Privacy Policy

Transparency notice

This page describes how the Skill-Age stack is designed to operate when our Laravel API and Next.js frontend are deployed together. It is not a substitute for a jurisdiction-specific privacy policy drafted with legal counsel. Replace or extend sections below after regulatory and product review.

Who processes data

The public website (web) talks to a Skill-Age Laravel REST API for persisted programme data — registrations, leaderboard rows, nominations, ledger-related finance records, careers data, audits, and staff actions — when operators configure the API URL on the Next server (see Environment on API documentation). Where the API is not configured or a feature is unreachable, individual pages may fall back to local demo behaviour and avoid persisting identifiable data centrally.

Cookies and authentication

Staff sessions: after organisation sign-in, the Next application may set cookies derived from Laravel Sanctum (staff token forwarded by the BFF) alongside an optional signed admin session cookie when ADMIN_SESSION_SECRET is set. These restrict access to /admin routes and server-backed JSON endpoints.
Super-admin areas: additional checks require a configured API base URL and proof of super_admin capability from the API.
Browser-only UX: pages may use sessionStorage for non-auth conveniences (for example showing a freshly issued registration reference). That storage is scoped to your browser tab/session and is not the source of truth for persisted programme data — the Laravel API is.

Uses of personal data

Typical flows when connected to Laravel include:

Competition: guardian and child names, email, optional phone, motivation text, state of residence, and issued public registration identifiers.
Payments: online vote purchases may invoke Paystack; settlement and webhook handling occur on the API server according to Laravel configuration (processor terms DPA wording belongs in final policy).
Careers & volunteers: application and staffing records captured via admin tooling.
Audit trails: security-relevant events may be logged in the database for accountability.

Your rights & contacts

For access, correction, or deletion requests, use our contact channels. Final policy text should specify lawful bases, retention windows, supervisory authority contacts, and any cross-border transfers.

Contact support

Loading…

chat

← Back to home