POPIA & privacy

Last updated: 2026.

Roles under POPIA

The school (Data Controller) owns all alumni personal data, determines the purposes of processing, and bears ultimate POPIA accountability.

SalesCollab (Data Operator) processes data on the school's behalf under a strict Data Processing Agreement, implements technical safeguards, and reports breaches immediately.

Lawful basis

Direct alumni communications operate on the basis of legitimate interest (alumni community). Third-party marketing always requires explicit consent.

Data subject rights

Alumni can request access, correction, and deletion, and can object to processing, at any time via the self-service privacy centre or by emailing info@legacylink.tech.

Breach response

72-hour notification protocol per Regulation 12. Incident response plan in place.

Cross-border transfers

Data hosted within South African / EU jurisdictions with adequate protection; any other transfers require contractual safeguards.

Technical & organisational controls

Tenant isolation via row-level security, append-only audit logs, AES-256 encryption at rest and TLS 1.2+ in transit, and alumni-initiated export and deletion. See the security snapshot & controls FAQ for the full breakdown.

This page summarises the framework. A full per-tenant privacy policy is generated for each school.