Privacy Policy
Effective date: 23 February 2026 · Last updated: 23 February 2026
Mei-Sgela (PTY) Ltd ("TMS", "we", "us", or "our") operates the Mei-SgelaPro platform — a multi-tenant educational institution management system serving schools, universities, colleges, training centres, and early-childhood centres worldwide (the "Platform").
This Privacy Policy explains how we collect, use, disclose, and protect personal information when you access or use the Platform, whether as an institution administrator, educator, student, parent or guardian, or visitor.
Data controller vs. data processor. For personal data processed within an institution's tenant, the institution is the data controller and TMS acts as a data processor on its behalf. For data we process for our own operational purposes (e.g., account creation, billing, security), TMS is the data controller. Where applicable, each institution's own privacy notice supplements this policy.
1. Information We Collect
1.1 Information you provide directly
- Identity data: full name, date of birth, national ID or passport number, gender, nationality
- Contact data: email address, phone number, postal address
- Academic data: enrolment status, year level, class, grades, attendance records, academic transcripts, disciplinary notes
- Guardian data: parent or guardian name, relationship, contact information, identification number
- Financial data: fee records, payment history, scholarship status (we do not store full payment card numbers)
- Profile data: photograph, username, platform-generated student number and email
- Application data: information submitted through admission application forms, uploaded documents
- Communications: messages sent through the Platform's internal messaging system
1.2 Information collected automatically
- Usage data: pages visited, features used, timestamps, actions taken
- Device and log data: IP address, browser type, operating system, referring URL
- Cookies and similar technologies: see our Cookie Notice
2. How We Use Your Information
We use personal data for the following purposes:
| Purpose | Legal basis (GDPR / POPIA) |
|---|---|
| Creating and managing user accounts | Contract performance |
| Processing student admissions | Contract performance; legitimate interest |
| Delivering academic and communication features | Contract performance |
| Sending transactional emails (OTPs, invitations, confirmations) | Contract performance; legitimate interest |
| Generating ID cards and reports with institution branding | Contract performance |
| Security monitoring, fraud prevention, and audit logging | Legitimate interest; legal obligation |
| Improving the Platform (anonymised analytics) | Legitimate interest |
| Complying with applicable law and court orders | Legal obligation |
| Marketing communications (newsletter, updates) | Consent (opt-in) |
3. Children's Privacy
The Platform is designed for use by educational institutions and may process the personal data of children, including those under 13 years of age. Institutions are responsible for obtaining appropriate parental or guardian consent before submitting a child's data to the Platform, and for complying with applicable children's privacy laws in their jurisdiction, including:
- COPPA (US — Children's Online Privacy Protection Act) for children under 13
- GDPR Article 8 (EU/EEA) for children under 16, or the lower age set by each Member State
- POPIA (South Africa) for children under 18
- Equivalent laws in all other jurisdictions where the Platform is used
We do not knowingly collect personal data directly from children without institutional intermediation. If you believe we have inadvertently collected such data without proper consent, please contact us at privacy@mei-sgela.com.
4. Sharing and Disclosure
We do not sell personal data. We share data only in the following circumstances:
4.1 Within the Platform
Users within the same institution's tenant can see data appropriate to their role. Role-based access controls limit visibility (e.g., students cannot see other students' grades).
4.2 Sub-processors (third-party service providers)
| Provider | Purpose | Location |
|---|---|---|
| Appwrite (self-hosted) | Database, authentication, file storage | Hostinger VPS (configurable region) |
| Resend | Transactional email delivery | United States |
| Cloudflare | CDN, DDoS protection | Global |
4.3 Legal requirements
We may disclose data where required by applicable law, court order, or to protect the safety, rights, or property of TMS, our users, or the public.
4.4 Business transfers
In the event of a merger, acquisition, or sale of assets, personal data may be transferred. Affected parties will be notified.
5. International Data Transfers
Mei-SgelaPro is operated from South Africa and serves institutions globally. Personal data may be transferred to and processed in countries other than the country in which it was originally collected, including countries that may not have the same data protection laws as your jurisdiction.
Where we transfer personal data from the EU/EEA or UK, we rely on appropriate safeguards including Standard Contractual Clauses (SCCs) adopted by the European Commission, or other transfer mechanisms recognised under applicable law. For South African data subjects, we comply with the cross-border transfer requirements under POPIA.
6. Data Retention
We retain personal data for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law:
- Active accounts: retained while the institution subscription is active
- Student academic records: retained for the institution's defined retention period (typically 7 years after graduation)
- Audit logs: 2 years
- Financial records: 7 years (statutory requirement in most jurisdictions)
- Application data (rejected): 1 year after final decision
- Deleted accounts: anonymised within 90 days of deletion request
7. Your Rights
Depending on your location, you may have the following rights regarding your personal data. To exercise any of these rights, contact your institution's administrator or us directly at privacy@mei-sgela.com:
- Access: request a copy of your personal data we hold
- Correction: request correction of inaccurate or incomplete data
- Erasure ("right to be forgotten"): request deletion of your data (subject to legal retention obligations)
- Restriction: request we limit processing of your data in certain circumstances
- Portability: receive your data in a structured, machine-readable format
- Objection: object to processing based on legitimate interest
- Withdraw consent: where processing is based on consent, withdraw it at any time without affecting prior processing
- Non-discrimination (CCPA): we will not discriminate against you for exercising your rights
- Opt-out of sale (CCPA): we do not sell personal data
You also have the right to lodge a complaint with your local data protection authority. In South Africa: the Information Regulator (www.justice.gov.za/inforeg). In the EU/EEA: your national supervisory authority.
8. Security
We implement appropriate technical and organisational measures to protect personal data, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256 for sensitive fields)
- Role-based access controls limiting data visibility within institutions
- Rate limiting and brute-force protection on all authentication endpoints
- Audit logging of all administrative actions
- Encrypted file storage for all uploaded documents and media
- Regular security reviews and vulnerability assessments
Despite these measures, no system is entirely secure. In the event of a data breach that is likely to result in high risk to individuals, we will notify affected parties and relevant authorities as required by applicable law (within 72 hours for GDPR, as soon as reasonably practicable for POPIA).
9. Cookies
We use cookies and similar tracking technologies. For full details, including how to manage your preferences, see our Cookie Notice.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date above and notify institution administrators by email at least 30 days before the changes take effect. Your continued use of the Platform after that date constitutes acceptance of the updated policy.
11. Contact Us
For privacy-related enquiries, requests, or complaints:
