Global Privacy Policy
Data Protection Statement & Fair Processing Notice
This Privacy Policy describes how My Swim School ("Provider", "we", "us") collects, uses, and protects personal information through our Swim School Management SaaS Platform. We acknowledge that our Platform processes the sensitive data of minors; therefore, Privacy by Design and Default are the core pillars of our architecture.
Contents
1. Compliance Framework
2. Our Role (Operator and Responsible Party)
3. Information We Collect
4. Purpose of Processing and Usage
5. Children's Data and Special Personal Information
6. Cookies and Tracking
7. Sub-Processors
8. Cross-Border Transfers
9. Data Security and Retention Policy
10. Your Rights and How to Exercise Them
1.1 South Africa (POPIA)
We process personal information in accordance with the Protection of Personal Information Act. The primary production database is provisioned within the Microsoft Azure South Africa North region, and automatic geo-replication of that database to regions outside South Africa is disabled by default. Limited cross-border processing by our sub-processors is described in the Cross-Border Transfers and Sub-Processors sections below.1.2 USA (Designed to Support COPPA)
The Platform is designed to support the Children's Online Privacy Protection Act. The Tenant (Swim School) acts as the operator and is responsible for obtaining verifiable parental consent before creating any profile for a child where COPPA applies.1.3 UK (Designed to Support GDPR and AADC)
The Platform is designed to support the Age Appropriate Design Code. We prioritise the best interests of the child and do not use children's data for marketing, profiling, or behavioural advertising.Our role under POPIA depends on whose data is being processed.
Operator (processor) for Tenant data: For the personal information that a Swim School (the Tenant) and its parents, swimmers, and staff submit to the Platform, the Swim School is the responsible party (controller) and we act as its operator (processor). We process that data only to provide the Platform and on the Tenant's instructions, as reflected by the Tenant's use of the Platform. Data subject requests about that data are directed to the Swim School in the first instance.
Responsible party (controller) for our own data: For the data we collect for our own purposes, including school administrator accounts, our billing and subscription records, the pseudonymous Signals analytics described below, and security and audit logging, we are the responsible party and are accountable for that processing.
We adhere to the principle of Data Minimization. We only collect data strictly necessary to deliver the Service.
Swimmer Data
Name, Date of Birth (for age-appropriate grouping), and Skill Progress.
Health Data (Special Category)
Critical medical alerts (e.g., asthma, allergies) relevant to swimming safety.
Financial Data
We do not store credit card numbers. Payments are processed via Paystack; we retain only secure transaction tokens for recurring billing.
Parent/Guardian Data
Names, contact details, and emergency contact information.
Staff Payroll Data
Banking details and tax identifiers for automated staff remuneration.
Events & Gala Booking Data
Registration details for school events and galas, used solely to manage attendance and communications.
Chat & Messaging Content
In-app messages between coaches and parents. This is operator data held on behalf of the school; it is not sold or analysed for advertising purposes.
We process data solely for the purpose of providing the Swim School Management Service:
Class Management: Scheduling lessons, tracking attendance, and facilitating 'Stand-in Management' for coach substitutions.
Progress Tracking: Recording skill acquisition and generating digital certificates.
Safety: Providing coaches with medical alerts via the secure Coach Portal.
Communication: Automated operational notifications and correspondence sent by email, and browser push notifications where the recipient has opted in.
Data Migration: Processing legacy school data imported via spreadsheets for platform onboarding.
Remuneration: Calculating and processing staff payroll based on attendance and class schedules.
The Platform is used to manage the personal information of children. Under POPIA, the personal information of a child may be processed only with the consent of a competent person (the child's parent or guardian) as contemplated in Section 35. The Swim School (Tenant), as the responsible party for that data, is responsible for obtaining and recording that consent before a child's information is entered into the Platform.
Special personal information. The Platform records limited health information, such as critical medical alerts (for example asthma or allergies), so that coaches can keep swimmers safe in and around the water. This is special personal information under POPIA, and it is processed on the Section 27 basis that the processing is necessary to protect a legitimate interest of the data subject, namely their safety during swimming activities. We do not use children's data for marketing, profiling, or behavioural advertising.
