Privacy Notice

Last updated: April 2026

This privacy notice explains how Rebeka (rebeka.app) collects, uses, and protects your personal data. It complies with the Nigeria Data Protection Act (NDPA) 2023, South Africa’s Protection of Personal Information Act (POPIA), and the EU General Data Protection Regulation (GDPR), as the data controller is established in Germany. If you have questions, email us at privacy@rebeka.app.

See also: Impressum (company details) · Terms of Service (service agreement)

1. Who We Are

Rebeka is a clinical placement management platform for nursing and midwifery education institutions across emerging markets, including Nigeria (launch market), South Africa (reference implementation), Kenya, Uganda, Ghana, and 6 additional markets. We help institutions coordinate student placements, track compliance documents, and log clinical hours — so coordinators can focus on education, not spreadsheets. This notice applies to all Rebeka deployments; compliance obligations vary by market.

Data Controller:

ML Upskill Agents UG (haftungsbeschränkt)
Hohe Straße 13, 92249 Vilseck, Germany
Email: privacy@rebeka.app
Phone: +49 156 79602536
Full company details (Impressum)

2. What Data We Collect

Rebeka collects different types of data depending on your role at your institution:

Institutional Data

  • Institution name
  • Contact details (main office phone, email, address)
  • Regulatory body accreditation status and registration number

Staff Data (Coordinators & Supervisors)

  • Full name
  • Email address
  • Phone number
  • Professional role and department

Student Data

  • Full name
  • Student ID (institutional)
  • Email address and phone number
  • Clinical placement records (facility, dates, location)
  • Attendance records and clinical hours logged
  • Logbook entries (clinical procedures performed, skills achieved)
  • Compliance documents (immunisation records, medical fitness certificates)

Payment Data

  • Processed by Paddle (Merchant of Record)
  • We do not store credit card details
  • We retain invoice and transaction records for 7 years (tax compliance)

Usage & Technical Data

  • Login timestamps and session data
  • Feature usage and actions taken in the platform
  • Device information (browser type, operating system)
  • IP address and basic analytics

3. Why We Collect This Data (Legal Basis)

Under Nigeria’s NDPA 2023 and the EU GDPR, we only process personal data when we have a valid legal basis:

Contract Performance

We process institutional, staff, and student data to provide the Rebeka platform service — coordinating placements, tracking hours, managing compliance, and sending SMS notifications.

Consent

Where applicable, we ask for explicit consent for marketing communications, feature announcements, or research participation. You can withdraw consent at any time.

Legitimate Interest

We process data for security (detecting fraud, preventing unauthorised access), legal compliance, and platform improvement (understanding how institutions use features).

4. Who We Share Data With

Rebeka uses the following third-party processors to deliver the service:

Supabase (Database Hosting)

Stores all institutional, staff, student, and placement data. Hosted in EU and US regions. GDPR-compliant with encryption at rest.

Clerk (Authentication)

Manages user sign-in and session authentication. Hosted in the US. We do not share passwords — Clerk handles secure authentication.

Paddle (Payment Processing — Merchant of Record)

Processes subscription payments as our Merchant of Record. When you purchase a subscription, you contract with Paddle.com Market Ltd (UK) — not with ML Upskill Agents UG — for the payment transaction. Paddle is an independent data controller for payment and billing data. Paddle handles VAT, invoicing, payment methods, and refunds. We do not receive or store credit card details. See Paddle’s Privacy Policy and Paddle’s Buyer Terms.

Meta WhatsApp Business API (Messaging)

Sends onboarding messages, placement notifications, and attendance reminders via WhatsApp. We only share phone numbers when messages are initiated by the institution or triggered by system events you have opted into. When messages are sent via the WhatsApp Business API, phone numbers and message metadata are processed by Meta Platforms Ireland Ltd., who may act as a joint controller for the collection and transmission of this data (cf. CJEU C-40/17, Fashion ID). For details on Meta’s data processing, see WhatsApp Business Data Processing Terms and Meta Privacy Policy.

Vercel (Hosting & CDN)

Hosts the Rebeka web application. Hosted in the US. Vercel is SOC 2 compliant (security and availability audited).

We do not sell your data to advertisers or marketing companies. Data is only shared with processors necessary to deliver the service.

5. Cross-Border Data Transfers

Rebeka's processors operate in the EU and US. When data is transferred outside Nigeria:

  • Transfers are necessary for service delivery — we cannot provide the platform without these processors.
  • Adequacy safeguards are in place. All processors comply with international security standards (GDPR, SOC 2, PCI-DSS, encryption).
  • Standard contractual clauses (SCCs) are in place with all processors to ensure data protection equivalent to Nigerian standards.

What this means for you: Your data is as secure in the EU or US as it would be if stored in Nigeria. All processors use encryption, regular security audits, and contractual protections that meet Nigerian data protection standards.

6. How Long We Keep Your Data

We only keep data for as long as necessary:

Active Account Data

Retained while your institution's account is active.

Clinical Records

Retained for 7 years after a student's last activity. Required by nursing accreditation bodies for audit and verification purposes.

Payment & Invoice Records

Retained for 7 years (Nigeria's tax and accounting requirements).

SMS Logs

Retained for 12 months for support and audit purposes.

