Privacy Policy
Effective Date: 20 March 2026
1. Introduction
Kindi (kindi.club) is a school management platform operated by GettinDrikkieWithIt (Pty) Ltd, designed for South African daycare centres, crèches, and early childhood development (ECD) programmes. We are committed to protecting your privacy and the personal information of all users, including children.
This Privacy Policy explains how we collect, use, store, and share your personal information in compliance with the Protection of Personal Information Act 4 of 2013 (POPIA) and other applicable South African legislation. By using Kindi, you acknowledge that you have read and understood this Privacy Policy.
2. Information We Collect
We collect the following categories of personal information:
- Personal information of account holders: Full name, email address, phone number, role (administrator, teacher, or parent/guardian), and login credentials.
- Children's information: Full name, date of birth, gender, classroom assignment, attendance records, developmental observations, progress reports, daily reports, and photographs uploaded by the School.
- Medical information: Allergies, medical conditions, dietary requirements, emergency contacts, and medicine administration logs as provided by the School or parent/guardian.
- Financial information: Invoice records, payment history, billing details, and school banking details (bank name, account number, branch code) provided by the school administrator for display on invoices. Staff banking details may also be stored for payroll processing. Note: Kindi does not store credit or debit card numbers; card payment processing is handled by our payment provider, Paystack.
- Location data (staff clock-in only): When a staff member clocks in or out via the Kindi mobile app, the device's location (latitude, longitude and GPS accuracy) is captured at that moment only, to verify on-site attendance for the school. Location is never tracked continuously, is visible only to the school's administrators alongside the timecard, and is retained with the timecard record. Staff can decline the location permission; clock-in then records without location.
- Usage data: Pages visited, features used, browser type, device information, IP address, and session data collected automatically when you use the Service.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Service delivery: To provide, operate, and maintain the Kindi platform, including managing attendance, daily reports, observations, messaging, and all other features.
- Communication: To send transactional emails and in-app notifications related to your account, such as invoice statements, daily report notifications, and system announcements.
- Billing and payments: To process subscription fees, generate invoices, and facilitate payments through Paystack.
- Analytics: To understand how the Service is used and to improve the user experience. We use Google Analytics 4 (GA4) for anonymous, aggregated usage statistics. GA4 is only loaded after you accept analytics cookies in our consent banner — decline and no analytics cookie is set.
- Legal compliance: To comply with applicable laws, regulations, and legal processes, including POPIA requirements.
- Security: To detect, prevent, and address fraud, abuse, and security issues.
4. Legal Basis for Processing (POPIA)
Under POPIA, we process personal information based on the following legal grounds:
- Consent: Where you have given explicit consent for us to process your personal information, such as when creating an account or opting in to notifications.
- Contract: Where processing is necessary for the performance of a contract to which you are a party, such as providing the Service under your subscription agreement.
- Legitimate interest: Where processing is necessary for our legitimate interests, such as improving the Service, provided these interests do not override your rights and freedoms.
- Legal obligation: Where processing is necessary to comply with a legal obligation, such as retaining financial records as required by South African tax law.
5. Who We Share Data With
We share personal information only with the following categories of third parties, and only to the extent necessary:
- Paystack: Our payment processor for South African subscriptions and invoice payments. Paystack receives billing information necessary to process payments and is PCI-DSS compliant.
- Hosting provider (Hetzner Online GmbH): Our infrastructure is hosted in Hetzner's data centre in Nürnberg, Germany (European Union). The EU maintains data protection standards recognised as adequate under POPIA. All data is stored on servers with appropriate access controls.
- Google Analytics (GA4): We share anonymous, aggregated usage data with Google for analytics purposes. No personally identifiable information is sent to Google Analytics.
- Google Firebase (mobile app only): The Kindi mobile app uses Firebase Cloud Messaging to deliver push notifications and Firebase Analytics to understand app usage. Firebase receives the device's push token (FCM registration ID), a Firebase Installation ID, and event interactions inside the app (screens viewed, taps). We have explicitly disabled the Android Advertising ID; Firebase does not receive any advertising identifier from your device. Push notifications are sent with generic titles (for example "New daily report") and internal record identifiers only — children's names, photos, message content and invoice details are never included in the notification payload; the app fetches that content over its authenticated connection to our servers after you tap. See Firebase's Privacy and Security page.
- Sentry (error monitoring): We use Sentry to capture application errors so we can diagnose and fix problems. Error reports may include technical diagnostics and an internal account identifier (your user ID, role and school ID) — they do not include your email address, password, child medical records, messages or financial details. See Sentry's Privacy Policy.
- Meta (WhatsApp Business Cloud API) — opt-in only: If you choose to receive notifications on WhatsApp (off by default; enable it in your notification preferences), your phone number and the content of those notifications (for example invoice reminders, daily report alerts, event notices) are transmitted to Meta Platforms to deliver the message. Meta processes this data outside South Africa under its WhatsApp Business Terms, which provide contractual safeguards consistent with section 72 of POPIA. Turn WhatsApp delivery off at any time in your preferences — email and in-app alerts are unaffected.
- Email delivery (Google Workspace / Gmail SMTP): Transactional email — password resets, sign-in links, invoices, report notifications — is currently delivered via Google's SMTP service. The content of those emails necessarily transits Google's servers (outside South Africa, under Google's data processing terms) in order to be delivered to you.
- Anthropic (AI drafting, schools' marketing tools only): When a school uses the optional AI marketing assistant, the prompt the school writes and its school profile (name, ethos, keywords) are sent to Anthropic's API to draft social-media copy. No child, parent or staff personal information is included in these requests.
