SchoolBag

Privacy Policy

Effective date: 1 May 2026

SchoolBag is committed to protecting your privacy in compliance with the Protection of Personal Information Act (POPIA) of South Africa and, where applicable, the General Data Protection Regulation (GDPR).

This Privacy Policy explains what personal information we collect, why we collect it, how we use it, and what rights you have over your data.

1. Who We Are

SchoolBag ("we", "us", "our") is the operator of the SchoolBag platform, a digital academic management tool designed for students, teachers, tutors, and educational institutions across Southern Africa.

2. Information We Collect

We collect the following categories of personal information:

Account information: Full name, email address, password (hashed), role, and registration date.
Profile information: Academic level, school name, date of birth, gender, phone number, city/town, student number, and profile photo (all optional).
Emergency contact: Name, phone number, and relationship — optional, used for institutional safety purposes only.
Academic files: Documents, images, and other files you upload to your Locker.
Usage data: Login timestamps, IP addresses, device type, and user-agent strings logged for security purposes.
AI interaction data: Chat messages sent to the AI Assistant and the responses generated.
Tutoring and booking data: Session requests, confirmations, and communications with tutors.
Marketplace data: Listings, purchases, and seller account details where applicable.

3. How We Use Your Information

To provide, operate, and improve the SchoolBag platform.
To authenticate your identity and secure your account.
To deliver the AI Assistant, tutoring matching, exam preparation, and marketplace features.
To send transactional emails (account verification, password resets).
To detect and prevent fraud, abuse, or security threats (including login rate limiting).
To comply with legal obligations under POPIA, GDPR, and applicable South African law.

4. Legal Basis for Processing

We process your personal information on the following grounds:

Contract performance: Processing necessary to provide the Service you have signed up for.
Legitimate interest: Security monitoring, fraud prevention, and platform improvement.
Consent: Where you have explicitly opted in (e.g., optional profile fields).
Legal obligation: Where required by South African law or court order.

5. Data Sharing

We do not sell your personal information. We may share data with:

AI service providers (e.g., Anthropic, Google) solely to process your AI Assistant requests. These providers operate under their own data processing agreements.
Other users you connect with — tutors you book, peers you share files with, class members in rooms you join — to the extent necessary to operate those features.
Institutions you are affiliated with, where you have accepted an institution's invitation.
Law enforcement or regulators when required by a valid legal process.

6. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. When you delete your account, all personal data is permanently and irreversibly deleted within a reasonable technical timeframe. Aggregated, anonymised analytics may be retained.

7. Your Rights (POPIA / GDPR)

Depending on your jurisdiction, you have the right to:

Access: Request a copy of all personal data we hold about you (available via Settings > Account > Download My Data).
Correction: Update inaccurate or incomplete information via your profile settings.
Erasure: Permanently delete your account and all associated data via Settings > Account > Delete Account.
Restriction: Request that we limit processing of your data in certain circumstances.
Portability: Receive your data in a structured, machine-readable format (ZIP export).
Objection: Object to processing based on legitimate interest.
Lodge a complaint: With the Information Regulator of South Africa (inforegulator.org.za) or your national data protection authority.

8. Security

We implement industry-standard technical and organisational measures to protect your personal information, including:

Bcrypt password hashing — plaintext passwords are never stored.
Login rate limiting — accounts are temporarily locked after repeated failed attempts.
File isolation — uploaded files are served via authenticated PHP endpoints, never exposed directly by the web server.
Session management with server-side invalidation on logout.

No system is perfectly secure. In the event of a data breach that affects your rights, we will notify affected users and the Information Regulator as required by POPIA.

9. Children's Privacy

SchoolBag may be used by learners aged 13 and above. Where a user is under 18, we require parental or guardian consent. Institutions deploying SchoolBag to minor learners are responsible for ensuring appropriate consent processes are in place and that they comply with applicable child-protection legislation.

10. Cookies and Tracking

We use only strictly necessary session cookies to maintain your login state. We do not use third-party advertising trackers or behavioural profiling cookies.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you via email or an in-platform notice at least 14 days before material changes take effect. The "Effective date" at the top of this page will always reflect the most recent version.

To exercise your data rights or for privacy-related enquiries, contact our Information Officer at privacy@schoolbag.app