Privacy Policy

Manhaj processes personal data, including data relating to minors, in the course of providing the service to institutions. This policy describes such processing in accordance with Organic Law No. 2004-63 of 27 July 2004 and the requirements of the INPDP.

Version 2026-06-v1 · Effective 27 June 2026

1. Controller and roles

Each client institution is the controller of the data it manages through the service. Manhaj acts as processor: it processes such data only on the institution’s instructions and solely for the purposes of providing the service.

The contact details of the institution’s data contact (DPO or data officer) are made available to data subjects by the institution itself.

2. Data collected

Depending on the features used, the service processes: identity data (learners, parents/guardians, staff), academic data (enrolments, grades, attendance), contact data, billing data and, where applicable, sensitive data (school health) strictly necessary to the institution’s mission.

3. Purposes and legal bases

Data is processed for the management of schooling and training, communication with families, billing and compliance with the institution’s legal obligations.

Processing is based on performance of the relationship between the institution and families, on applicable legal obligations and, where relevant, on consent collected in accordance with Law 2004-63.

4. Minors’ data

The service processes data relating to minors under the responsibility of the institution and parental authority. Such data benefits from reinforced protection and is accessible only to authorised persons.

5. Recipients and sub-processors

Data is accessible only to authorised users of the institution and to the publisher’s staff strictly necessary for operation and support, bound by confidentiality.

Any use of further sub-processors (hosting, notification delivery) takes place in compliance with Law 2004-63 and under equivalent confidentiality and security commitments.

6. Hosting and transfers

Data is hosted on secure infrastructure. Any transfer of data outside Tunisia is governed in accordance with the requirements of Law 2004-63 and, where applicable, subject to INPDP authorisation.

7. Retention periods

Data is retained for the period necessary for the purposes pursued and the institution’s legal obligations (in particular academic and accounting retention periods), then securely deleted or archived.

8. Security

The publisher implements appropriate technical and organisational measures: strict data isolation per institution, encryption at rest of sensitive data, role-based access control, action logging and regular backups.

9. Rights of data subjects

In accordance with Law 2004-63, every data subject has a right of access, rectification and objection on legitimate grounds regarding their data.

These rights are exercised with the institution acting as controller. Manhaj, as processor, assists the institution in handling such requests.

10. INPDP formalities

Processing of personal data is subject to the formalities provided by Law 2004-63 before the INPDP. The institution remains responsible for completing the declarations or authorisations incumbent upon it; Manhaj provides the necessary technical information.

11. Cookies and trackers

The platform uses cookies strictly necessary for authentication and operation of the service. No third-party advertising tracker is placed.

12. Changes and contact

This policy may be updated; the version in force is published on this page. For any data-related question, the institution and data subjects may contact Manhaj via the Contact page.

For any question about this document, contact Manhaj via the Contact page.