Privacy Policy

This Privacy Policy describes how personal data is processed in connection with the Pamoja.aiplatform and the website pamoja.ai. Pamoja.ai by Galago is designed to support GDPR requirements and to help customers manage data responsibly. Nothing in this policy constitutes a claim of formal GDPR “certification”.

Pamoja.ai is operated by Marc Bonis-Charancle EI, trading as Galago. Registered address: 39 rue Marcel Cerdan, 92160 Antony, France. Contact: marcbonischarancle@gmail.com.

Pamoja.ai by Galago acts in two distinct capacities:

• Processor for the customer-controlled programme data uploaded or generated by customer organisations (foundations, schools, trusts, NGOs) within the platform — for example student profiles, donor records, sponsorships, school information and uploaded documents. The customer is the controller for that data.
• Controller for account, billing, website analytics, commercial contact data and security logs that we collect for our own purposes.

The full controller / processor allocation for B2B customers is set out in the Data Processing Agreement.

• User account data — name, email, role, password hash, MFA factors, last login.
• Organisation and billing data — legal name, billing address, country, VAT number, billing email, contract signer, purchase orders.
• Student profile data — names, school enrolment, year, programme status, sponsorship status. Uploaded by authorised customer staff.
• School and academic data — school details, partner schools, grades and academic milestones uploaded by customers.
• Donor / sponsor data — names, contact details, sponsorship history, communication preferences, payment history (high-level, not card data).
• Documents uploaded by customers — scholarship applications, ID documents, school reports, contracts, certificates.
• Support and communication data — emails sent to support, feedback, in-app messages.
• Technical logs and security data — IP address, user-agent, audit logs, error traces, access logs.

• Provide the Pamoja.ai SaaS platform.
• Manage user accounts, authentication and access rights.
• Support scholarship programme administration on behalf of customer organisations.
• Generate reports, dashboards and exports requested by customers.
• Provide customer support.
• Ensure security, abuse prevention and auditability.
• Manage billing and subscriptions.
• Improve the product.

• Performance of a contract — to deliver the platform you or your organisation subscribed to.
• Legitimate interests — service security, fraud prevention, product improvement and limited commercial outreach.
• Legal obligation — bookkeeping, tax records, statutory disclosures.
• Customer instructions — where Pamoja acts as a processor on behalf of a customer organisation.
• Consent — only where strictly required, for example optional analytics cookies or marketing emails.

Customer programme data (students, donors, schools, documents, communications) is retained for the duration of the customer’s subscription unless otherwise agreed in writing. After termination, data can be exported and then deleted in accordance with the contractual terms — typically within 30 days of the end of the agreed deletion window.

Account and billing data are retained for as long as required to comply with French and European accounting and tax obligations.

Specific retention periods can be agreed in a customer DPA where required.

We share personal data only with the categories of recipients listed below:

• Hosting and infrastructure providers (see Subprocessors).
• Database and storage providers.
• Authentication and email-delivery providers.
• Payment and billing providers, where the customer uses card payments.
• AI providers, only when AI features are explicitly enabled by the customer.
• Professional advisors (accountant, legal counsel) and competent authorities, where legally required.

We do not sell personal data and we do not use it for advertising.

The platform is hosted in the European Union (Supabase Frankfurt, eu-central-2) and served via Vercel’s edge network. Some subprocessors may operate from outside the EU/EEA. Where that is the case, transfers are protected using appropriate safeguards — typically the European Commission’s Standard Contractual Clauses and additional technical measures — as required by Chapter V of the GDPR.

If you are based in the EEA, the United Kingdom or another jurisdiction with similar rights, you have the right to:

• Access the personal data we hold about you.
• Rectify inaccurate or incomplete data.
• Request erasure (“right to be forgotten”) where applicable.
• Restrict processing in certain situations.
• Object to processing based on legitimate interests.
• Receive your data in a portable format and have it transmitted to another controller where technically feasible.
• Withdraw consent at any time, where consent is the legal basis.
• Lodge a complaint with your local data protection authority — in France, the CNIL ( cnil.fr).

If your personal data is held by Pamoja.ai on behalf of a customer organisation (for example because you are a student or donor of that organisation), please direct your request to that organisation in the first instance. We will route the request to the right contact and assist as required by the GDPR.

Pamoja.ai is not a public social network and is not directed to the general public. Student data is managed by authorised organisations such as foundations, schools or trusts under their own policies and lawful basis.

Donor / student communication features include safeguarding controls: optional moderation, masking of personal contact details, audit trails, role-based access and the ability for the customer organisation to remove a user or a record at any time.

Questions or requests: marcbonischarancle@gmail.com. We aim to respond within one month, in line with article 12 GDPR.

We may update this policy from time to time. Material changes will be communicated to customers by email and/or in-app notice. Continued use of the platform after the effective date of the updated policy constitutes acceptance of the changes.