PRIVACY POLICY — KRESHE
| Operated by | Kopanong Platforms (Pty) Ltd (“Kopanong”, “we”, “us”, “our”) |
| CIPC registration | 2026/334638/07 |
| Information Regulator registration | 2026-010867 |
| Effective date | 8 May 2026 |
| Version | 1.1 |
| Applies to | https://kreshe.co.za and the Kreshe platform |
| Companion documents | Website Terms of Use · PAIA Manual · Data Subject Request Form |
| Change history | v1.0 (initial draft) → v1.1 (Definitions section added; sub-operators genericised; cookies clarified; emails aligned) |
1. DEFINITIONS
In this Privacy Policy, unless the context indicates otherwise, the following terms have the meanings assigned to them below; cognate expressions bear corresponding meanings:
| Term | Meaning |
|---|---|
| “Data Subject” | the person to whom Personal Information relates, being a natural person and, where applicable, a juristic person, including children, parents, principals, practitioners, transport drivers, employees, suppliers, prospective customers and website visitors |
| “Information Officer” | the Information Officer of Kopanong, registered with the Information Regulator under registration number 2026-010867 |
| “Kopanong” | Kopanong Platforms (Pty) Ltd (CIPC 2026/334638/07), referred to in this Policy as “we”, “us” or “our” |
| “Kreshe” | the Software-as-a-Service crèche and Early Childhood Development management platform supplied by Kopanong, hosted at kreshe.co.za |
| “Operator” | a person who processes Personal Information for a Responsible Party in terms of a contract or mandate, without coming under the direct authority of that party, as defined in section 1 of POPIA |
| “Personal Information” | information about an identifiable, living natural person, and where applicable an identifiable, existing juristic person, as defined in section 1 of POPIA. It includes (without limitation) name, surname, identity or passport number, date of birth, age, gender, race, residential and postal address, telephone number, email address, biometric information, banking and payment details, employment information, online identifiers (such as IP addresses and cookie identifiers), and any opinions, photographs or correspondence about the data subject |
| “POPIA” | the Protection of Personal Information Act 4 of 2013, as amended, including the regulations published in respect thereof |
| “Process” / “Processing” | any operation or activity concerning Personal Information, as defined in section 1 of POPIA, including collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation, use, dissemination, distribution, merging, linking, restriction, degradation, erasure or destruction |
| “Regulator” | the Information Regulator (South Africa) established in terms of section 39 of POPIA |
| “Responsible Party” | a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing Personal Information, as defined in section 1 of POPIA |
| “Special Personal Information” | the categories of personal information identified in section 26 of POPIA, including health, religious or philosophical beliefs, race or ethnic origin, biometric information and the personal information of children |
2. WHO WE ARE AND WHY THIS POLICY EXISTS
Kopanong operates Kreshe, a Software-as-a-Service crèche and Early Childhood Development management platform supplied to ECD centres in South Africa. We take the privacy of every person whose information we handle — children, parents, principals, practitioners, transport drivers, prospective customers and website visitors — very seriously.
This Privacy Policy explains:
(a) what personal information we collect and why;
(b) the legal basis on which we process it;
(c) who we share it with;
(d) how we protect it;
(e) where it is stored, including cross-border transfers;
(f) how long we keep it;
(g) the rights you have under the Protection of Personal Information Act 4 of 2013 (“POPIA”) and how to exercise them.
This Policy is published in compliance with section 18 of POPIA.
3. THE TWO HATS WE WEAR — RESPONSIBLE PARTY OR OPERATOR
POPIA distinguishes between a “Responsible Party” (the person who decides why and how personal information is processed) and an “Operator” (the person who processes personal information on behalf of, and on the instruction of, a Responsible Party).
We act in two different capacities, and the rules that apply depend on which:
2.1 We are the Responsible Party for:
- our own employees, contractors and suppliers;
- the principal users (the crèche owners, principals or administrators) of our crèche customers, in their capacity as our contracting counterparts (account onboarding, billing, support);
- prospective customers who contact us, request a demo or sign up for newsletters;
- visitors to our websites at kreshe.co.za and kopanongplatforms.co.za.
