Privacy Policy || Stunov - School Management System

Privacy Policy

Last updated: March 2026

This Privacy Policy describes how FiNENOV SARL ("FiNENOV", "we", "us"), operating the Stunov platform, collects, uses, stores, and protects personal data in connection with the Stunov school management service (the "Platform"). By using the Platform, you acknowledge that you have read and understood this policy.

Article 1 — Data Controller and Processor Roles

Under applicable data protection law, including Cameroon Law No. 2010-012 of 21 December 2010 on cybersecurity and personal data protection, each subscribing school (the "Client") acts as the data controller for the personal data of its students, parents, and staff. FiNENOV SARL acts as the data processor, processing personal data solely on behalf of and under the instructions of the Client, in accordance with the terms of the subscription agreement and this policy.

Article 2 — Data Collected

The Platform may collect and process the following categories of personal data: (a) Client account information: school administrator name, email, phone number, school name, and address; (b) billing and subscription data: payment method details, transaction records, invoices; (c) operational data: student records, attendance, grades, timetables, and communications entered by Client users; (d) technical data: IP addresses, browser type, device identifiers, access logs, and session cookies; (e) support data: correspondence and support tickets submitted to FiNENOV.

Article 3 — Legal Basis for Processing

Personal data is processed on one or more of the following legal bases: (a) contractual necessity — processing required to deliver the subscribed services; (b) legitimate interest — platform security monitoring, fraud prevention, service improvement; (c) legal obligation — compliance with Cameroon law, tax regulations, ANTIC directives; (d) consent — where specifically obtained for optional features such as marketing communications.

Article 4 — Purposes of Processing

Data is processed for the following purposes: (a) provision and operation of the Platform; (b) account management and authentication; (c) billing, invoicing, and payment processing; (d) technical support and incident resolution; (e) security monitoring and abuse prevention; (f) aggregated analytics to improve the service (no individual profiling); (g) compliance with legal and regulatory obligations.

Article 5 — Third-Party Services and Sub-Processors

FiNENOV may engage sub-processors to deliver parts of the service, including but not limited to: (a) cloud infrastructure providers for hosting and data storage; (b) push notification services (e.g., Firebase Cloud Messaging) for mobile alerts; (c) email delivery services (SMTP providers) for transactional emails; (d) payment gateway providers for subscription billing. All sub-processors are contractually bound to process data only as instructed and to maintain appropriate security measures. A current list of sub-processor categories is available upon request.

Article 6 — Cookies and Tracking Technologies

The Platform uses: (a) strictly necessary cookies — session management, CSRF protection, authentication tokens; (b) functional cookies — language preference, interface settings. The Platform does not use third-party advertising trackers. If analytics cookies are introduced, users will be informed and, where required, their consent obtained.

Article 7 — Cross-Border Data Transfers

Platform servers may be located in or outside the Republic of Cameroon. Where personal data is transferred outside Cameroon, FiNENOV ensures that appropriate safeguards are in place, including contractual data protection clauses with hosting providers, in compliance with applicable Cameroon law and international standards.

Article 8 — Data Security

FiNENOV implements reasonable technical and organizational security measures, including: (a) encryption of data in transit (TLS/SSL) and at rest where applicable; (b) tenant database isolation — each school's data is stored in a separate database; (c) role-based access controls; (d) regular automated backups; (e) access logging and monitoring. No system can guarantee absolute security. FiNENOV is not liable for unauthorized access resulting from Client-side security failures (e.g., shared passwords, compromised devices).

Article 9 — Data Retention

Personal data is retained for the duration of the Client's active subscription plus any legally mandated retention period. Upon subscription termination, Client data is retained for thirty (30) calendar days to allow for recovery or data export. After this period, data is permanently deleted or irreversibly anonymized unless longer retention is required by applicable law.

Article 10 — Data Subject Rights

In accordance with applicable law, data subjects may exercise the following rights: (a) right of access — obtain confirmation of whether personal data is processed and request a copy; (b) right of rectification — request correction of inaccurate data; (c) right of deletion — request erasure of personal data, subject to legal retention requirements; (d) right of data portability — receive personal data in a structured, machine-readable format; (e) right to object — object to processing based on legitimate interest. For data processed by a school (Client), requests should be directed to the school administration. For data processed directly by FiNENOV (billing, account data), requests may be sent to privacy@stunov.com.

Article 11 — Children's Data

The Platform processes personal data of minors (students) solely on behalf of subscribing schools acting as data controllers. Schools are responsible for ensuring that appropriate parental or guardian consent is obtained in accordance with applicable Cameroon law and, where relevant, international standards (e.g., GDPR Article 8, COPPA). FiNENOV does not knowingly collect personal data directly from minors without school and parental authorization.

Article 12 — Data Breach Notification

In the event of a personal data breach that poses a risk to the rights and freedoms of data subjects, FiNENOV will: (a) notify affected Client schools without undue delay, and no later than seventy-two (72) hours after becoming aware of the breach; (b) provide details of the nature of the breach, data categories affected, and remedial measures taken. Client schools are responsible for notifying their own users (students, parents, staff) as required by applicable law.

Article 13 — Contact and Supervisory Authority

For questions or requests regarding this Privacy Policy, contact FiNENOV SARL at: privacy@stunov.com. Complaints may also be directed to the Agence Nationale des Technologies de l'Information et de la Communication (ANTIC), the competent supervisory authority under Cameroon law.

Article 14 — Policy Updates

FiNENOV reserves the right to update this Privacy Policy at any time. Material changes will be communicated via email or dashboard notification at least thirty (30) days before taking effect. Continued use of the Platform after the effective date constitutes acceptance of the updated policy.