Privacy Policy

Effective date: 1 January 2026 · Last updated: March 2026

    POPIA Compliance Notice: Ourel is committed to protecting your personal information in accordance with the Protection of Personal Information Act 4 of 2013 (POPIA). This Privacy Policy explains what data we collect, how we use it, and your rights as a data subject.
  

This Privacy Policy applies to all users of the Ourel platform, including school administrators and parents. By using Ourel, you consent to the collection and use of your information as described in this policy.

1. What Data We Collect

We collect the following categories of personal information:

School Administrators:

Full name and email address
School name, school code, and contact information
Verification documents (e.g. CIPC registration certificate)
PayFast merchant credentials (stored encrypted)

Parents / Guardians:

Full name and email address
Account password (stored as a secure hash — never in plain text)

Students:

Full name
Grade / class
South African ID number (if provided by the school for identity verification)

Payment Records:

Amount paid, month, year, and payment method
PayFast transaction reference number
Receipt numbers

We do not collect or store credit card numbers, bank account details, or other sensitive financial data — these are handled exclusively by PayFast.

2. How Data Is Stored

All data collected by Ourel is stored in Supabase, a cloud database platform. Supabase stores data on servers within the AWS af-south-1 region (Cape Town, South Africa), ensuring your data remains within South Africa's borders in compliance with POPIA cross-border transfer requirements.

Data is encrypted at rest and in transit using industry-standard TLS/SSL encryption.
Access to the database is restricted by Row-Level Security (RLS) policies — each user can only access their own data.
Passwords are hashed by Supabase Auth and are never stored or accessible in plain text.

3. POPIA Compliance Statement

Ourel processes personal information in accordance with POPIA's eight conditions for lawful processing:

Accountability: Ourel is the responsible party for data processed through this platform.
Processing limitation: We only collect information necessary for the operation of the platform.
Purpose specification: Data is collected solely to facilitate school fee management and payment processing.
Further processing limitation: We do not sell or share your data for marketing purposes.
Information quality: We maintain accurate records and rely on users to update their own information.
Openness: This Privacy Policy discloses our data practices clearly.
Security safeguards: We implement technical and organisational measures to protect your data.
Data subject participation: You may request access to or deletion of your data at any time.

4. Who Data Is Shared With

We share limited personal information with the following third parties, solely to operate the platform:

PayFast (payfast.io): Payment processing. When you initiate a payment, your name and email are shared with PayFast to process the transaction. PayFast is a licensed South African payment service provider subject to POPIA and PCI-DSS standards.
Resend (resend.com): Email delivery service. We use Resend to send transactional emails such as payment receipts, reminders, and account notifications. Your email address is shared with Resend for this purpose only.
Supabase (supabase.com): Database and authentication infrastructure. Supabase processes personal data as a sub-processor on our behalf.

We do not sell your personal information to any third parties. We do not use your data for advertising or marketing profiling.

5. How We Use Your Data

To verify school registrations and approve school accounts
To link parents to their children's school records
To process and record school fee payments
To send payment receipts, reminders, and account notifications
To generate reports for school administrators
To maintain audit records for financial compliance

6. Parent and School Rights (POPIA Section 23–25)

As a data subject under POPIA, you have the following rights:

Right of access: Request a copy of the personal information we hold about you.
Right to correction: Request correction of inaccurate personal information.
Right to deletion: Request deletion of your personal information, subject to legal retention requirements (e.g. payment records must be kept for 5 years).
Right to object: Object to processing of your personal information in certain circumstances.
Right to complain: Lodge a complaint with the Information Regulator of South Africa at inforegulator.org.za.

To exercise any of these rights, email us at: hello@ourel.co.za. We will respond within 30 days.

7. Data Retention

Payment records: Retained for a minimum of 5 years for financial audit and legal compliance.
Student records: Retained for the duration of the school's active account on Ourel.
Parent accounts: Retained until deletion is requested, subject to the payment record retention requirement above.
School accounts: Retained until the school requests closure, or the account is deactivated for policy violations.

8. Cookies and Tracking

Ourel does not use advertising cookies or third-party tracking pixels. Session tokens are stored in your browser's local storage or session storage solely to maintain your authenticated session. These tokens expire automatically after 24 hours (parent portal) or 8 hours (admin portal).

9. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to registered users via email. Continued use of Ourel after changes constitutes acceptance of the updated policy.

10. Contact Us

For privacy-related queries, data access requests, or deletion requests:

Email: hello@ourel.co.za
Subject line: "Privacy / POPIA Request"