What is POPIA?
The Protection of Personal Information Act (POPIA), Act 4 of 2013, is South Africa's primary data protection law. It came into full effect on 1 July 2021 and governs how organisations collect, store, use, share, and destroy personal information about individuals.
POPIA is enforced by the Information Regulator of South Africa and applies to any organisation that processes personal information within South Africa, including schools, EdTech platforms, and software companies like iSkool.
Who We Are (Responsible Party)
The responsible party for personal information processed through iSkool is:
K2023260831 (South Africa) (Pty) Ltd (Reg. No. 2023/260831/07)
Mandla Simphiwe Mahlangu
2047 Mandisa Street
Tokoza, 1426
South Africa
What Personal Information We Collect
We collect only the personal information necessary to provide the iSkool platform. This includes:
School administrators and teachers:
- Full name and professional role
- Work email address and phone number
- School name, EMIS number, province, and school type
- Usage data (login times, features accessed)
Learners:
- First name and surname
- Grade and class
- Assessment scores, submission data, and gradebook records
- AI Invigilator session data (tab switches, focus events) during live assessments only
Parents / guardians:
- Name and email address (provided by the school)
- Communication records with teachers
Why We Collect It (Purpose Specification)
All personal information collected by iSkool is collected for specific, explicitly defined, and lawful purposes related to delivering the iSkool platform to schools. These include:
- Creating and managing user accounts for teachers, learners, and parents
- Delivering assessments and recording results in the gradebook
- Monitoring assessment integrity via the AI Invigilator
- Providing analytics and reports to teachers, HODs, and principals
- Enabling parent-teacher communication
- Providing technical support and responding to queries
- Complying with our legal obligations under South African law
We do not use personal information for advertising, profiling for third parties, or any purpose incompatible with the above.
The Eight Conditions for Lawful Processing
POPIA sets out eight conditions that all responsible parties must comply with. Here is how iSkool meets each one:
- iSkool has a designated Information Officer responsible for ensuring POPIA compliance across the platform.
- We only collect information that is adequate, relevant, and not excessive for the stated purpose. Users can use the platform with minimal data.
- All data is collected for specified, lawful purposes and is not retained longer than necessary. See Section 04 and Section 09.
- Personal information is not further processed in a manner incompatible with the original purpose without fresh consent.
- Schools are responsible for ensuring learner and staff data entered into the platform is accurate. We provide tools to update and correct records.
- We maintain this POPIA compliance notice and a Privacy Policy that is easily accessible. We notify users of our data practices before collection.
- We implement technical and organisational measures to protect personal information. See Section 08 for details.
- Data subjects have the right to access, correct, and request deletion of their personal information. See Section 06 and Section 14.
Your Rights as a Data Subject
Under POPIA Section 5, every data subject whose personal information we hold has the following rights:
- You have the right to know when your personal information is being collected and what it will be used for.
- You can request a copy of the personal information iSkool holds about you.
- You can request that inaccurate, incomplete, or outdated information be corrected.
- You can request the deletion of your personal information, subject to our legal obligations and retention policy.
- You can object to the processing of your personal information on reasonable grounds.
- Where processing is based on consent, you may withdraw that consent at any time.
- You can opt out of receiving direct marketing communications from iSkool at any time.
- You have the right to lodge a complaint with the Information Regulator of South Africa at inforeg.org.za.
Learner Data and Minor Protections
iSkool processes personal information about learners, who may be minors (persons under 18). We take this responsibility seriously and apply additional protections:
- Learner accounts are created by the school, not by learners themselves, ensuring institutional oversight.
- Learner data is only accessible to their assigned teachers, HOD, and principal within the same school.
- We do not display learner data publicly or make it accessible outside the school's institutional account.
- AI Invigilator data is accessible only to teachers and administrators at the relevant school, and solely for academic integrity purposes.
- Schools are required under our Terms of Service to inform learners and their parents that monitoring occurs during assessments.
Security Safeguards
We implement appropriate technical and organisational measures to prevent loss, damage, or unauthorised access to personal information. These include:
- Encryption: All data transmitted between users and iSkool is encrypted using TLS. Sensitive stored data is encrypted at rest.
- Access controls: Role-based access ensures users only see information relevant to their role (learner, teacher, principal).
