Privacy Policy

We take the privacy of students, parents, and educators seriously. This policy explains how Parent Link collects, uses, stores, and protects personal information in compliance with the Protection of Personal Information Act (POPIA).

Last updated: 1 May 2026
POPIA Compliant

1. Overview

Parent Link ("we", "our", "the Platform") is a mobile application and web service operated in the Republic of South Africa. The Platform enables schools to document student behavioural incidents and automatically notify parents and guardians.

This Privacy Policy applies to all users of the Platform, including school administrators, principals, teachers, and parents who receive notifications. By using the Platform, you consent to the practices described in this policy.

Responsible Party
Crafted Bits (Pty) Ltd is the responsible party under POPIA for processing personal information through the Platform. Individual schools are joint responsible parties for the student and parent data they manage within the system.

2. Data We Collect

We collect different categories of personal information depending on your role within the Platform. We follow the principle of data minimisation - we only collect what is necessary to provide the service.

2.1 School & Administrator Data

Data Type | Examples | Purpose
School details | School name, address, contact email, phone number | Account creation, communication
Administrator details | Full name, email address, phone number | Account management, authentication
Payment information | Transaction references (via Paystack) | Subscription billing

2.2 Teacher Data

Data Type | Examples | Purpose
Profile details | Full name, email address | Account creation, authentication
Class assignment | Class name, grade | Linking incidents to correct classes
Activity logs | Incidents created, timestamps | Audit trail, accountability

2.3 Student Data

Data Type | Examples | Purpose
Identity details | First name, last name, grade | Student identification
Class information | Class assignment | Organisational grouping
Incident records | Type, description, severity, date, photos | Behavioural documentation

2.4 Parent & Guardian Data

Data Type | Examples | Purpose
Contact details | Full name, email, WhatsApp number | Incident notifications
Relationship | Relationship to student (mother, father, guardian) | Context for communication
Notification preferences | WhatsApp on/off, email on/off | Respecting communication preferences

What We Don't Collect
We do not collect ID numbers, financial information from parents, biometric data, health records, or any special personal information as defined by POPIA - unless a school voluntarily includes such details in an incident description.

3. How We Use Your Data

Personal information is processed for the following purposes:

  • Service delivery - Creating and managing school accounts, user profiles, student records, and incident reports.
  • Notifications - Sending WhatsApp and email notifications to parents when an incident involving their child is reported.
  • Analytics - Providing aggregated, school-level behavioural analytics to administrators and principals.
  • Authentication & security - Verifying user identities, managing teacher approvals, and enforcing access controls.
  • Billing - Processing subscription payments through Paystack and maintaining payment history.
  • Support - Responding to support requests and troubleshooting issues.
  • Improvement - Analysing anonymised usage patterns to improve the Platform's features and performance.

We never use personal information for advertising, marketing profiling, or selling to third parties.

5. Data Sharing & Third Parties

We share personal information only with service providers who are essential to operating the Platform. We have data processing agreements in place with each provider.

Provider | Purpose | Data Shared | Location
Supabase | Database hosting, authentication, file storage | All Platform data | AWS (configurable region)
Meta (WhatsApp Cloud API) | WhatsApp message delivery | Parent phone numbers, message content | United States
Resend | Email notification delivery | Parent email addresses, message content | United States
Paystack | Payment processing | Administrator name, email, payment amounts | South Africa
Sentry | Error monitoring | Anonymised crash reports (no PII) | United States

Cross-Border Transfers
Some of our service providers are located outside South Africa. Where personal information is transferred internationally, we ensure adequate safeguards are in place as required by POPIA Section 72, including contractual protections and reliance on providers with strong data protection certifications.

We do not sell, rent, or trade personal information. We will only disclose data to law enforcement or government authorities when legally compelled to do so by a valid court order or subpoena.

