Privacy Policy

Last updated: 19 February 2026

Books & Beyond is committed to protecting your personal information. This Privacy Policy explains what data we collect, how we use it, and the choices available to you. It should be read alongside our Terms of Service.

1. Information We Collect

1.1 Information You Provide

  • Account registration: first name, last name, email address, username, password (hashed — never stored in plain text), gender, country, city, occupation.
  • Profile: profile photo, biography, social media URLs, public/private setting.
  • Application forms: internship, partnership, and infrastructure support applications include contact details, motivation statements, organisational details, and uploaded files.
  • Donation records: donation type, quantity, delivery address, status updates.
  • Contact messages: name, email, phone number, and message body.
  • Newsletter subscriptions: email address only.
  • Activity logs (interns): date, description of activities, hours, and any supporting notes.

1.2 Information Collected Automatically

  • Log data: IP address, browser type, pages visited, time and date of visit, referring URL.
  • Cookies and local storage: session identifiers, preference tokens (see Section 4).

1.3 Information from Third Parties

We may receive information about you from third-party services you connect (e.g. payment processors for financial donations). We do not buy or rent personal data from third parties.

2. How We Use Your Information

Purpose | Legal Basis
Operate and deliver the Platform's features | Contract (Terms of Service)
Verify your identity and manage your account | Contract / Legitimate Interests
Process and track your donation or application | Contract
Send transactional emails (welcome, password reset, application status, donation updates) | Contract
Send newsletter updates (opt-in) | Consent
Generate AI-assisted recommendations and certificates | Legitimate Interests (intern service delivery)
Produce anonymised analytics and impact reports | Legitimate Interests
Comply with legal obligations (record-keeping) | Legal Obligation
Detect and prevent fraud, abuse, or security incidents | Legitimate Interests

3. How We Share Your Information

We do not sell your personal data. We share it only as follows:

  • Service providers: hosting (server infrastructure), email delivery (SendGrid/Mailtrap), and AI processing (Anthropic) — bound by data processing agreements.
  • School partners: interns' names and activity summaries are shared with the school they are placed at, and with their Head Intern, for supervision purposes.
  • Public profiles: if you set your profile to "public", your name, bio, country, and social links are visible to all visitors of the Platform.
  • Legal requirements: we may disclose data if required by law, court order, or to protect the rights and safety of Books & Beyond, its beneficiaries, or the public.

4. Cookies & Tracking

We use the following types of cookies:

  • Strictly necessary: session cookie (session) required for login and CSRF protection. Cannot be disabled without breaking the Platform.
  • Functional: preference tokens (e.g. dark mode, if implemented). These are optional but improve your experience.

We do not use advertising cookies, third-party tracking pixels, or analytics services (e.g. Google Analytics) at this time. If this changes, we will update this Policy and request consent where required.

You can control cookies through your browser settings. Disabling strictly necessary cookies will prevent you from logging in.

5. Data Retention

Data Type | Retention Period
Account data (active users) | For the lifetime of the account
Account data (deleted accounts) | Anonymised within 30 days of deletion request
Donation records | 7 years (Kenyan financial record-keeping requirement)
Application forms (rejected) | 12 months from decision, then deleted
Application forms (successful) | Duration of engagement + 3 years
Intern activity logs & certificates | Indefinitely (permanent record of achievement)
Contact messages | 3 years
Email logs | 90 days
Newsletter subscriptions | Until unsubscribed

6. Your Rights

You have the following rights over your personal data, subject to applicable law:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: request correction of inaccurate or incomplete data.
  • Erasure ("right to be forgotten"): request deletion of your data, subject to legal retention obligations (e.g. donation records).
  • Restriction: request that we restrict processing of your data in certain circumstances.
  • Portability: receive your data in a structured, machine-readable format.
  • Objection: object to processing based on legitimate interests.
  • Withdraw consent: where processing is based on your consent (e.g. newsletter), you may withdraw it at any time without affecting prior processing.

To exercise any of these rights, contact us at privacy@booksandbeyondonline.org. We will respond within 30 days.

7. Children's Privacy

Books & Beyond exists to serve children — but children are the beneficiaries of our work, not platform users.

The Platform is not directed at children under 13. We do not knowingly collect personal data from children under 13 without verifiable parental consent. The Platform is accessible publicly, but user accounts require applicants to confirm they are 13 or older.

When we display photographs of children (students, beneficiaries) on the Platform, we ensure that written consent has been obtained from a parent or legal guardian. Photos of identifiable children are captioned with only first names unless explicit permission for full names has been obtained.

If you believe we have inadvertently collected data about a child under 13 without appropriate consent, contact us immediately at privacy@booksandbeyondonline.org.

8. Security

We implement industry-standard technical and organisational measures to protect your personal data, including:

  • Passwords stored using bcrypt hashing (never in plain text).
  • All data in transit encrypted via TLS (HTTPS).
  • Database access restricted to application processes only.
  • CSRF protection on all state-changing forms.
  • Role-based access controls enforced server-side on every request.
  • File uploads scanned and stored outside the web root.

No method of transmission over the internet or electronic storage is 100% secure. In the event of a data breach that is likely to result in risk to your rights and freedoms, we will notify affected users and relevant authorities within 72 hours where feasible.

9. International Data Transfers

Our servers are currently hosted in the European Union. Your data may also be processed by our service providers (SendGrid, Anthropic) in the United States. Where we transfer data outside Kenya or the EU, we ensure appropriate safeguards are in place (e.g. standard contractual clauses).

10. Changes to This Privacy Policy

We will update this Privacy Policy as our data practices evolve or as required by law. Material changes will be communicated by email to registered users at least 14 days before they take effect. The current version is always available at booksandbeyondonline.org/privacy.


Contact Us

For questions about this Privacy Policy or to exercise your data rights:

Books & Beyond

Nairobi, Kenya

General enquiries: hello@booksandbeyondonline.org

Privacy & data requests: privacy@booksandbeyondonline.org
