Student Data Protection Guidelines

Status: ✅ READY

BETA PROGRAM - SCHOOLS, STUDENTS & PARENTS

THANDI AI (PTY) LTD | Registration No: 2025/939429/07 | POPIA Reg: 2025-068149

Information Officer: Seelan Govender | hello@thandi.online | 0781298701

---

OVERVIEW

Thandi.ai is currently in beta testing with South African schools. These guidelines ensure maximum protection for student data during our pilot phase and comply with POPIA and the South African Schools Act.

---

FOR SCHOOLS PARTICIPATING IN BETA

1. INFORMED CONSENT REQUIREMENTS

Before allowing student access, schools must obtain documented consent:

For Students 18+ (Matric/Post-matric):

Signed consent form acknowledging:

Beta status and potential inaccuracies

Data collection purposes (subjects, marks, interests)

Right to withdraw consent anytime

How to request data deletion

Independent verification requirement

For Students Under 18 (Grades 8-11):

PARENT/GUARDIAN SIGNATURE REQUIRED (non-negotiable)

Separate age-appropriate consent form

School acts as intermediary and consent verifier

Form must be explained in parent's home language if needed

Template available: Email hello@thandi.online with subject "School Consent Template"

2. SCHOOL OBLIGATIONS

By participating in the beta program, schools agree to:

Appoint a staff coordinator as single point of contact

Verify consent for all participating students before providing access codes

Distribute parent information letters (available in English, isiZulu, Afrikaans, Xhosa)

Provide emergency contact for technical issues during school hours

Report concerns within 48 hours of discovery

Facilitate data deletion requests from parents/students

Participate in feedback survey at end of 4-week pilot

3. SUPERVISION RECOMMENDATIONS

For first-time use, we strongly recommend:

Teacher-facilitated session in computer lab/classroom

Brief 5-minute orientation on how AI recommendations work

Emphasize: "This is a guide, not gospel - verify everything"

Encourage discussion of results with school counselor

Discuss digital literacy and critical thinking around AI tools

Sample teacher script available on request.

4. DATA MINIMIZATION (BETA PHASE)

We limit collection to only what is necessary:

✅ Subjects and marks (minimum for accuracy)

✅ Grade level (not full birthdate)

✅ Career interests (categorical, not free text)

❌ NOT collected: ID numbers, physical addresses, race (unless for bursary matching with explicit consent), medical info, family income

Schools should not provide any student data directly to us - students enter their own information.

---

FOR STUDENTS & PARENTS

WHAT WE COLLECT & WHY

| Data Type | Why We Need It | How Long We Keep It | Can Delete? |

|-----------|----------------|---------------------|-------------|

| Subject marks | Calculate admission eligibility | 12 months | ✅ Yes |

| Career interests | Personalize recommendations | 12 months | ✅ Yes |

| Grade level | Show age-appropriate options | 12 months | ✅ Yes |

| Email address | Send results securely | Until you delete account | ✅ Yes |

| School name | Improve regional accuracy | Anonymized after 12 months | ⚠️ Partial |

YOUR PROTECTIONS

✅ No commercial use of your data during beta

✅ Independent verification warnings on every recommendation

✅ Immediate deletion upon request (email: hello@thandi.online)

✅ Anonymized participation in research (opt-out available)

✅ Secure storage on encrypted Vercel/Google servers

✅ No third-party selling - ever

✅ B-BBEE status protected - we are a 100% black-owned Level 1 contributor

WHAT TO VERIFY INDEPENDENTLY

⚠️ CRITICAL BETA DISCLAIMERS:

University admission requirements change annually - Always check official prospectuses on university websites

Bursary deadlines and criteria - Confirm directly with bursary providers (many change mid-year)

Career paths - May have additional requirements: medical tests, portfolios, driver's license, security clearance

Marks calculations - Some universities use different weightings (e.g., dropping lowest subject)

Use Thandi.ai as a starting point, not final authority

Verification guide included with every student report.

PARENT/GUARDIAN RIGHTS

Parents/guardians of students under 18 can:

Request access to all data collected about their child (within 7 days)

Request deletion of all data immediately

Request data export in portable format

Object to school participation in beta program

Withdraw consent mid-program (student access will be deactivated)

Complain to Information Regulator if rights are violated

To exercise rights: Email hello@thandi.online with subject: "Parent Request - [Student Name] - [School Name]"

---

TECHNICAL SAFEGUARDS (BETA)

Student Data Isolation

Per-school encrypted databases (prevents cross-school data leakage)

Individual student workspaces (no student can see another's results)

Read-only access for most Thandi.ai staff (only 2 people have edit access)

Beta-Specific Security

Weekly penetration testing during pilot phase

Daily data integrity checks

Bug bounty program for security researchers (report issues to security@thandi.online)

Zero third-party sharing of identifiable data

Automatic session timeout after 30 minutes of inactivity

Hosting Security (Vercel)

SOC 2 Type II compliant infrastructure

Automatic DDoS protection

Edge network encryption

Isolated function execution

---

INCIDENT RESPONSE (BETA PROTOCOL)

If we discover a data protection issue:

| Timeframe | Action |

|-----------|--------|

| Within 1 hour | Immediate containment and investigation initiation |

| Within 6 hours | School coordinator notification via phone + email |

| Within 24 hours | Full assessment and parent/student notification (if risk identified) |

| Within 48 hours | Public disclosure (if required by POPIA) on thandi.online/security |

| Within 7 days | Complete remediation report to affected parties |

Emergency contact for schools: 0781298701 (Seelan Govender)

---

WITHDRAWING FROM BETA

For Students:

Stop using the service anytime

Email hello@thandi.online requesting deletion

All data deleted within 24 hours of request

Receive confirmation email with deletion certificate

For Schools:

Provide 30-day written notice via email

We provide full data export for all participating students

Assist with parent communication

Conduct exit interview to gather final feedback

For Parents:

Can withdraw consent immediately (no notice period)

Student access deactivated same day

All data deleted within 24 hours

---

QUESTIONS & SUPPORT

Technical issues: support@thandi.online (aim for 2-hour response during business hours)

Privacy concerns: hello@thandi.online (Information Officer direct)

Emergency contact: 0781298701 (Seelan Govender)

School coordinator hotline: WhatsApp Business: [Setup Pending]

Business Hours: Monday - Friday, 8:00 AM - 5:00 PM SAST

---

BETA PROGRAM TIMELINE

Current Phase: School Pilot (Dec 2025 - Feb 2026)

Target Schools: 5-10 pilot schools

Students per School: 50-100 Grade 10-12 students

Duration: 4 weeks per school

Feedback Required: Weekly check-ins + final survey

After Beta: Data review, system improvements, full launch with updated legal framework.

---

DOCUMENT VERSION

Version: 1.0 (Beta)

Issue Date: 21 December 2025

Next Review: End of Beta Program (February 2026)

THANDI AI (PTY) LTD

170 Innes Road, Morningside, Durban, Kwa-Zulu Natal, 4001

Registration: 2025/939429/07 | POPIA: 2025-068149 | B-BBEE Level 1

Author: Seelan Govender - Information Officer