Legal

POPIA Compliance

TeachSA Connect (Pty) Ltd is committed to the responsible and lawful processing of personal information in accordance with the Protection of Personal Information Act 4 of 2013 (POPIA). This notice explains how we meet our obligations as a responsible party.

Our Commitment to POPIA

TeachSA Connect (Pty) Ltd ("TeachSA", "we", "us", or "our") is fully committed to compliance with the Protection of Personal Information Act 4 of 2013 (POPIA) and all subsidiary regulations issued by the Information Regulator of South Africa.

This compliance notice is effective from 13 April 2026 and applies to all personal information processed through the TeachSA Connect platform, including the seeker portal, poster portal, admin portal, marketing website, and mobile applications.

As a responsible party under POPIA, we process personal information of job seekers (teachers and education professionals), job posters (schools, education institutions, and recruitment agencies), and platform administrators. We take our obligations seriously and have implemented comprehensive technical, organisational, and governance measures to protect your personal information.

The Eight POPIA Conditions

POPIA establishes eight conditions for the lawful processing of personal information. Below we detail each condition and how TeachSA Connect complies:

1. Accountability (Section 8)

We have designated an Information Officer who is registered with the Information Regulator of South Africa. Our compliance framework includes internal policies, staff training, regular audits, and documented data processing activities. The Information Officer is accountable for ensuring all processing meets POPIA requirements.

2. Processing Limitation (Sections 9–12)

Personal information is processed only where we have a lawful basis to do so. We rely on the following grounds:

Consent: Freely given, specific, informed consent obtained at registration, during verification, and through our verification consent form.
Minimality: We collect only the personal information that is necessary for the specific purpose. We do not collect information "just in case".
Directly from data subject: We collect personal information directly from you wherever possible, except where authorised by law or with your consent.

3. Purpose Specification (Sections 13–14)

We collect personal information for clearly defined purposes including: identity verification, professional qualification verification, job matching and recruitment, payment processing, platform security, support services, and compliance with legal obligations. Information is retained only for as long as necessary to fulfil the purpose for which it was collected, subject to our retention schedule below.

4. Further Processing Limitation (Section 15)

We do not process your personal information for purposes incompatible with the original collection purpose. Any further processing is assessed against the compatible purpose test, considering the relationship between purposes, the nature of the information, consequences for you, the manner of collection, and any contractual rights and obligations.

5. Information Quality (Section 16)

We take reasonable steps to ensure personal information is complete, accurate, not misleading, and updated where necessary. You can review and correct your personal information through your profile settings at any time, or by contacting us directly.

6. Openness (Sections 17–18)

This compliance notice serves as our notification to data subjects under POPIA. We maintain transparency about what information we collect, why we collect it, how we use it, who we share it with, and how long we keep it. Our Privacy Policy provides additional detail on our processing activities.

7. Security Safeguards (Sections 19–22)

We implement comprehensive technical and organisational security measures to protect personal information against loss, damage, unauthorised access, and unlawful processing:

Encryption at rest: Industry standard authenticated encryption for sensitive data fields including identity documents and verification records.
Encryption in transit: TLS 1.2+ for all data transmission between clients and servers.
Password security: Strong cryptographic hashing for all credentials, passwords are never stored in plaintext.
Malware protection: All uploaded files are scanned for malware before processing or storage.
Access control: Role Based Access Control (RBAC) with distinct admin roles, enforced at the API level.
Audit logging: Comprehensive audit trail of all data access and modifications.
Breach notification: Documented procedures for notifying the Information Regulator and affected data subjects within the timeframes prescribed by Section 22.

8. Data Subject Participation (Sections 23–25)

You have the right to access your personal information, request correction of inaccurate information, and request deletion of your information subject to legal retention requirements. See "Your Rights as a Data Subject" below for the full list of rights and how to exercise them.

Information Officer Details

Our Information Officer is registered with the Information Regulator of South Africa in compliance with Section 55 of POPIA.

Organisation: TeachSA Connect (Pty) Ltd
Email: privacy@teachsaconnect.co.za
Registration: Registered with the Information Regulator of South Africa

The Information Officer is responsible for encouraging compliance with POPIA, handling data subject requests, and working with the Information Regulator on investigations or assessments.

Lawful Grounds for Processing

We process personal information based on one or more of the following lawful grounds:

Consent (Section 11(1)(a)): You provide consent when you register an account, submit documents for verification, accept the verification consent form, and opt in to communications. You may withdraw consent at any time, though this may affect your ability to use certain platform features.
Contractual Necessity (Section 11(1)(b)): Processing is necessary for the performance of our service agreement with you, including account management, job matching, verification services, payment processing, and customer support.
Legal Obligation (Section 11(1)(c)): We are required to process certain information to comply with employment law, tax legislation (Income Tax Act, SARS requirements), the Companies Act, and other applicable South African law.
Legitimate Interest (Section 11(1)(f)): We process information where we have a legitimate interest that is not overridden by your rights. This includes fraud prevention, platform security monitoring, abuse detection, statistical analytics (aggregated and anonymised), and improving service quality.

Special Personal Information (Sections 26–33)

POPIA provides enhanced protections for special personal information. We handle such information as follows:

Criminal records (police clearance): We process police clearance certificates as part of teacher verification, with your explicit consent, to confirm suitability for working with learners. These documents are encrypted at rest and access is strictly limited to authorised verification staff.
Biometric information (selfie for ID verification): We collect a selfie photograph for identity verification purposes (matching against your ID document). This is processed with your explicit consent and retained only for the duration of the verification process plus the retention period required for audit purposes.
Health information: Not collected. We do not request or process any health related personal information.
Religious or philosophical beliefs: Not collected.
Political persuasion: Not collected.
Race or ethnic origin: Not collected.
Trade union membership: Not collected.

Where we do process special personal information, we do so only with your explicit consent (Section 27) or where authorised by law, and we apply additional security safeguards.

Automated Decision Making (Section 71)

TeachSA Connect uses automated processing in the following areas:

AI verification scoring: Documents submitted for verification are assessed using artificial intelligence to extract text, classify documents, and score confidence levels.
Trust scores: Composite trust scores are generated based on verification results, document quality, and consistency checks.
Eligibility matching: Automated matching of seeker profiles against job posting requirements including qualifications, subjects, location, and experience.
Automated preflight checks: Pre submission validation of documents for format, size, readability, and completeness before human review.

Human oversight: No automated decision that significantly affects you is made without the opportunity for human review. Automated scores and classifications are used to assist, not replace, human decision making in the verification process.

Your rights regarding automated decisions:

The right to be notified that a decision has been made solely by automated means.
The right to request human review of any automated decision.
The right to contest the outcome of an automated decision.
The right to receive a meaningful explanation of the logic involved in the decision.

Cross Border Data Transfers (Section 72)

Certain personal information may be transferred to, stored, or processed in jurisdictions outside of South Africa. We ensure that adequate safeguards are in place for all cross-border transfers:

Google Cloud Platform (US/EU servers): Infrastructure hosting, automated document analysis, and cloud storage. Google maintains comprehensive data protection agreements and is certified under multiple international frameworks.
Paystack (Nigeria): Payment processing for subscription and billing services. Paystack is PCI DSS compliant and maintains standard contractual clauses for cross-border data protection.
Push notification provider: Push notification delivery for mobile applications. Minimal personal information is transferred (device tokens and notification content).

Safeguards applied to all transfers:

The recipient country or organisation provides an adequate level of protection (Section 72(1)(a)).
Standard contractual clauses or binding corporate rules are in place.
You have consented to the transfer after being informed of possible risks (where applicable).
The transfer is necessary for the performance of a contract between you and TeachSA Connect.

Data Breach Procedures (Section 22)

In the event of a security compromise that results in unauthorised access to, or the loss, damage, or destruction of personal information, we follow a documented breach response procedure:

Detection and assessment: Our monitoring systems are designed to detect unauthorised access. Upon discovery, the breach is assessed for severity, scope, and the nature of the information affected.
Notification to the Information Regulator: We notify the Information Regulator within 72 hours of becoming aware of a breach that poses a risk to data subjects, as required by Section 22.
Notification to affected data subjects: We notify affected individuals as soon as reasonably possible, providing details of the breach, the information affected, what steps we have taken, and what steps you can take to protect yourself.
Remedial actions: We implement immediate containment measures, conduct a root cause analysis, and apply corrective actions to prevent recurrence.
Breach register: All breaches and near misses are recorded in our breach register, including the facts, effects, and remedial actions taken.

Children's Personal Information (Sections 34–35)

The TeachSA Connect platform is designed exclusively for users aged 18 years and older. We do not knowingly collect, process, or store personal information from children (persons under the age of 18).

If we discover that we have inadvertently collected personal information from a minor, we will:

Immediately delete the information from our systems.
Deactivate the associated account.
Notify the parent or guardian where reasonably possible.
Record the incident in accordance with our data protection procedures.

If you believe a minor has registered on the platform or that we hold information about a child, please contact us immediately at privacy@teachsaconnect.co.za.

Direct Marketing (Section 69)

We comply fully with Section 69 of POPIA regarding direct marketing communications:

Opt in consent: We only send direct marketing communications where you have provided explicit opt in consent.
Existing customer exception: If you are an existing user, we may contact you about similar services to those you have already used on TeachSA Connect, provided you have not opted out.
Unsubscribe mechanism: Every marketing communication includes a clear and functional unsubscribe option. Opt out requests are processed within 2 business days.
No third party sharing: We do not share your personal information with third parties for their direct marketing purposes.

You can manage your communication preferences in your account settings or by contacting privacy@teachsaconnect.co.za.

Your Rights as a Data Subject

Under POPIA, you have the following rights regarding your personal information:

Right to be informed: You have the right to know what personal information we hold about you, why we process it, and who we share it with.
Right of access (Subject Access Request): You may request a copy of all personal information we hold about you. Our SAR process: submit your request → we verify your identity → we compile a watermarked export of your data → delivered to you within 30 days.
Right to correction: You may request that we correct or update inaccurate, incomplete, or misleading personal information.
Right to deletion: You may request the deletion of your personal information, subject to our legal retention obligations. Upon a valid request, we will delete or anonymise your information within 30 days, unless retention is required by law. We will confirm deletion in writing.
Right to restriction: You may request that we restrict the processing of your information in certain circumstances, for example while a dispute is being resolved.
Right to objection: You may object to the processing of your personal information where we rely on legitimate interest as the lawful ground.
Right to data portability: You may request your personal information in a structured, commonly used, machine readable format.
Right to withdraw consent: Where processing is based on consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing that occurred before the withdrawal.
Right to complain: If you are not satisfied with our handling of your information, you have the right to lodge a complaint with the Information Regulator of South Africa (see contact details below).

How to Exercise Your Rights

To exercise any of your rights as a data subject, follow these steps:

Submit your request: Email privacy@teachsaconnect.co.za with the subject line "Data Subject Request" and clearly describe what you are requesting.
Identity verification: For your protection, we will ask you to verify your identity before processing any request. This may include confirming your registered email address and providing a copy of your South African ID (we will accept a redacted copy showing only the information necessary for verification).
Response timeline: We will acknowledge your request within 5 business days and provide a substantive response within 30 days of verifying your identity.
No fee: There is no charge for exercising your rights unless a request is manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable fee or decline the request with reasons.
Escalation: If you are unsatisfied with our response, you may escalate your complaint to the Information Regulator of South Africa (see below).

Information Regulator Contact

If you wish to lodge a complaint or enquiry with the regulator:

Name: The Information Regulator (South Africa)
Address: SALU Building, 316 Thabo Sehume Street, Pretoria
Postal: P.O. Box 31533, Braamfontein, Johannesburg, 2017
Email: POPIAComplaints@inforegulator.org.za
Telephone: +27 12 406 4818
Website: https://inforegulator.org.za

Retention Schedule

We retain personal information only for as long as necessary to fulfil the purpose for which it was collected, or as required by law. The table below summarises our standard retention periods:

Data Category	Retention Period	Basis
Verification documents	5 years	Legal compliance, audit requirements
Audit logs	7 years	Companies Act, regulatory compliance
User profiles	3 years after last activity	Service delivery, account recovery
Support tickets	2 years	Service improvement, dispute resolution
Payment records	5 years	SARS requirements, financial audits
Communication logs	2 years	Service quality, dispute resolution
Cookies / session data	Session / 12 months	Platform functionality, see Cookie Policy

When the retention period expires, personal information is securely deleted or irreversibly anonymised in accordance with our data disposal procedures.

Updates to This Notice

We may update this POPIA compliance notice from time to time to reflect changes in our practices, legal requirements, or platform functionality.

Advance notice: We will provide at least 30 days' advance notice before material changes take effect.
Email notification: For material changes affecting how we process your personal information, we will notify you by email to your registered address.
Continued use: Your continued use of TeachSA Connect after the notice period constitutes acceptance of the updated notice.
Historical versions: Previous versions of this notice are available upon request.

We encourage you to review this notice periodically. If you have questions about any changes, contact privacy@teachsaconnect.co.za.

View Privacy Policy →