1. Scope of This Notice

We are the Rwanda Bankers Association ("RBA", "we", "us", or "our"), located in Kigali, Rwanda. This Privacy Policy applies to all individuals who register for, access, or use the RBA eLearning Platform, including employees and authorised representatives of RBA member institutions.

This notice covers how we collect and process your personal data through the platform, your rights under applicable data protection law, and how you can contact us with questions or requests.

Links to Other Websites

Our platform may contain links to third-party websites that we do not own or control. This Privacy Policy does not apply to those external sites. We encourage you to review the privacy policies of any third-party sites you visit.

Controller and Processor

RBA acts as the data Controller for personal data you provide directly to us when registering and using the platform. Where RBA processes personal data on behalf of a member institution (for example, when an institution enrols employees into training), RBA may act as a Processor and the member institution acts as the Controller of that data. If you have questions about how your institution handles your data, please contact your employer directly.

2. Changes to This Policy

We may update this Privacy Policy from time to time. If we make changes, we will revise the effective date at the top of this document. If we make material changes that significantly affect how your data is used, we will provide additional notice, such as sending you an email or displaying a prominent notice on the platform, prior to those changes taking effect. We encourage you to review this policy periodically to stay informed about how we protect your data.

3. How We Collect Personal Data

3.1 Information You Provide Directly

We collect personal data directly from you in the following circumstances:

• When you complete the registration form to create a learner account on the platform.

• When you update your profile, change account settings, or upload documents.

• When you participate in surveys, assessments, or feedback forms.

• When you contact us for customer support or with an enquiry.

• When you enrol in, complete, or request a certificate for a course.

3.2 Information Collected Automatically (Usage Data)

When you access and use the platform, we automatically collect certain technical and behavioural data (referred to as "Usage Data") to ensure the platform functions correctly and to improve your experience. This includes:

• Internet Protocol (IP) address and approximate location derived from it.

• Browser type, version, and language settings.

• Operating system and device type.

• Pages visited, features used, and actions taken on the platform.

• Access times, session duration, and referring URLs.

• Course progress and bookmarking data, so you can resume from where you left off.

This Usage Data is collected through cookies and similar technologies. Please see Section 8 (Cookies and Similar Technologies) for more information.

3.3 Information from Third Parties

In some circumstances, RBA may receive personal data about you from your member institution (for example, when your employer pre-registers you for a training programme). In such cases, your employer is responsible for ensuring the transfer of your data to RBA is lawful.

4. Personal Data We Collect and Why

The table below summarises the categories of personal data we collect, why we collect each category, and the legal basis on which we rely to process it.

5. How We Use Your Personal Data

We use the personal data we collect for the following purposes:

Provide and operate the platform: To create and manage your learner account, deliver eLearning content, track your course progress, issue certificates, and support your use of the platform.

Personalise your learning experience: To recommend courses and training modules relevant to your job role, department, and learning history.

Reporting and analytics: To generate participation and completion reports for RBA member institutions, including gender-disaggregated and department-level reports that support corporate sustainability and training governance objectives.

Communicate with you: To send administrative notices, course updates, reminders, security alerts, and, where you have consented, marketing communications about new training offerings.

Improve our platform and services: To analyse how users interact with the platform, understand feature usage, diagnose technical problems, and develop new capabilities.

Ensure security and prevent fraud: To monitor for unauthorised access, investigate suspicious activity, and protect the integrity of the platform and its users.

Comply with legal obligations: To meet our obligations under applicable Rwandan and international data protection law, including responding to lawful requests from authorities.

Our processing of your personal data involves both automated methods (such as analytics algorithms) and, where necessary, manual review by authorised RBA staff.

6. How We Share Personal Data

We do not sell your personal data to third parties. We may share your data in the following circumstances:

6.1 Member Institutions

Course completion data, participation records, and certificates may be shared with your employer or the RBA member institution that enrolled you, for the purposes of training governance and reporting. This sharing is subject to your institution's own data protection obligations.

6.2 Service Providers

We engage trusted third-party service providers to help operate and maintain the platform. These include hosting providers, email delivery services, analytics tools, and payment processors (where applicable). Our service providers are contractually bound to process your data only for the purposes we specify, to maintain appropriate security measures, and not to use your data for their own purposes.

6.3 Analytics and Research Partners

We may share aggregated, anonymised Usage Data with selected research or analytics partners to improve our platform and the broader banking sector's training outcomes. This data cannot be used to identify you individually.

6.4 Legal and Regulatory Disclosure

We may disclose your personal data where required by law, regulation, or a valid order from a competent authority, including to: (a) comply with applicable Rwandan law or regulatory requirements; (b) protect the rights, property, or safety of RBA, its users, or the public; (c) enforce our Terms and Conditions; or (d) respond to a legal process or government request.

6.5 Business Transfers

In the event of a merger, acquisition, restructuring, or transfer of RBA's operations, your personal data may be transferred to the relevant successor organisation, subject to equivalent privacy protections.

7. How Long We Retain Your Data

We retain your personal data only for as long as is necessary for the purposes described in this Privacy Policy, or as required by applicable law. Specifically:

• Account and profile data are retained for as long as your account remains active or as needed to provide you with platform services.

• Course completion records and certificates are retained for a minimum of five (5) years for professional development and audit purposes, or longer where required by law or your institution's policies.

• Usage Data and analytics data is typically retained for up to twenty-four (24) months before aggregation or deletion.

• Data collected for marketing communications is retained until you withdraw consent or opt out.

• If you request deletion of your account, we will remove your active profile and personal data, subject to any legal retention obligations. Residual copies may remain in backup systems for a limited period before being overwritten.