We do not sell your personal information. We do not share your personal information with third parties for marketing purposes. We will only disclose personal information to law enforcement or government authorities if required to do so by law or court order.
6. Children's Data
Kindi takes the protection of children's personal information extremely seriously. Under POPIA, the processing of personal information relating to children requires the consent of a competent person (parent or guardian).
- Children's data is collected and managed by the School (as the Responsible Party) through their administrators and teachers.
- Parents and guardians provide information about their children during the enrolment process or through the parent portal.
- Children's data is used solely for educational and care purposes, including attendance tracking, daily reports, developmental observations, progress reports, and medical record management.
- Parents and guardians may request access to, correction of, or deletion of their child's personal information at any time by contacting their School or by emailing us at support@kindi.club.
- Kindi does not use children's data for marketing, profiling, or any purpose unrelated to the educational and care services provided by the School.
7. Data Storage & Security
We implement appropriate technical and organisational measures to protect your personal information:
- Encryption in transit: All data transmitted between your browser/mobile app and our servers is encrypted using TLS (Transport Layer Security). Our API enforces HTTPS for all connections.
- Data location: All personal data is stored on servers in Nürnberg, Germany (European Union), hosted by Hetzner Online GmbH. The EU is recognised as having adequate data protection under POPIA.
- Database access controls: Access to the production database is restricted to authorised personnel only, using secure credentials and network-level access controls.
- Regular backups: We perform regular automated backups of all data to ensure recovery in the event of data loss or system failure.
- Password security: User passwords are hashed using industry-standard algorithms and are never stored in plain text.
- Monitoring: We use error tracking and monitoring tools to detect and respond to potential security incidents.
8. Data Retention
We retain personal information only for as long as necessary to fulfil the purposes for which it was collected:
- Active accounts: Personal information is retained for the duration of your active account and subscription.
- Deleted accounts: Upon account deletion or termination, personal information is permanently removed from our systems within 30 days, except where retention is required by law.
- Financial records: Invoice and payment records may be retained for a period required by South African tax legislation (currently five years).
- Medical information: A child's medical profile (allergies, conditions, medicines and administration logs) is deleted 12 months after the child is withdrawn from the school, unless the School has a longer lawful retention requirement. Schools may request earlier deletion at any time.
- Backups: Encrypted off-site backups are retained for up to 30 days for disaster recovery, after which they are automatically deleted. Data removed from live systems may therefore persist in backups until the backup cycle expires.
9. Data Breach Response
We maintain a data breach response procedure in accordance with POPIA Section 22. A data breach constitutes any unauthorised access to, or disclosure of, personal information held by Kindi.
In the event of a data breach, our response procedure includes the following steps:
- Contain the breach: Immediately secure affected systems to prevent further unauthorised access or disclosure.
- Assess the scope: Determine what data was affected and how many individuals were impacted.
- Notify the Information Regulator: Report the breach to the Information Regulator as soon as reasonably possible.
- Notify affected individuals: Where the breach poses a risk to the rights of data subjects, we will notify affected individuals directly.
- Document and remediate: Record the breach, its root cause, and all remedial steps taken to prevent recurrence.
We aim to notify the Information Regulator and affected individuals within 72 hours of becoming aware of a breach.
If you believe your data has been compromised, contact our Information Officer immediately at support@kindi.club. You may also report a breach directly to the Information Regulator at complaints.IR@justice.gov.za or via inforegulator.org.za.
10. Your Rights Under POPIA
As a data subject under POPIA, you have the following rights:
- Right of access: You may request confirmation of whether we hold personal information about you and request access to that information.
- Right to correction: You may request that we correct or update any inaccurate or incomplete personal information.
- Right to deletion: You may request that we delete your personal information, subject to any legal obligations requiring retention.
- Right to object: You may object to the processing of your personal information on reasonable grounds.
- Right to data portability: You may request a copy of your personal information in a structured, commonly used format.
- Right to lodge a complaint: You have the right to lodge a complaint with the Information Regulator of South Africa if you believe your personal information has been processed in violation of POPIA.
To exercise any of these rights, please contact us at support@kindi.club. We will respond to your request within a reasonable time and in accordance with POPIA requirements.
11. Cookies & Tracking
Kindi uses cookies and similar technologies for the following purposes:
- Essential session cookies: These cookies are necessary for the Service to function, including maintaining your login session and security tokens. They cannot be disabled.
- Google Analytics 4 (GA4): We use GA4 to collect anonymous, aggregated statistics about how the Service is used, such as pages visited and feature usage. GA4 does not collect personally identifiable information.
- No advertising cookies: Kindi does not use cookies for advertising, remarketing, or tracking across other websites.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements.
- We will provide at least 30 days' notice before material changes take effect.
- For material changes that affect how we process children's data or share information with third parties, we will notify you via email.
- The updated effective date will be displayed at the top of this page.
- Your continued use of the Service after the effective date constitutes acceptance of the revised Privacy Policy.
13. Information Officer
In accordance with POPIA, GettinDrikkieWithIt (Pty) Ltd has designated an Information Officer who is responsible for ensuring compliance with data protection legislation and for handling all data-related enquiries and requests.
To contact our Information Officer regarding any privacy concerns, data access requests, or complaints:
- Email: support@kindi.club
- Website: kindi.club
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Regulator of South Africa:
- Website: inforegulator.org.za
- Email: complaints.IR@justice.gov.za