Legal

Privacy Policy

Last updated: 28 February 2026

1. Introduction

Little Loop (“we”, “us”, “our”) is a school communication and management platform operated by Galant Holdings. We are committed to protecting the personal information of all users, including school administrators, teachers, parents, guardians, and the children they represent.

This Privacy Policy complies with the Protection of Personal Information Act, 2013 (POPIA) of South Africa and outlines how we collect, use, store, and protect personal information.

2. Information Officer

Our designated Information Officer can be contacted at:

You may contact the Information Officer for any queries regarding your personal information, to exercise your rights under POPIA, or to lodge a complaint.

3. What Personal Information We Collect

We collect the following categories of personal information:

3.1 Guardian / Parent Information

  • Full name, email address, phone number
  • ID number (optional, for identification purposes)
  • Home address and suburb (for school logistics)
  • Occupation and work phone (optional)
  • Relationship to child(ren)
  • Profile photo (optional)

3.2 Child Information (Special Personal Information under POPIA)

  • Full name, date of birth, gender
  • Home language, cultural and religious affiliations
  • Medical information: allergies (with severity), medications, conditions, doctor details, medical aid information
  • Dietary requirements and food restrictions
  • Emergency contact details
  • Custody information (where applicable)
  • Photos taken at school (subject to explicit consent)
  • Attendance records, daily notes, report cards
  • Comfort profiles and private notes to school

3.3 Staff Information

  • Full name, email address, phone number
  • Role and class assignments
  • Profile photo (optional)

3.4 Technical Information

  • Device information and push notification tokens
  • IP addresses (recorded in audit logs)
  • Authentication session data

4. Purpose of Processing

We process personal information for the following purposes:

  • School administration: Attendance tracking, daily notes, report cards, class management
  • Communication: Sending notifications, newsletters, and updates relevant to your child or role
  • Safety and wellbeing: Emergency contact management, medical information access, sickness tracking, custody compliance
  • Photo management: Sharing approved school photos with guardians (subject to explicit consent)
  • Financial management: Fee tracking, invoicing, tuckshop orders
  • Governance and compliance: Audit logging, consent management, data integrity
  • Platform improvement: Error logging and resolution, analytics (aggregated, non-identifying)

5. Legal Basis for Processing (POPIA Conditions)

  • Consent: Guardians provide explicit consent during onboarding for photo sharing, marketing communications, and emergency medical authorisation. Consent can be withdrawn at any time.
  • Contract: Processing necessary for the provision of our services to schools under our service agreement.
  • Legal obligation: Where required by law (e.g., maintaining attendance records).
  • Legitimate interest: For platform security, error resolution, and fraud prevention.

6. Consent Management

We operate a granular consent system. Guardians can independently manage the following consent types:

  • Photo — Internal Communications: Permission to include your child's photos in class updates and school newsletters shared within the school community.
  • Photo — Marketing: Permission to use your child's photos on school social media or marketing materials.
  • Emergency Medical Authorisation: Authorisation for the school to seek emergency medical treatment for your child.
  • Policy Acknowledgement: Acknowledgement that you have read and accept the school's policies (required).

All consent changes are recorded with a timestamp and the identity of the guardian who made the change, for compliance purposes. Consent can be updated at any time through the mobile app.

7. Children's Data — Special Protection

Children's personal information is classified as special personal information under POPIA Section 26 and receives enhanced protection:

  • All child data requires guardian consent before collection
  • Photos of children require explicit consent before being shared with any parent
  • All photos must be approved by a designated staff member before becoming visible
  • Medical information is accessible only to authorised staff and the child's guardians
  • Child profiles are never exposed publicly or to unauthorised users
  • Teachers see only the children in their assigned class(es)
  • Parents see only their own child(ren)'s information

8. Data Sharing and Third Parties

We do not sell, rent, or trade personal information to any third party.

We share personal information only with:

  • Supabase (database and authentication provider): Hosted infrastructure for data storage and user authentication. Supabase is SOC 2 Type II compliant.
  • The school your child attends: Staff at the school can access relevant child and guardian information as required for their role.

We do not display advertisements. We do not share data with advertisers. We will never monetise your personal information.

