Privacy Policy

Last Updated: February 16, 2026

Introduction

This Privacy Policy explains how Koonection (PTY) Ltd (Registration Number: 2024/420393/07), trading as "Koonection" ("we," "us," or "our"), collects, uses, and protects personal information in accordance with the Protection of Personal Information Act (POPIA), the General Data Protection Regulation (GDPR), and other applicable laws. Our commitment is to protect your privacy and maintain the security of all personal information we process.

This Privacy Policy should be read together with our Terms of Use, Refund Policy, and Cancellation Policy.

Summary of Key Points

This summary provides key points from our Privacy Policy in plain language. For full details, please refer to the relevant sections below.

Who is responsible for your data? Schools are the data controllers (responsible parties) for student, parent, teacher, and clerk data. Koonection acts as the data processor (operator) and processes data on behalf of schools.
What data do we process? We process school administrator details, student records (including health information such as allergies), parent/guardian contact information, teacher professional details, and clerk credentials.
How is children's data protected? Children's data is processed only with parental or guardian consent obtained by the school. It is never used for marketing or profiling and is protected by strict access controls.
Who can see your data? Your data is accessible only to authorised school staff and Koonection's technical team for service delivery. We share data with essential service providers (cloud hosting, payment processing) under strict data protection agreements.
What are your rights? You may access, correct, or request deletion of your personal information. You may also object to processing, withdraw consent, or lodge a complaint with the South African Information Regulator.
How to contact us: Reach our Information Officer, Barry Joubert, at barry@koonection.co.za.
We never sell your data. Koonection does not sell personal information to third parties and does not share student, teacher, parent, or clerk data with advertisers. For full details, see the Disclosure of Information section.

Children's Personal Information

Koonection provides educational management services to preschools and kindergartens. As such, our platform processes personal information of children, including children under the age of 18.

In accordance with Section 35 of the Protection of Personal Information Act (POPIA), the processing of children's personal information requires the consent of a competent person, being a parent or legal guardian. We recognise the sensitive nature of children's data and apply the following safeguards:

Schools using our platform are responsible, as data controllers, for obtaining valid parental or guardian consent before entering any child's personal information into the system.
We collect only the minimum information necessary to provide our educational management services, such as the child's name, date of birth, class assignment, emergency contacts, and health information (e.g., allergies) required for the child's safety.
Children's personal information is never used for marketing, profiling, or any purpose unrelated to the delivery of educational management services.
Parents and guardians have the right to access, correct, or request deletion of their child's personal information through their school's administration.
Additional technical and organisational measures are applied to protect children's data, including strict access controls limiting data access to authorised school staff only.

Special Personal Information

Under POPIA (Sections 26–33), certain categories of personal information are classified as "special personal information" and are subject to additional protections. In the context of our educational management services, we may process the following special personal information:

Health Information: Allergies, medical conditions, and dietary requirements of children, recorded for the child's safety and wellbeing while in the care of the school.

This special personal information is processed on the following lawful grounds under POPIA Section 27:

Consent: Schools, as data controllers, obtain parental or guardian consent before recording health-related information on the platform.
Vital Interest: Health information (such as allergies) may be necessary to protect the vital interest of the child, particularly in emergency situations.

We apply additional safeguards to special personal information, including restricted access controls, encryption, and ensuring that such information is only visible to authorised school staff who require it for the child's care. Special personal information is never used for any purpose other than the safety and wellbeing of the child.

Data Controller and Processor Roles

Under POPIA and the GDPR, different roles carry different responsibilities regarding personal information:

Schools (Data Controllers / Responsible Parties): The educational institutions that subscribe to Koonection are the data controllers (referred to as "responsible parties" under POPIA). Schools determine the purposes and means of processing personal information of their students, parents/guardians, teachers, and clerks. Schools are responsible for adding users to the platform, obtaining all necessary consents, ensuring data accuracy, and complying with data subject requests.
Koonection (Data Processor / Operator): Koonection acts as the data processor (referred to as the "operator" under POPIA). We process personal information on behalf of schools and only in accordance with their instructions and the terms of our service agreement. We do not use school data for our own purposes beyond what is necessary to provide the service.

Our relationship with each school is governed by our Terms of Use, which set out the scope, purpose, and duration of processing, as well as the obligations of both parties regarding the protection of personal information.

By subscribing to and using the Koonection platform, each school warrants that it has obtained all necessary consents and has a lawful basis for processing the personal information it enters into the system, including special personal information and children's personal information. Schools indemnify Koonection against any claims, losses, or penalties arising from a failure to obtain proper consents or comply with applicable data protection laws. Full indemnification terms are set out in our Terms of Use.

Operator Limitation of Responsibility

Koonection processes personal information strictly on behalf of and under the instructions of subscribing schools. Koonection does not independently determine the purpose or means of processing personal information entered by schools into the platform.