8. Cookies and Similar Technologies

Our platform uses cookies and similar technologies to store and honour your preferences, keep you signed in, enable platform features, and help us understand how the platform is used.

8.1 Types of Cookies We Use

Strictly necessary cookies: These are essential for the platform to function. They include session cookies that keep you logged in as you navigate between pages and cookies that remember your bookmarked course position. These cookies are always active.

Functional cookies: These remember your preferences and settings (such as language and display options) to personalise your experience. They are deleted when your browser session ends or after a set period.

Analytics cookies: With your consent, we use analytics tools to collect anonymised information about how users interact with the platform. This helps us identify popular features, diagnose problems, and improve the learning experience.

8.2 How to Control Cookies

You can control cookies through your browser settings at any time. Most browsers allow you to block or delete cookies. Please note that disabling strictly necessary cookies may affect your ability to use certain platform features, such as staying logged in or resuming courses. Please consult your browser's help documentation for instructions on managing cookies.

For more detailed information about the specific cookies used on this platform, please refer to our separate Cookie Policy.

9. Analysis Tools and Third-Party Services

We may use third-party analytics tools to monitor platform traffic and understand user behaviour. These tools operate primarily with anonymised or pseudonymised data, meaning your browsing patterns on the platform are generally not traceable back to you in identifiable form. You may opt out of analytics tracking by adjusting your cookie preferences as described in Section 8.

Where we use Google Analytics or comparable services, we ensure that data sharing with those providers is governed by appropriate data processing agreements and that the data is used only for the purposes of improving the platform.

10. Data Security

10.1 Encryption

This platform uses SSL/TLS encryption to protect all data transmitted between your browser and our servers. You can verify this by checking that the address bar shows "https://" and displays a padlock icon. When encryption is active, data you transmit cannot be read by unauthorised third parties in transit.

10.2 Security Measures

We implement industry-standard technical and organisational security measures to protect your personal data from unauthorised access, disclosure, alteration, or destruction. These include access controls, secure server infrastructure, regular security reviews, and staff training on data protection obligations.

10.3 Your Responsibilities

You are responsible for maintaining the confidentiality of your account credentials. Do not share your login details with anyone. If you believe your account has been compromised, contact us immediately at info@rba.rw.

10.4 Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, RBA will notify affected individuals and the relevant supervisory authority as required by applicable data protection law, within the timeframes stipulated by that law.

11. Legal Basis for Processing

We process your personal data on the following legal grounds, depending on the context:

Contractual necessity: Processing required to create and manage your account, deliver courses, and issue certificates as part of our service to you or your institution.

Legitimate interests: Processing for platform improvement, security, fraud prevention, and analytics, where our interests do not override your rights and freedoms.

Consent: Processing for marketing communications, gender-disaggregated reporting, and optional analytics cookies, where we ask for and rely on your explicit consent. You may withdraw consent at any time.

Legal obligation: Processing required to comply with applicable law, including data protection, financial, or regulatory requirements.

12. Your Privacy Rights

Depending on your location and the applicable data protection law, you have the following rights with respect to your personal data:

To exercise any of the above rights, please contact us at info@rba.rw. We will respond to your request within thirty (30) days, or within any shorter period required by applicable law. We may ask you to verify your identity before processing your request.

If you are not satisfied with our response, you have the right to lodge a complaint with the Rwanda Data Protection Authority or another competent supervisory authority.

13. Children's Privacy

The RBA eLearning Platform is intended for use by adult banking professionals and is not directed at children under the age of 18. We do not knowingly collect personal data from individuals under 18. If we become aware that a user under the age of 18 has registered on the platform without appropriate authorisation, we will take steps to remove their personal data from our systems.

14. International Data Transfers

Your personal data is primarily stored on servers located in Rwanda or within Africa. In some cases, the use of third-party service providers may involve the transfer of your data to other countries. Where such transfers occur, we ensure that appropriate safeguards are in place, such as contractual clauses or equivalent data protection measures consistent with the Rwanda Data Protection Law and, where applicable, GDPR.

15. Regulatory Compliance

This platform is developed and operated in compliance with the following:

• Rwanda Data Protection Law No. 058/2021 of 13/10/2021 relating to the protection of personal data and privacy.

• The EU General Data Protection Regulation (GDPR), applied as an international best practice standard for platforms with potential global users.

In particular, the platform incorporates the following compliance measures:

• Explicit consent mechanisms for data processing activities that require consent.

• Full disclosure of data collection purposes through this Privacy Policy and our Cookie Policy.

• Restriction of data transfers to parties not involved in delivering the platform's objectives.

• Technical and organisational security measures to safeguard user data.

• A process for users to exercise their data protection rights.

16. Third-Party Links

Our platform may contain links to third-party websites, external resources, or partner organisations. RBA is not responsible for the content or privacy practices of those third-party sites. We encourage you to review their privacy policies before submitting any personal data to them.

17. Your Communication and Marketing Choices

You may choose whether to receive marketing and promotional communications from RBA about new courses, events, or training offerings. Where we rely on consent to send you marketing emails, you can withdraw that consent at any time by:

• Clicking the unsubscribe link in any marketing email you receive from us.

• Updating your communication preferences in your account settings.

• Contacting us at info@rba.rw with a request to opt out.

Please note that opting out of marketing communications will not affect our ability to send you essential service-related communications, such as course enrolment confirmations, certificate notifications, or security alerts.

18. How to Contact Us

If you have any questions, requests, or complaints about this Privacy Policy or how we handle your personal data, please contact us using the details below. We will respond within thirty (30) days.

By using the RBA eLearning Platform, you acknowledge that you have read and understood this Privacy Policy and consent to the collection and use of your personal data as described herein.