Privacy Policy

1. Introduction

Peakpoint Services ("we", "us", "our") operates the MRI Training Platform ("Platform") to provide assessment and training services for MRI technician candidates in Zimbabwe. This Privacy Policy applies to all personal data we collect through the Platform.

Data Controller: Peakpoint Services, registered and operating in Zimbabwe.

Legal Basis: We process your data in accordance with:

• Zimbabwe's Postal and Telecommunications Regulatory Authority (POTRAZ) Data Protection Act
• General Data Protection Regulation (GDPR) principles
• Consent provided during registration
• Contractual necessity for service provision
• Legitimate business interests
• Legal obligations under Zimbabwe law

2. Personal Data We Collect

2.1 Information You Provide Directly

Data Category	Specific Information	Purpose
Account Information	Username, password (encrypted), email address	Account creation, authentication, communication
Personal Identification	Full name, date of birth, national ID number, gender	Identity verification, candidate tracking, legal compliance
Contact Details	Phone number, physical address, city, province	Communication, regional analytics, certificate delivery
Professional Information	Employment status, employer, years of experience, education level, institution, license number	Candidate assessment, program eligibility, skills tracking
Demographic Data	Location, employment sector, education background	Program development, regional planning, reporting

2.2 Information Collected Automatically

Data Category	Specific Information	Purpose
Technical Data	IP address, browser type, device information, operating system	Security, technical support, service optimization
Usage Data	Login times, pages visited, features used, time spent	Platform improvement, user experience enhancement
Assessment Data	Test responses, scores, time taken per question, attempt history	Performance evaluation, certification, analytics
Proctoring Data	Webcam images (periodic snapshots), screen captures, browser activity logs	Test integrity, anti-cheating measures, quality assurance

2.3 Sensitive Personal Data

We collect limited sensitive data only when necessary:

• Medical/Health Data: Only if relevant to MRI safety protocols (processed with explicit consent)
• Biometric Data: Facial recognition during proctoring (stored temporarily, processed with consent)

3. How We Use Your Personal Data

3.1 Primary Purposes

• Service Provision: Account management, test administration, result delivery
• Authentication: Verify your identity and prevent unauthorized access
• Assessment: Evaluate your performance, provide feedback, issue certifications
• Communication: Send important updates, test schedules, results, and notifications
• Proctoring: Monitor test integrity and prevent cheating
• Plagiarism Detection: Compare responses to detect similarities
• Analytics: Generate performance reports, identify skill gaps, track progress

3.2 Secondary Purposes

• Platform Improvement: Enhance user experience and features
• Research: Conduct anonymized studies on training effectiveness
• Compliance: Meet legal and regulatory obligations
• Security: Detect and prevent fraud, abuse, or security threats
• Business Operations: Internal record-keeping, quality assurance

3.3 Legal Basis for Processing

Processing Activity	Legal Basis
Account creation and management	Contractual necessity, Consent
Test administration and proctoring	Consent, Contractual necessity
Performance assessment	Contractual necessity, Legitimate interest
Communication (essential)	Contractual necessity
Marketing communications	Consent (opt-in)
Platform analytics	Legitimate interest
Legal compliance	Legal obligation

4. Data Sharing and Disclosure

4.1 We Share Data With:

Service Providers:

• Cloud hosting providers (data storage and Platform infrastructure)
• Email service providers (communications)
• Payment processors (if applicable)
• Analytics providers (usage statistics)

Note: All service providers are contractually bound to protect your data and use it only for specified purposes.

Authorized Third Parties:

• Employers/Sponsors: With your consent, we may share your results with authorized employers or training sponsors
• Regulatory Bodies: POTRAZ or other Zimbabwe authorities when legally required
• Professional Bodies: Relevant medical or radiography councils for certification purposes

4.2 We Do NOT:

• ❌ Sell your personal data to third parties
• ❌ Share your data for marketing purposes without consent
• ❌ Transfer data outside Zimbabwe without adequate safeguards
• ❌ Use your data for purposes unrelated to the Platform

4.3 Legal Disclosures

We may disclose your data when required by law, including:

• Court orders or legal proceedings
• POTRAZ investigations or regulatory inquiries
• Law enforcement requests
• Protection of our rights, property, or safety
• Fraud prevention or security investigations

