SCHOOL Platform โ Privacy Policy
Effective Date: 1 May 2026 Version: 1.0
Summary: SCHOOL collects only the personal information necessary to deliver educational services to you. We do not sell your data. Students who are minors receive extra protection. You have the right to access, correct, and delete your information. This policy complies with South Africa's POPIA and is compatible with the GDPR.
1. Who This Policy Applies To
This Privacy Policy applies to:
- Learners (students using the Platform for study, past papers, and AI coaching)
- Tutors (independent service providers on the tutor marketplace)
- Parents and Guardians (where they create or consent to accounts for minors)
- School Administrators (where a school or institution uses the Platform)
- Visitors to our website who do not hold an account
2. The Responsible Party (POPIA)
For the purposes of the Protection of Personal Information Act 4 of 2013 ("POPIA"), the Responsible Party is:
DITSHEGO VENTURES (Pty) Ltd t/a SCHOOL Registration Number: 2026/349873/07 Physical Address: 273 Ferguson Crescent, Eersterus, Pretoria, 0022, Gauteng, South Africa Email: legal@school.ditshego-ventures.co.za Phone: +27 62 960 3988
Information Officer (as required by POPIA Section 55): Name: MK Ditshego Email: information-officer@school.ditshego-ventures.co.za Phone: +27 62 960 3988
The Information Officer has been registered with the Information Regulator of South Africa (Reference: pending โ registration in progress).
3. Legal Basis for Processing (POPIA Condition 2 โ Lawfulness)
We process your personal information only when at least one of the following conditions is met:
| Basis | When We Use It |
|---|---|
| Consent | For optional features (marketing emails, optional analytics), and for processing personal information of minors |
| Contract | To create your account, process wallet transactions, match learners with tutors |
| Legitimate interest | Platform security, fraud prevention, improving the Platform |
| Legal obligation | Tax records, PAIA requests, court orders |
For users in the European Economic Area (EEA), these conditions map to Article 6 of the GDPR as follows: consent (Art. 6(1)(a)), contract (Art. 6(1)(b)), legal obligation (Art. 6(1)(c)), legitimate interest (Art. 6(1)(f)).
4. What Personal Information We Collect
4.1 Registration and Profile Information
| Information | Purpose |
|---|---|
| First and last name | Account identification, tutor profile display |
| Email address | Account login, communications, transactional notifications |
| Phone number | Two-factor authentication, WhatsApp notifications (where enabled) |
| Province and city | Localising curriculum content, tutor matching |
| School (optional) | Class and curriculum routing |
| Date of birth (where collected) | Age verification, parental consent workflow |
| Profile photo (optional) | Tutor profile display |
4.2 Academic and Learning Data
| Information | Purpose |
|---|---|
| Lesson progress and completion | Personalised study recommendations |
| Past paper attempts and scores | Weakness detection, progress tracking |
| Quiz responses | Mastery assessment |
| AI assistant conversation history | Continuity of AI coaching sessions |
| Study planner entries | Planner feature operation |
| Weak topic markers | Adaptive recommendation engine |
4.3 Financial and Transaction Data
| Information | Purpose |
|---|---|
| Wallet credit balance and ledger | Wallet operation |
| Transaction history (credits purchased, debited) | Financial record-keeping |
| Payment method details | Processed and stored by Stripe; SCHOOL stores only last-4 digits and card type |
| Billing address | Payment processing compliance |
| Top-up amounts | Anti-fraud monitoring |
4.4 Tutor-Specific Data
| Information | Purpose |
|---|---|
| Identity document (ID/Passport) | Tutor verification |
| Qualification documents | Tutor verification display |
| Banking details | Tutor payout processing |
| Session records | Dispute resolution, payment calculation |
| Ratings and reviews | Tutor profile quality |
4.5 Technical and Usage Data
| Information | Purpose |
|---|---|
| IP address | Security, fraud detection, geo-restriction |
| Device type and browser | Platform optimisation |
| Session timestamps and durations | Product analytics |
| Feature interaction events | Product improvement |
| Error logs | Bug resolution |
4.6 Communications
| Information | Purpose |
|---|---|
| In-platform messages between learners and tutors | Message delivery, dispute evidence |
| Support requests | Support resolution |
| Community posts (where applicable) | Community feature operation |
5. Special Categories of Personal Information
SCHOOL may, in limited circumstances, process the following special categories of personal information (as defined in POPIA Section 26):
- Information about a child (learner academic data for minors): processed only with parental consent.