Deleted Account Data

When an institution closes its account, all non-essential data is permanently deleted within 90 days. Clinical records required for accreditation are retained as above.

7. Your Rights Under Nigeria's NDPA 2023

You have the following rights regarding your personal data:

Right of Access

You can request a copy of the personal data Rebeka holds about you.

Right to Rectification

If your data is inaccurate or incomplete, you can ask us to correct it.

Right to Erasure (Right to Be Forgotten)

You can request deletion of your personal data, except where we are legally required to retain it (e.g., clinical records for 7 years for accreditation).

Right to Restrict Processing

You can ask us to limit how we use your data while we address a dispute or verify accuracy.

Right to Data Portability

You can request your data in a structured, commonly used format (e.g., CSV) so you can move it to another service.

Right to Object

You can object to processing based on legitimate interest (e.g., analytics, security improvements).

Right to Withdraw Consent

Where we process data based on consent, you can withdraw it at any time. This does not affect the lawfulness of processing before withdrawal.

How to exercise your rights: Email privacy@rebeka.app with your request. Include your institution name and the right you wish to exercise. We will respond within one month.

8. Data Security

We take data protection seriously. Here's how we protect your information:

  • Encryption in transit: All data moving to/from Rebeka is encrypted using TLS 1.2+.
  • Encryption at rest: Data stored in Supabase is encrypted using AES-256.
  • Access controls: Only authorized staff can access data. Multi-factor authentication is required for administrative access.
  • Regular audits: We conduct security assessments and penetration testing.
  • Secure processor agreements: All third parties sign data processing agreements requiring equivalent security measures.

No system is 100% secure. While we implement strong protections, we cannot guarantee absolute security. We encourage you to use strong passwords and report security concerns to privacy@rebeka.app.

9. Data Breach Notification

If a breach occurs and your personal data is compromised:

  • We notify the relevant supervisory authority within 72 hours: the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA) under GDPR Art. 33, and the Nigeria Data Protection Commission (NDPC) under NDPA 2023.
  • We notify affected data subjects immediately if there is a high risk to your rights and freedoms (e.g., identity theft risk, unauthorized payment activity).
  • We provide guidance on steps you can take to protect yourself.

10. Children's Privacy

Rebeka is designed for nursing education institutions (coordinators, staff, and nursing students — typically aged 18 and above). We do not knowingly collect personal data from children under 18 years of age. If we become aware that data of a person under 18 has been collected without appropriate institutional or parental authorisation, we will delete it promptly. If you believe a minor’s personal data has been collected, email privacy@rebeka.app.

11. Changes to This Privacy Notice

We may update this privacy notice to reflect changes in our practices, technology, or legal requirements. If we make material changes, we will notify you via email or display a prominent notice on the Rebeka platform. Your continued use of Rebeka after changes constitutes acceptance of the updated notice. The "Last updated" date at the top of this page indicates when it was last revised.

12. Contact Us & Lodge a Complaint

Have questions about this privacy notice or how we handle your data?

Privacy Inquiries & Rights Requests:
privacy@rebeka.app

Data Controller:
ML Upskill Agents UG (haftungsbeschränkt)
Hohe Straße 13, 92249 Vilseck, Germany
Phone: +49 156 79602536
Full company details (Impressum)

Lodge a complaint with Nigeria's Data Protection Authority:

National Data Protection Commission (NDPC)
Nigeria's independent regulator for data protection under the NDPA 2023.
www.ndpc.gov.ng
You have the right to file a complaint with the NDPC if you believe your rights have been violated.

Cookies

Rebeka uses a minimal number of cookies, all of which are functional or essential:

rebeka_market

Stores your selected country/market so you do not need to choose it on every visit. Preference cookie, set when you visit a market-specific page. Expires after 1 year.

rebeka_consent

Records your cookie consent preference. Expires after 1 year.

Clerk session cookies

Essential authentication cookies set by Clerk when you sign in. Required for the Service to function. No consent required.

Rebeka does not use analytics, advertising, or tracking cookies. No third-party consent management platform is loaded.

Data Controller and Processor Roles

ML Upskill Agents UG — Data Controller

We are the data controller for all service data (account information, platform usage, and support communications).

Paddle — Independent Data Controller

Paddle is an independent data controller for all payment and billing data. When you subscribe, Paddle processes your payment information under its own privacy policy.

Supabase — Data Processor

Supabase hosts our database and processes data on our behalf under a data processing agreement.

Clerk — Data Processor

Clerk handles authentication on our behalf under a data processing agreement.

Your Rights Under the EU GDPR

As the data controller is established in Germany, the EU GDPR applies in addition to any local data protection law. Under the GDPR, you have the right to access, rectify, erase, restrict, port, and object to the processing of your personal data (Articles 15–22 GDPR).

You also have the right to lodge a complaint with a supervisory authority. For Germany, the competent authority is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
www.lda.bayern.de

In Summary

Rebeka is built on trust. We collect only the data needed to deliver clinical placement management services to nursing institutions. We don't sell data, we protect it with industry-standard security, we give you control over your information, and we comply with Nigeria’s NDPA 2023, South Africa’s POPIA, and the EU GDPR. If you have any questions, we're here to help — just reach out to privacy@rebeka.app.