Privacy Policy
Effective date: 6 July 2026 Applies to: learners enrolled at schools that use Skoolara, their parents/guardians, and school staff using the Skoolara platform.
This Privacy Policy explains how the school at which a learner is enrolled ("the school", "we", "us") collects, uses, shares and protects personal information through the Skoolara platform. The school is the Responsible Party under the Protection of Personal Information Act, 2013 ("POPIA") and, where applicable to learners or parents located in the European Union, the Controller under the General Data Protection Regulation ("GDPR"). Teleios IT Consulting (Pty) Ltd, operating the Skoolara platform ("Skoolara"), acts as the Operator (POPIA) / Processor (GDPR) on the school's behalf.
We use plain language wherever possible. Where precise legal language is necessary, we have used it and noted it.
1. Who we are
The School (Responsible Party / Controller)
The Responsible Party for a learner's personal information is the school at which that learner is enrolled. Each school's registered details and the contact details of its designated Information Officer are provided to parents and guardians at enrolment and are available inside the Skoolara app. Skoolara supports schools across South Africa, so this policy refers to "the school" generically — it means the specific school your child attends.
Skoolara (Operator / Processor)
- Registered name: Teleios IT Consulting (Pty) Ltd (operating the Skoolara platform)
- Company registration: 2025/487193/07
- Information Officer: Sachen Govender — registered with the Information Regulator of South Africa under reference 2026-005741 (appointed 2026-04-01).
- Contact for privacy queries:
privacy@skoolara.co.za - Website:
https://skoolara.co.za
If you have a question about your own or your child's personal information, you should normally contact your school first. Skoolara will only act on instructions from the school except where law requires otherwise.
2. What this policy covers
This policy covers personal information collected and processed through:
- the Skoolara website (including the school portal and any marketing pages);
- the Skoolara mobile application for parents, learners and staff; and
- the Skoolara staff dashboard used by teachers, administrative staff and school leadership.
It does not cover third-party websites linked from the platform. Those sites have their own privacy policies.
3. Personal information we collect
The information we collect depends on who you are. Much of the information we hold relates to children (learners under 18 years of age) and is therefore subject to additional protections — see section 6 below.
3.1 About learners (including children)
- identifying information: full name, preferred name, date of birth, gender, nationality, South African ID number or passport number, home-language;
- school-related information: grade, class, homeroom teacher, enrolment date, academic history;
- attendance records (daily and per-period);
- academic performance: marks, assessments, reports, progression data;
- documents: copies of identity document / birth certificate, proof of residence, previous school reports, immunisation records and other documents the school may require;
- medical information (where voluntarily provided): allergies, chronic conditions, medication, emergency contact information;
- communications: messages between the learner (if age-appropriate) and staff, submissions, homework uploads;
- images: school photographs, event media (with consent).
3.2 About parents and guardians
- full name, relationship to learner (parent, legal guardian, grandparent, etc.);
- contact details: mobile number, email address, physical and postal address;
- identity document / passport number (where required for guardianship verification);
- employment and emergency contact details (voluntary);
- communications with the school.
3.3 About teachers and staff
- employment information: full name, SACE number, ID number, qualifications, role;
- contact details;
- role-based data: classes taught, marks captured, attendance captured, messages sent;
- authentication and audit data (logins, actions performed in the system).
3.4 Technical information (all users)
- device type, operating system, app version;
- IP address and approximate location derived from it;
- authentication tokens and push-notification tokens;
- audit logs of actions taken within the platform.
4. Why we collect it (purposes)
We collect and use personal information for the following purposes:
- Education delivery — enrolling learners, assigning them to classes, recording marks, setting homework, publishing reports, facilitating communication between teachers, learners and parents.
- Attendance compliance — recording attendance as required by the South African Schools Act 84 of 1996 and provincial education regulations.
- Statutory reporting — submitting learner-level and aggregate data to the Department of Basic Education's information systems (including SA-SAMS and its successors) and to provincial departments of education.
- Safety and duty of care — verifying identity of adults collecting learners, emergency medical response, safeguarding.
- School–parent communication — sending notices, newsletters, attendance alerts, invoices, academic reports and direct messages.
- Billing and administration — fees, invoices, school-level reporting.
- Security, fraud prevention and audit — detecting unauthorised access, investigating incidents, maintaining audit trails.
- Legal compliance — responding to lawful requests from regulators, courts or authorised public bodies.
We will not use personal information for any purpose that is materially different from these without first obtaining fresh consent or establishing another lawful basis.