Essential cookies. We use strictly necessary cookies to keep you signed in and to keep your session secure. These cannot be switched off without breaking core functionality, and they are not used for advertising.
Signals analytics (pseudonymous). To understand how our marketing site and the Platform are used and to improve them, we operate a first-party analytics pipeline called Signals. It records pseudonymous events that do not contain your name or other direct identifiers. Each event may include an anonymous visitor identifier, a session identifier, a one-way hashed form of your IP address, a hashed user-agent string, the page visited, the referrer, and any campaign parameters (UTM source, medium, campaign, term, and content). We use this data for product and marketing analytics. Signals events are retained for 365 days by default and are then purged.
We do not currently operate a cookie-consent banner. If you wish to limit analytics, you can use your browser's privacy controls.We engage a limited number of trusted operators (sub-processors) to help us deliver the Platform. Each is bound to process personal information only on our instructions and to keep it secure. The sub-processors currently in use are:
| Sub-processor | Purpose | Location |
|---|---|---|
| Microsoft Azure | Application hosting and the primary database | South Africa North |
| Azure Communication Services | Transactional and notification email delivery | Microsoft Azure |
| Azure Key Vault | Secure storage of application secrets and keys | Microsoft Azure |
| Paystack | Card payment processing | Outside South Africa, including Nigeria |
| WebPush / VAPID | Browser push notification delivery, where you opt in | Your browser vendor's push service |
| Investec (bank feed) | Optional bank transaction feed, only where a school connects it | South Africa |
| Nedbank (bank feed) | Optional bank transaction feed, only where a school connects it | Accessed via a United Kingdom Open Banking gateway |
Our primary database is kept in the Microsoft Azure South Africa North region. Some of our sub-processors necessarily process limited personal information outside South Africa: card payments are processed by Paystack (which operates infrastructure outside South Africa, including in Nigeria), email is delivered through Azure Communication Services, and the optional Nedbank bank feed is accessed through a United Kingdom Open Banking gateway. Where personal information is transferred outside South Africa, we rely on a basis permitted by Section 72 of POPIA, including that the transfer is necessary to perform our contract with you or with the Tenant and that the recipient is subject to obligations affording an adequate level of protection.
We utilize enterprise-grade security measures within the Microsoft Azure ecosystem.
Encryption: Data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
Role-Based Access Control (RBAC): Coaches are granted "Least Privilege" access. They can only view data for students currently in their assigned classes; they cannot view the full school database.
Retention and deletion schedule:
Tenant Service Data is retained for the duration of the Tenant's active subscription.
After cancellation or termination, data is kept for a deletion grace period (30 days by default) and is then permanently deleted.
Accounts that remain unpaid are suspended and, after the same deletion grace period, their data is permanently deleted. Trial accounts that are not converted are removed together with their data at the end of the trial.
Operational and host logs are retained for approximately 30 days.
Pseudonymous Signals analytics events are retained for 365 days by default and are then purged.
Security and audit logs are retained according to the configured audit-log retention period (365 days by default).
Where your Swim School is the responsible party and we act as its operator, please direct requests about that data to your Swim School in the first instance, and we will support the school in responding. For data for which we are the responsible party, you may exercise the rights below directly with us using the contact details in the card at the foot of this page. We will acknowledge a request promptly and respond within a reasonable period, and within any timeframe required by law.
Right to Access
You may request a copy of the personal information held about you or your child.Right to Rectification
You may correct inaccurate or incomplete data, often directly via the Parent Portal.Right to Erasure
You may request deletion of your account and data, subject to any legal retention obligations.Right to Object and Withdraw Consent
You may object to certain processing and withdraw any consent you gave, without affecting processing already carried out lawfully.Marketing Opt-Out
You can opt out of marketing email at any time using the unsubscribe link in any marketing message.Right to Complain
You may lodge a complaint with the Information Regulator, whose details appear below.Contact the Data Protection Officer (DPO)
For privacy inquiries or to lodge a complaint.
Information Officer (POPIA): The Information Officer of My Swim School, contactable at privacy@myswimschool.co.za.
Email: privacy@myswimschool.co.za
Address: 321 Furrow Road, Equestria, Pretoria, Gauteng, 0184
© 2026 MySwimSchool. All rights reserved.
My Swim School, reg 2026/266644/07