About this policy

This is the Privacy Policy of CambriLearn (“we”, “us” or “our”). It tells you what personal information we collect about you and, where applicable, your child; why we collect it; who we share it with; how long we keep it; how we keep it safe; and the rights you have in relation to it.

It is written in plain language so that parents, guardians and learners can understand it. If there is anything you do not understand, please contact our Information Officer using the details in section 17 below.

This policy applies to:

• Parents and guardians who enrol learners with CambriLearn or who contact us.
• Learners enrolled on the CambriLearn platform, whether they are children or adults.
• Visitors to our website at https://cambrilearn.com and our learning platform at https://campus.cambrilearn.com.
• Prospective customers, affiliates, employees and job applicants whose personal information we process.

This policy covers the entirety of CambriLearn’s activities. It is the only privacy policy you need to consult to understand how we handle your personal information. Where we introduce a new tool or feature, we describe it in this policy rather than maintaining a separate notice for each.

Who we are

CambriLearn is operated, for the purposes of the processing of personal information in South Africa, by Top Dog Internet Sales (Pty) Ltd t/a CambriLearn (registration number 2010/013984/07), a company incorporated in the Republic of South Africa with its registered office at 155 West Street, Sandton, 2031, South Africa.

Our affiliated United States entity is CambriLearn USA, Inc. The South African and United States entities operate under a shared brand and shared platform. For personal information collected in connection with services provided in or from South Africa - which includes all of the learning platform and assessment processing described in this policy - the South African entity is the “responsible party” for the purposes of the Protection of Personal Information Act 4 of 2013 (“POPIA”), and the “controller” for the purposes of the European Union General Data Protection Regulation (“GDPR”), to the extent the GDPR applies.

Personal information we collect

We collect the following categories of personal information, depending on your interaction with us:

Information you give us

• Names, surnames, dates of birth and gender of parents/guardians and learners.
• Contact details: email address, telephone numbers, and postal address.
• Country and city of residence.
• Identity numbers or passport numbers where required for examination registration with accredited examination bodies.
• Banking and payment information for the payment of school fees (processed through a third-party payment gateway; see Section 9).
• Information about the learner’s prior education, school reports, and where applicable, any learning support or accessibility needs.
• Communications with us, including support requests, feedback, and any documents or photographs you upload.

Information generated by your use of our platform

• Login credentials and authentication logs.
• Lesson attendance, assessment submissions, marks, progress and performance statistics.
• Contributions made in chat, forums, the CambriCommunity, and live group sessions.
• Recordings of live lessons in which the learner participates, where lessons are recorded for revision purposes.

Information collected automatically

• Internet Protocol (IP) address, internet service provider, device type, browser type, operating system.
• Dates, times, and pages accessed on our sites.
• Referring URL and click patterns.
• Cookies and similar technologies. See Section 10.

Why we collect your personal information

We collect personal information for the following purposes:

• To enrol learners and provide the educational services contracted for, including teaching, assessment, marking, reporting, and the issuing of certificates.
• To register learners with examination bodies and accredited bodies (for example, Pearson Edexcel, Cambridge Assessment International Education, SACAI, IEB, Cognia) for the purpose of formal assessment.
• To communicate with parents, guardians, and learners about academic matters, school operations, and administrative matters.
• To process payment of school fees.
• To provide technical support and respond to enquiries.
• To improve our platform, including analysis of usage patterns in an aggregated form.
• To comply with our legal obligations, including obligations under POPIA, the Children’s Act, examination board requirements, and applicable financial and tax laws.
• With separate consent, to send you marketing communications about our products and services. You can withdraw this consent at any time. See Section 15.

Lawful basis for processing

We process personal information on the following lawful bases under POPIA:

• Consent (section 11(1)(a)): for the processing of children’s personal information, we rely on the prior consent of a parent or legal guardian (a “competent person”). For adult learners, we rely on the learner’s own consent. For direct marketing by electronic means, we rely on a separate opt-in.
• Contractual necessity (section 11(1)(b)): for processing necessary to perform the enrolment contract with you and to provide the educational services you have contracted for.
• Legal obligation (section 11(1)(c)): for processing required by law, including examination registration, record-keeping, and financial reporting.
• Legitimate interest (section 11(1)(f)): for processing necessary for our legitimate interests in operating and improving our platform and in keeping the learning environment safe, provided that those interests do not override your rights.

Monitoring of communications through our platform

Where you or your child uses any feature on our platform through which communications take place - including the online chat, live group sessions and lessons, forums, CambriCommunity, comments, and any other channel we provide - the communications take place on systems we operate and may be monitored, moderated, recorded or reviewed by CambriLearn for the following purposes:

• Ensuring the safety of learners, particularly minors.
• Enforcing our community rules and our Code of Conduct in the Terms and Conditions.
• Investigating reports of inappropriate or unlawful conduct.
• Improving the platform and our services.
• Complying with our legal obligations.

This monitoring is limited to communications that take place through CambriLearn channels. It does not extend to communications between you and any third party outside of the platform. Where lessons are recorded, this is disclosed at the time of the lesson and the recordings are retained in accordance with Section 12 below.

To the extent that this monitoring is governed by the Regulation of Interception of Communications and Provision of Communication-Related Information Act 70 of 2002 (“RICA”), you consent to it for the purposes set out above. You should not transmit, through any CambriLearn channel, any communication that you wish to remain private from CambriLearn.

Our use of AI for assessment marking (CambriGrader)

CambriLearn uses an AI-assisted marking tool called CambriGrader to support our teachers in marking learner assessments. This is one of the tools we use to deliver our service and we describe it here for transparency.

How CambriGrader works:

• When a learner submits a written assessment on our platform, the submission is sent through a secure connection (HTTPS / TLS) to Google’s Gemini large language model, operated by Google LLC.
• Gemini converts the answers into machine-readable text and extracts the questions and answers into a structured format.
• Identifying information is then stripped from the data (a process called “de-identification”).
• The de-identified data is sent back to Gemini, which applies the marking criteria and teacher-prepared comments to produce a proposed grade and feedback.
• A qualified teacher then reviews the AI’s proposed grade and feedback. The teacher may accept, edit or replace the AI’s output. No grade is finalised without teacher review.
• The marked assessment is returned to the learner.

Important points to note:

• We use the paid tier of the Gemini API for CambriGrader. Google does not use the data we send through that paid API to train its models, and Google’s logs of prompts and responses are retained for a limited period only for the purpose of detecting abuse of the service. These commitments are made by Google in its terms for the paid Gemini API.
• Google is bound to us by Google’s Cloud Data Processing Addendum, which is a written data-processing contract that requires Google to maintain appropriate security measures and to treat the information as confidential.
• Because Google may process the information on servers located outside South Africa, the use of CambriGrader involves a cross-border transfer of personal information. See Section 11.
• Because every AI output is reviewed by a teacher before a grade is finalised, no decision affecting a learner is made by automated processing alone.

You have the right to object to the use of CambriGrader in respect of your or your child’s assessments. If you do, please contact our Information Officer (Section 17) and we will arrange for the affected assessments to be marked manually by a teacher. Objection does not affect any other aspect of the enrolment.

Who we share your personal information with

We share personal information only with the following categories of recipient and only to the extent necessary:

Operators (data processors acting on our behalf)

Operators process personal information on our behalf, in accordance with our instructions, and are bound by written contracts requiring them to maintain appropriate security and confidentiality. Our principal operators are:

• Google LLC — for AI-assisted assessment marking via the Gemini API (see Section 7), and for cloud infrastructure services, analytics and email.
• Our website hosting and platform infrastructure providers.
• Our payment gateway provider, which processes school fee payments.
• Our customer relationship management and communications providers.

A full list of operators is maintained in our internal Record of Processing Activities and is available on request to the Information Officer.

Examination bodies and accredited bodies

Where a learner is registered for formal assessment, we share the necessary registration details with the relevant examination body (such as Pearson Edexcel, Cambridge Assessment International Education, the IEB, SACAI or Cognia). These bodies act as independent responsible parties in respect of the personal information they receive.

Tutors and learning centres

Where a learner attends a CambriLearn-affiliated tutor centre, we share the necessary information with that centre to coordinate the learner’s support.