- Health information: only where voluntarily disclosed in a support request context; not actively collected.
We do not collect or process information relating to race, ethnicity, religion, sexual orientation, biometric data, trade union membership, or criminal convictions as part of normal platform operation.
6. Children's Personal Information (POPIA Section 35 and Children's Act)
SCHOOL takes special care with the personal information of learners under 18 years of age.
6.1 Minors (Under 18)
We process personal information of minor learners only where:
- A parent or legal guardian has given consent; or
- A school or institution has confirmed that appropriate parental consents are in place.
6.2 Children Under 13
We do not knowingly collect personal information from children under 13 without verified parental consent. If we discover that we have collected information from a child under 13 without appropriate consent, we will delete it promptly.
If you believe a child under 13 has provided us with personal information without consent, contact us at: information-officer@school.ditshego-ventures.co.za.
6.3 Academic Data of Minors
Learner academic performance data (scores, progress, weak topics) is treated as sensitive educational records. We do not share this data with third parties except:
- The learner's own school or institution (where the school has an institutional account and the learner is enrolled);
- A parent or guardian who requests access;
- AI service providers operating under data processing agreements (see Section 8).
7. How We Use Your Personal Information
We use your personal information for the following purposes:
- Delivering educational services: lesson delivery, past paper access, AI coaching, planner tools.
- Account management: registration, authentication, settings, and security.
- Tutor marketplace: matching learners with tutors, processing sessions, calculating payouts, resolving disputes.
- Wallet operations: processing credit purchases, debiting credits for unlocks, maintaining ledger records.
- Platform improvement: anonymised analytics to improve features and content quality.
- Security and fraud prevention: detecting and preventing unauthorised access and financial fraud.
- Legal compliance: meeting obligations under POPIA, ECTA, the Value-Added Tax Act, and other applicable law.
- Communications: sending transactional emails (account alerts, receipts), service announcements, and (with your consent) promotional communications.
8. Third Parties We Share Data With
We do not sell your personal information. We share it with third parties only as follows:
| Third Party | Category | Purpose | Location |
|---|---|---|---|
| Stripe, Inc. | Payment processor | Processing wallet top-up transactions | United States |
| OpenAI, L.L.C. (or equivalent AI provider) | AI service provider | Powering the AI study assistant | United States |
| Railway Corporation | Infrastructure provider | Hosting the Platform | United States |
| Amazon Web Services / S3 provider | Storage provider | Storing uploaded files and past papers | eu-west-1 (Ireland) or af-south-1 (Cape Town) |
| Sentry (if enabled) | Error monitoring | Logging application errors | EU (Ireland) โ optional, disabled by default |
| Our professional advisers | Legal, accounting, audit | Professional services | South Africa |
All third-party processors are bound by data processing agreements that require them to process personal information only on our instructions and in accordance with applicable law.
8.1 Cross-Border Transfers (POPIA Section 72)
Several of our third-party providers are based outside South Africa (principally in the United States). We transfer personal information to these providers only where:
- The recipient is subject to a law or agreement that provides substantially similar protection to POPIA; or
- You have consented to the transfer; or
- The transfer is necessary to perform our contract with you.
Where we transfer personal information of EEA users, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission.
9. Retention of Personal Information (POPIA Section 14)
We retain personal information only for as long as necessary for the purpose for which it was collected, or as required by law.
| Category | Retention Period |
|---|---|
| Account and profile data | Duration of account + 5 years after closure |
| Academic and learning data | Duration of account + 2 years after closure |
| Financial and transaction records | 5 years (VAT Act requirement) |
| Tutor verification documents | Duration of tutor relationship + 3 years |
| Communication logs | 2 years |
| Equipment quote records | 30 days (configurable per env) |
| Security and access logs | 1 year |
| Deleted account personal data | 30 days (after which it is anonymised or deleted) |
10. Your Rights (POPIA Section 23 and GDPR Chapter III)
You have the following rights in relation to your personal information:
| Right | Description | How to Exercise |
|---|---|---|
| Right of access | Request a copy of the personal information we hold about you | Email information-officer@school.ditshego-ventures.co.za |
| Right to correction | Request correction of inaccurate or incomplete information | Account settings or email us |
| Right to deletion | Request deletion of your personal information (subject to legal retention obligations) | Account closure or email us |
| Right to object | Object to processing based on legitimate interest (e.g., direct marketing) | Email us or unsubscribe link in emails |
| Right to restriction | Request restriction of processing in certain circumstances | Email us |
| Right to data portability (EEA users) | Receive your personal information in a structured, machine-readable format | Email us |
| Right to withdraw consent | Withdraw consent at any time without affecting prior processing | Account settings or email us |
Response time: We will respond to your request within 30 days (extendable by a further 30 days where the request is complex or numerous).
PAIA Manual: Our PAIA manual, setting out how to request access to records, is available at: school.ditshego-ventures.co.za/legal/paia
Complaints: If you are not satisfied with our response, you may lodge a complaint with the Information Regulator of South Africa:
- Website: https://www.justice.gov.za/inforeg/
- Email: inforeg@justice.gov.za
- Physical address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
EEA users may also lodge a complaint with the supervisory authority in their EU member state.
11. Security (POPIA Section 19)
SCHOOL implements appropriate technical and organisational measures to protect your personal information against loss, unauthorised access, and unlawful processing, including:
- Passwords hashed using bcrypt;
- JWT authentication with signed cookies and CSRF protection;
- HTTPS encryption in transit;
- Role-based access controls;
- Regular dependency security audits (
npm audit); - Static application security testing (Semgrep);
- Secret scanning (gitleaks);
- Content Security Policy headers.
Security compromise notification: In the event of a security compromise affecting your personal information, we will notify the Information Regulator and (where required) you within 72 hours of becoming aware of the compromise, as required by POPIA Section 22.
To report a security vulnerability, contact: security@school.ditshego-ventures.co.za โ see the Security Policy for responsible disclosure guidelines.
12. Cookies and Tracking
We use cookies and similar tracking technologies as described in the Cookie Policy. Essential cookies are used to maintain your authenticated session. Analytics cookies are used only with your consent.
13. AI-Generated Content and Your Data
When you interact with the AI study assistant, your conversation is transmitted to our AI service provider (currently OpenAI) to generate responses. We:
- Do not use your personal conversation data to train AI models without your explicit consent;
- Transmit only the minimum data necessary to generate a useful response;
- Retain AI conversation history to provide conversation continuity, subject to the retention periods in Section 9.
14. Marketing Communications
We will send you promotional emails only if you have opted in. You can unsubscribe at any time using the unsubscribe link in any email or by contacting us. Transactional communications (receipts, security alerts, session confirmations) are not marketing and will continue regardless of marketing preferences.
15. Changes to This Policy
We may update this Privacy Policy at any time. For material changes (changes that affect how we use personal information in ways you would not reasonably expect), we will notify you by email with at least 30 days' notice. Continued use of the Platform after the effective date of the new Policy constitutes acceptance.
16. Contact
To exercise your rights, ask a question about this Policy, or raise a privacy concern:
Information Officer: Email: information-officer@school.ditshego-ventures.co.za Physical: 273 Ferguson Crescent, Eersterus, Pretoria, 0022, Gauteng
General enquiries: Email: legal@school.ditshego-ventures.co.za
DITSHEGO VENTURES (Pty) Ltd t/a SCHOOL โ Responsible Party under POPIA
Last reviewed: 1 May 2026