We are committed to collecting only what we need, using it only for the purposes stated, keeping it secure, and respecting the rights of every individual whose data we hold. This policy reflects that commitment and guides every member of our organisation.
Overview of the Policy
1.1 Definitions
- Personal Data — Any information relating to an identified or identifiable natural person (data subject), including name, phone number, email address, location, financial information, or any combination thereof.
- Data Controller — Code Dreamers Limited, which determines the purposes and means of processing personal data.
- Data Processor — Any party that processes personal data on behalf of Code Dreamers Limited.
- Data Subject — The individual whose personal data is collected and processed.
- Processing — Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
- DPO — Data Protection Officer, responsible for overseeing compliance with this policy.
- PDPA — Personal Data Protection Act of Tanzania, Cap. 44 (2022).
- PDPC — Personal Data Protection Commission of Tanzania.
- Consent — Freely given, specific, informed and unambiguous agreement by a data subject to the processing of their personal data.
- Data Breach — A security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
1.2 Introduction
Code Dreamers Limited is a Tanzanian software development company providing software solutions, mobile applications and website hosting services to clients across Tanzania, Malawi and Kenya. In the course of delivering these services, we collect and process personal data belonging to our clients, their end users, school staff, students, parents and members of the public who interact with our services.
We recognise that the individuals behind this data deserve respect, transparency and protection. This policy sets out how we honour that responsibility in full compliance with the PDPA.
1.3 Purpose
The purpose of this policy is to:
- Establish clear standards for the collection, use, storage and disposal of personal data across all Code Dreamers services
- Ensure compliance with the Personal Data Protection Act of Tanzania (Cap. 44) and all applicable regulations
- Define the rights of data subjects and our obligations as a data controller
- Assign accountability and responsibility for data protection within the organisation
- Build and maintain the trust of our clients, partners and the public
1.4 Scope
This policy applies to:
- All employees, contractors and partners of Code Dreamers Limited
- All personal data collected, processed or stored by Code Dreamers in the delivery of its services, including the ISO School Administration System (ISO SAS), the Taifa Gas customer and agent mobile applications, school websites and web hosting services
- All data processing activities regardless of the medium — digital, paper, or otherwise
- Personal data of clients, end users, school students and staff, parents, and employees
Policy Statements
2.1 Principles of Personal Data Protection
All personal data processed by Code Dreamers Limited shall be handled in accordance with the following core principles, consistent with the PDPA:
Lawfulness, Fairness & Transparency
Data is processed lawfully, fairly and in a transparent manner in relation to the data subject.
Purpose Limitation
Data is collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes.
Data Minimisation
Only data that is adequate, relevant and limited to what is necessary in relation to the purposes of processing is collected.
Accuracy
Personal data is kept accurate and, where necessary, up to date. Inaccurate data is corrected or erased without delay.
Storage Limitation
Data is kept in a form that permits identification of data subjects for no longer than necessary for the stated purpose.
Integrity & Confidentiality
Data is processed in a manner that ensures appropriate security, including protection against unauthorised processing and accidental loss.
Accountability
Code Dreamers Limited takes responsibility for compliance and is able to demonstrate adherence to these principles at any time.
No Selling of Data
We do not sell, rent or trade personal data. No data is shared with advertisers or marketing platforms. Our services contain no advertising.
2.2 Data Collection and Use
Types of personal data collected vary by service but may include:
- Identity data: full name, date of birth, national ID number
- Contact data: phone number, email address, physical address
- Account data: username, account number, role within an organisation
- Financial data: transaction amounts, payment method references, Mobile Money transaction IDs (not full account credentials)
- Academic data: student enrollment records, examination results, attendance, disciplinary records (ISO SAS schools)
- Payroll data: staff salary, PAYE, NSSF and HESLB contributions (ISO SAS schools)
- Location data: delivery address, agent location for order routing (Taifa Gas app only, with consent)
- Device and usage data: IP address, browser type, app usage logs, timestamps
Methods of collection: data is collected directly from data subjects at the point of registration or account creation, through use of our software and mobile applications, via school administrative staff entering records into ISO SAS, and through server log files generated automatically during service use.
Legal basis for processing: we process personal data on one or more of the following lawful bases — (a) consent of the data subject; (b) performance of a contract to which the data subject is party; (c) compliance with a legal obligation; or (d) legitimate interests of Code Dreamers or a third party, where those interests are not overridden by the interests or rights of the data subject.
