1. Overview
Parent Link ("we", "our", "the Platform") is a mobile application and web service operated in the Republic of South Africa. The Platform enables schools to document student behavioural incidents and automatically notify parents and guardians.
This Privacy Policy applies to all users of the Platform, including school administrators, principals, teachers, and parents who receive notifications. By using the Platform, you consent to the practices described in this policy.
2. Data We Collect
We collect different categories of personal information depending on your role within the Platform. We follow the principle of data minimisation - we only collect what is necessary to provide the service.
2.1 School & Administrator Data
| Data Type | Examples | Purpose |
|---|---|---|
| School details | School name, address, contact email, phone number | Account creation, communication |
| Administrator details | Full name, email address, phone number | Account management, authentication |
| Payment information | Transaction references (via Paystack) | Subscription billing |
2.2 Teacher Data
| Data Type | Examples | Purpose |
|---|---|---|
| Profile details | Full name, email address | Account creation, authentication |
| Class assignment | Class name, grade | Linking incidents to correct classes |
| Activity logs | Incidents created, timestamps | Audit trail, accountability |
2.3 Student Data
| Data Type | Examples | Purpose |
|---|---|---|
| Identity details | First name, last name, grade | Student identification |
| Class information | Class assignment | Organisational grouping |
| Incident records | Type, description, severity, date, photos | Behavioural documentation |
2.4 Parent & Guardian Data
| Data Type | Examples | Purpose |
|---|---|---|
| Contact details | Full name, email, WhatsApp number | Incident notifications |
| Relationship | Relationship to student (mother, father, guardian) | Context for communication |
| Notification preferences | WhatsApp on/off, email on/off | Respecting communication preferences |
3. How We Use Your Data
Personal information is processed for the following purposes:
- Service delivery - Creating and managing school accounts, user profiles, student records, and incident reports.
- Notifications - Sending WhatsApp and email notifications to parents when an incident involving their child is reported.
- Analytics - Providing aggregated, school-level behavioural analytics to administrators and principals.
- Authentication & security - Verifying user identities, managing teacher approvals, and enforcing access controls.
- Billing - Processing subscription payments through Paystack and maintaining payment history.
- Support - Responding to support requests and troubleshooting issues.
- Improvement - Analysing anonymised usage patterns to improve the Platform's features and performance.
We never use personal information for advertising, marketing profiling, or selling to third parties.
4. Legal Basis for Processing
Under POPIA, we process personal information based on the following lawful grounds:
- Consent - Schools provide explicit consent during registration. Parents are informed by the school that the Platform is used for incident reporting.
- Contractual necessity - Processing is necessary to fulfil the subscription agreement between the school and Parent Link.
- Legitimate interest - Schools have a legitimate interest in documenting student behaviour and communicating with parents about their children's conduct.
- Legal obligation - Schools may have regulatory obligations to document certain incidents, which the Platform facilitates.
5. Data Sharing & Third Parties
We share personal information only with service providers who are essential to operating the Platform. We have data processing agreements in place with each provider.
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase | Database hosting, authentication, file storage | All Platform data | AWS (configurable region) |
| Meta (WhatsApp Cloud API) | WhatsApp message delivery | Parent phone numbers, message content | United States |
| Resend | Email notification delivery | Parent email addresses, message content | United States |
| Paystack | Payment processing | Administrator name, email, payment amounts | South Africa |
| Sentry | Error monitoring | Anonymised crash reports (no PII) | United States |
We do not sell, rent, or trade personal information. We will only disclose data to law enforcement or government authorities when legally compelled to do so by a valid court order or subpoena.
6. Data Security
We implement multiple layers of security to protect personal information:
- Encryption in transit - All data transmitted between the app and our servers is encrypted using TLS 1.3.
- Encryption at rest - All stored data, including images, is encrypted using AES-256.
- Row Level Security (RLS) - Database-level policies ensure complete data isolation between schools. A teacher at School A can never access data from School B.
- JWT authentication - Short-lived, signed tokens with automatic refresh ensure secure session management.
- Password hashing - All passwords are hashed using bcrypt. We never store plaintext passwords.
- Secure file storage - Incident images are stored in encrypted buckets accessible only via signed URLs with role-based permissions.
- Input validation - All user inputs are validated and sanitised to prevent injection attacks.
- Payment security - We never handle or store credit card details. All payment processing is handled by Paystack, which is PCI-DSS compliant.
7. Data Retention
We retain personal information only for as long as necessary to fulfil the purposes described in this policy:
| Data Category | Retention Period | After Retention |
|---|---|---|
| Active school data | Duration of subscription | Available for export, then deleted |
| Incident reports & images | Duration of subscription + 1 year | Anonymised or deleted |
| Inactive school data | 1 year after last login | Anonymised or deleted |
| Payment records | 5 years (legal requirement) | Permanently deleted |
| Application logs | 90 days | Automatically purged |
When a school cancels its subscription, administrators are given 30 days to export their data before it is scheduled for deletion.
8. Your Rights Under POPIA
As a data subject, you have the following rights regarding your personal information:
Right of Access
Request a copy of the personal information we hold about you.
Right to Correction
Request corrections to inaccurate or incomplete personal information.
Right to Deletion
Request deletion of your personal information, subject to legal retention requirements.
Right to Object
Object to the processing of your personal information for specific purposes.
Right to Portability
Request your data in a commonly used electronic format (CSV, JSON).
Right to Complain
Lodge a complaint with the Information Regulator if you're unsatisfied with our response.
To exercise any of these rights, contact us at privacy@parentlink.co.za. We will respond within 30 days of receiving your request.
9. Children's Data
Our Platform processes personal information about children (students) on behalf of schools. This processing is conducted with the knowledge and consent of the school, which acts in its capacity as an educational institution with responsibility for the student.
We take extra care with children's data:
- Children do not create accounts or interact with the Platform directly.
- Student data is only entered and managed by authorised school staff (teachers, admins, principals).
- Student data is strictly limited to first name, last name, grade, and class - the minimum needed for incident identification.
- Incident reports about students are only shared with the student's linked parents or guardians.
- Student data is subject to all the same encryption and isolation protections as other data.
Schools are responsible for obtaining any necessary parental consent for processing student data through the Platform, in accordance with their own policies and applicable regulations.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Platform's features, or legal requirements. When we make material changes:
- We will update the "Last updated" date at the top of this page.
- We will notify school administrators via email at least 14 days before changes take effect.
- For significant changes affecting how we process personal information, we will request renewed consent where required.
We encourage you to review this policy periodically.
12. Contact Us
If you have questions about this Privacy Policy, want to exercise your rights, or have concerns about how your data is handled, please reach out to us.
Information Officer
Our appointed Information Officer is available to assist with any privacy-related enquiries or requests.