1. Introduction
This Privacy Policy explains how TeachSA Connect (Pty) Ltd, a company registered in Randburg, Gauteng, South Africa ("TeachSA Connect", "we", "us", or "our"), collects, uses, stores, shares, and protects your personal information when you use the TeachSA Connect platform ("the Platform").
TeachSA Connect is a verification driven hiring platform for the South African education sector. We connect Seekers (educators seeking employment) with Posters (schools, institutions, and education organisations seeking to hire educators). Our Platform verifies qualifications, identity, and professional credentials to build trust in the hiring process.
This policy applies to all users of the Platform, including Seekers, Posters, and visitors to our website. It covers personal information collected through our web portals, mobile applications, and any associated services.
We process personal information in compliance with the Protection of Personal Information Act 4 of 2013 (POPIA), including the conditions for lawful processing set out in Chapter 3.
Effective date: 13 April 2026. This policy supersedes all prior versions.
By using the Platform, you acknowledge that you have read and understood this Privacy Policy. For our broader POPIA commitments, see our POPIA Commitments page. For terms governing your use of the Platform, see our Terms of Service.
2. Information Officer
In terms of POPIA Section 55, TeachSA Connect has designated an Information Officer responsible for ensuring compliance with the Act and responding to requests relating to your personal information.
Designated Information Officer
Our Information Officer is registered with the Information Regulator (South Africa) as required by POPIA Section 55(2). The Information Officer is responsible for encouraging compliance with the conditions of lawful processing, dealing with requests made under POPIA, and working with the Information Regulator in relation to investigations.
All requests concerning your personal information — including access, correction, deletion, and objection — should be directed to the Information Officer at the email address above.
3. Categories of Personal Information We Collect
We collect and process different categories of personal information depending on whether you are a Seeker (educator) or a Poster (school/institution). Below is a detailed overview organised by category.
3.1 Identity Information
- Full name (first name, surname)
- Date of birth
- South African ID number (encrypted at rest; only the last 4 digits are stored in plaintext for display purposes)
- Passport number (encrypted at rest, for non SA citizens)
- Profile picture and banner image
3.2 Contact Information
- Email address
- Primary phone number
- Alternate phone number
- Physical address (city, province)
- GPS coordinates (for location based job matching)
3.3 Qualification and Professional Information (Seekers)
- Qualifications (type, NQF level, specialisation, subjects, teaching phases)
- Teaching experience (employer name, position, employment dates, subjects taught, grade levels)
- SACE (South African Council for Educators) registration number
- Language preferences and proficiencies
- Availability and preferred teaching phases
- Search radius and location preferences
3.4 Institutional Information (Posters)
- Institution name and type
- CIPC registration number or EMIS number (hashed with HMAC SHA256 for duplicate detection)
- Representative name and role
- Institution address, website, and location coordinates
3.5 Verification Documents
- Curriculum vitae (CV) in PDF or DOCX format
- Certified copies of qualifications
- Police clearance certificate
- Reference letters from previous employers
- SACE registration certificate
- Any additional supporting documentation
3.6 Financial Information
- Subscription plan details (Posters)
- Payment transaction references (processed via Paystack; we do not store full card numbers)
- Billing history and invoice data
3.7 Technical and Usage Data
- IP address and browser/device information
- Session identifiers and authentication tokens
- Device tokens used to deliver push notifications
- Platform activity logs (pages visited, features used, search queries)
- Error logs and performance data
3.8 Communications
- In platform messages between Seekers and Posters
- Support ticket content and correspondence
- Email notification preferences
- Feedback and survey responses
For further detail on how verification documents are processed, see our Verification Consent page.
4. How We Collect Your Information
We collect personal information through the following means:
4.1 Directly From You
- When you register an account as a Seeker or Poster
- When you complete or update your profile
- When you upload verification documents (qualifications, police clearance, CV, reference letters)
- When you contact our support team or submit feedback
- When you configure notification and communication preferences
- When you subscribe to a paid plan (payment details entered via Paystack's secure payment form)
4.2 Automatically
- Cookies and session data: Authentication tokens (httpOnly cookies), CSRF protection tokens, and session identifiers are set when you log in. See our Cookie Policy for full details.