2.3 Data Subject Rights
Every individual whose personal data we hold has the following rights under the PDPA. To exercise any right, contact our DPO (see section 2.8). We will respond within 30 days.
Right to Access
You may request a copy of the personal data we hold about you and information on how it is used.
Right to Rectification
You may request correction of inaccurate or incomplete personal data we hold about you.
Right to Erasure
You may request deletion of your personal data where it is no longer necessary, or where you withdraw consent.
Right to Restrict Processing
You may request that we limit how we use your data while a dispute or request is being resolved.
Right to Object
You may object to processing of your personal data in certain circumstances, including processing based on legitimate interests.
Right to Data Portability
Where processing is based on consent or contract, you may request your data in a structured, machine-readable format.
Right to Withdraw Consent
Where processing is based on consent, you may withdraw it at any time without affecting lawfulness of prior processing.
Right to Lodge a Complaint
You have the right to lodge a complaint with the PDPC at helpdesk@pdpc.go.tz or +255 743 699 996.
2.4 Processing Sensitive Personal Data
Code Dreamers processes certain categories of data that require heightened protection under the PDPA, specifically in the context of the ISO School Administration System:
- Student health and medical records — pocket/medical/caution money records for boarding schools
- Disciplinary records — student conduct and behavioural history
- Financial records — payroll, tax and social security data for school staff
Such data is processed only where strictly necessary for the delivery of the contracted service, with access restricted to authorised personnel on a need-to-know basis, and is never shared outside the contracted institution without explicit instruction from the data controller (the school).
We do not collect or process biometric data or genetic data in any of our services.
2.5 Consent Management
Where processing is based on consent, Code Dreamers obtains consent that is freely given, specific, informed and unambiguous, through a clear affirmative action by the data subject (e.g. ticking a consent checkbox, accepting terms of service, or providing a signed agreement).
- Consent is requested at the point of data collection and before processing begins
- Records of consent — including what was consented to and when — are maintained by the DPO
- Data subjects may withdraw consent at any time by contacting the DPO. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal
- We never use pre-ticked boxes or inactivity as a basis for consent
- For minor data subjects (under 18), consent is obtained from a parent or legal guardian
2.6 Data Security and Storage
Code Dreamers implements appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration or destruction.
Infrastructure: Online services and hosted websites are deployed on Amazon Web Services (AWS), using data centres in the following regions:
Europe (London)
AWS eu-west-2
Asia Pacific (Mumbai)
AWS ap-south-1
Africa (Cape Town)
AWS af-south-1
The ISO School Administration System is installed locally on the school's own premises and does not transmit personal data to external servers during normal operation.
Security measures include:
- Encryption of data in transit using TLS/HTTPS
- Encryption of data at rest on cloud infrastructure
- Role-based access control — users can only access data relevant to their function
- Strong authentication requirements for administrative access
- Automated backups with backup reminders built into ISO SAS
- Regular review of access permissions
2.7 Complaints Handling
Any individual who believes their personal data has been handled in a manner inconsistent with this policy or the PDPA may submit a complaint to our DPO (see section 2.8).
- The complaint is acknowledged in writing within 5 working days
- The DPO investigates the complaint and consults relevant parties as needed
- A formal response is provided within 30 days of receipt
- Where the complaint is upheld, appropriate corrective action is taken promptly
- If the complainant is not satisfied with our response, they may escalate to the PDPC at helpdesk@pdpc.go.tz
2.8 Data Protection Officer (DPO)
Code Dreamers Limited has appointed a Data Protection Officer responsible for overseeing all matters relating to personal data protection, ensuring compliance with this policy and the PDPA, and serving as the primary point of contact for data subjects and the PDPC.
Isack Shayo
Data Protection Officer & Chief of Engineering
Code Dreamers Limited
The DPO operates independently and reports directly to the Managing Director. The DPO's responsibilities include:
- Monitoring compliance with the PDPA and this policy across all operations
- Advising on Data Protection Impact Assessments (DPIAs)
- Maintaining the register of processing activities
- Serving as the contact point for data subjects exercising their rights
- Liaising with the PDPC on matters of compliance and incident reporting
- Leading internal training and awareness on data protection
2.9 Employee Training and Awareness
Code Dreamers is committed to ensuring all employees and contractors who handle personal data understand their obligations under this policy and the PDPA.
- All new employees receive data protection orientation as part of their onboarding
- Refresher awareness is conducted annually or whenever significant changes to data protection law occur
- Employees are instructed never to access, disclose or transmit personal data outside the scope of their role
- Any employee found to have deliberately violated this policy will be subject to disciplinary action
2.10 Data Retention and Disposal
Personal data is retained only for as long as it is needed for the purpose for which it was collected, unless a longer retention period is required by law.
- Payment and financial transaction records — retained for the lifetime of the account/contract, and thereafter for as long as required by applicable financial and tax regulations in Tanzania
- School administration data (ISO SAS) — retained for the duration of the contract with the school. Upon contract termination, data is returned to the school and securely deleted from Code Dreamers systems where applicable
- App account data — retained while the account is active. Inactive accounts may be deleted after 24 months of inactivity following prior notification
- Support and communication records — retained for 12 months after the matter is resolved
- Server log files — retained for no more than 12 months
Upon expiry of the applicable retention period, personal data is securely deleted or anonymised such that it can no longer be linked to an identifiable individual. Physical records containing personal data are shredded. Digital records are permanently deleted and not recoverable.
2.11 Personal Data Breach Notification
A personal data breach is any security incident resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Our breach response procedure:
- Any suspected breach is reported immediately to the DPO (Isack Shayo)
- The DPO assesses the nature, scope and likely consequences of the breach
- Immediate containment measures are implemented to stop or limit the breach
- Where the breach is likely to result in a risk to individuals' rights, the PDPC is notified within 72 hours with full details of the incident
- Affected data subjects are notified without undue delay where the breach is likely to result in high risk to their rights and freedoms
- A full incident report is prepared, including causes, impact, corrective actions taken, and measures to prevent recurrence
2.12 Privacy Notices
Code Dreamers provides clear and accessible privacy notices to individuals at or before the point of data collection. Our privacy notice (available at codedreamers.co.tz/privacy.html) sets out in plain language:
- Who we are and how to contact us
- What data we collect and why
- The legal basis for processing
- How long we keep data
- Who we share data with
- Data subject rights and how to exercise them
- How to lodge a complaint
Where services are provided to third-party organisations (e.g. schools using ISO SAS), those organisations are responsible for informing their own users (students, parents, staff) of the data processing activities undertaken through the platform, and Code Dreamers provides the necessary information to support this obligation.
2.13 Data Protection Impact Assessment (DPIA)
Code Dreamers conducts a Data Protection Impact Assessment before introducing any new data processing activity that is likely to result in high risk to individuals' rights and freedoms, in accordance with PDPC guidelines.
A DPIA is required when:
- Introducing a new feature, service or system that processes personal data at scale
- Implementing systematic monitoring of individuals (e.g. location tracking features)
- Processing sensitive personal data on a large scale
- Significant changes are made to existing data processing activities
DPIAs are conducted by the DPO in consultation with the relevant technical team and, where required, in consultation with the PDPC. Results are documented and reviewed prior to deployment.
2.14 Transborder Flow of Personal Data
Some of our online services are hosted on Amazon Web Services (AWS) infrastructure located in the United Kingdom (London), India (Mumbai) and South Africa (Cape Town). This means that personal data processed through these services may be stored and processed outside Tanzania.
We ensure that all such transborder transfers comply with the PDPA by:
- Using AWS regions that operate under robust data protection frameworks (UK GDPR, South Africa POPIA)
- Entering into appropriate data processing agreements with AWS as our data processor
- Ensuring transfers are limited to what is necessary for the delivery of the contracted service
- Maintaining transparency with data subjects about where their data is stored
2.15 Automated Processing and Profiling
Code Dreamers does not engage in automated decision-making or profiling that produces legal or similarly significant effects on individuals.
Our systems use automated processes for operational purposes only — such as generating examination result reports, calculating payroll, routing delivery orders, or sending SMS notifications — which are functions carried out on behalf of and under the instructions of our clients. No automated profiling is used for marketing, credit scoring, or any form of behavioural targeting.
We do not serve advertisements on any of our services and do not share data with advertising networks or marketing platforms.
2.16 Sharing Personal Data
Code Dreamers shares personal data with third parties only where strictly necessary to complete a specific process on behalf of the data subject or our client. We do not sell, rent or share personal data for marketing purposes.
Third parties with whom data may be shared include:
- Mobile Money operators (e.g. Mpesa, Tigo Pesa, Airtel Money) — transaction data necessary to process a payment initiated by the user
- SMS gateway providers — phone number and message content only, for the purpose of sending notifications or examination results as instructed by the school or user
- Amazon Web Services (AWS) — as our cloud infrastructure provider and data processor, under a formal data processing agreement
- Law enforcement or regulatory authorities — only where required by law (see section 2.17)
2.17 Disclosure to Law Enforcement Authorities
Code Dreamers may disclose personal data to law enforcement or government authorities only where required to do so by a valid legal obligation, court order, or lawful request from a competent Tanzanian authority.
- We disclose the minimum data necessary to satisfy the legal requirement
- Where legally permitted, we notify the affected data subject of such a request
- All such disclosures are recorded by the DPO and reported in the annual compliance review
2.18 CCTV Cameras and Location Technologies
CCTV: Code Dreamers does not currently operate CCTV cameras at its office premises. Should CCTV be introduced in future, appropriate notices will be displayed and this policy updated accordingly.
Location technologies: The Taifa Gas customer and agent mobile applications collect location data for the sole purpose of routing gas orders to nearby delivery agents. Location data is:
- Collected only with the explicit consent of the user, requested at app installation or first use
- Used only for order routing during active app sessions
- Not retained after the delivery transaction is complete
- Never sold or shared with third parties other than for the purpose of completing the delivery
Users may withdraw consent for location tracking at any time through their device settings, though this will affect the functionality of the delivery service.
2.19 Cookies and Online Tracking
Our websites use cookies and similar technologies to ensure the site functions correctly and to understand how visitors use our services. We use only essential and functional cookies — we do not use advertising, targeting or cross-site tracking cookies.
- Essential cookies — required for the website to function (e.g. session management, login state)
- Functional cookies — remember user preferences to improve the experience
- Analytics — limited server-side log analysis for site administration; no third-party analytics scripts (e.g. no Google Analytics) are deployed on our services
Users may disable cookies through their browser settings. Note that disabling essential cookies may affect website functionality. No cookie consent is required for strictly necessary cookies under applicable regulations.
2.20 Online Privacy Rights for Special Groups
Children and minors: Code Dreamers processes personal data relating to students in the context of the ISO School Administration System. This data is provided by and processed on behalf of the school (acting as data controller in respect of its students). Schools are responsible for obtaining appropriate consent from parents or guardians for the processing of student data.
Code Dreamers does not knowingly collect personal data directly from children under 18 through any consumer-facing registration process. Our mobile applications and websites are not directed at children as end users. If we become aware that personal data from a child has been collected without appropriate authorisation, it will be deleted promptly.
Any parent or guardian who believes their child's data has been collected inappropriately should contact our DPO immediately.
2.21 Data Protection by Design and by Default
Code Dreamers integrates data protection considerations into the design and development of all new software, systems and features from the outset, rather than as an afterthought.
- New features involving personal data are reviewed by the DPO prior to development
- Default system settings are configured to the most privacy-protective options (e.g. minimum data collected by default, restricted access by default)
- Role-based access control is built into ISO SAS so users can only access data relevant to their function
- Where a feature can be delivered without personal data, it is designed to do so
- Data minimisation is applied at the data model level — we collect only what is functionally necessary
Implementation, Monitoring and Evaluation
This policy is effective from the date of approval and applies to all Code Dreamers operations. The DPO is responsible for its implementation across the organisation.
- Annual review: This policy is reviewed at least annually by the DPO and approved by the Managing Director. It is updated promptly following any significant change in data processing activities, applicable law, or PDPC guidance
- Internal audits: The DPO conducts periodic internal reviews of data processing activities to assess compliance with this policy and the PDPA
- PDPC reporting: Code Dreamers submits compliance reports to the PDPC as required under the PDPA and its regulations
- Register of processing activities: A register of all personal data processing activities is maintained by the DPO and updated as processing activities change
- Breach register: All personal data breaches, including those that do not meet the threshold for PDPC notification, are recorded and reviewed by the DPO
- Policy enforcement: Any employee or contractor found to have violated this policy may be subject to disciplinary action, up to and including termination of employment or contract
Questions about this policy should be directed to the DPO at info@codedreamers.co.tz.
Policy Approval
This policy has been approved by the undersigned and will be reviewed at least annually.
← Scroll to see full table| Name | Title | Date Approved | Review Date | Signature |
|---|---|---|---|---|
| Florian Safari | Managing Director Code Dreamers Limited |
July 2024 | July 2025 |