  info@odpc.go.ke
• Malaysia (Partner University Data): Personal Data Protection Commissioner — pdp.gov.my