Affiliates

Where a subscription is purchased through one of our affiliates, we may share with that affiliate such information as is necessary to administer the affiliate relationship and the subscription. We do not share personal information with affiliates for their own marketing purposes.

Required disclosures

We will disclose personal information where the law requires us to do so, or where disclosure is necessary to protect our rights or the safety of any person, including in response to subpoenas, court orders or other legal process.

What we do not do

We do not sell your personal information. We do not share your personal information with third parties for their own marketing purposes. We do not transfer personal information to any operator that does not undertake to maintain appropriate security and confidentiality.

Payment information

Payments are processed by an external payment gateway. CambriLearn does not store full payment card numbers on its own systems. The payment gateway is responsible for compliance with the Payment Card Industry Data Security Standard (PCI DSS) in respect of card data.

Cookies and similar technologies

Our website uses cookies and similar technologies, including Google Tag Manager and analytics cookies, to operate the site and to understand how it is used. Cookies fall into the following categories:

• Strictly necessary cookies: required for the website and learning platform to function (for example, to keep you logged in). These cannot be switched off.
• Analytics cookies: help us understand how visitors use our site so that we can improve it. We use these only with your consent.
• Marketing cookies: used to deliver advertising relevant to you. We use these only with your consent.

You can manage your cookie preferences through your browser settings and through the cookie banner on our website. Withdrawing consent to analytics and marketing cookies will not affect your access to the learning platform.

International transfers

Because we use international providers (in particular Google LLC for the Gemini AI marking service, and various cloud infrastructure providers), some of your personal information may be transferred to, and stored or processed in, countries outside South Africa, including the United States, the European Union and the United Kingdom.

We rely on the following safeguards under section 72 of POPIA to ensure that your information remains adequately protected:

• Our operators, including Google LLC, are bound by written agreements (such as Google’s Cloud Data Processing Addendum) which incorporate the European Standard Contractual Clauses and which require security measures and confidentiality undertakings substantially similar to those required by POPIA.
• Where you (or the competent person on behalf of a learner who is a minor) have given consent to the transfer, we rely on that consent in addition to the contractual safeguards above.
• Where the transfer is necessary for the performance of the enrolment contract, we rely on that necessity.

If you have questions about the safeguards in place for any particular transfer, please contact our Information Officer.

How long we keep your information

We keep personal information only for as long as is necessary for the purpose for which it was collected, or as required by law. Our default retention periods are:

• Enrolment records, academic records and assessment results: retained for the duration of the learner’s enrolment and for seven (7) years thereafter, in line with examination body requirements and the prescription periods applicable to educational records.
• Financial and tax records: retained for five (5) years from the end of the financial year to which they relate, in accordance with the Income Tax Act 58 of 1962 and the Tax Administration Act 28 of 2011.
• Marketing data: retained until you withdraw your consent or for two (2) years after your last interaction with us, whichever is shorter.
• Website analytics data: retained in identifiable form for a maximum of fourteen (14) months.
• Support communications: retained for three (3) years after closure of the matter.
• Recordings of live lessons: retained for the duration of the relevant course version and for one (1) year thereafter, after which the recordings are deleted or anonymised.

Google’s logs of prompts and responses on the paid Gemini API are retained by Google for a limited period for the sole purpose of detecting and preventing abuse, as described in Google’s terms.

At the end of the applicable retention period, we delete or de-identify the personal information.

How we keep your information safe

We take the security of your personal information seriously. We have implemented appropriate technical and organisational measures, including:

• Encryption of personal information in transit using HTTPS / TLS.
• Access controls limiting access to personal information to authorised personnel.
• Authentication and password protection on learner, parent and staff accounts.
• Logging of access to sensitive data.
• Written confidentiality undertakings from employees, contractors and operators.
• Regular review of our security measures.

No system is completely secure. If you suspect that the security of your account has been compromised, please contact our Information Officer immediately.

Learners who are children, and learners who are adults

Many of our learners are children under the age of 18; many others, particularly at A-Level and equivalent post-matric levels, are adults of 18 or older. The position differs between the two groups.

Learners who are children

For learners who are children, we process personal information only with the prior consent of a parent or legal guardian (a “competent person” as defined in POPIA), given at enrolment through our Terms and Conditions. The consent extends to all the processing described in this policy, including the use of CambriGrader and the cross-border transfers described in Section 11. The competent person may withdraw consent at any time by contacting our Information Officer. Withdrawal will not affect the lawfulness of any processing carried out before the withdrawal but may affect our ability to continue providing services.

Learners who are adults

For learners who are 18 years of age or older (or who have reached the age of adulthood in their country of residence), the learner gives consent in their own capacity at enrolment. References elsewhere in this policy to consent given by a parent or legal guardian apply, in the case of adult learners, to consent given by the learner directly.

Marketing

We do not market to children. Marketing communications are sent only to (a) parents and guardians who have opted in, or (b) adult learners who have opted in.

Direct marketing

We will only send you marketing communications by electronic means (such as email or SMS) if you have separately opted in to receiving them, or if you are an existing customer and the marketing relates to similar products or services to those you have already purchased.

Every marketing communication includes an unsubscribe link or instructions for opting out. You can also opt out at any time by emailing hello@cambrilearn.com or by contacting our Information Officer.

Your rights

You have the following rights in relation to the personal information we hold about you and your child:

• Right to be notified of what personal information we collect and why — this policy is one way in which we comply with that right.
• Right of access (section 23): you can ask us what personal information we hold about you or your child and request a copy of it.
• Right to correction or deletion (section 24): you can ask us to correct information that is inaccurate, incomplete or out of date, or to delete information that we are no longer entitled to keep.
• Right to object (sections 11(3) and 69(3)): you can object to processing based on legitimate interest, and to direct marketing.
• Right to withdraw consent: where we rely on your consent, you can withdraw it at any time.
• Right not to be subject to a decision based solely on automated processing (section 71): as explained in Section 7, no decision affecting a learner is taken by automated means alone.
• Right to lodge a complaint: see Section 18 below.

To exercise any of these rights, please contact our Information Officer (Section 17). We will respond within 30 days of receiving a complete request. There is no charge for exercising these rights, although we may charge a reasonable fee for the production of copies of voluminous records, in accordance with the prescribed fees under POPIA.

Contact our Information Officer

Our Information Officer is the person responsible for compliance with POPIA in our organisation. The Information Officer is registered with the Information Regulator of South Africa.

You can contact the Information Officer at:

Top Dog Internet Sales (Pty) Ltd t/a CambriLearn

Attention: The Information Officer

155 West Street, Sandton, 2031

Email: hello@cambrilearn.com

Telephone: +27 010 020 8570

How to lodge a complaint

If you believe that we have processed your personal information unlawfully, or that we have not properly responded to a request you have made, you have the right to complain.

Complain to us first

We would prefer the opportunity to address your concern. Please contact our Information Officer at the details in Section 17. We will acknowledge your complaint within seven (7) days and provide a substantive response within thirty (30) days.

18.2 Complain to the Information Regulator

If you are not satisfied with our response, or if you would prefer to complain directly, you may lodge a complaint with the Information Regulator of South Africa:

Information Regulator (South Africa)

JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

PO Box 31533, Braamfontein, Johannesburg, 2017

Telephone: +27 (0)10 023 5200

General enquiries: enquiries@inforegulator.org.za

POPIA complaints: POPIAComplaints@inforegulator.org.za

Website: https://inforegulator.org.za

The Regulator publishes a complaint form on its website. You may use that form or write to the Regulator setting out the substance of your complaint.

Data breach notification

If your personal information is involved in a security compromise that is likely to cause you harm, we will notify you and the Information Regulator as soon as reasonably possible after we become aware of the compromise and have established its scope. Our notification will include the nature of the compromise, the steps we have taken to address it, and any steps we recommend you take to protect yourself.

Changes to this policy

We may update this policy from time to time. Minor changes — such as updates to contact details or clarifications of existing provisions — will take effect immediately on publication of the updated policy.

Material changes that introduce new processing purposes, new categories of recipient, or new categories of personal information will not apply to your personal information unless we have given you specific notice of the change and, where required, obtained fresh consent. Continued use of our services after a material change will not by itself be treated as consent to that change.

The effective date of this policy is set out at the top of this document.

If you would like a copy of this policy in an alternative accessible format, please contact our Information Officer.