- Activity logs: We log platform interactions for security monitoring, fraud detection, and service improvement.
- Device information: Browser type, operating system, screen resolution, and IP address are collected for security and compatibility purposes.
- Location data: GPS coordinates may be collected (with your consent) for location based job matching and search radius functionality.
4.3 From Third Parties
- CheckID API: Identity verification results confirming whether submitted ID documents match official records (SA ID or passport verification).
- Paystack: Payment confirmation and transaction status for subscription management.
4.4 Via Automated Document Analysis
- Document analysis: When you upload verification documents, an automated document analysis system extracts text and structured data (such as qualification names, dates and institutions) from your documents. This extraction is used to pre-populate verification fields and assess document authenticity.
- Only document images are transmitted to the analysis service — no direct personal identifiers (such as your name or ID number) are sent separately.
- For more information on automated processing, see Section 7 below and our Verification Consent page.
5. Lawful Basis for Processing (POPIA Section 11)
Under POPIA, we may only process your personal information if at least one lawful condition is met. We rely on the following conditions as set out in POPIA Sections 11–14:
5.1 Consent (POPIA Section 11(1)(a))
- Registration and account creation — you consent when signing up
- Document uploads and AI assisted verification — explicit consent obtained at upload
- Location data collection for job matching
- Marketing communications (opt in)
- Cookies and analytics tracking (per our Cookie Policy)
You may withdraw consent at any time by contacting privacy@teachsaconnect.co.za or through your account settings. Withdrawal of consent does not affect the lawfulness of processing conducted prior to withdrawal.
5.2 Contractual Necessity (POPIA Section 11(1)(b))
- Providing the Platform services as described in our Terms of Service
- Account management and user authentication
- Processing subscription payments and billing
- Job matching between Seekers and Posters
- Facilitating communication between Seekers and Posters
5.3 Legal Obligation (POPIA Section 11(1)(c))
- Retaining financial records as required by the Tax Administration Act
- Responding to lawful requests from regulatory authorities
- Reporting data breaches to the Information Regulator (POPIA Section 22)
- Retaining audit logs for compliance and dispute resolution
5.4 Legitimate Interest (POPIA Section 11(1)(f))
- Fraud prevention and trust scoring to protect all users
- Platform security monitoring and incident response
- Service improvement through aggregated, anonymised analytics
- Ensuring the integrity of the verification process
Where we rely on legitimate interest, we conduct a balancing test to ensure our interests do not override your fundamental rights and freedoms.
6. How We Use Your Information
We use the personal information we collect for the following purposes:
6.1 Account Management
- Creating and maintaining your account
- Authenticating your identity when you sign in
- Managing your profile, preferences, and notification settings
6.2 Identity and Document Verification
- Verifying your SA ID number or passport via a third party identity provider
- Analysing uploaded documents to extract qualification details, dates, and institutions
- Producing trust assessments to assist administrator review
- Detecting potential document fraud
6.3 Job Matching and Eligibility
- Matching Seekers to relevant job postings based on qualifications, location, and preferences
- Assessing eligibility criteria set by Posters
- Enabling location based search using your stated location and search preferences
6.4 Communication
- Sending transactional emails (account confirmations, password resets, verification updates)
- Delivering push notifications
- Facilitating in platform messaging between Seekers and Posters
- Sending service announcements and platform updates
6.5 Billing and Payments
- Processing subscription payments through our payment processor
- Managing invoices, receipts, and billing history
- Handling subscription upgrades, downgrades, and cancellations
6.6 Platform Security and Fraud Prevention
- Monitoring for suspicious activity and unauthorised access
- Scanning uploaded files for malware
- Detecting duplicate registrations
- Maintaining comprehensive audit logs
6.7 Analytics and Service Improvement
- Analysing aggregated, anonymised usage patterns to improve the Platform
- Monitoring Platform performance and reliability
- Understanding user behaviour to inform feature development
6.8 Legal Compliance and Support
- Responding to data subject requests (access, correction, deletion)
- Complying with lawful requests from courts and regulatory authorities
- Resolving disputes and enforcing our Terms of Service
- Providing user support and resolving reported issues
7. AI and Automated Processing
TeachSA Connect uses artificial intelligence and automated processing to support the verification of educator qualifications and identity documents. We believe in transparency about how these systems work and your rights in relation to them.
7.1 Categories of Automated Systems We Use
- Document analysis: An automated system extracts text and structured data from uploaded documents (qualification details, dates, institution names) and assesses document consistency. Output is used to pre-populate verification fields and to support administrator review.
- Identity verification: A third party identity verification provider is used to confirm submitted identity numbers against official records.
7.2 Automated Processing
- Document assessment: Each uploaded document is assessed for quality, consistency and extracted information. The assessment assists administrator review but does not determine the verification outcome on its own.
- Trust assessment: A trust assessment combines the results of the document and identity checks to flag cases that need closer human review.
- Preflight checks: Automated checks run before a verification case is submitted (e.g., document completeness, file format validation, size limits). Failed preflight checks provide immediate feedback so you can correct issues.
- Eligibility matching: Automated comparison of Seeker qualifications against Poster job requirements.
- Fraud detection: Automated checks help administrators identify potentially fraudulent submissions.
7.3 Human Oversight
AI cannot auto reject any verification case. All automated scores and flags are reviewed by trained human administrators before any verification decision is made. Administrators may override AI scores and flag assessments.
7.4 Your Rights Under POPIA Section 71
In terms of POPIA Section 71, you have the right not to be subject to a decision based solely on automated processing that produces legal effects or significantly affects you. Because all verification decisions involve human review, our processes comply with this requirement. However, you may:
- Request information about the logic involved in any automated processing of your data
- Contest any automated decision by contacting our Information Officer
- Request human re review of any verification outcome
For full details on verification processing, see our Verification Consent page.
8. Information Sharing and Disclosure
We share personal information only as described below. We never sell your personal information to third parties.
8.1 Between Platform Users
- Seekers to Posters:When a Seeker applies for a position or is shortlisted, Posters can view the Seeker's profile information, including name, qualifications, experience, verification status, and profile picture. Contact details are shared only when a Poster initiates contact.
- Posters to Seekers: Seekers can view institution name, type, location, and job posting details. Poster representative contact details are shared only as part of the hiring process.
- Sensitive information (SA ID number, passport number, date of birth) is never shared with other users.
8.2 With Service Providers (Operators)
We use third party service providers ("operators" under POPIA Section 20–21) who process personal information on our behalf. These operators are bound by data processing agreements and may only use your information for the purposes we specify:
- CheckID API: Receives SA ID number or passport number and date of birth for identity verification. SA-based provider.
- Google Cloud Platform: Provides document storage and the automated document analysis service. Stores encrypted documents and does not receive direct personal identifiers separately.
- Paystack: Receives email address, payment amount, and transaction reference for payment processing. Paystack is PCI DSS compliant.
- Push notification provider: Receives device tokens only for delivering push notifications. No personal information is transmitted.
- Email delivery provider: Receives email addresses and template data for delivering transactional and notification emails.
- Malware scanner: Scans file streams for malware. No personal information is retained by the scanning process.
8.3 With Platform Administrators
Authorised administrators with specific role-based access can view personal information necessary for their functions (e.g., verification review, user support, fraud investigation). Access is controlled through 7 distinct admin roles with granular permissions. All admin access is logged in audit trails.
8.4 With Authorities
We may disclose personal information when required by law, court order, or lawful request from a regulatory authority, including the Information Regulator, SARS, or law enforcement agencies. We will notify you of such requests where legally permitted.
8.5 Business Transfers
In the event of a merger, acquisition, or sale of all or a portion of our assets, your personal information may be transferred. We will notify you via email and/or a prominent notice on the Platform of any change in ownership or materially different use of your information.
9. Cross Border Data Transfers
POPIA Section 72 restricts the transfer of personal information outside the Republic of South Africa. We take the following positions regarding cross-border transfers:
9.1 Where Your Data May Be Processed
- Cloud storage and document analysis: Document storage and the automated document analysis service may run on cloud infrastructure located in the European Union or the United States. The provider is certified under multiple international frameworks and provides contractual commitments regarding data protection.
- Payment processor: Payment processing is provided by Paystack, which is headquartered in Nigeria with South African operations. Payment data may be processed in Nigeria or other jurisdictions where the processor operates.
- Identity verification provider: Identity verification is performed by a South African-based provider. Data remains within South Africa.
- Email delivery provider: Email delivery may occur via servers located outside South Africa.
9.2 Safeguards for Cross Border Transfers
In compliance with POPIA Section 72, we ensure that cross-border transfers of personal information are permitted only where:
- The recipient is subject to a law or binding agreement that provides an adequate level of protection equivalent to POPIA (Section 72(1)(a))
- You have consented to the transfer (Section 72(1)(b))
- The transfer is necessary for the performance of a contract between you and us (Section 72(1)(c))
- The transfer is for your benefit and it is not reasonably practicable to obtain your consent (Section 72(1)(d))
We have entered into data processing agreements with all operators that process personal information outside South Africa, incorporating standard contractual clauses that provide protections substantially similar to those under POPIA.
10. Data Retention
We retain personal information only for as long as is necessary to fulfil the purposes for which it was collected, or as required by law (POPIA Section 14). The following retention periods apply:
10.1 Retention Periods by Category
- Verification documents and cases: 5 years from the date of the last verification decision. This supports dispute resolution and re-verification needs.
- Audit logs: 7 years. Required for compliance, security investigations, and legal obligations.
- User profiles: 3 years after the last account activity. After this period, inactive accounts are flagged for deletion.
- Support tickets: 2 years from the date of ticket closure.
- Financial records: As required by the Tax Administration Act and other applicable legislation (typically 5–7 years).
- Cookies and session data: Session cookies expire on browser close. Authentication tokens expire per our security policy (access token: 15 minutes; refresh token: 7 days).
10.2 Criteria for Retention
We determine retention periods based on:
- The purpose for which the information was collected
- Legal and regulatory requirements
- Contractual obligations
- Legitimate business needs (fraud prevention, dispute resolution)
- Your reasonable expectations regarding retention
10.3 Deletion and Anonymisation
When the retention period expires, personal information is either securely deleted or irreversibly anonymised so that it can no longer be associated with you. For details on the deletion process when you request account deletion, see Section 12 below.
11. Data Security
We implement robust technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction, in accordance with POPIA Section 19.
11.1 Encryption
- Field level encryption: Sensitive fields (SA ID numbers, passport numbers) are encrypted at rest using industry-standard authenticated encryption. Encryption keys are managed securely and rotated periodically.
- Hashing: Institution registration numbers are stored only as one-way cryptographic hashes for duplicate detection.
- Transport encryption: All data in transit is protected by HTTPS/TLS. No unencrypted connections are permitted.
- Storage encryption: Documents stored with our cloud storage provider are encrypted at rest using provider-managed encryption keys.
11.2 Authentication and Access Control
- Secure session tokens: Short-lived access tokens stored in httpOnly cookies, paired with refresh tokens and CSRF protection.
- Multi factor authentication (MFA): Optional two factor authentication for enhanced account security.
- Step up authentication: Additional authentication required for accessing or modifying sensitive personal information.
- Role based access control (RBAC): Distinct administrator roles with granular permissions. Administrators can only access information required for their specific function.
11.3 File Security
- Malware scanning: All uploaded files are scanned for malware before processing or storage.
- Signed URLs: Document access is controlled through time-limited signed URLs. Documents are not publicly accessible.
- MIME type validation: File types are validated server-side (not just by file extension) to prevent malicious uploads.
- Size limits: Verification documents are limited to 10MB per file.
11.4 Monitoring and Audit
- Comprehensive audit logging of all administrative actions and data access
- Automated monitoring for suspicious activity and security events
- Regular security reviews of access controls and encryption practices
- Incident response procedures for security breaches
While we implement industry-standard security measures, no system is completely impervious to attack. We encourage you to protect your account by using a strong, unique password and enabling multi factor authentication.
12. Your Rights Under POPIA
As a data subject under POPIA, you have the following rights. You may exercise these rights by contacting our Information Officer at privacy@teachsaconnect.co.za.
12.1 Right of Access (POPIA Section 23)
You have the right to request confirmation of whether we hold personal information about you and to request access to that information. We provide a Subject Access Request (SAR) process:
- Submit a request to our Information Officer with proof of identity
- We will respond within 30 days of receiving your verified request
- Your data export will be provided in watermarked JSON/CSV format
- The export includes your profile data, document metadata, verification cases, and contact event records
- Export links expire after 24 hours and are limited to a single download
12.2 Right to Correction (POPIA Section 24)
You have the right to request correction or amendment of personal information that is inaccurate, incomplete, misleading, or not up to date. You may update much of your information directly through your account settings. For information you cannot update yourself, contact our Information Officer.
12.3 Right to Deletion (POPIA Section 24)
You have the right to request deletion of your personal information. Our deletion process works as follows:
- You initiate a deletion request through your account settings or by contacting our Information Officer
- Your account is immediately deactivated
- Encrypted personal information (SA ID, passport number) is purged within 30 days
- Uploaded documents are quarantined and subsequently deleted
- Audit logs are retained for 7 years as required for legal compliance
- After the 30-day purge period, your personal information cannot be recovered
Note: We may retain certain information where we have a legal obligation to do so (e.g., financial records, audit logs) or where necessary for the establishment, exercise, or defence of legal claims.
12.4 Right to Object (POPIA Section 11(3))
You have the right to object to processing of your personal information on reasonable grounds, unless the processing is required by law. You also have the right to object to processing for purposes of direct marketing at any time.
12.5 Right to Data Portability
You may request a copy of your personal information in a structured, commonly used, machine readable format (JSON or CSV). This is provided through our Subject Access Request process described in Section 12.1.
12.6 Right to Withdraw Consent
Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing conducted before the withdrawal. Some Platform features may become unavailable if consent is withdrawn.
12.7 Right to Complain to the Information Regulator
If you believe we have not handled your personal information in accordance with POPIA, you have the right to lodge a complaint with the Information Regulator:
We encourage you to contact our Information Officer first so we can attempt to resolve your concern directly.
12.8 How to Exercise Your Rights
- Email privacy@teachsaconnect.co.za with your request and proof of identity
- We will acknowledge your request within 5 business days
- We will respond substantively within 30 days
- If we cannot comply with your request, we will provide written reasons
There is no fee for exercising your rights under POPIA, unless a request is manifestly unfounded or excessive, in which case we may charge a reasonable fee as permitted by Section 23(3).
13. Children's Privacy
TeachSA Connect is a professional platform designed for educators and educational institutions. The Platform is not directed at individuals under the age of 18.
We do not knowingly collect personal information from children as defined in POPIA Section 35. The conditions for processing personal information of children set out in POPIA Section 34 apply.
If we become aware that we have inadvertently collected personal information from a person under the age of 18, we will:
- Notify the parent or guardian (if identifiable) within a reasonable time
- Delete the personal information within 30 days of discovery
- Deactivate the associated account immediately
If you believe that a child under 18 has created an account on the Platform, please contact our Information Officer at privacy@teachsaconnect.co.za immediately.
