Back to Thandi

Learner Data Protection Guidelines

Special protections for learner data

Learner Data Protection Guidelines

THANDI AI (PTY) LTD | Registration No: 2025/939429/07 | POPIA Reg: 2025-068149

Information Officer: Seelan Govender | hello@thandi.online | privacy@thandi.online | 0781298701

---

OVERVIEW

Thandi is available to South African schools. These guidelines ensure maximum protection for learner data and comply with POPIA and the South African Schools Act.

---

FOR SCHOOLS

1. INFORMED CONSENT REQUIREMENTS

Before allowing learner access, schools must obtain documented consent:

For learners 18+ (Matric/Post-matric):

  • Signed consent form acknowledging:
  • Data collection purposes (subjects, marks, interests)
  • Right to withdraw consent anytime
  • How to request data deletion
  • Independent verification requirement

    • For learners under 18 (Grades 8-11):

  • PARENT/GUARDIAN SIGNATURE REQUIRED (non-negotiable)
  • Separate age-appropriate consent form
  • School acts as intermediary and consent verifier
  • Form must be explained in parent's home language if needed
  • Template available: Email hello@thandi.online with subject "School Consent Template"

    • 2. SCHOOL OBLIGATIONS

    By participating with Thandi, schools agree to:

  • Appoint a staff coordinator as single point of contact
  • Verify consent for all participating learners before providing access codes
  • Distribute parent information letters (available in English, isiZulu, Afrikaans, Xhosa)
  • Provide emergency contact for technical issues during school hours
  • Report concerns within 48 hours of discovery
  • Facilitate data deletion requests from parents/learners
  • Participate in feedback to help improve the platform

    • 3. SUPERVISION RECOMMENDATIONS

    For first-time use, we strongly recommend:

  • Teacher-facilitated session in computer lab/classroom
  • Brief 5-minute orientation on how AI recommendations work
  • Emphasize: "This is a guide, not gospel - verify everything"
  • Encourage discussion of results with school counselor
  • Discuss digital literacy and critical thinking around AI tools

    • Sample teacher script available on request.

    4. DATA MINIMIZATION

    We limit collection to only what is necessary:

  • ✅ Subjects and marks (minimum for accuracy)
  • ✅ Grade level (not full birthdate)
  • ✅ Career interests (categorical, not free text)
  • NOT collected: ID numbers, physical addresses, race (unless for bursary matching with explicit consent), medical info, family income

    • Schools should not provide any learner data directly to us — learners enter their own information.

    ---

    FOR LEARNERS & PARENTS

    WHAT WE COLLECT & WHY

    | Data Type | Why We Need It | How Long We Keep It | Can Delete? |

    |-----------|----------------|---------------------|-------------|

    | Subject marks | Calculate admission eligibility | 3 years from last assessment or account deletion, whichever is earlier | ✅ Yes |

    | Career interests | Personalize recommendations | 3 years from last assessment or account deletion, whichever is earlier | ✅ Yes |

    | Grade level | Show age-appropriate options | 3 years from last assessment or account deletion, whichever is earlier | ✅ Yes |

    | Email address | Send results securely | Until you delete account | ✅ Yes |

    | School name | Improve regional accuracy | 3 years from last assessment or account deletion, whichever is earlier | ⚠️ Partial |

    YOUR PROTECTIONS

    No commercial use of your data

    Independent verification warnings on every recommendation

    Immediate deletion upon request (email: privacy@thandi.online)

    Anonymized participation in research (opt-out available)

    Secure storage on encrypted Supabase and Vercel infrastructure

    No third-party selling - ever

    B-BBEE status protected - we are a 100% black-owned Level 1 contributor

    WHAT TO VERIFY INDEPENDENTLY

    ⚠️ CRITICAL DISCLAIMERS:

  • University admission requirements change annually - Always check official prospectuses on university websites
  • Bursary deadlines and criteria - Confirm directly with bursary providers (many change mid-year)
  • Career paths - May have additional requirements: medical tests, portfolios, driver's license, security clearance
  • Marks calculations - Some universities use different weightings (e.g., dropping lowest subject)
  • Use Thandi as a starting point, not final authority

    • Verification guide included with every learner report.

    PARENT/GUARDIAN RIGHTS

    Parents/guardians of learners under 18 can:

  • Request access to all data collected about their child (within 7 days)
  • Request deletion of all data immediately
  • Request data export in portable format
  • Object to school participation
  • Withdraw consent at any time (school dashboard access deactivated within 24 hours)
  • Complain to Information Regulator if rights are violated

    • To exercise rights: Email privacy@thandi.online with subject: "Parent Request - [Learner Name] - [School Name]"

    ---

    TECHNICAL SAFEGUARDS

    Learner data isolation

  • Row-level security policies on all learner data tables
  • Individual learner sessions — no learner can see another's results
  • School dashboard access requires both guardian consent and school-share consent

    • Security

  • Independent security review completed (May 2026)
  • API rate limiting on all data routes
  • Automatic session management
  • Zero third-party sharing of identifiable data

    • Hosting Security (Vercel & Supabase)

  • SOC 2 Type II compliant infrastructure
  • Automatic DDoS protection
  • Edge network encryption
  • Isolated function execution

    • ---

    INCIDENT RESPONSE

    If we discover a data protection issue:

    | Timeframe | Action |

    |-----------|--------|

    | Within 1 hour | Immediate containment and investigation initiation |

    | Within 6 hours | School coordinator notification via phone + email |

    | Within 24 hours | Full assessment and parent/learner notification (if risk identified) |

    | Within 48 hours | Notification to Information Regulator as required by POPIA Section 22 |

    | Within 7 days | Complete remediation report to affected parties |

    Emergency contact for schools: 0781298701 (Seelan Govender)

    ---

    WITHDRAWING FROM THANDI

    For learners:

  • Stop using the service at any time
  • Email privacy@thandi.online requesting deletion
  • All data deleted within 10 business days of verified request
  • Receive confirmation of deletion

    • For parents/guardians:

  • Withdraw consent at any time by emailing privacy@thandi.online
  • Learner's school loses dashboard access within 24 hours
  • Learner's own access to their results is unaffected

    • ---

    QUESTIONS & SUPPORT

  • Technical issues: support@thandi.online (aim for 2-hour response during business hours)
  • Privacy concerns: privacy@thandi.online or hello@thandi.online (Information Officer direct)
  • Emergency contact: 0781298701 (Seelan Govender)

    • Business Hours: Monday - Friday, 8:00 AM - 5:00 PM SAST

    ---

    DOCUMENT VERSION

    Version: 1.2

    Issue Date: 26 May 2026

    Next Review: October 2026

    THANDI AI (PTY) LTD

    170 Innes Road, Morningside, Durban, Kwa-Zulu Natal, 4001

    Registration: 2025/939429/07 | POPIA: 2025-068149 | B-BBEE Level 1

    Author: Seelan Govender - Information Officer

    Document provided by THANDI AI (PTY) LTD

    POPIA Registration: 2025-068149

    Contact Information Officer