Privacy Policy — Royal Family Academy
Last updated: 28 August 2025
Royal Family Academy (“RFA”, “we”, “us”, “our”) is committed to protecting your privacy. This policy explains what personal data we collect, how we use it, how we keep it safe, and your rights under the Nigeria Data Protection Act 2023 (NDPA) and other applicable laws.
1) Who we are (Data Controller)
Royal Family Academy
Plot 648 Idris Gidado Way, Wuye, Abuja, Nigeria
Website: https://royalfamilyacademy.org
Email: privacy@royalfamilyacademy.org
Telephone: 08182535981
Data Protection Officer (DPO): dpo@royalfamily.org
This policy applies to our websites (including royalfamilyacademy.org), portals, learning platforms we provide access to, social media pages, and on-campus systems (e.g., CCTV).
2) Whose data we process
- Prospective students and parents/guardians
- Enrolled students and parents/guardians
- Alumni and donors
- Job applicants and staff
- Website visitors and social media followers
- Visitors to our campus
3) Children’s privacy
We primarily serve children and process children’s data. We obtain verifiable parental/guardian consent where required. We do not knowingly collect data directly from children online without appropriate consent and supervision.
4) What data we collect
Identity & contact: names, date of birth, gender, nationality, addresses, phone numbers, email.
Admissions & academic: prior schools, references, assessments, results, reports, classwork, attendance.
Pastoral & safeguarding: notes required to support students’ welfare and safety.
Health & special needs: medical information, allergies, SEN/IEP details (with safeguards).
Financial: fee records, invoices, bursary/scholarship details, payment confirmations (no full card data stored).
IT & usage: IP address, device info, browser, cookies, usage logs, learning platform activity.
Media: photographs, videos, yearbook images, event recordings (with opt-out/consent options provided).
CCTV & access control: footage and access logs for safety and security on campus.
Communications: emails, messages, enquiry forms, complaints, feedback.
Social media: interactions on platforms (e.g., Instagram posts we embed or link to).
5) How we collect data
- Directly from you (forms, email, phone, events, fees, visits)
- From your child (class activities, learning platforms)
- From parents/guardians, referees, previous schools
- From staff and service providers (e.g., exam boards)
- Automatically via cookies/analytics when you use our sites
- CCTV and access control systems on campus
- Public sources where lawful (e.g., professional profiles, public registers)
6) Why we use your data (lawful bases)
We process personal data where one or more lawful bases apply, including consent, contract, legal obligation, vital interests, public interest, and legitimate interests (balanced against your rights).
Examples
- Admissions and enrolment; placement and progress tracking
- Teaching, assessments, reports, exam entries/certification
- Pastoral care, SEN support, safeguarding and child protection
- Fee administration, scholarships/bursaries, donations
- Communications with parents/guardians and students
- Providing and managing learning platforms and accounts
- Managing events, trips, co-curricular activities
- Security and safety (CCTV, access logs, incident records)
- Website performance, analytics and improvements
- Marketing (with consent/opt-out), yearbooks, alumni relations
7) Cookies, analytics & similar technologies
We use cookies and similar technologies to run our website, remember preferences, and analyse usage. You can manage cookies via your browser and (where implemented) our on-site cookie banner. Some features (e.g., embedded Instagram or maps) may set third-party cookies. See our Cookie Notice.
8) Sharing your data
We share data only as needed and with safeguards, for example with:
- Service providers/“processors” (IT hosting, learning platforms, email/SMS, payment processors)
- Examination boards, educational partners, placement providers
- Regulators, law enforcement and authorities where legally required
- Medical professionals in emergencies
- Photography/video contractors for school media (where permitted)
- Alumni and development partners (with your preference respected)
We require processors to follow our instructions, keep your data secure, and not use it for their own purposes.
9) International transfers
Some providers may process data outside Nigeria. Where this occurs, we implement safeguards consistent with the NDPA (e.g., contractual clauses, due diligence of provider protections). You can contact our DPO for details of relevant safeguards for your data.
10) Data retention
We keep personal data no longer than necessary for the purposes collected and to meet legal, regulatory, or safeguarding requirements. Examples:
- Admissions enquiries (unsuccessful): up to 1 year
- Student records (core academic): throughout enrolment + 10 years
- Safeguarding records: in line with legal guidance (often to age 25+ or longer if required)
- Financial records (fees/invoices): 7 years
- CCTV: typically 30–60 days unless retained for an incident
- Marketing preferences: until you withdraw consent or object
- Alumni records: ongoing, reviewed periodically
We anonymise or securely delete data when the retention period ends.
11) Your rights (NDPA)
You have rights to be informed, access, rectify, erase (where applicable), restrict, object (including to direct marketing), portability (in certain cases), and not be subject to solely automated decisions with legal/similar significant effects, including the right to human review.
Where we rely on consent, you can withdraw it at any time (this won’t affect past processing).
12) How to exercise your rights
Email privacy@royalfamilyacademy.org or our DPO at dpo@royalfamily.org. We may need to verify your identity and, for children, confirm parental/guardian authority. We aim to respond within 30 days.
If you are not satisfied, you can lodge a complaint with the Nigeria Data Protection Commission (NDPC).
13) Security
We use administrative, technical, and physical measures to protect data (role-based access, encryption where appropriate, staff training, secure networks). If a data breach risks your rights and freedoms, we will notify the NDPC and affected individuals where required.
14) CCTV & campus access
We use CCTV and access control for safety, crime prevention, and operational purposes. Signage is displayed where CCTV is in use. Footage is retained for limited periods unless required for investigations.
15) Photography & media
We celebrate student life through photos/videos. We respect your preferences and local policies. You can opt out of non-essential media uses; essential documentation for education/safeguarding may still occur.
16) Social media, embeds & external links
Our site may link to or embed third-party content (e.g., Instagram). Those services operate their own privacy policies and may collect data when you view or interact with them.
17) Changes to this policy
We may update this policy from time to time. The version date appears at the top. Material changes will be highlighted on our website or via email.
18) Contact us
- General privacy enquiries: privacy@royalfamilyacademy.org
- Data Protection Officer: dpo@royalfamily.org
- Address: Plot 648 Idris Gidado Way, Wuye, Abuja, Nigeria
- Website: https://royalfamilyacademy.org