14. Direct Marketing
In terms of POPIA Section 69, we process personal information for direct marketing only with your prior consent or where we have an existing relationship with you and the marketing relates to similar services.
14.1 Our Practices
- Marketing emails are sent on an opt in basis only
- You may opt in or out of marketing communications during registration or at any time through your account settings
- Every marketing email includes a clear unsubscribe mechanism
- We honour all unsubscribe requests promptly
14.2 What We Will Never Do
- We will never sell, rent, or share your contact information with third parties for their marketing purposes
- We will never send marketing via SMS without explicit opt in consent
- We will never contact you for marketing purposes after you have opted out
14.3 Transactional Communications
Certain communications are transactional in nature (e.g., verification status updates, security alerts, account notifications) and are not considered direct marketing. These cannot be opted out of while your account is active, as they are necessary for the operation of the Platform. We operate over 40 email templates for transactional communications.
15. Cookies and Tracking Technologies
We use cookies and similar technologies to operate the Platform, maintain security, and improve your experience.
15.1 Essential Cookies
- Authentication cookies: httpOnly session cookies that store encrypted access tokens. Required for you to remain signed in.
- CSRF tokens: Cookies that protect against cross site request forgery attacks. Required for Platform security.
- Session identifiers: Track your active session for security and state management.
15.2 Analytics Cookies
- We may use analytics cookies to understand how the Platform is used
- Analytics data is aggregated and does not identify individual users
For a comprehensive breakdown of all cookies used, their purposes, and how to manage your preferences, see our Cookie Policy.
16. Data Breach Notification
In compliance with POPIA Section 22, we have procedures in place to detect, investigate, and respond to personal data breaches.
16.1 Our Obligations
Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by an unauthorised person, we will:
- Notify the Information Regulator as soon as reasonably possible after the discovery of the breach, providing all required details including the nature of the breach, the categories and approximate number of data subjects affected, and the measures taken to address the breach.
- Notify affected data subjects as soon as reasonably possible, providing sufficient information to allow you to take protective measures. This notification will include a description of the breach, the categories of information compromised, and our recommendations for mitigating potential harm.
- Document the breach in our internal records, including the facts, effects, and remedial actions taken.
16.2 Our Response
- We maintain an incident response plan for all security events
- Breaches are investigated immediately upon detection
- Affected systems are isolated and secured
- Post incident reviews are conducted to prevent recurrence
Notification may be delayed only where a law enforcement agency determines that notification will impede a criminal investigation (POPIA Section 22(4)).
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Platform, or applicable law.
17.1 How We Notify You
- Advance notice:We will provide at least 30 days' notice before material changes take effect.
- Email notification: Registered users will receive an email notification summarising the key changes.
- Platform notice: A prominent notice will be displayed on the Platform.
- Version history: The effective date at the top of this policy will be updated with each revision.
17.2 Material Changes
Where changes materially alter how we collect, use, or share your personal information, we may require you to re-consent to the updated policy. If you do not consent to the updated policy, you may request deletion of your account and personal information in accordance with Section 12.3.
Continued use of the Platform after the effective date of an updated policy constitutes acceptance of the changes, except for material changes that require explicit re-consent.
18. Contact Us and Complaints
If you have any questions about this Privacy Policy, wish to exercise your rights, or want to lodge a complaint, please contact us:
TeachSA Connect Information Officer
Escalation Process
- Step 1 — Contact us directly: Email our Information Officer. We will acknowledge your query within 5 business days and aim to resolve it within 30 days.
- Step 2 — Formal complaint: If you are not satisfied with our response, you may submit a formal written complaint. We will investigate and provide a written outcome within 30 days.
- Step 3 — Information Regulator: If the matter remains unresolved, you may lodge a complaint with the Information Regulator of South Africa:
Information Regulator (South Africa)
We take all complaints seriously and are committed to resolving them fairly and promptly. Our goal is to address your concerns at Step 1 wherever possible.
For other legal information, see our Terms of Service, POPIA Commitments, Cookie Policy, and Verification Consent.