Koonection shall not be liable for the legality, accuracy, completeness, or validity of personal information submitted by schools, including whether appropriate consent has been obtained from data subjects. Schools remain solely responsible for ensuring their own compliance with POPIA and all other applicable data protection laws in respect of the personal information they enter into the system.

POPIA Operator Security Commitment

In accordance with Section 21 of POPIA, Koonection, as operator, undertakes to:

Process personal information only with the knowledge or authorisation of the responsible party (the subscribing school).
Treat all personal information processed on behalf of the responsible party as confidential and not disclose it unless required by law or in the proper course of performing its obligations under the service agreement.
Implement appropriate technical and organisational security measures to protect personal information against loss, damage, unauthorised access, or unlawful processing.
Notify the responsible party immediately where there are reasonable grounds to believe that personal information has been accessed or acquired by any unauthorised person.

Information Collection and Processing

In the course of providing our educational management services, we collect and process several categories of information. All user accounts (clerks, teachers, and parents/guardians) are created by the school administrator; users do not register themselves.

Mandatory and Optional Information

Certain personal information is mandatory and must be provided for the service to function. This includes the child's name, date of birth, and at least one emergency contact. Without this information, the school cannot enroll the child on the platform. Other information — such as health details (allergies), photographs, and additional contact preferences — is optional but recommended for the child's safety and a better service experience. Failure to provide optional information will not prevent access to core platform features.

School Administrator Information

Includes professional contact details, authentication credentials, school affiliations, administrative preferences, and, where applicable, payment and billing information. This information is essential for account management and system administration.

Clerk Information

Includes professional contact details and authentication credentials. Clerks are added by the school administrator and assist with administrative tasks within the platform.

Student Information

Encompasses basic biographical details, academic records, class assignments, health-related information (such as allergies) for safety purposes, emergency contact details, and participation records for various school activities.

Parent / Guardian Information

Includes contact details, communication preferences, family relationships and student associations, system usage patterns for service improvement, and communication history. Parent and guardian accounts are created by the school administrator and provide access to the Koonection mobile app.

Teacher Information

Comprises professional contact details, teaching assignments, schedules, professional qualifications where provided, and class management preferences. Teacher accounts are created by the school administrator and provide access to the Koonection mobile app.

Legal Basis for Processing

We process personal information based on the following lawful grounds, as required by POPIA and the GDPR:

Contract Performance: Processing necessary to deliver our educational management services under the subscription agreement with the school (e.g., account setup, service delivery, technical support).
Consent: Where required, particularly for the processing of children's personal information. Schools are responsible for obtaining parental or guardian consent on our behalf as data controllers.
Legal Obligation: Processing required to comply with applicable laws and regulations, including financial record-keeping, tax obligations, and responding to lawful requests from regulatory authorities.
Legitimate Interest: Processing necessary for our legitimate interests, such as maintaining system security, preventing fraud, improving service quality, and ensuring platform reliability, provided these interests are not overridden by the data subject's rights and freedoms.

Purpose of Processing

We process this information to:

Deliver and maintain our educational management services.
Process secure payments.
Provide system notifications and updates.
Address support inquiries.
Enhance service quality.
Meet legal and regulatory obligations.
Maintain system security and performance.

Cookies and Tracking Technologies

Our website and platform use cookies and similar tracking technologies to improve your experience and to understand how our services are used. Below is a summary of the technologies we use:

Essential Cookies

These cookies are necessary for the website to function properly. They enable core functionality such as session management and security features. These cookies do not require consent as they are strictly necessary.

Analytics Cookies

We use Google Analytics to collect anonymised information about how visitors interact with our website. This helps us understand usage patterns and improve our services. Google Analytics uses cookies to collect information such as pages visited, time spent on pages, and referral sources. This data is processed in aggregate and does not identify individual users.

Advertising and Conversion Tracking

We use Google Ads and Meta (Facebook) Pixel to measure the effectiveness of our advertising campaigns and to understand how visitors arrive at our website. These technologies may collect information such as:

Pages visited on our website.
Actions taken (e.g., signing up for a trial).
Referral source and general geographic region.

This information is used solely for advertising measurement and optimisation. We do not use these technologies within the Koonection platform where school or student data is processed.

Managing Cookies

You can control and manage cookies through your browser settings. Most browsers allow you to refuse or delete cookies. Please note that disabling certain cookies may affect the functionality of our website. For more information on managing cookies, consult your browser's help documentation.

Do-Not-Track Signals

Some web browsers and mobile devices include a Do-Not-Track ("DNT") feature or setting that you can activate to signal your privacy preference. At this time, no uniform technology standard for recognising and implementing DNT signals has been finalised. As such, we do not currently respond to DNT browser signals. If a standard for online tracking is adopted that we must follow in the future, we will inform you about that practice in a revised version of this Privacy Policy. In the meantime, you may use the cookie management options described above to control tracking on our website.

Third-Party Service Providers

We use the following third-party service providers (sub-processors) to deliver our services. Each provider processes data only for the purposes described below and is bound by appropriate data protection agreements:

Google Cloud Platform: Cloud hosting, database storage, cloud functions, and authentication services. Processes all platform data including school, student, parent, and teacher information.
Paystack: Payment processing for subscription billing. Paystack is PCI DSS compliant and handles all payment card data directly. Koonection does not store, process, or have access to full payment card numbers — we only retain transaction references and subscription status.
Google Analytics: Website usage analytics. Processes anonymised browsing data from our marketing website only, not from within the platform.
Google Ads: Advertising conversion tracking on our marketing website only.
Meta (Facebook) Pixel: Advertising conversion tracking on our marketing website only.

We regularly review our sub-processors to ensure they maintain appropriate levels of data protection. We will notify schools of any material changes to our sub-processor arrangements.

Disclosure of Information

In addition to the third-party service providers listed above, we may disclose personal information in the following circumstances:

Legal and Regulatory Requirements: We may disclose personal information where required by law, regulation, court order, or in response to a lawful request from a government authority, including to meet national security or law enforcement requirements.
Professional Advisors: We may share information with our professional advisors, including auditors, lawyers, and accountants, who are bound by professional confidentiality obligations.
Business Transfers: In the event of a merger, acquisition, reorganisation, or sale of all or a portion of our assets, personal information may be transferred to the acquiring entity. In such circumstances, we will notify affected schools before their data becomes subject to a different privacy policy, and the acquiring entity will be bound by the same or equivalent data protection obligations.
Protection of Rights: We may disclose information where necessary to protect the rights, property, or safety of Koonection, our users, or others, including to enforce our Terms of Use and to prevent fraud.
Aggregated and Anonymised Data: We may share aggregated or anonymised data that does not identify any individual for purposes such as industry analysis, benchmarking, and service improvement.

We do not sell personal information to third parties. We do not share student, teacher, parent, or clerk data with advertisers.

Mobile Application Data

Koonection provides companion mobile applications for teachers and parents/guardians. These applications are accessed using the credentials provided when the school administrator creates the user's account. The applications collect the following information:

All App Users (Teachers and Parents/Guardians)

Authentication Credentials: Email address and password for login purposes.
Push Notification Tokens: Device identifiers required to deliver push notifications such as school announcements, messages, and alerts.
Basic Device Information: Operating system version and app version for compatibility and troubleshooting purposes.

Teacher Application

In addition to the above, the teacher application may access:

Camera and Photo Library: Used for capturing or attaching photos related to student activities, reports, and school events. Photos are uploaded to the platform and stored securely. Camera access is requested only when the teacher initiates a photo-related action and can be revoked through device settings at any time.

Data Not Collected

Our mobile applications do not collect location data, contact lists, microphone data, or any other device data beyond what is described above.

Direct Marketing

In accordance with POPIA Section 69, we are transparent about our direct marketing practices:

Koonection may send marketing and promotional communications (such as newsletters, product updates, and special offers) to school administrators only. These communications are sent on the basis of the existing business relationship between Koonection and the subscribing school.
Personal information of students, parents/guardians, teachers, and clerks is never used for direct marketing purposes by Koonection.
School administrators have the right to opt out of receiving marketing communications at any time by clicking the unsubscribe link included in every marketing email or by contacting us at info@koonection.co.za.
Opting out of marketing communications will not affect the delivery of essential service-related notifications such as billing reminders, security alerts, and platform updates.

Communications Monitoring

The Koonection platform includes messaging and communication features that allow schools, teachers, and parents/guardians to exchange announcements, messages, and notifications. In relation to these communications:

Messages sent through the platform are stored on our servers for the purpose of service delivery and are retained in accordance with our data retention schedule (communication logs are maintained for two years).
Koonection does not routinely monitor or read the content of in-platform communications. However, we reserve the right to access communications in the following limited circumstances: to respond to support requests from users; to investigate reports of abuse, harassment, or violations of our Terms of Use; or to comply with a legal obligation, regulatory request, or court order.
Any access to communication content is restricted to authorised Koonection personnel and is conducted in accordance with applicable laws, including the Regulation of Interception of Communications and Provision of Communication-Related Information Act (RICA).

Data Storage and Security

Our data storage infrastructure maintains rigorous security standards with primary data storage in the European Union (EU-West region). We implement enterprise-grade security protocols including:

Advanced access control systems.
Multi-factor authentication for sensitive operations.
Real-time security monitoring.
Encrypted data transmissions.
Regular security assessments to maintain system integrity.
Automated patch management.
Secure backup systems.
Comprehensive disaster recovery protocols.