For these data subjects, we determine the purposes and means of processing and we are accountable to you under POPIA.
2.2 We are the Operator for:
- children, parents, practitioners and transport drivers whose information is processed by a crèche through the Kreshe platform.
For these data subjects, the crèche is the Responsible Party. The crèche decides why and how the data is processed; we process it only on the documented instruction of the crèche, in terms of an Operator Agreement and Master Services Agreement concluded with that crèche under section 21 of POPIA. Each crèche has its own privacy notice governing its use of the data, and your rights as a data subject of that data are exercised primarily against the crèche.
If you are a parent and want access to your child’s records held in the Kreshe platform, please contact your crèche directly. If they need our assistance to locate or extract the records, we will assist on their instruction.
4. WHAT WE COLLECT AND WHY
3.1 Information you give us directly
| What | When | Why we need it |
|---|---|---|
| Name, surname, email, phone, role, name of crèche | Contact form, demo request, sign-up | To respond to your enquiry, schedule a demo, or set up your account |
| Account credentials (email, password) | Sign-up to Kreshe | To authenticate you on the platform |
| Billing information (account holder name, banking details, VAT number where applicable) | When a paid subscription begins | To raise invoices, collect subscription fees by debit order, comply with tax obligations |
| Communications with us (emails, support tickets, chat messages) | Throughout the relationship | To provide support and to keep records of what we agreed |
| Marketing preferences | When you opt in or out | To respect your choices |
3.2 Information we collect automatically when you use our website
| What | Why |
|---|---|
| IP address, browser type and version, device type, operating system, referring URL, pages viewed, time spent | To make the website work correctly, diagnose problems, and improve the experience |
| Cookies and similar technologies (see section 5) | Authentication, preferences, analytics |
| Log files and audit trails | Security, fraud prevention, troubleshooting |
3.3 Information about children, parents, practitioners and transport drivers
This information is captured in the Kreshe platform by the crèche (not by us as Responsible Party). The categories include:
- children’s profile data (name, date of birth, gender, photographs uploaded by the crèche or parent, allergy and medical notes uploaded by the parent, daily activity logs, attendance);
- parent / guardian data (name, contact details, billing information used by the crèche for parent invoices and the Kreshe Collections module);
- practitioner / staff data (name, contact details, qualifications, employment information uploaded by the crèche);
- transport driver data (name, contact details, driver licence details where uploaded).
We process this information only as Operator on the instruction of the crèche. The crèche must obtain the necessary consents and provide the necessary notices to its parents, staff and contractors; we provide template notices and consent forms in our customer onboarding pack.
3.4 Special personal information and children’s information
POPIA imposes higher protections on special personal information (such as health information, race, religious beliefs and biometric data) and on children’s personal information. The Kreshe platform processes children’s personal information by design, and may process medical notes uploaded by parents to ensure the safety of the child at the crèche.
We have applied for prior authorisation under section 57(1)(d) of POPIA in respect of the cross-border processing of children’s personal information described in section 7 below. We do not process biometric information of children. The five-character codes used at the attendance kiosk are time-limited verification codes — they are not biometric.
5. COOKIES AND SIMILAR TECHNOLOGIES
We use cookies and similar technologies for the following purposes:
(a) Strictly necessary — to enable core functionality (login sessions, security, page navigation). These cannot be switched off without breaking the website;
(b) Functional — to remember your preferences (e.g. language, display settings);
(c) Analytics — to understand how visitors use the site so we can improve it. We use these on an anonymised or aggregated basis where possible;
(d) No advertising or third-party tracking cookies are deployed by Kopanong on Kreshe. We do not sell or share data with advertising networks.
No Personal Information is stored in a cookie itself. A cookie contains a small piece of data that can be read by a web server, but cannot be used to run programs or deliver malware. Where a cookie holds an identifier that is linked to Personal Information held in our systems, we treat that identifier as Personal Information and process it under this Policy.
