Privacy Policy & Data Protection
How TSMHS collects, uses and protects your personal information.
Last updated: 18 April 2026 · Thika School of Medical and Health Sciences
This policy is issued in compliance with the Kenya Data Protection Act, 2019 and the Data Protection (General) Regulations, 2021. TSMHS is committed to protecting the privacy and personal data of all students, alumni, staff and website visitors.
1. Who We Are (Data Controller)
Thika School of Medical and Health Sciences (TSMHS) is the data controller responsible for your personal information.
- Physical address: Thika Town, Kiambu County, Kenya
- Email: info@tsmhs.ac.ke
- Phone: +254 708241019
2. What Data We Collect
When you register on our website
- Full name, email address, phone number
- National ID number or passport number
- County of residence
- Programme of interest and how you heard about us
- Account password (stored as a secure hash — never readable)
- Consent records with timestamps
When you submit an application or enquiry
- KCSE grade, county, personal statement
- Communication history with our admissions team
When you visit our website
- Pages viewed, time of visit, referring website (anonymised)
- IP address (stored as a daily-salted hash — not personally identifiable)
- Cookie consent preferences
3. How We Use Your Data
- Processing admission enquiries and applications
- Sending fee schedules, brochures and programme information you request
- Sending newsletters and event updates (only if you consented)
- Improving our website and understanding how visitors use it
- Complying with legal obligations under Kenyan law
We do not sell, rent or share your personal data with third parties for their marketing purposes.
4. Legal Basis for Processing
- Consent — for newsletters, media use and optional data collection. You may withdraw consent at any time.
- Contract — to process your application and deliver the services you request.
- Legitimate interest — for website analytics and security.
- Legal obligation — where required by Kenyan law.
5. Media & Photo Consent
TSMHS may photograph or film students, staff and visitors during events, graduation ceremonies and campus activities. These images may be used on our website, social media and printed materials.
- You will be asked for explicit consent when registering on this website
- Event attendees are notified by visible signage that photography is taking place
- You may withdraw media consent at any time by updating your account settings or emailing us
- Withdrawal of consent will not affect use of images already published, but we will remove them from future use upon request
6. Data Retention
- Account data: retained while your account is active, and for 3 years after your last login
- Application data: retained for 5 years in line with educational records requirements
- Website analytics: retained for 24 months in aggregate form
- Consent records: retained for 7 years (legal requirement)
7. Your Rights Under the Kenya Data Protection Act
You have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — correct inaccurate or incomplete data
- Erasure — request deletion of your data ("right to be forgotten")
- Restriction — ask us to stop processing your data in certain circumstances
- Portability — receive your data in a machine-readable format
- Objection — object to processing based on legitimate interest
- Withdraw consent — at any time, without affecting prior processing
To exercise any of these rights, email info@tsmhs.ac.ke with the subject line "Data Rights Request". We will respond within 21 days.
8. Cookies
We use the following cookies:
- Essential cookies — session management, security tokens. These cannot be disabled.
- Analytics cookies — Google Analytics (GA4) to understand how visitors use our site. Only loaded with your explicit consent.
- Preference cookies — remembering your dark/light mode and font size settings.
You can manage your cookie preferences at any time by clicking the cookie banner or contacting us.
9. Third-Party Services
- Amazon SES — used to send transactional emails (fee schedules, confirmations). Data is processed under Amazon's privacy policy.
- Google Analytics — website analytics. Only active with your consent. Data is anonymised.
- OpenStreetMap / Leaflet.js — map tiles for campus location maps. No personal data is shared.
- WhatsApp — if you click a WhatsApp button, you are redirected to WhatsApp's platform under their privacy policy.
10. Data Security
- All passwords are hashed using bcrypt — never stored in plain text
- Website served over HTTPS (TLS encryption)
- Database access is restricted to authorised staff only
- Regular security updates applied to all systems
11. Children's Privacy
Our website and services are intended for persons aged 18 and above. We do not knowingly collect data from persons under 18 without parental consent. If you believe a minor has registered without consent, please contact us immediately.
12. Complaints
If you have a complaint about how we handle your data, you may contact us directly at info@tsmhs.ac.ke. You also have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC) of Kenya at www.odpc.go.ke.
13. Changes to This Policy
We may update this policy from time to time. The date at the top of this page shows when it was last revised. Continued use of our website after changes constitutes acceptance of the updated policy.
Contact our Data Protection Officer:
Email: info@tsmhs.ac.ke
Phone: +254 708241019
Address: Thika Town, Kiambu County, Kenya