6. Data Security

We implement multiple layers of security to protect personal information:

  • Encryption in transit - All data transmitted between the app and our servers is encrypted using TLS 1.3.
  • Encryption at rest - All stored data, including images, is encrypted using AES-256.
  • Row Level Security (RLS) - Database-level policies ensure complete data isolation between schools. A teacher at School A can never access data from School B.
  • JWT authentication - Short-lived, signed tokens with automatic refresh ensure secure session management.
  • Password hashing - All passwords are hashed using bcrypt. We never store plaintext passwords.
  • Secure file storage - Incident images are stored in encrypted buckets accessible only via signed URLs with role-based permissions.
  • Input validation - All user inputs are validated and sanitised to prevent injection attacks.
  • Payment security - We never handle or store credit card details. All payment processing is handled by Paystack, which is PCI-DSS compliant.

Security Incident Notification
In the unlikely event of a data breach, we will notify affected schools and the Information Regulator within 72 hours of becoming aware of the breach, as required by POPIA.

7. Data Retention

We retain personal information only for as long as necessary to fulfil the purposes described in this policy:

Data Category | Retention Period | After Retention
Active school data | Duration of subscription | Available for export, then deleted
Incident reports & images | Duration of subscription + 1 year | Anonymised or deleted
Inactive school data | 1 year after last login | Anonymised or deleted
Payment records | 5 years (legal requirement) | Permanently deleted
Application logs | 90 days | Automatically purged

When a school cancels its subscription, administrators are given 30 days to export their data before it is scheduled for deletion.

8. Your Rights Under POPIA

As a data subject, you have the following rights regarding your personal information:

Right of Access

Request a copy of the personal information we hold about you.

Right to Correction

Request corrections to inaccurate or incomplete personal information.

Right to Deletion

Request deletion of your personal information, subject to legal retention requirements.

Right to Object

Object to the processing of your personal information for specific purposes.

Right to Portability

Request your data in a commonly used electronic format (CSV, JSON).

Right to Complain

Lodge a complaint with the Information Regulator if you're unsatisfied with our response.

To exercise any of these rights, contact us at privacy@parentlink.co.za. We will respond within 30 days of receiving your request.

Information Regulator (South Africa)
If you wish to file a complaint, you may contact the Information Regulator at enquiries@inforegulator.org.za.

9. Children's Data

Our Platform processes personal information about children (students) on behalf of schools. This processing is conducted with the knowledge and consent of the school, which acts in its capacity as an educational institution with responsibility for the student.

We take extra care with children's data:

  • Children do not create accounts or interact with the Platform directly.
  • Student data is only entered and managed by authorised school staff (teachers, admins, principals).
  • Student data is strictly limited to first name, last name, grade, and class - the minimum needed for incident identification.
  • Incident reports about students are only shared with the student's linked parents or guardians.
  • Student data is subject to all the same encryption and isolation protections as other data.

Schools are responsible for obtaining any necessary parental consent for processing student data through the Platform, in accordance with their own policies and applicable regulations.

10. Cookies & Tracking

Our mobile application does not use cookies. If you visit our marketing website, we may use:

  • Essential cookies - Required for the website to function (session management). These cannot be disabled.
  • Analytics cookies - Used to understand how visitors use the website (e.g., page views, traffic sources). These are anonymised and can be disabled.

We do not use advertising cookies, remarketing pixels, or tracking scripts from social media platforms. We do not build advertising profiles or participate in cross-site tracking.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Platform's features, or legal requirements. When we make material changes:

  • We will update the "Last updated" date at the top of this page.
  • We will notify school administrators via email at least 14 days before changes take effect.
  • For significant changes affecting how we process personal information, we will request renewed consent where required.

We encourage you to review this policy periodically.

12. Contact Us

If you have questions about this Privacy Policy, want to exercise your rights, or have concerns about how your data is handled, please reach out to us.

Information Officer

Our appointed Information Officer is available to assist with any privacy-related enquiries or requests.