Privacy Policy

Last updated: March 2026

This Privacy Policy describes how FiNENOV SARL (\"FiNENOV\", \"we\", \"us\"), operating the Stunov platform, collects, uses, stores, and protects personal data in connection with the Stunov school management service (the \"Platform\"). By using the Platform, you acknowledge that you have read and understood this policy.

Article 1 — Data Controller and Processor Roles

Under applicable data protection law, including Cameroon Law No. 2010-012 of 21 December 2010 on cybersecurity and personal data protection, each subscribing school (the \"Client\") acts as the data controller for the personal data of its students, parents, and staff. FiNENOV SARL acts as the data processor, processing personal data solely on behalf of and under the instructions of the Client, in accordance with the terms of the subscription agreement and this policy. Because the Platform's infrastructure is hosted in the European Union (France), processing of personal data through the Platform is also subject to EU Regulation 2016/679 (General Data Protection Regulation, \"GDPR\") to the extent applicable, in addition to Cameroon law.

Article 2 — Data Collected

The Platform may collect and process the following categories of personal data: (a) Client account information: school administrator name, email, phone number, school name, and address; (b) billing and subscription data: payment method details, transaction records, invoices; (c) operational data: student records, attendance, grades, timetables, and communications entered by Client users; (d) technical data: IP addresses, browser type, device identifiers, access logs, and session cookies; (e) support data: correspondence and support tickets submitted to FiNENOV.

Article 3 — Legal Basis for Processing

Personal data is processed on one or more of the following legal bases: (a) contractual necessity — processing required to deliver the subscribed services; (b) legitimate interest — platform security monitoring, fraud prevention, service improvement; (c) legal obligation — compliance with Cameroon law, EU law where applicable, tax regulations, ANTIC and CNIL directives; (d) consent — where specifically obtained for optional features such as marketing communications.

Article 4 — Purposes of Processing

Data is processed for the following purposes: (a) provision and operation of the Platform; (b) account management and authentication; (c) billing, invoicing, and payment processing; (d) technical support and incident resolution; (e) security monitoring and abuse prevention; (f) aggregated analytics to improve the service (no individual profiling); (g) compliance with legal and regulatory obligations.

Article 5 — Infrastructure, Sub-Processors and International Transfers

The Platform's database and application data are hosted on EU-based cloud infrastructure located in France. File assets (documents, images, and attachments generated or uploaded within the Platform) are stored on globally distributed CDN infrastructure operated from the United States, with edge nodes worldwide. FiNENOV may additionally engage the following categories of sub-processors: (a) mobile push notification services (e.g., Firebase Cloud Messaging) for mobile alerts; (b) email delivery services (SMTP providers) for transactional emails; (c) payment gateway providers for subscription billing. All sub-processors are contractually bound to process data only as instructed and to maintain appropriate security measures. For transfers of personal data outside the European Economic Area (EEA), FiNENOV relies on Standard Contractual Clauses (SCCs) approved by the European Commission pursuant to GDPR Article 46, or other appropriate safeguards. A current list of sub-processor categories is available upon request.

Article 6 — Cookies and Tracking Technologies

The Platform uses: (a) strictly necessary cookies — session management, CSRF protection, authentication tokens; (b) functional cookies — language preference, interface settings. The Platform does not use third-party advertising trackers. If analytics cookies are introduced, users will be informed and, where required, their consent obtained.

Article 7 — Data Storage and Cross-Border Transfers

Platform database and application data (text records, logs, account information) are stored on cloud infrastructure hosted in France (European Union), and are therefore subject to GDPR requirements. File assets (uploaded documents, images, and attachments) are stored on globally distributed CDN infrastructure with servers located in the United States and edge nodes worldwide; such transfers are governed by Standard Contractual Clauses (SCCs) compliant with GDPR Article 46. FiNENOV further ensures compliance with Cameroon Law No. 2010-012 for all data processing operations.

Article 8 — Data Security

FiNENOV implements reasonable technical and organizational security measures, including: (a) encryption of data in transit (TLS/SSL) and at rest where applicable; (b) encrypted storage of file assets on globally distributed CDN infrastructure; (c) tenant database isolation — each school's data is stored in a separate database; (d) role-based access controls; (e) regular automated backups; (f) access logging and monitoring. No system can guarantee absolute security. FiNENOV is not liable for unauthorized access resulting from Client-side security failures (e.g., shared passwords, compromised devices).

Article 9 — Data Retention

Personal data is retained for the duration of the Client's active subscription plus any legally mandated retention period. Upon subscription termination, Client data is retained for thirty (30) calendar days to allow for recovery or data export. After this period, data is permanently deleted or irreversibly anonymized unless longer retention is required by applicable law.

Article 10 — Data Subject Rights

In accordance with applicable law, including GDPR where applicable, data subjects worldwide may exercise the following rights: (a) right of access (GDPR Art. 15) — obtain confirmation of whether personal data is processed and request a copy; (b) right of rectification (GDPR Art. 16) — request correction of inaccurate data; (c) right of erasure (GDPR Art. 17) — request deletion of personal data, subject to legal retention requirements; (d) right of data portability (GDPR Art. 20) — receive personal data in a structured, machine-readable format; (e) right to restriction of processing (GDPR Art. 18) — request that processing be limited in certain circumstances; (f) right to object (GDPR Art. 21) — object to processing based on legitimate interest; (g) right not to be subject to solely automated decisions (GDPR Art. 22) — where such processing produces legal or similarly significant effects. For data processed by a school (Client), requests should be directed to the school administration. For data processed directly by FiNENOV (billing, account data), requests may be sent to [email protected]. FiNENOV will respond within one (1) month of receiving a verifiable request, as required by GDPR.

Article 11 — Children's Data

The Platform processes personal data of minors (students) solely on behalf of subscribing schools acting as data controllers. Schools are responsible for ensuring that appropriate parental or guardian consent is obtained in accordance with applicable Cameroon law and, where relevant, international standards (e.g., GDPR Article 8, COPPA). FiNENOV does not knowingly collect personal data directly from minors without school and parental authorization.

Article 12 — Data Breach Notification

In the event of a personal data breach that poses a risk to the rights and freedoms of data subjects, FiNENOV will: (a) notify affected Client schools without undue delay, and no later than seventy-two (72) hours after becoming aware of the breach; (b) provide details of the nature of the breach, data categories affected, and remedial measures taken. Client schools are responsible for notifying their own users (students, parents, staff) as required by applicable law.

Article 13 — Contact and Supervisory Authorities

For questions or requests regarding this Privacy Policy, contact FiNENOV SARL at: [email protected]. Because personal data is processed on infrastructure located in France (EU), complaints regarding data processing may be directed to: (a) the Commission Nationale de l'Informatique et des Libertés (CNIL), the French data protection authority (www.cnil.fr) — lead supervisory authority for EU data processing operations; (b) the Agence Nationale des Technologies de l'Information et de la Communication (ANTIC) — competent supervisory authority under Cameroon law. Users located in other jurisdictions may also contact the data protection authority of their country of residence.

Article 14 — Policy Updates

FiNENOV reserves the right to update this Privacy Policy at any time. Material changes will be communicated via email or dashboard notification at least thirty (30) days before taking effect. Continued use of the Platform after the effective date constitutes acceptance of the updated policy.