Privacy Policy

Effective date: [DD Month YYYY]

Last updated: [DD Month YYYY]

⚠️ Template notice — This policy is a starting draft prepared by a non-lawyer. It is written to align with the Protection of Personal Information Act 4 of 2013 ("POPIA") and, where relevant, the EU GDPR for overseas students. It must be reviewed by a qualified South African attorney before publication. Replace every [bracketed placeholder] with your own details.

1. Who we are and our role

Mdubusi Mathematics ("we", "us"), operated by [PS Ndlovu / Mdubusi Mathematics (Pty) Ltd] of [address], is the Responsible Party (as defined in POPIA) for the personal information we process about you.

Our Information Officer is:

- Name: [PS Ndlovu]
- Email: [privacy@mdubusimaths.com]
- Postal address: [address]


2. Scope

This Privacy Policy explains what personal information we collect when you visit [https://mdubusimaths.com] ("the Platform") or book a tutoring session, why we collect it, how we use and share it, and the rights you have in respect of it.

By using the Platform you acknowledge the processing described in this Policy. Where the law requires, we will obtain your specific consent before processing.


3. Personal information we collect

3.1 Information you give us

- Account information — your first name, last name, email address, password (stored hashed), academic level, phone number (optional), and profile picture (optional).
- Booking information — session type, subject, topic notes you add, date and time.
- Communications — messages, feedback, and support queries you send us.

3.2 Information we collect automatically

- Log and device information — IP address, browser type, operating system, referring URL, timestamps, and pages viewed.
- Cookies and similar technologies — used to keep you logged in and to measure traffic. See § 7.
- Analytics events — anonymised usage events (e.g. "session booking started") if you have not opted out.

3.3 Information from third parties

- Google — if you sign in with Google, we receive your name, email, and profile picture from Google's OAuth service.
- Paystack — we receive payment status, the last 4 digits of the card, card type, and the issuing bank. We do not receive or store your full card number, CVV, or PIN.
- Cal.com — we receive the booking time, duration, and attendee email when you schedule a session.

3.4 Information about children

Our Services are aimed at university and post-graduate students. Where a Student is a minor (under 18) we require the consent of a parent or legal guardian in accordance with section 35 of POPIA. We do not knowingly collect personal information from children under 13.


4. Why we process your information and on what legal basis

| Purpose | Legal basis under POPIA |
|---|---|
| Create and secure your account | Contract performance |
| Confirm and deliver booked tutoring sessions | Contract performance |
| Process payments via Paystack | Contract performance |
| Send transactional emails (receipts, booking confirmations, reminders) | Contract performance |
| Send marketing or newsletters | Your explicit opt-in consent — you may withdraw at any time |
| Prevent fraud, abuse, and secure the Platform | Our legitimate interest |
| Comply with tax, accounting, and other legal obligations | Legal obligation |
| Analyse usage to improve the Platform | Our legitimate interest, with anonymisation where feasible |


5. Who we share your information with

We share personal information only with parties that need it to deliver the Services, and only under written agreements that oblige them to protect it. Each processor listed below is bound by its own privacy policy, which we encourage you to review.

| Recipient | Purpose | Location | Privacy policy |
|---|---|---|---|
| Supabase Inc. | Database, authentication, storage | Data stored in [EU region — confirm in Supabase project settings] | [supabase.com/privacy](https://supabase.com/privacy) |
| Paystack (Pty) Ltd | Payment processing | South Africa | [paystack.com/privacy](https://paystack.com/privacy) |
| Cal.com, Inc. | Scheduling | United States | [cal.com/privacy](https://cal.com/privacy) |
| Resend, Inc. | Transactional email delivery | United States | [resend.com/legal/privacy-policy](https://resend.com/legal/privacy-policy) |
| Vercel Inc. | Web hosting | Primarily European and US edge regions | [vercel.com/legal/privacy-policy](https://vercel.com/legal/privacy-policy) |
| Google LLC | Optional sign-in; video conferencing if used for the session | Global | [policies.google.com/privacy](https://policies.google.com/privacy) |
| Sentry (Functional Software, Inc.) | Error tracking — only if enabled | United States / EU | [sentry.io/privacy](https://sentry.io/privacy) |
| PostHog Inc. | Product analytics — only if enabled | United States / EU | [posthog.com/privacy](https://posthog.com/privacy) |

We do not sell your personal information, and we do not share it with advertising networks.