5. Data Security Measures

5.1 Technical Security

• Encryption: Data transmitted using TLS/SSL encryption (HTTPS)
• Password Protection: Passwords stored using strong cryptographic hashing
• Secure Hosting: Data stored on secure servers with firewall protection
• Access Controls: Role-based access with multi-factor authentication for administrators
• Regular Backups: Automated backups with encryption
• Vulnerability Testing: Regular security audits and penetration testing

5.2 Organizational Security

• Data Access Policy: Only authorized personnel can access personal data
• Staff Training: Regular training on data protection and security
• Confidentiality Agreements: All staff sign confidentiality agreements
• Incident Response Plan: Procedures for handling data breaches

5.3 Proctoring Data Security

• Webcam images compressed and stored securely
• Automatic deletion after 30 days (unless flagged for review)
• Access restricted to authorized proctoring reviewers only
• Images not used for any purpose other than test integrity

6. Data Retention

Data Type	Retention Period	Reason
Account Information	Duration of account + 2 years	Legal obligations, dispute resolution
Test Results	Permanently (anonymized after 5 years)	Certification records, historical data
Proctoring Images	30 days (90 days if flagged)	Test integrity verification
Usage Logs	12 months	Security, technical support
Communication Records	3 years	Legal compliance, audit trail
Financial Records	7 years	Tax and accounting requirements

When data is no longer required, we securely delete or anonymize it. You may request earlier deletion, subject to legal retention requirements.

7. Your Data Protection Rights

Under Zimbabwe's POTRAZ Data Protection Act and GDPR principles, you have the following rights:

7.1 Right of Access

You can request a copy of your personal data we hold. We will provide this within 30 days of your request.

7.2 Right to Rectification

You can request correction of inaccurate or incomplete data. Update your profile directly or contact us.

7.3 Right to Erasure ("Right to be Forgotten")

You can request deletion of your data, except where:

• We need it to comply with legal obligations
• It's required for certification records
• There are active legal proceedings
• It's necessary for fraud prevention

7.4 Right to Restrict Processing

You can request we limit how we use your data while we:

• Verify the accuracy of disputed data
• Determine the legitimacy of processing
• Assess a deletion request

7.5 Right to Data Portability

You can request your data in a structured, machine-readable format (e.g., CSV, JSON) for transfer to another service.

7.6 Right to Object

You can object to processing based on legitimate interests or for marketing purposes.

7.7 Right to Withdraw Consent

Where processing is based on consent, you can withdraw it at any time. This doesn't affect the lawfulness of processing before withdrawal.

7.8 Right to Lodge a Complaint

You have the right to complain to:

• Peakpoint Services DPO: dpo@peakpoint.africa
• POTRAZ: Postal and Telecommunications Regulatory Authority of Zimbabwe

8. Cookies and Tracking Technologies

8.1 What We Use

• Essential Cookies: Required for Platform functionality (login sessions, security)
• Performance Cookies: Help us understand how you use the Platform
• Functional Cookies: Remember your preferences

8.2 Your Control

You can control cookies through your browser settings. Note that disabling essential cookies may affect Platform functionality.

8.3 Third-Party Cookies

We may use third-party analytics tools (e.g., Google Analytics) that place cookies. These are governed by third-party privacy policies.

9. International Data Transfers

Your data is primarily stored and processed in Zimbabwe. If we transfer data internationally, we ensure:

• Adequate safeguards are in place (e.g., Standard Contractual Clauses)
• Destination countries have adequate data protection laws
• Explicit consent is obtained when required
• POTRAZ guidelines on cross-border transfers are followed

10. Children's Privacy

The Platform is intended for individuals 18 years and older. We do not knowingly collect data from children under 18. If we discover we have collected data from a minor, we will delete it immediately.

If you believe a minor has provided us with personal data, please contact us at: privacy@peakpoint.africa

11. Data Breach Notification

In the unlikely event of a data breach affecting your personal information, we will:

1. Notify POTRAZ within 72 hours of discovery (as required by law)
2. Notify affected users without undue delay
3. Provide details of the breach, affected data, and remedial actions
4. Offer guidance on protective measures you can take

12. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in:

• Our data practices
• Platform features
• Legal or regulatory requirements
• Technology or security measures

We will notify you of significant changes by:

• Email to your registered address
• Prominent notice on the Platform
• In-app notification

The "Last Updated" date at the top reflects the most recent revision. Your continued use after changes constitutes acceptance.