You can control cookies through your browser settings. Refusing non-essential cookies will not prevent you from using the site, but some features may be less convenient.
6. THE LEGAL BASIS ON WHICH WE PROCESS
POPIA requires that processing rest on at least one of the lawful bases in section 11. We rely on the following bases, depending on the activity:
| Activity | Lawful basis under POPIA s 11 |
|---|---|
| Providing the Kreshe service to a crèche customer | Performance of a contract (s 11(1)(b)) |
| Billing, account management and customer support | Performance of a contract (s 11(1)(b)) |
| Compliance with tax, company and labour law | Compliance with a legal obligation (s 11(1)(c)) |
| Security, fraud prevention and audit logging | Legitimate interests (s 11(1)(f)) |
| Sending marketing emails and newsletters | Consent (s 11(1)(a)) — opt-in only |
| Processing children’s personal information at a crèche | Consent of a competent person (the parent or guardian) under s 35, secured by the crèche |
| Cross-border transfer of personal information | Section 72(1)(a) where the recipient country, or the contractual arrangement, provides a level of protection substantially similar to POPIA — supported by binding written agreements incorporating EU Standard Contractual Clauses or equivalent safeguards; alternatively s 72(1)(d) where the transfer is necessary for the performance of the contract |
7. WHERE YOUR INFORMATION IS STORED — CROSS-BORDER TRANSFER
Some of the personal information processed through Kreshe — including operational data such as child profiles, attendance records and daily logs — is stored and processed on cloud infrastructure operated by service providers located outside the Republic of South Africa. We make these transfers only in compliance with section 72 of POPIA, which permits cross-border transfers of personal information where:
(a) the recipient country, or the contractual arrangement governing the transfer, provides a level of protection substantially similar to POPIA;
(b) the data subject has consented to the transfer; or
(c) the transfer is necessary for the performance or conclusion of a contract to which the data subject is party, or in the interest of the data subject.
Where we transfer personal information to providers in jurisdictions subject to the European Union General Data Protection Regulation (GDPR), we rely primarily on the adequacy basis in section 72(1)(a), supported by binding written contractual safeguards incorporating the European Commission Standard Contractual Clauses or equivalent mechanisms recognised under POPIA.
In addition, and out of an abundance of caution given the criminal sanctions in section 107 of POPIA in respect of children’s personal information, we have applied for prior authorisation from the Information Regulator under section 57(1)(d) of POPIA. We will update this section once that application has been determined.
The current list of named sub-operators and the jurisdictions in which they process personal information is available on request to the Information Officer.
8. WHO WE SHARE YOUR INFORMATION WITH
We share personal information only as set out below:
(a) The crèche customer, in respect of data we process as Operator on its behalf;
(b) Sub-operators and service providers, under written agreements that limit them to processing on our documented instruction. The categories of sub-operator we engage are:
- cloud hosting, database and infrastructure providers;
- email and customer-communication providers;
- customer support tooling providers;
- payment integrators — used solely for the Kreshe Collections module that facilitates parent payments to crèches. The payment integrators are themselves Responsible Parties for the payment data they process under the National Payment System;
- analytics and product-improvement providers, where applicable;
- security, monitoring and fraud-prevention service providers;
(c) Professional advisors (legal, accounting, tax) under confidentiality, where necessary;
(d) Regulators, courts and law-enforcement agencies, where we are legally obliged to disclose;
(e) A successor entity in the event of a sale, merger or restructuring of Kopanong, subject to the new entity being bound by terms at least as protective as this Policy.
The current list of named sub-operators is available on request to the Information Officer at info-officer@kopanongplatforms.co.za.
We do not sell your personal information. We do not share it with advertising networks, data brokers or unaffiliated third parties for their own purposes.
9. HOW WE PROTECT YOUR INFORMATION
We apply the technical and organisational measures required by section 19 of POPIA, including:
- encryption in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent);
- role-based access controls and least-privilege access;
- multi-factor authentication for administrative accounts;
- regular vulnerability scanning, patching and review of security controls;
- access logging and audit trails;
- backups and disaster-recovery procedures;
- staff confidentiality undertakings and screening;
- incident detection, response and notification procedures.
