Contents
- Who We Are
- What Personal Information We Collect
- How and Why We Use Your Information
- How We Share Your Information
- Cross-Border Transfer of Personal Information
- Data Retention
- Your Rights
- Security
- Cookies and Session Data
- Children's Privacy
- Changes to This Policy
- Contact Us & Information Officer
- How to Lodge a Complaint
1. Who We Are
Toppers Tutoring Pty Ltd (registration pending), trading as X-Area, is a South African company that provides a cloud-based tutoring management platform ("the Platform") to educational organisations, tutoring centres, and similar institutions ("Clients").
For the purposes of the Protection of Personal Information Act 4 of 2013 (POPIA) and the EU General Data Protection Regulation (GDPR), Toppers Tutoring Pty Ltd acts as the Responsible Party / Data Controller in respect of personal information collected directly from users of the Platform.
Where Clients use the Platform to manage their own students and staff, Toppers Tutoring Pty Ltd acts as an Operator / Data Processor on behalf of those Clients (who are the Responsible Parties for that data).
Information Officer: Toppers Tutoring Pty Ltd designates the company Director as its Information Officer as required by POPIA Section 55. Contact: info@topperstutoring.com
2. What Personal Information We Collect
We collect personal information in the following categories, depending on your role:
2.1 Platform Administrators, Managers & Tutors (Organisation Members)
- Full name and email address
- Phone number (optional)
- Job role within the organisation
- Login credentials (password stored as a secure hash; we never store plaintext passwords)
- Date and time of account creation and terms acceptance
- Activity logs (pages accessed, actions taken, for security and audit purposes)
2.2 Students
- Full name and email address
- Phone number (optional)
- Student identification number (auto-generated by the Platform)
- Attendance records: session dates, check-in and check-out times, attendance status (present, late, absent, excused)
- Subject enrolments
- Excuse notes and supporting reasons
2.3 Information Collected Automatically
- IP address and browser/device type (stored in server logs for up to 30 days)
- Session tokens (stored client-side in a secure, HTTP-only cookie)
We do not collect special category personal information (e.g. race, health data, biometric data) unless explicitly required for an excused absence and provided voluntarily by the student or their guardian.
3. How and Why We Use Your Information
| Purpose | Lawful Basis (POPIA) | Lawful Basis (GDPR) |
|---|---|---|
| Creating and managing your account | Contractual necessity | Art. 6(1)(b) — Contract performance |
| Recording and reporting attendance | Legitimate purpose of the Client | Art. 6(1)(b) & (f) — Contract / Legitimate interests |
| Sending in-platform notifications | Legitimate purpose | Art. 6(1)(f) — Legitimate interests |
| Providing reports and analytics to Clients | Legitimate purpose of the Client | Art. 6(1)(b) — Contract performance |
| Security and fraud prevention | Legal obligation / Legitimate purpose | Art. 6(1)(c) & (f) — Legal obligation / Legitimate interests |
| Complying with legal obligations | Legal obligation | Art. 6(1)(c) — Legal obligation |
| Improving the Platform | Legitimate purpose | Art. 6(1)(f) — Legitimate interests |
We do not use your personal information for direct marketing without your separate consent.
4. How We Share Your Information
We do not sell your personal information. We share it only in the following circumstances:
4.1 Sub-Processors
We use the following third-party service providers who process personal information on our behalf under written data processing agreements:
| Provider | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database hosting, authentication, and file storage | EU West — Ireland (AWS eu-west-1) |
Supabase complies with GDPR as a data processor and provides a Data Processing Agreement (DPA). Data is hosted in Ireland, within the European Economic Area.
4.2 Client Organisations
Student data entered into the Platform is accessible to the Client organisation (the tutoring centre or school that engaged with X-Area). Clients are responsible for their own compliance with POPIA and other applicable data protection laws in respect of their students' data.
4.3 Legal Disclosure
We may disclose personal information if required to do so by law, court order, or where we reasonably believe disclosure is necessary to protect our rights, protect your safety or the safety of others, or investigate fraud.
4.4 Business Transfers
If Toppers Tutoring Pty Ltd is acquired, merged, or undergoes a similar transaction, personal information may be transferred to the successor entity, subject to the same obligations under this Policy.
5. Cross-Border Transfer of Personal Information
Your personal information is stored on servers located in Ireland (EU), operated by Supabase Inc. Ireland is a member state of the European Union and is subject to the GDPR, which provides a level of data protection that meets the adequacy threshold recognised by South Africa's Information Regulator under POPIA Section 72.
For users in the European Economic Area, no further transfer mechanism is required, as data remains within the EEA.
