Version 1.0 — Effective 1 January 2025
Our commitment: Pedagy does not sell personal information. We do not use learner data for advertising. We do not share data with third parties except as described in this policy.
1. Who We Are
Pedagy (Pty) Ltd ("Pedagy", "we", "us") is a South African software company that provides a learning management system (LMS) for schools. We are a registered operator under POPIA. Our Information Officer can be contacted at popia@pedagy.co.za.
Under POPIA, the School that uses our platform is the Responsible Party for the personal information of its learners, parents, and staff. Pedagy is an Operator — we process that information only on the School's instruction and on its behalf.
2. What Personal Information We Collect
School Administrators
- Full name, email address, phone number
- School name, registration number, EMIS number, address
- Billing and payment details (processed via secure payment gateway)
Teachers
- Full name, email address, phone number
- Gender, date of birth, ID number, employee number
- Highest qualification, subjects taught
- Profile photograph (optional)
Learners
- Full name, email address, phone number
- Gender, date of birth, ID number, student number
- Grade and class
- Academic records: marks, quiz scores, assignment submissions, results
- Profile photograph (optional)
Parents / Guardians
- Full name, email address, phone number, address
- Relationship to learner
- Profile photograph (optional)
Technical Data (all users)
- IP address, browser type, device type
- Login timestamps and last login date
- Pages accessed within the platform (for security and audit purposes)
3. How We Collect Information
We collect personal information in the following ways:
- School onboarding: When a school registers, the administrator provides school and initial staff information.
- User registration: When administrators create teacher, learner, and parent accounts within the platform.
- Platform use: When users submit assignments, complete quizzes, record marks, or send messages.
- Automatic collection: Technical data such as IP address and login time is collected automatically for security and audit purposes.
4. Why We Use Personal Information
| Purpose | Information Used |
|---|
| Providing and operating the Platform | All user account data |
| Displaying academic progress and results | Learner marks, quiz scores, assignments |
| Parent-teacher communication | Names, messages, contact details |
| Billing and subscription management | School admin and payment details |
| Platform security and fraud prevention | IP address, login timestamps |
| Support and troubleshooting | Account information and activity logs |
| Legal compliance | Identity and contact information |
| Platform improvement (anonymised only) | Aggregated, non-identifiable usage statistics |
5. Lawful Basis for Processing
Under POPIA, we rely on the following lawful grounds for processing personal information:
- Contractual necessity: Processing required to deliver the Platform services as agreed with the School.
- Legitimate interest: Security monitoring, fraud prevention, and platform improvement using anonymised data.
- Compliance with legal obligations: Where processing is required by South African law.
- Consent: For optional features such as profile photographs.
6. Children's Privacy
Important: The Pedagy platform is used by schools and may involve the personal information of learners who are minors. Schools, as the Responsible Party, are obligated under POPIA and the Children's Act 38 of 2005 to ensure they have appropriate parental consent before enrolling minor learners on the platform.
Pedagy's commitments regarding children's data:
- We will never use learner personal information for advertising or marketing purposes;
- We will never sell learner data to any third party;
- We will never share learner data with third parties except as strictly required to deliver the Platform services;
- Learner academic data is only accessible to the learner, their teachers, their school administrators, and their linked parents;
- We apply the same or higher level of data protection to children's data as to adult data.
7. Who We Share Information With
We do not sell personal information. We share personal information only in the following circumstances:
- Within the school: Teachers can see their learners' academic data. Admins can see all school data. Parents can see their linked child's data only.
- Service providers: We use trusted third-party providers for hosting (cloud infrastructure), email delivery, and payment processing. These providers are bound by confidentiality and data processing agreements and may not use the data for their own purposes.
- Legal requirements: We may disclose information if required by law, court order, or to protect the rights and safety of users.
- Business transfer: In the event of a merger, acquisition, or sale of Pedagy, personal information may be transferred to the acquiring entity, subject to equivalent privacy protections.
8. Data Retention
| Data Type | Retention Period |
|---|
| Active school and user accounts | Retained for the duration of the active subscription |
| Academic records (marks, results) | Retained for 5 years after last active subscription year |
| Messages and communications | Retained for 2 years after the subscription ends |
| Uploaded files (assignments, content) | Retained for 1 year after the subscription ends |
| School data after termination | 90 days, then permanently deleted |
| Security logs and access logs | 12 months rolling |
| Billing records | 7 years (SARS compliance) |
9. Security
We implement the following security measures to protect personal information:
- Encryption: All data is transmitted over HTTPS/TLS. Passwords are stored using bcrypt hashing and are never stored in plain text or reversible formats.
- Access control: Role-based access ensures that users only see data relevant to their role. Admins, teachers, learners, and parents have strictly separated access.
- Authentication: Forced password change on first login, session management, and session expiry on logout.
- Infrastructure: Hosted on reputable cloud infrastructure with regular backups, server-side firewalls, and intrusion detection.
- Data breach response: We have a documented data breach response procedure. In the event of a breach affecting personal information, we will notify the Information Regulator and affected schools within 72 hours of becoming aware of the breach, as required by POPIA.
10. Your Rights Under POPIA
As a data subject under POPIA, you have the following rights:
- Right of access: You may request a copy of the personal information we hold about you.
- Right to correction: You may request that inaccurate or incomplete information be corrected.
- Right to deletion: You may request deletion of your personal information, subject to legal retention requirements.
- Right to object: You may object to the processing of your personal information on grounds relating to your particular situation.
- Right to complain: If you believe we have violated your privacy rights, you may lodge a complaint with the Information Regulator of South Africa at www.inforegulator.org.za.
To exercise your rights, visit our POPIA Compliance page or email popia@pedagy.co.za.
11. Cookies
Pedagy uses only strictly necessary session cookies to maintain your login state. We do not use tracking cookies, advertising cookies, or third-party analytics cookies. See our full Cookie Policy for details.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated to School Administrators by email at least 30 days before taking effect. The current version is always available at this page with the effective date displayed at the top.