Data Protection Principles

Our data processing adheres to core principles:

Purpose Limitation: We use data solely for stated purposes.
Data Minimization: We collect only necessary information.
Accuracy: We maintain data correctness through regular updates.
Storage Limitation: We retain data only as long as needed.
Integrity and Confidentiality: We ensure secure processing.
Accountability: We maintain transparent processing practices.

International Data Transfers

For data transfers between regions, we implement appropriate safeguards through comprehensive data transfer agreements and regular compliance monitoring. Where required, we utilize standard contractual clauses and conduct ongoing assessments of data protection standards.

Cross-border transfers of personal information are conducted in accordance with Section 72 of POPIA, which requires that the recipient of the information is subject to a law, binding corporate rules, or a binding agreement that provides an adequate level of protection substantially similar to the conditions for the lawful processing of personal information under POPIA. Our primary data storage in the European Union benefits from the comprehensive data protection framework provided by the General Data Protection Regulation (GDPR), which is widely recognised as providing an adequate level of protection.

Your Rights

Under applicable data protection laws, you maintain the right to:

Access your personal information.
Correct inaccurate data.
Request data deletion where appropriate.
Object to certain processing activities.
Request data portability.
Lodge complaints with relevant authorities.

To exercise any of these rights, please contact our Information Officer (details below) or your school administrator.

Access to Information (PAIA)

In terms of the Promotion of Access to Information Act, 2000 ("PAIA"), you may request access to records held by Koonection. Koonection maintains a PAIA Section 51 Manual, which describes the types of records held, the categories of data subjects, and the procedures for requesting access to information. To request a copy of our PAIA Manual or to submit a formal data access request under PAIA, please contact our Information Officer at barry@koonection.co.za. Confirmation of whether we hold personal information about you may be requested free of charge.

Lodging a Complaint

If you believe that your personal information has been processed in a manner that does not comply with POPIA, we encourage you to first attempt to resolve the matter directly with our Information Officer. If you are not satisfied with the outcome, you have the right to lodge a complaint with the South African Information Regulator:

Website: https://inforegulator.org.za
Email: POPIAComplaints@inforegulator.org.za
General Enquiries: enquiries@inforegulator.org.za
Physical Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Postal Address: P.O. Box 31533, Braamfontein, Johannesburg, 2017

Data Retention

We maintain specific retention periods for different data categories:

Student Records: Retained for the duration of enrollment plus five years.
Financial Records: Kept for seven years as required by law.
Communication Logs: Maintained for two years.
Inactive Accounts: Retained for one year before deletion.

Security Incident Response

In the event of a security incident, we will:

Notify the South African Information Regulator and affected data subjects as soon as reasonably possible, as required by POPIA Section 22.
Where the GDPR applies, notify the relevant supervisory authority within 72 hours of becoming aware of the breach, and affected individuals without undue delay where the breach poses a high risk to their rights and freedoms.
Investigate and document the incident thoroughly.
Implement necessary remedial measures.
Review and update security protocols.
Cooperate with relevant authorities.

Limitation of Liability for Data Breaches

Koonection implements industry-standard technical and organisational security measures to protect personal information against unauthorised access, loss, or destruction. However, no method of electronic storage or transmission over the internet is completely secure, and Koonection cannot guarantee the absolute security of personal information.

To the maximum extent permitted by applicable law, Koonection shall not be liable for any indirect, incidental, special, or consequential damages arising from or related to any unauthorised access to, or breach of, personal information, including but not limited to loss of revenue, loss of business opportunities, reputational damage, or costs of remediation.

Nothing in this clause excludes or limits Koonection's liability where such exclusion or limitation is not permitted by law, or where the unauthorised access or breach is directly caused by Koonection's gross negligence or wilful misconduct.

Policy Updates

We may update this Privacy Policy periodically. We will notify users of significant changes through email notifications, service announcements, and website updates.

Governing Law

This Privacy Policy shall be governed by and construed in accordance with the laws of the Republic of South Africa. Any disputes arising out of or in connection with this Privacy Policy shall be subject to the exclusive jurisdiction of the courts of South Africa.

Contact Information

For any privacy-related queries or concerns, please contact us at:

Information Officer: Barry Joubert

Registered with the South African Information Regulator in accordance with POPIA.
Registration Number: 2025-060522
Registration can be verified at inforegulator.org.za.

Data Protection Contact:

Email: barry@koonection.co.za

General Enquiries:

Email: info@koonection.co.za

Postal Address:

Koonection (PTY) LTD
Registration Number: 2024/420393/07
940 18th Avenue
Wonderboom-South
Pretoria
South Africa

We respond to all privacy-related inquiries within two business days.