For users in the United Kingdom, processing is conducted in accordance with the UK GDPR and the Data Protection Act 2018.
For users in other jurisdictions, we implement appropriate safeguards including contractual clauses and technical security measures to protect your information in compliance with applicable local laws.
6. Data Retention
| Data Category | Retention Period |
|---|---|
| Account and member records (active accounts) | For the duration of the account |
| Account and member records (after deletion) | 30 days (for recovery), then permanently deleted |
| Student attendance records | 3 years from the session date, unless the Client instructs earlier deletion |
| Server and access logs | 30 days |
| Announcements and notifications | 1 year, or until deleted by an admin |
| Terms acceptance records | 5 years (required for legal compliance purposes) |
After the applicable retention period, data is securely deleted or irreversibly anonymised.
7. Your Rights
Depending on your location, you have the following rights regarding your personal information:
7.1 Rights under POPIA (South Africa)
- Right of access: Request confirmation of whether we hold your personal information and obtain a copy.
- Right to correction or deletion: Request that we correct inaccurate or delete unnecessary information.
- Right to object: Object to the processing of your personal information.
- Right to complain: Lodge a complaint with the Information Regulator (see Section 13).
7.2 Additional Rights under GDPR (EU/EEA & UK)
- Right to erasure ("right to be forgotten"): Request deletion of your personal data in certain circumstances.
- Right to data portability: Receive your personal data in a structured, machine-readable format.
- Right to restrict processing: Request restriction of processing in certain circumstances.
- Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
7.3 Rights under CCPA (California, USA)
- Right to know what personal information is collected and how it is used.
- Right to delete personal information.
- Right to opt out of the sale of personal information (we do not sell personal information).
- Right to non-discrimination for exercising these rights.
To exercise any of these rights, contact our Information Officer at info@topperstutoring.com. We will respond within 30 days (POPIA / GDPR standard).
Note: Where student data is held on behalf of a Client organisation, data access requests should be directed to that organisation in the first instance, as they are the Responsible Party for that data.
8. Security
We implement appropriate technical and organisational measures to protect personal information against unauthorised access, loss, alteration, or disclosure, including:
- All data in transit is encrypted using TLS 1.2 or higher.
- All data at rest is encrypted by our infrastructure provider (Supabase / AWS).
- Passwords are hashed using industry-standard algorithms and never stored in plaintext.
- Access to production systems is restricted to authorised personnel only.
- Row-level security policies restrict each organisation's data to that organisation only.
- Session tokens are rotated on authentication and stored in secure, HTTP-only cookies.
In the event of a data breach that is likely to result in a risk to data subjects' rights, we will notify the Information Regulator within 72 hours as required by POPIA and GDPR, and will notify affected data subjects without undue delay.
9. Cookies and Session Data
We use only strictly necessary cookies. No advertising, analytics, or third-party tracking cookies are used.
| Cookie | Purpose | Duration |
|---|---|---|
| session | Maintains your login session and application state | Up to 8 hours (or until sign-out) |
Because we only use strictly necessary cookies, no cookie consent banner is displayed. You may disable cookies in your browser settings, but this will prevent you from logging in.
10. Children's Privacy
The Platform may be used by Client organisations to manage attendance for students who are minors. In such cases, the Client organisation is responsible for obtaining any necessary parental or guardian consent in compliance with applicable law, including POPIA Section 35 (processing of personal information of children).
Direct accounts on the Platform (administrators, managers, tutors) are limited to individuals who are 18 years of age or older.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via an in-platform notification and/or email at least 14 days before taking effect. Your continued use of the Platform after the effective date constitutes acceptance of the updated Policy.
Where required by law (e.g. where changes affect rights under GDPR), we will obtain your explicit consent before the changes take effect.
12. Contact Us & Information Officer
Toppers Tutoring Pty Ltd
Trading as X-Area
South Africa
Information Officer / Data Privacy Queries:
Email: info@topperstutoring.com
We aim to respond to all privacy queries within 5 business days and to all formal data subject requests within 30 days.
13. How to Lodge a Complaint
If you believe we have not handled your personal information appropriately, please contact us first at info@topperstutoring.com so that we can resolve the matter. You also have the right to lodge a complaint directly with the relevant supervisory authority:
| Jurisdiction | Authority | Website |
|---|---|---|
| South Africa | Information Regulator (SA) | inforegulator.org.za |
| European Union / Ireland | Data Protection Commission (Ireland) | dataprotection.ie |
| United Kingdom | Information Commissioner's Office (ICO) | ico.org.uk |
| United States (California) | California Privacy Protection Agency | cppa.ca.gov |