If we have reasonable grounds to believe that your personal information has been accessed or acquired by an unauthorised person, we will notify the Information Regulator and you in accordance with section 22 of POPIA.
10. HOW LONG WE KEEP YOUR INFORMATION
We keep personal information only as long as necessary for the purposes for which it was collected, or for any longer period required or permitted by law. The general retention periods we apply are:
| Category | Retention |
|---|---|
| Active customer records (while subscription is live) | Throughout the contract term |
| Customer records after termination | 5 years after termination, in line with the Tax Administration Act 28 of 2011 and the Companies Act 71 of 2008 |
| Parent and child records held as Operator | As instructed by the crèche; on termination of the crèche’s contract, exported and returned to the crèche, and deleted from our systems within 90 days unless a longer retention is instructed |
| Marketing preferences and opt-out records | Indefinitely, to ensure we honour your preferences |
| Website analytics (anonymised / aggregated) | Up to 25 months |
| Server logs | 12 months unless a security incident requires longer |
| Backups | Rolling 35-day cycle, then overwritten |
After the retention period, personal information is deleted or anonymised in accordance with section 14 of POPIA.
11. YOUR RIGHTS UNDER POPIA
You have the following rights:
(a) the right to be notified that personal information about you is being collected (section 18) — this Policy provides that notification;
(b) the right to know whether we hold personal information about you, and to access that information (section 23);
(c) the right to request correction or deletion of personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or unlawfully obtained (section 24);
(d) the right to object to processing on reasonable grounds, and to object to processing for direct marketing (section 11(3));
(e) the right to withdraw consent at any time, where processing is based on consent (section 11(2)(b)) — withdrawal does not affect the lawfulness of processing before withdrawal;
(f) the right not to be subject to a decision based solely on the automated processing of your personal information that produces legal consequences for you (section 71); and
(g) the right to lodge a complaint with the Information Regulator (section 74).
To exercise any of these rights, please use our Data Subject Request Form, or contact us:
Information Officer
Mr Nkululeko Nhlapo
Kopanong Platforms (Pty) Ltd
Email: info-officer@kopanongplatforms.co.za
We will respond within a reasonable time, and in any event within 30 days. Confirming whether we hold information about you is free. Where access to that information attracts a fee, we will give you a written estimate before proceeding.
If you are dissatisfied with our response, you may lodge a complaint with the Information Regulator:
Information Regulator (South Africa)
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Email: complaints.IR@inforegulator.org.za
Website: www.inforegulator.org.za
12. DIRECT MARKETING
We will only send you marketing communications if you have opted in. Every marketing email contains an unsubscribe link. You can also withdraw consent at any time by emailing info-officer@kopanongplatforms.co.za.
In line with section 69 of POPIA, we do not send unsolicited electronic marketing communications to people who are not existing customers, unless they have given specific consent.
13. CHILDREN
Kreshe is a B2B platform; the website is intended for adult prospective customers (crèche principals and owners). The Kreshe application processes children’s personal information, but only on the instruction of the crèche, which obtains parental consent in accordance with section 35 of POPIA. The website itself is not aimed at, and we do not knowingly collect personal information directly from, children.
14. CHANGES TO THIS POLICY
We may update this Policy from time to time. Material changes will be communicated to existing customers by email and posted on this page with a revised effective date and version number. The current version is the version published at https://kreshe.co.za/legal/privacy-policy.
15. CONTACT US
| Information Officer | Mr Nkululeko Nhlapo |
| Email (Information Officer / data subject requests) | info-officer@kopanongplatforms.co.za |
| Email (legal correspondence) | legal@kopanongplatforms.co.za |
| Email (general business) | info@kopanongplatforms.co.za |
| Email (Kreshe customer support) | support@kreshe.co.za |
| Postal address | Kopanong Platforms (Pty) Ltd, 1792 Ext 3, Qalabotjha, Villiers, Free State, 9840 |
| Information Regulator registration | 2026-010867 |
End of Privacy Policy.