Where personal information is transferred outside South Africa, we rely on the lawful transfer mechanisms permitted by section 72 of POPIA — principally, binding contractual terms that ensure an equivalent level of protection. We may also disclose personal information where compelled by a valid court order, subpoena, or statutory request from a regulator.


6. How long we keep your information

| Category | Retention |
|---|---|
| Account information | While your account is active, plus 12 months after closure |
| Booking records | 5 years from the session date (tax and audit requirements) |
| Payment records | 5 years (Tax Administration Act) |
| Support correspondence | 3 years |
| Marketing consent records | Until consent is withdrawn, plus 3 years for audit |
| Server and access logs | 90 days, unless retained longer for security investigations |

We delete or anonymise data once the retention period ends, unless law requires longer retention.


7. Direct marketing

We will only send you direct marketing communications — whether by email, SMS, or automated call — where you have given us your explicit prior consent in accordance with section 69 of POPIA, or where you are an existing customer and the marketing relates to our own similar services. Every marketing email contains a one-click unsubscribe link; you may also withdraw consent at any time by emailing [privacy@mdubusimaths.com].

Transactional messages — booking confirmations, session reminders, payment receipts, policy updates, and security notices — are not direct marketing. You cannot opt out of these while you have an active account, because they are necessary to deliver the Services.

We do not use your personal information for profiling or behavioural advertising.


8. Cookies

We use a small number of cookies, all strictly necessary or functional:

| Cookie | Purpose | Category | Duration |
|---|---|---|---|
| sb-access-token, sb-refresh-token | Keep you signed in | Strictly necessary | Session and 7 days |
| cookie-consent | Remember your cookie banner choice | Strictly necessary | 12 months |
| Vercel Analytics (_vercel_analytics) | Anonymous page views | Analytics (opt-in where required) | 12 months |
| PostHog (ph_*) | Anonymised product analytics — only if enabled | Analytics (opt-in) | 12 months |

You can control cookies via your browser. Disabling strictly necessary cookies will break sign-in.


9. Your rights

Under POPIA you have the right to:

- Access — request a copy of the personal information we hold about you, free of charge once in any 12-month period.
- Correction — ask us to correct or complete inaccurate or incomplete data.
- Deletion — ask us to delete your information where it is no longer needed or where consent has been withdrawn (subject to legal retention obligations, such as tax records we must keep for five years).
- Objection — object, on reasonable grounds, to processing based on legitimate interest.
- Withdrawal of consent — withdraw any consent you have given, without affecting lawful processing that occurred before the withdrawal.
- Data portability — request a copy of your personal information in a structured, commonly-used format.
- Complaint — lodge a complaint with the Information Regulator (see § 13).

9.1 How to submit a request

Email [privacy@mdubusimaths.com] with:

1. The right you wish to exercise.
2. Enough detail to identify your account (the email address you signed up with is usually sufficient).
3. Where the request is for deletion or portability, confirmation that you understand any legal or contractual consequences (for example, deletion closes your account and cancels future bookings).

We verify the identity of the requester before processing the request — typically by confirming control of the account email. We respond within 30 days as required by POPIA. The first request in any 12-month period is free; we may charge a reasonable fee for additional, repetitive requests, in line with the POPIA Regulations.

9.2 Account closure

You may close your account at any time from your dashboard or by emailing us. On closure we delete or anonymise data not required by law, within 30 days. Backups containing your data are overwritten on our retention cycle (within 90 days of deletion).


10. How we protect your information

- Encryption in transit — TLS 1.2 or higher on every connection to the Platform.
- Encryption at rest — Supabase encrypts stored data with AES-256.
- Access control — service-role credentials are held in a secure secrets manager and never exposed to the browser. Row-level security is enforced on all database tables.
- Principle of least privilege — only the people who need access have it.
- Breach response — if a breach affects your personal information in a way that puts you at risk, we will notify you and the Information Regulator without undue delay, in accordance with section 22 of POPIA.


11. Automated decision-making

We do not make legally significant or similarly significant decisions about you based solely on automated processing.


12. Changes to this Policy

We may update this Policy from time to time. Material changes will be posted on the Platform and emailed to the address on file at least 14 days before they take effect. Continued use of the Platform after that date constitutes acceptance of the updated Policy.


14. Contact

Mdubusi Mathematics

- Information Officer: [PS Ndlovu]
- Email: [privacy@mdubusimaths.com]
- General support: [support@mdubusimaths.com]