Legal
We take privacy seriously. This policy explains how Real Edu protects and processes personal information entrusted to our platform.
We process the data schools provide to deliver the platform: student demographics (names, dates of birth, identity numbers), guardian contacts, academic records (grades, assignments, attendance), billing entries, staff information, and user credentials. We also capture usage analytics (login times, feature usage, system performance metrics) to improve reliability and performance. Technical data includes IP addresses, browser types, device information, and session data.
Data powers core features such as portals, notifications, reporting, and integrations. We use information to: (a) provide and maintain the service, (b) process billing and payments, (c) communicate with users about service updates, (d) ensure platform security and prevent fraud, (e) comply with legal obligations, and (f) improve our services through analytics. We do not sell personal information to third parties. We may use aggregated, anonymized data for research and product development.
Real Edu employs industry-standard security practices including: encryption at rest (AES-256) and in transit (TLS 1.3), role-based access controls, multi-factor authentication for administrators, regular security audits and penetration testing, automated backup systems, and intrusion detection systems. Sensitive operations leverage Clerk authentication and infrastructure hardened for multi-tenant environments. Our servers are hosted in secure, SOC 2 compliant data centers.
We use trusted third-party service providers to help deliver our services. These include: Clerk (authentication), Stripe/Paynow (payment processing), Cloudinary (image hosting), MinIO (file storage), and SendGrid/SMTP providers (email delivery). Each processor is contractually obligated to protect your data and use it only for the specific services they provide to us. We conduct due diligence on all processors to ensure they maintain adequate security standards.
We retain personal data for as long as necessary to provide the service and fulfill the purposes described in this policy. Active account data is retained while your subscription is active. Upon account termination, you have 30 days to export your data. After this period, we delete or anonymize your data within 90 days, except where longer retention is required by law (e.g., financial records are retained for 7 years for tax purposes). Anonymized usage statistics may be retained indefinitely.
Our platform is designed for educational institutions and may process data about children under 18. Schools using our platform must: (a) obtain appropriate consent from parents/guardians where required, (b) ensure they have legal authority to share student data with us, and (c) comply with local regulations regarding children's data. We do not knowingly collect data directly from children without institutional authorization. If you believe we have inadvertently collected such data, contact us immediately.
Your data is primarily stored on servers within South Africa. Where data is transferred internationally (e.g., to service providers in other countries), we ensure adequate safeguards are in place, such as standard contractual clauses, to protect your information in accordance with POPIA and GDPR requirements.
Under South Africa's Protection of Personal Information Act (POPIA), you have the right to: (a) access your personal information, (b) correct inaccurate data, (c) request deletion of your data (subject to legal retention requirements), (d) object to processing, (e) request data portability, and (f) lodge a complaint with the Information Regulator. To exercise these rights, contact support@xofreal.com. We will respond within 30 days.
In the event of a data breach that may adversely affect your personal information, we will notify you and the relevant regulatory authorities within 72 hours of becoming aware of the breach, as required by POPIA. Notifications will include: the nature of the breach, categories of data affected, likely consequences, and measures taken to address the breach.
Schools must: (a) manage user permissions appropriately, (b) ensure only authorized individuals access data, (c) obtain necessary consents from parents/guardians, (d) notify us promptly if credentials are compromised, (e) comply with applicable data protection laws when using our platform, and (f) maintain their own backup copies of critical data.
We use essential cookies to maintain user sessions and platform functionality. We also use analytics cookies to understand how users interact with our platform and improve service quality. You can control cookie preferences through your browser settings, but disabling essential cookies may affect platform functionality.
We may update this policy as our platform evolves or regulations change. Material changes will be communicated via email to your registered address at least 30 days before taking effect. Continued use after changes indicates acceptance. Updates will be posted here with a revised effective date. We encourage you to review this policy periodically.
For questions about this policy or to exercise your data rights, contact support@xofreal.com. If you are not satisfied with our response, you have the right to lodge a complaint with the South African Information Regulator at inforeg@justice.gov.za or visit www.justice.gov.za/inforeg.
Last updated: 2025