POPIA Compliance

Pedagy is committed to full compliance with the Protection of Personal Information Act 4 of 2013 (POPIA). This page sets out our compliance posture and allows you to exercise your data subject rights.

  • POPIA in force: 1 July 2021
  • Information Officer appointed
  • Response within 30 days
POPIA Act 4 of 2013 — Fully in force since 1 July 2021

Information Officer

Pedagy has appointed an Information Officer as required by section 55 of POPIA. The Information Officer is responsible for ensuring Pedagy's compliance with POPIA and handling all data subject requests.

| Detail | Information |
|---|---|
| Information Officer | Pedagy Information Officer |
| Email | popia@pedagy.co.za |
| Postal address | Pedagy (Pty) Ltd, South Africa |
| Information Regulator registration | Registered as required under POPIA |

The 8 Conditions for Lawful Processing

POPIA requires that personal information is processed in accordance with 8 conditions. Here is how Pedagy meets each condition:

| Condition | How Pedagy Complies |
|---|---|
| 1. Accountability | An Information Officer is appointed. Privacy policies are published and maintained. Processing activities are documented. |
| 2. Processing Limitation | We collect only what is necessary to provide the Platform. No data is collected for purposes beyond what is disclosed. |
| 3. Purpose Specification | All personal information is collected for specified, explicit, and legitimate purposes as set out in our Privacy Policy. |
| 4. Further Processing Limitation | Personal information is not processed in a manner incompatible with the original purpose. Learner data is never used for marketing. |
| 5. Information Quality | Schools are responsible for the accuracy of the data they enter. Users can update their profiles. We provide mechanisms to correct inaccurate data. |
| 6. Openness | This POPIA page, our Privacy Policy, and our Terms of Service fully disclose our processing activities. Users are notified at account creation. |
| 7. Security Safeguards | Passwords are bcrypt-hashed. Data is transmitted over HTTPS. Role-based access controls apply. Breach response procedures are in place. |
| 8. Data Subject Participation | Data subjects may access, correct, delete, or object to processing of their personal information using the form on this page. |

Responsible Party vs Operator

Under POPIA, the School is the Responsible Party — they determine why and how learner, parent, and teacher data is processed. Pedagy is the Operator — we process that data only on the school's instruction, on its behalf, and with reasonable security measures in place.

This distinction matters:

  • Schools must obtain appropriate consent from parents before enrolling minor learners;
  • Schools are responsible for the accuracy of the data they capture;
  • Pedagy processes that data only to deliver the Platform services;
  • Pedagy and each School enter into a Data Processing Agreement (DPA) that formalises this operator relationship.

School Obligations Under POPIA

By using Pedagy, schools accept the following obligations as Responsible Parties:

  • Parental consent: Obtain and document parental consent before enrolling learners under the age of 18.
  • Data minimisation: Only capture personal information that is necessary. Do not upload sensitive personal information beyond what the platform requires.
  • Staff training: Ensure that teachers and administrators understand their obligations regarding learner data privacy.
  • Breach notification: Notify Pedagy immediately at popia@pedagy.co.za if you become aware of a suspected data breach involving Pedagy.
  • Access management: Remove accounts for staff who leave your employment. Do not share login credentials.
  • Retention: Request deletion of data that is no longer required.

Technical Security Safeguards

  • Password hashing: All passwords are stored using bcrypt — they cannot be reversed or read by any Pedagy staff member.
  • HTTPS: All communication between your browser and Pedagy is encrypted using TLS.
  • Role-based access: Each user role (admin, teacher, learner, parent) can only access data relevant to their function.
  • Session security: Sessions are regenerated on login and destroyed on logout. Sessions expire after inactivity.
  • Forced password change: New accounts are required to change their password on first login.
  • Audit logging: Login events, password changes, and administrative actions are logged.
  • Backups: Data is backed up regularly and stored securely.
  • File uploads: Uploaded files are validated for type and size before storage.

Data Breach Response Procedure

In the event of a suspected or confirmed data breach:

  1. Containment: We immediately isolate affected systems and suspend compromised accounts.
  2. Assessment: We assess the nature, scope, and likely consequences of the breach within 24 hours.
  3. Notification to Schools: Affected schools are notified by email within 48 hours of confirmation.
  4. Notification to Information Regulator: We notify the Information Regulator within 72 hours as required by POPIA section 22.
  5. Notification to Data Subjects: Affected individuals are notified as soon as practicable where there is a risk of harm.
  6. Remediation: We document the incident, implement fixes, and conduct a post-incident review.

To report a suspected breach, email popia@pedagy.co.za with the subject line "SECURITY BREACH".

Your Rights as a Data Subject

| Right | What It Means | How to Exercise |
|---|---|---|
| Access (Section 23) | Request a copy of all personal information we hold about you | Submit form below |
| Correction (Section 24) | Request correction of inaccurate or outdated information | Submit form below or update in-platform |
| Deletion (Section 24) | Request deletion of your personal information | Submit form below |
| Objection (Section 11(3)) | Object to processing of your information | Submit form below |
| Withdraw consent | Withdraw consent for optional processing (e.g. profile photo) | Update in-platform or contact us |
| Complain | Lodge a complaint with the Information Regulator | inforegulator.org.za |

We will respond to all data subject requests within 30 days as required by POPIA section 53.

Submit a Data Subject Access Request