- Data hosting: iSkool data is hosted by Namecheap, Inc. on servers located in the United States. This cross-border transfer is carried out in accordance with POPIA Section 72. Namecheap is contractually bound by their own data protection commitments.
- Regular security reviews: We conduct regular security assessments of our infrastructure and code.
- Staff training: All iSkool staff with access to personal information are trained on their POPIA obligations.
- Data integrity: iSkool takes reasonable measures to ensure data availability and integrity through backup and recovery processes maintained by our hosting provider.
Data Retention
We retain personal information only for as long as necessary for the purpose for which it was collected, or as required by law. Our retention periods are:
- Active accounts: Personal information is retained for the duration of the school's subscription or pilot agreement.
- After account closure: Data is retained for 12 months after account deactivation, to allow for data export requests. It is then permanently deleted.
- Assessment records: Assessment scores and gradebook data may be retained for up to 24 months to support academic record requirements, unless the school requests earlier deletion.
- Legal holds: In the event of a legal dispute or regulatory investigation, we may retain relevant data for longer as required by law.
Third-Party Operators
iSkool uses a limited number of trusted third-party service providers (operators) to deliver the platform. All operators are contractually bound to process personal information only on our instructions and in compliance with POPIA.
- Cloud infrastructure: Namecheap, Inc. — servers and databases (United States). Namecheap processes data solely to host and serve the platform and is bound by their data protection commitments.
- Email delivery: For transactional system emails (password resets, notifications)
- Error monitoring: For platform stability and debugging (anonymised where possible)
We do not sell personal information to third parties. We do not share personal information with advertisers. We do not share data with any party beyond what is required to deliver the iSkool service.
Cross-Border Transfers
iSkool data is hosted by Namecheap, Inc. on servers located in the United States of America. This means that personal information collected through the iSkool platform is transferred outside of South Africa for storage and processing purposes.
This cross-border transfer is carried out in accordance with POPIA Section 72. By using the iSkool platform, schools and users acknowledge and consent to this transfer. We have taken the following steps to ensure your data remains protected:
- Namecheap, Inc. is contractually bound by their own privacy policy and terms of service, which govern the security and handling of data on their infrastructure.
- All data in transit between your device and our servers is encrypted using TLS/HTTPS.
- Namecheap processes your data solely to host and serve the iSkool platform and does not use it for any other purpose.
Cookies and Tracking Technologies
The iSkool platform uses session cookies strictly to maintain your logged-in state while using the platform. We do not use advertising cookies, preference cookies, or third-party tracking of any kind.
- Session cookies: Required to keep you logged in while using the platform. These expire when you close your browser.
- Internal platform data: iSkool's own backend systems record standard activity data such as login events and feature usage to maintain and improve the platform. This data stays on iSkool's servers and is never shared with third parties.
By using the iSkool platform, you consent to our use of essential session cookies. You can disable cookies in your browser settings, but this will affect your ability to log in and use the platform.
Data Breaches
In the event of a data breach that compromises personal information, iSkool will:
- Notify the Information Regulator as soon as reasonably possible after becoming aware of the breach, in the prescribed manner.
- Notify all affected data subjects (schools, teachers, and where relevant, learners and parents) of the nature of the breach, what information was affected, and the steps being taken.
- Conduct a post-incident review and implement remediation measures to prevent recurrence.
Exercising Your Rights
To exercise any of your rights under POPIA (access, correction, deletion, objection, or withdrawal of consent), please submit a written request to our Information Officer. Requests must include:
- Your full name and the email address associated with your iSkool account
- The name of your school
- A clear description of the right you wish to exercise and the specific information concerned
- A copy of a valid form of identification (ID or passport)
We will acknowledge your request within 3 business days and respond fully within 30 business days, as required by POPIA regulations (Form 2).
Contact Us & Complaints
For any POPIA-related queries, concerns, or complaints, contact our Information Officer:
Mandla Simphiwe Mahlangu
K2023260831 (South Africa) (Pty) Ltd
2047 Mandisa Street
Tokoza, 1426
South Africa
If you are not satisfied with our response to a complaint, you have the right to escalate the matter directly to the Information Regulator of South Africa at inforeg.org.za.