5. Legal basis for processing
Under POPIA, we rely on the following justifications (s11) depending on the data and purpose:
- Consent of a competent person (POPIA s11(1)(a) and s35) — for the processing of a child's personal information, we rely on the consent of the child's parent or legal guardian. For adult learners (18+), we rely on the learner's own consent.
- Performance of a contract (s11(1)(b)) — the contract of enrolment between the school and the parent/guardian.
- Compliance with an obligation imposed by law (s11(1)(c)) — e.g. the South African Schools Act, the Children's Act 38 of 2005, education policy requirements.
- Protection of a legitimate interest of the data subject (s11(1)(d)).
- Proper performance of a public-law duty by a public body (s11(1)(e)) — where the school is a public school.
- Legitimate interest of the responsible party or a third party (s11(1)(f)) — e.g. security and audit logging, balanced against the interests of learners and parents.
For learners or parents located in the EU, the parallel GDPR bases are applied:
- Article 6(1)(a) — consent.
- Article 6(1)(b) — performance of a contract.
- Article 6(1)(c) — legal obligation.
- Article 6(1)(e) — public interest task.
- Article 6(1)(f) — legitimate interests.
- Article 8 — conditions applicable to child's consent in relation to information society services (where the learner is below the age at which consent can be given on their own behalf).
- Article 9 — additional protections for special-category data (e.g. health information provided for medical-care purposes).
Where we rely on consent, you may withdraw it at any time. Withdrawal does not affect processing carried out before withdrawal, nor does it affect processing where we have another lawful basis (for example, statutory reporting obligations).
6. Children's data — special protections
Because the Skoolara platform is designed for use by schools, most of the personal information we hold relates to children. We apply the following additional safeguards:
- Parental / guardian consent (POPIA s35). A child's personal information may be processed only with the consent of a competent person, or under one of the limited exceptions set out in POPIA s35(1)(b)–(e). At enrolment, the school obtains consent from the parent or legal guardian via the POPIA collection notice (see the POPIA Collection Notice).
- GDPR Art 8 (EU learners). Where a learner or parent is in the EU, parental authorisation is required for learners below the applicable age threshold (16 by default, or the lower threshold set by the relevant member state, down to 13).
- Child-friendly notice. We provide a plain-language summary for children, in fulfilment of POPIA s18 and GDPR Art 12(1) transparency obligations.
- No direct marketing to children. Skoolara and the school will not send direct marketing, advertising or promotional content to children. Marketing communications about the platform are directed to adults (parents, staff, school decision-makers).
- No automated profiling of children. Skoolara does not subject children's personal information to automated decision-making or profiling within the meaning of GDPR Art 22. Any analytics used to support teaching (for example, identifying learners who may need support) are designed to assist teachers, not to take decisions without human involvement.
- Minimisation. We collect only the information necessary for education delivery, statutory reporting and the child's safety. Voluntary fields are clearly marked.
7. Who sees personal information
Within the school, access is role-based:
- Class teachers — see the learners in their classes.
- Subject teachers — see academic information for the subjects they teach.
- School administrators and the principal — see information necessary for running the school.
- Linked parents / guardians — see only their own children's information and their own information.
- The learner — age-appropriate access, subject to parental controls.
Outside the school, personal information may be disclosed to:
- Authorised officials of the Department of Basic Education and the relevant provincial education department, to the extent required by law (for example, SA-SAMS submissions).
- The Information Regulator or other regulators, where legally required.
- Courts and law enforcement, pursuant to a lawful order.
- Auditors and professional advisers bound by duties of confidentiality.
Operators / Processors engaged by the school or by Skoolara include:
- Teleios IT Consulting (Pty) Ltd (trading as Skoolara) — platform operator.
- Cloud infrastructure providers — reputable third-party providers engaged, under written data-processing terms, for application hosting and database services, secure storage of uploaded files, transactional email, and push-notification delivery.
Skoolara does not process school-fee payments; fee information in the app is a bookkeeping record only. A complete and current list of the specific sub-processors engaged is maintained in the Operator Agreement between the school and Skoolara and is available from the school on request.
8. Where your information is stored
Personal information processed through Skoolara is stored and processed within the Republic of South Africa.
The only routine cross-border element is the delivery of push notifications to mobile devices, which relies on a global messaging service. Those notifications are data-minimised: they contain only an opaque device identifier and a generic, non-personal message — never a learner's name, marks or message content. The app fetches the actual content via an authenticated request, served from within South Africa, when the user opens the notification. To the extent this involves any transfer, Skoolara relies on the safeguards permitted by POPIA s72 (and, where applicable to EU-located users, GDPR Chapter V), including Standard Contractual Clauses or equivalent contractual safeguards with the relevant provider.
9. How long we keep personal information
We keep personal information only for as long as necessary for the purposes for which it was collected, or as required by law. The following are default retention periods; a school may configure retention in line with its own policies and applicable regulations. A detailed retention schedule is maintained by Skoolara and is available from the school on request.
| Category | Default retention |
|---|---|
| Active learner records | During enrolment + 7 years after the learner leaves the school |
| Academic marks and reports | Statutory period (generally the learner's lifetime for certification purposes) |
| Attendance records | 7 years |
| Parent contact information | Lifetime of the school relationship + 1 year |
| Teacher/staff records | 7 years after termination of employment |
| Audit logs | 7 years |
| Backups | Rolling 35 days |
At the end of the retention period, personal information is securely deleted or irreversibly anonymised.
10. Your rights
POPIA and GDPR give you rights in relation to your (or your child's) personal information, including:
- Access (POPIA s23 / GDPR Art 15) — to know whether we hold your information and to receive a copy.
- Correction (POPIA s24 / GDPR Art 16) — to have inaccurate information corrected.
- Deletion (POPIA s24 / GDPR Art 17) — to request deletion where we no longer need the information or where processing was unlawful.
- Objection (POPIA s11(3) / GDPR Art 21) — to object to processing based on legitimate interests or public-interest tasks.
- Restriction (GDPR Art 18) — to have processing suspended while a dispute is resolved.
- Data portability (GDPR Art 20) — to receive, in a structured, commonly used, machine-readable format, information you provided to us.
- Withdraw consent — where processing is based on consent.
- Lodge a complaint with the Information Regulator (or your EU supervisory authority).
We aim to respond to requests within 30 days. Complex requests may take longer, in which case we will tell you why and keep you informed.
11. How to request access, deletion or correction
You may exercise your rights by:
- emailing your school's Information Officer (contact details are in your enrolment pack and the Skoolara app);
- using the "Privacy requests" screen in the Skoolara app (Settings → Privacy → Request access / deletion / correction); or
- writing to the school at the address in section 1.
Please tell us clearly what you are asking for and provide enough information for us to verify your identity. If you are asking on behalf of a child, we may confirm that you are their parent or legal guardian.
12. Security
We take the security of personal information seriously. Measures include:
- Encryption in transit using TLS 1.2 or higher.
- Encryption at rest for databases, backups and document storage.
- Role-based access control in the staff dashboard.
- Multi-factor authentication available for staff accounts.
- Audit logging of sensitive actions (access to learner records, exports, deletions).
- Regular backups with tested restoration procedures.
- Vulnerability management and security testing of the platform.
- Staff training on privacy and information security.
No system is perfectly secure. We continually improve our controls and respond promptly to identified risks.
13. Breach notification
If a security compromise occurs affecting personal information, we will act in accordance with POPIA s22 and, where applicable, GDPR Articles 33 and 34:
- The school's Information Officer will be notified without unreasonable delay.
- The Information Regulator will be notified as required by law.
- Affected parents, guardians and other data subjects will be notified unless the identity of the data subjects cannot be established.
- Notifications will describe the nature of the compromise, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed.
We maintain standard breach-notification procedures and templates internally so that any required notification is made promptly and consistently.
14. Complaints
If you are concerned about how your (or your child's) personal information has been handled, you can:
- Contact your school's Information Officer (details in your enrolment pack and the Skoolara app).
- Contact Skoolara at
privacy@skoolara.co.za. - Lodge a complaint with the Information Regulator (South Africa):
- Information Regulator (South Africa)
- JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
- P.O. Box 31533, Braamfontein, 2017
- Complaints email:
POPIAComplaints@inforegulator.org.za- General email:inforeg@justice.gov.za- Website:https://inforegulator.org.za
If you are in the EU, you may also lodge a complaint with your national supervisory authority.
15. Changes to this policy
We may update this policy from time to time. When we do, we will:
- update the
version:andlast_reviewed:fields; - post the new version on the Skoolara platform; and
- for material changes, notify parents, guardians and staff by email or in-app message and, where required, re-obtain consent.
16. Contact
Your school (Responsible Party) Contact your school's designated Information Officer first — their contact details are in your enrolment pack and in the Skoolara app.
Skoolara operator contact
Teleios IT Consulting (Pty) Ltd (trading as Skoolara)
Information Officer: Sachen Govender (Information Regulator registration 2026-005741)
Email: privacy@skoolara.co.za
End of Privacy Policy.