Privacy Policy

1. Who is the responsible party?

The responsible party (data controller) under POPIA is Pamoja Academy, a sole proprietorship trading as “Pamoja Cyber Academy” in the Republic of South Africa. References below to “Pamoja”, “we”, “us” and “our” mean this entity.

2. What personal information we collect

We collect only what we need to deliver the service you have asked for:

• Identity & contact — full name, email address, optional phone number, and (if you complete a Verified Credential) ID-document data via Smile ID for facial-match verification.
• Account & learning data — password (hashed, never stored in plain text), course progress, lab submissions, exam attempts, scores, certificates earned, mentor-feedback transcripts.
• Payment data — payment confirmations and reference numbers via our payment processor (Paystack). We do not see, store or process your card numbers, CVVs or PIN codes.
• Technical data — IP address, browser user-agent, device type, session timestamps, page-view events, exam-session integrity logs (tab focus, server-side timing).
• Optional information — scholarship application details (employment status, household-income bracket), enterprise inquiry forms (company name, role, seat count), B-BBEE documentation if you elect to submit it.

3. Why we process your information (lawful basis)

• Contractual necessity — to provision your account, deliver the course you have purchased, mark your exams, issue certificates, and process refunds.
• Legitimate interests — to maintain platform security, prevent fraud and abuse, monitor exam integrity, and improve curriculum quality.
• Consent — for optional marketing emails, scholarship eligibility processing, and identity verification under Verified Credential.
• Legal obligation — to comply with South African tax, financial-reporting, consumer-protection, and anti-money-laundering laws.

4. Who we share information with

We do not sell your personal information. We share it only with the following operators (data processors), each bound by written agreements and POPIA-equivalent safeguards:

• Paystack (Pty) Ltd — payment processing.
• Abacus.AI Inc. — cloud application hosting, database, AI mentor inference, email delivery.
• Smile Identity Inc. — optional Verified Credential identity-document verification.
• Zoho Corporation — business email hosting (only when you correspond with us).
• Sponsoring organisations — if your seat is paid for by an employer, SETA, NPO or government department, we share only your name, course progress and final result with that sponsor.
• Authorities — where required by South African law, court order, or to investigate suspected fraud or platform abuse.

5. Cross-border transfers

Some of our processors (Abacus.AI, Smile Identity, Zoho) operate cloud infrastructure outside South Africa. Where this is the case, we rely on the recipient country having adequate data-protection laws, or on contractual safeguards equivalent to those required under section 72 of POPIA.

6. How long we keep your information

• Active learner accounts — for as long as you have an active account.
• Certificates & verification records — indefinitely, so that employers can continue to verify credentials at /verify.
• Financial records — 5 years from end of tax year, as required by SARS and the Tax Administration Act.
• Marketing consent records — until you unsubscribe.
• Inactive accounts — learning data anonymised after 36 months of inactivity, on request or proactively.

7. Your rights under POPIA

You have the right to:

• Confirm whether we hold information about you and request a copy.
• Request that we correct inaccurate or out-of-date information.
• Request deletion of information we no longer have a lawful basis to keep.
• Object to processing for direct-marketing purposes.
• Withdraw consent for any consent-based processing at any time.
• Lodge a complaint with the Information Regulator of South Africa.

To exercise any of these rights, email [email protected]. We respond within 14 calendar days. The Information Regulator may be contacted at inforegulator.org.za or via email at [email protected].

8. Cookies & analytics

We use strictly-necessary cookies to keep you logged in and to keep your session secure. Where you consent, we also use Google Analytics 4, Meta Pixel and TikTok Pixel for marketing-attribution and conversion analytics. You may opt out via your browser settings or operating-system tracking controls; opting out does not impair access to the service.

9. Security

We protect personal information using TLS 1.2+ for data in transit, AES-256 for data at rest, bcrypt password hashing, role-based access control, audit logging, and the principle of least privilege across our processors. No internet-connected system is perfectly secure, but we treat protection of your information as a foundational responsibility, not an after-thought.

10. Learners under 18

The platform is designed for learners aged 16 and above. If you are between 16 and 18, please make sure a parent or legal guardian has reviewed this Privacy Policy and our Terms of Service. We do not knowingly process personal information of children under 13.

11. Changes to this policy

We may update this Privacy Policy from time to time. Where changes are material, we will give you notice via email or an in-app banner at least 30 days before they take effect.

12. How to contact us

• Privacy enquiries: [email protected]
• General support: [email protected]
• WhatsApp: +27 67 869 1181