POPIA-aligned. By design.
LearnerGuard was built with South African data protection law as a design constraint, not an afterthought. Every collection, retention, and access control decision has a legal basis.
How LearnerGuard implements POPIA
The Protection of Personal Information Act requires that personal information be collected lawfully, used for a specific purpose, and protected throughout its lifecycle.
Accountability
LearnerGuard designates a responsible party for all personal information processing. Every data mutation is attributed to a specific user and role.
Processing Limitation
Data is only collected when a lawful basis exists — primarily contractual necessity for transport services and compliance with NLTA obligations.
Purpose Specification
Each data type has a documented collection purpose. GPS location is collected only during active trips. NFC data is collected only at boarding events.
Further Processing Limitation
Data collected for scholar transport operations is not repurposed for marketing or shared with third parties outside of explicit operational necessity.
Information Quality
Role-based workflows enforce data quality at collection. Document uploads require metadata validation. Address and identity fields are format-validated.
Openness
LearnerGuard maintains a processing register. Parents, students, and drivers are notified of what data is collected and why at onboarding.
Security Safeguards
JWT-based authentication, role-based access controls, encrypted connections, and audit logging protect personal information at rest and in transit.
Data Subject Participation
Any data subject can request access, correction, or deletion of their personal information through the DSAR workflow built into the platform.
Minimisation
GPS location logs are retained for only 90 days. Data not required for operational or legal purposes is not retained beyond its specified period.
Data Retention Policy
Retention periods are set by the minimum legally required period for each data type. Personal information is deleted or anonymised at retention expiry.
| Data Type | Retention Period | Legal Basis |
|---|---|---|
| GPS location logs | 90 days | POPIA minimisation |
| NFC boarding events | 1 year | Operational audit |
| SLA audit records | 5 years | Legal defensibility |
| Payment history | 5 years | Financial regulation |
| Safety incident reports | 5 years | Safeguarding record |
| User action logs | 2 years | Platform audit |
Data Subject Access Requests (DSAR)
Any data subject — parent, student, driver, or operator — has the right to request access to, correction of, or deletion of their personal information held by LearnerGuard.
DSARs submitted through the platform are routed to a service administrator for review within 72 hours. The data subject receives a confirmation within the statutory period.
Submit DSAR
Via the platform settings or by emailing our designated Information Officer.
Identity Verification
We verify the requestor's identity to protect against unauthorised disclosure.
Review & Compile
A service administrator compiles all personal information held for the data subject.
Response
Data provided in a portable format (JSON/CSV) within the statutory period.
Audit Trail
Every action on the LearnerGuard platform that modifies personal information is recorded in an immutable audit log. This supports both regulatory compliance and legal defensibility.
| Event | Retention | Fields Recorded |
|---|---|---|
| Driver document upload | 2 years | User ID, timestamp, document type, file hash |
| Hard-lock override | 5 years | Admin ID, justification, vehicle/driver affected |
| Compliance status change | 5 years | Before/after state, operator ID, timestamp |
| NFC boarding event | 1 year | Student ID, vehicle ID, driver ID, GPS, timestamp |
| Distress alert trigger | 5 years | Actor ID, GPS coordinates, notified parties |
| DSAR submission | 5 years | Request ID, subject ID, actions taken, completion |
| Payment transaction | 5 years | Invoice ID, amount, PayFast reference, status |
NLTA Act 5 of 2009 — Full Alignment
LearnerGuard was designed against the full text of NLTA Act 5 of 2009 and the associated regulations. Key sections enforced at the platform level:
Operating Licences
Required per operator and per vehicle. Hard-locked at expiry.
Public Liability Insurance
Required per operator and per vehicle. Hard-locked at expiry.
Identity Verification
SA ID or Passport required for all drivers. Hard-locked.
Criminal Clearance
Criminal clearance certificate required per driver. Monitored.