9. Data Security

We implement the following security measures:

  • Authentication: JWT-based authentication via Supabase Auth with secure token management
  • Authorisation: Four-layer guard chain (Authentication → Tenant Isolation → Role-Based Access → Feature Flags)
  • Encryption: All data transmitted over HTTPS/TLS. Database connections encrypted.
  • Tenant isolation: Each school's data is logically isolated. Staff at School A cannot access School B's data.
  • Audit trail: All sensitive operations are logged with user identity, timestamp, action type, and IP address
  • Account deactivation: Deactivated accounts are immediately blocked from authentication
  • Photo governance: Photo approval workflow prevents unauthorised image distribution
  • Student map privacy: Location data is aggregated to suburb level only. Minimum 5 families per area before data is displayed. No home addresses or coordinates are exposed.

10. Data Retention

We retain personal information for the following periods:

  • Active accounts: Data is retained while the account is active and the school maintains a service agreement with us.
  • Deactivated accounts: Account data is retained for 12 months after deactivation, then permanently deleted upon request.
  • Audit logs: Retained for 36 months for compliance and dispute resolution purposes.
  • Child records: Retained for the duration of the child's enrolment plus 12 months. After this period, data is archived or deleted upon school or guardian request.
  • Photos: Retained while the school's account is active. Guardians can request deletion of specific photos of their child at any time.

11. Your Rights Under POPIA

You have the following rights regarding your personal information:

  • Right of access: Request a copy of all personal information we hold about you or your child. You can export your data through the mobile app or by contacting us.
  • Right to correction: Request that we correct or update inaccurate personal information.
  • Right to deletion: Request that we delete your personal information. You can delete your account through the mobile app settings, or by contacting us at hello@littleloopapp.co.za.
  • Right to object: Object to the processing of your personal information for specific purposes.
  • Right to withdraw consent: Withdraw any previously given consent at any time through the app or by contacting us.
  • Right to lodge a complaint: Lodge a complaint with the Information Regulator at www.justice.gov.za/inforeg.

12. Cookies and Tracking

Our web application uses only essential cookies required for authentication and session management. We do not use:

  • Advertising cookies
  • Third-party analytics trackers
  • Social media tracking pixels
  • Cross-site tracking of any kind

Our mobile app does not use cookies. Push notification tokens are stored solely for the purpose of delivering notifications and are deleted when the user logs out or uninstalls the app.

13. International Data Transfers

Your personal information may be processed by the following service providers located outside South Africa. In accordance with POPIA Section 72, we ensure that each provider maintains an adequate level of data protection through contractual agreements (Data Processing Agreements) and compliance with equivalent international data protection laws.

| Service Provider | Location | Purpose | Data Processed |
| --- | --- | --- | --- |
| Supabase | EU (Ireland) | Database hosting and user authentication | All stored personal data including names, contact details, medical information, attendance records, and photos |
| Railway | United States | Application server hosting | Personal data in transit during API requests; server logs may temporarily contain request metadata |
| Vercel | United States (edge network) | Admin dashboard hosting | Authentication tokens; personal data rendered in administrator views |
| SendGrid (Twilio) | United States | Transactional email delivery | Email addresses and names included in email content |
| Expo (EAS) | United States | Push notification delivery | Push notification tokens and notification content |

The legal basis for these transfers is contractual necessity (POPIA Section 72(1)(a)) — these services are required to operate the platform. Where applicable, we rely on standard contractual clauses and the receiving jurisdiction's data protection framework (GDPR for EU providers, state-level privacy laws for US providers).

14. Data Breach Notification

In the event of a data breach that compromises personal information:

  • We will notify the Information Regulator as soon as reasonably possible
  • We will notify affected data subjects (users) as soon as reasonably possible
  • We will provide details of the breach, what information was affected, and what steps we are taking to address it
  • We will take immediate steps to mitigate the impact and prevent recurrence

15. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify users through the app and/or by email. The “Last updated” date at the top of this page indicates when the policy was last revised.

16. Contact Us

For any privacy-related enquiries, data access requests, or complaints:

You also have the right to lodge a complaint with the Information Regulator: