Privacy Policy

Effective Date: 20 March 2026

1. Introduction

Kindi (kindi.club) is a school management platform operated by GettinDrikkieWithIt (Pty) Ltd, designed for South African daycare centres, crèches, and early childhood development (ECD) programmes. We are committed to protecting your privacy and the personal information of all users, including children.

This Privacy Policy explains how we collect, use, store, and share your personal information in compliance with the Protection of Personal Information Act 4 of 2013 (POPIA) and other applicable South African legislation. By using Kindi, you acknowledge that you have read and understood this Privacy Policy.

2. Information We Collect

We collect the following categories of personal information:

  • Personal information of account holders: Full name, email address, phone number, role (administrator, teacher, or parent/guardian), and login credentials.
  • Children's information: Full name, date of birth, gender, classroom assignment, attendance records, developmental observations, progress reports, daily reports, and photographs uploaded by the School.
  • Medical information: Allergies, medical conditions, dietary requirements, emergency contacts, and medicine administration logs as provided by the School or parent/guardian.
  • Financial information: Invoice records, payment history, billing details, and school banking details (bank name, account number, branch code) provided by the school administrator for display on invoices. Staff banking details may also be stored for payroll processing. Note: Kindi does not store credit or debit card numbers; card payment processing is handled by our payment providers, Paystack (South Africa) and Paddle (international).
  • Usage data: Pages visited, features used, browser type, device information, IP address, and session data collected automatically when you use the Service.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Service delivery: To provide, operate, and maintain the Kindi platform, including managing attendance, daily reports, observations, messaging, and all other features.
  • Communication: To send transactional emails and in-app notifications related to your account, such as invoice statements, daily report notifications, and system announcements.
  • Billing and payments: To process subscription fees, generate invoices, and facilitate payments through Paystack (South Africa) and Paddle (international).
  • Analytics: To understand how the Service is used and to improve the user experience. We use Google Analytics 4 (GA4) for anonymous, aggregated usage statistics.
  • Legal compliance: To comply with applicable laws, regulations, and legal processes, including POPIA requirements.
  • Security: To detect, prevent, and address fraud, abuse, and security issues.

4. Legal Basis for Processing (POPIA)

Under POPIA, we process personal information based on the following legal grounds:

  • Consent: Where you have given explicit consent for us to process your personal information, such as when creating an account or opting in to notifications.
  • Contract: Where processing is necessary for the performance of a contract to which you are a party, such as providing the Service under your subscription agreement.
  • Legitimate interest: Where processing is necessary for our legitimate interests, such as improving the Service, provided these interests do not override your rights and freedoms.
  • Legal obligation: Where processing is necessary to comply with a legal obligation, such as retaining financial records as required by South African tax law.

5. Who We Share Data With

We share personal information only with the following categories of third parties, and only to the extent necessary:

  • Paystack: Our payment processor for South African subscriptions and invoice payments. Paystack receives billing information necessary to process payments and is PCI-DSS compliant.
  • Paddle: Our merchant of record for international subscription billing. Paddle receives billing information necessary to process payments and is PCI-DSS compliant. See Paddle's Privacy Policy.
  • Hosting provider (Hetzner Online GmbH): Our infrastructure is hosted in Hetzner's data centre in Nürnberg, Germany (European Union). The EU maintains data protection standards recognised as adequate under POPIA. All data is stored on servers with appropriate access controls.
  • Google Analytics (GA4): We share anonymous, aggregated usage data with Google for analytics purposes. No personally identifiable information is sent to Google Analytics.
  • Google Firebase (mobile app only): The Kindi mobile app uses Firebase Cloud Messaging to deliver push notifications and Firebase Analytics to understand app usage. Firebase receives the device's push token (FCM registration ID), a Firebase Installation ID, and event interactions inside the app (screens viewed, taps). We have explicitly disabled the Android Advertising ID; Firebase does not receive any advertising identifier from your device. No name, email, child information, photos, messages or invoices are sent to Firebase. See Firebase's Privacy and Security page.

We do not sell your personal information. We do not share your personal information with third parties for marketing purposes. We will only disclose personal information to law enforcement or government authorities if required to do so by law or court order.

6. Children's Data

Kindi takes the protection of children's personal information extremely seriously. Under POPIA, the processing of personal information relating to children requires the consent of a competent person (parent or guardian).

  • Children's data is collected and managed by the School (as the Responsible Party) through their administrators and teachers.
  • Parents and guardians provide information about their children during the enrolment process or through the parent portal.
  • Children's data is used solely for educational and care purposes, including attendance tracking, daily reports, developmental observations, progress reports, and medical record management.
  • Parents and guardians may request access to, correction of, or deletion of their child's personal information at any time by contacting their School or by emailing us at kindiapp.club@gmail.com.
  • Kindi does not use children's data for marketing, profiling, or any purpose unrelated to the educational and care services provided by the School.

7. Data Storage & Security

We implement appropriate technical and organisational measures to protect your personal information:

  • Encryption in transit: All data transmitted between your browser/mobile app and our servers is encrypted using TLS (Transport Layer Security). Our API enforces HTTPS for all connections.
  • Data location: All personal data is stored on servers in Nürnberg, Germany (European Union), hosted by Hetzner Online GmbH. The EU is recognised as having adequate data protection under POPIA.
  • Database access controls: Access to the production database is restricted to authorised personnel only, using secure credentials and network-level access controls.
  • Regular backups: We perform regular automated backups of all data to ensure recovery in the event of data loss or system failure.
  • Password security: User passwords are hashed using industry-standard algorithms and are never stored in plain text.
  • Monitoring: We use error tracking and monitoring tools to detect and respond to potential security incidents.

8. Data Retention

We retain personal information only for as long as necessary to fulfil the purposes for which it was collected:

  • Active accounts: Personal information is retained for the duration of your active account and subscription.
  • Deleted accounts: Upon account deletion or termination, personal information is permanently removed from our systems within 30 days, except where retention is required by law.
  • Financial records: Invoice and payment records may be retained for a period required by South African tax legislation (currently five years).
  • Medical information: Medical records are retained in accordance with the School's own data retention policy and applicable health legislation.

9. Data Breach Response

We maintain a data breach response procedure in accordance with POPIA Section 22. A data breach constitutes any unauthorised access to, or disclosure of, personal information held by Kindi.

In the event of a data breach, our response procedure includes the following steps:

  • Contain the breach: Immediately secure affected systems to prevent further unauthorised access or disclosure.
  • Assess the scope: Determine what data was affected and how many individuals were impacted.
  • Notify the Information Regulator: Report the breach to the Information Regulator as soon as reasonably possible.
  • Notify affected individuals: Where the breach poses a risk to the rights of data subjects, we will notify affected individuals directly.
  • Document and remediate: Record the breach, its root cause, and all remedial steps taken to prevent recurrence.

We aim to notify the Information Regulator and affected individuals within 72 hours of becoming aware of a breach.

If you believe your data has been compromised, contact our Information Officer immediately at kindiapp.club@gmail.com. You may also report a breach directly to the Information Regulator at complaints.IR@justice.gov.za or via inforegulator.org.za.

10. Your Rights Under POPIA

As a data subject under POPIA, you have the following rights:

  • Right of access: You may request confirmation of whether we hold personal information about you and request access to that information.
  • Right to correction: You may request that we correct or update any inaccurate or incomplete personal information.
  • Right to deletion: You may request that we delete your personal information, subject to any legal obligations requiring retention.
  • Right to object: You may object to the processing of your personal information on reasonable grounds.
  • Right to data portability: You may request a copy of your personal information in a structured, commonly used format.
  • Right to lodge a complaint: You have the right to lodge a complaint with the Information Regulator of South Africa if you believe your personal information has been processed in violation of POPIA.

To exercise any of these rights, please contact us at kindiapp.club@gmail.com. We will respond to your request within a reasonable time and in accordance with POPIA requirements.

11. Cookies & Tracking

Kindi uses cookies and similar technologies for the following purposes:

  • Essential session cookies: These cookies are necessary for the Service to function, including maintaining your login session and security tokens. They cannot be disabled.
  • Google Analytics 4 (GA4): We use GA4 to collect anonymous, aggregated statistics about how the Service is used, such as pages visited and feature usage. GA4 does not collect personally identifiable information.
  • No advertising cookies: Kindi does not use cookies for advertising, remarketing, or tracking across other websites.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements.

  • We will provide at least 30 days' notice before material changes take effect.
  • For material changes that affect how we process children's data or share information with third parties, we will notify you via email.
  • The updated effective date will be displayed at the top of this page.
  • Your continued use of the Service after the effective date constitutes acceptance of the revised Privacy Policy.

13. Information Officer

In accordance with POPIA, GettinDrikkieWithIt (Pty) Ltd has designated an Information Officer who is responsible for ensuring compliance with data protection legislation and for handling all data-related enquiries and requests.

To contact our Information Officer regarding any privacy concerns, data access requests, or complaints:

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Regulator of South Africa: