Privacy Policy

01

Information Officer — POPIA Designation

Under POPIA Section 55, every responsible party must designate an Information Officer. This person handles all data subject requests, oversees POPIA compliance, and liaises with the Information Regulator of South Africa.

Designated Information Officer

Name: Thabang Maokeng

Role: Director & Information Officer

Email: support@studymax.co.za

Organisation: StudyMax

Responsibilities

Handles all data subject access and deletion requests
Manages POPIA compliance for StudyMax
Oversees data security and breach response procedures
Liaises with the Information Regulator of South Africa
Reviews and updates this privacy policy

02

Who We Are — Responsible Party

StudyMax is an academic productivity platform ("we", "us", "our"). StudyMax is the responsible party in terms of POPIA — meaning we determine the purpose and means of processing your personal information.

StudyMax is built specifically for South African university students to help them track assessments, manage study sessions, monitor grades, and improve academic performance.

Platform name: StudyMax
Operated by: StudyMax
Physical address: 09 John Chard, Brandwag, Bloemfontein, Free State, 9301
Email: support@studymax.co.za
Website: studymax.co.za

Hosting: StudyMax data is hosted on servers operated by Hostserv (Pty) Ltd via Plesk, within the Republic of South Africa.

03

Information We Collect & Why

We collect only the personal information necessary to provide the StudyMax service (the POPIA principle of purpose limitation and minimality). The table below sets out all categories of data we process:

Category	Specific Data Points	Purpose
Account Information	First name, last name, email address, bcrypt-hashed password	Account creation, authentication, communication
Academic Profile	Institution/university, programme/degree, year of study, phone number	Personalising study tools, module matching, notifications
Study & Assessment Data	Modules enrolled, assessment titles, due dates, weights, grades, marks obtained, study session durations, focus ratings, study streaks	Core platform functionality — tracking academic progress
Subscription & Billing	Subscription plan, subscription status, expiry date, PayFast transaction references and payment dates	Managing your premium subscription, billing records
Technical & Security Data	IP address, last login timestamp, login attempts, session tokens, password change timestamps	Security monitoring, fraud prevention, account protection
Activity Logs	Actions performed (login, password reset, assessment updates) with timestamps	Audit trail, account security, support investigations
Notification Preferences	Email/push notification settings, reminder preferences	Delivering the notification experience you configured

We do not store payment card details. All card data is processed exclusively by PayFast (Pty) Ltd's PCI-DSS compliant infrastructure. StudyMax only receives a transaction confirmation reference and payment status.

We do not store plain-text passwords. All passwords are hashed using bcrypt (cost factor 11) and are irreversibly transformed. Even we cannot read your password.

04

Lawful Basis for Processing POPIA s.11

Processing Activity	Lawful Basis (POPIA s.11)
Creating and managing your student account	Performance of a contract with you (s.11(1)(b))
Providing study tracking, assessment management, grade monitoring	Performance of a contract (s.11(1)(b))
Processing Premium subscription payments via PayFast	Performance of a contract (s.11(1)(b))
Sending assessment deadline reminders and notifications	Performance of a contract & your consent (s.11(1)(a)(b))
Sending marketing emails about StudyMax features	Your consent (s.11(1)(a)) — with opt-out right
Security monitoring, login logging, fraud prevention	Legitimate interest (s.11(1)(f))
Maintaining financial/transaction records	Legal obligation — tax and accounting law (s.11(1)(c))
Improving the platform using anonymised analytics	Legitimate interest (s.11(1)(f))

05

How We Use Your Information

5.1 Platform Service Delivery

Running the core StudyMax features: storing your modules, assessments, study sessions, grades and streaks; calculating analytics; generating smart notifications; and managing your subscription plan.

5.2 Communication & Notifications

Sending transactional emails via our SMTP server (support@studymax.co.za) including: account welcome emails, password reset links, assessment deadline reminders (7 days, 3 days, 1 day before due), trial expiry warnings, subscription confirmations, and weekly study progress digests.

5.3 Account Security

Logging IP addresses and login timestamps to detect suspicious activity, enforce rate-limiting on failed login attempts (5 attempts triggers a 5-minute lockout), and enabling you to identify unauthorised access.

5.4 Platform Improvement

Using anonymised, aggregated data to understand usage patterns, identify most-used features, improve performance, and develop new functionality. This data does not identify you individually.

5.5 Legal Compliance

Maintaining financial records as required by South African tax law; complying with valid court orders, subpoenas or regulatory requests from the Information Regulator of South Africa.

5.6 What We Do NOT Do

We do not sell, rent, or trade your personal information to any third party
We do not share your academic data with your institution, lecturers, or other students
We do not share your information with advertisers or data brokers
We do not use your data for automated profiling that significantly affects your rights
We do not send marketing emails without your prior consent

06

Data Sharing & Third-Party Operators POPIA s.21

Third Party	Purpose	Data Shared
PayFast (Pty) Ltd PCI-DSS Level 1	Premium subscription payment processing	Name, email address, subscription amount, order reference — no card data stored by us
Hostserv (Pty) Ltd Plesk hosting provider	Hosting StudyMax on South African servers	All stored data (encrypted at rest)
StudyMax SMTP (mail.studymax.co.za)	Sending transactional and notification emails	Your email address, your first name, notification content
Information Regulator of South Africa	Legal regulatory reporting obligation	Only as legally required (e.g. serious data breaches)
Law enforcement / courts	Compliance with valid legal process	Only when required by valid court order or warrant

We never sell your data. StudyMax does not share, sell, rent or license your personal information to any advertiser, data broker, marketing company, or third party for commercial gain.

07

Data Retention Periods POPIA s.14

Data Category	Retention Period	Reason
Account & profile data	Duration of account + 30 days after deletion request	Service provision; 30-day grace period for recovery
Academic data (modules, assessments, grades)	Duration of account	Core platform service
Study session logs	Duration of account	Analytics and progress tracking
Payment transaction records	5 years from transaction date	South African tax and accounting law (SARS)
Security and activity logs	90 days	Security monitoring and incident investigation
Password reset tokens	1 hour (or immediate use)	Security — tokens expire automatically
Email logs	30 days	Delivery troubleshooting
Anonymised analytics	Indefinitely	Platform improvement — no personal identifiers

When your account is deleted, all personal data is permanently removed from our active systems within 30 days. Payment records are retained for 5 years as required by South African law, in a pseudonymised form where possible.

08

Security Measures POPIA s.19

Technical Controls

HTTPS/SSL — all data in transit is encrypted via TLS
bcrypt password hashing (cost factor 11)
CSRF tokens — forms and AJAX requests protected
Login rate limiting — 5 failed attempts triggers lockout
Session security — HTTP-only, secure, SameSite cookies
Parameterised SQL queries — prevents SQL injection
Environment variables — credentials outside web root

Organisational Controls

Access to production database restricted
Admin panel uses separate session namespace
Admin actions logged with IP addresses
Sensitive config files protected by .htaccess
Regular backups on Plesk infrastructure
Production error messages hide system details

No system is 100% secure. While we implement industry-standard safeguards, we cannot guarantee absolute security against all cyber threats. We encourage you to use a strong, unique password and to protect your login credentials.

09

Data Breach Notification POPIA s.22

Notify the Information Regulator of South Africa as soon as reasonably possible after discovering the breach
Notify affected users directly via email (support@studymax.co.za) as soon as reasonably possible
Our notification will include: a description of the breach, the categories of data affected, our response measures taken, and recommended steps you can take to protect yourself

If you suspect your StudyMax account has been compromised, contact us immediately at support@studymax.co.za and use the "Forgot Password" feature to secure your account.

10

Your POPIA Rights POPIA ss.23–25

Right to Access

Request a copy of all personal information we hold about you (POPIA s.23)

Right to Correction

Request correction of inaccurate, incomplete or misleading information (POPIA s.24)

Right to Deletion

Request deletion of your account and personal data, subject to retention obligations (POPIA s.24)

Right to Object

Object to the processing of your personal information on grounds of legitimate interest (POPIA s.11(3))

Right to Opt Out

Withdraw consent to marketing and promotional emails at any time (POPIA s.69)

Right to Complain

Lodge a complaint with the Information Regulator of South Africa (POPIA s.73)

How to exercise your rights: Email support@studymax.co.za with your request. We will respond within 30 days. You can also update most of your profile data directly in your StudyMax account settings. To delete your account, contact us directly.

11

Cookies & Sessions

Cookie Name	Type	Purpose	Duration
`PHPSESSID`	Essential	Maintains your login session and authentication state	Browser session (1 hour idle timeout)
Session CSRF token	Essential	Protects all forms against cross-site request forgery attacks	Per session

No advertising cookies. StudyMax does not use Google Analytics, Facebook Pixel, or any third-party advertising or behavioural tracking technologies.

You can disable cookies in your browser settings, but this will prevent you from logging in to StudyMax as sessions are required for authentication.

12

Marketing Emails & Opt-Out POPIA s.69

Transactional Emails (Always Sent)

Welcome email upon registration
Password reset links
Subscription confirmations and expiry notices
Payment receipts

Notification Emails (Configurable)

Assessment deadline reminders
Weekly study progress digests
Study streak milestones
Overdue assessment alerts

Marketing & Announcements (Opt-In)

Emails about new features, updates, or StudyMax promotions are only sent with your consent. You may withdraw consent at any time by emailing support@studymax.co.za or updating your notification preferences. We will process opt-out requests within 5 business days.

13

Children's Privacy POPIA s.34–36

StudyMax is designed for university students and is primarily intended for persons aged 18 years or older. We do not knowingly collect personal information from children under the age of 18 without prior consent from a parent or legal guardian.

If you are under 18 and wish to use StudyMax, you must obtain the consent of your parent or legal guardian before registering. POPIA Section 34 prohibits the processing of a child's personal information without such consent.

If we become aware that we have collected personal information from a user under 18 without verifiable parental consent, we will delete that account and its associated data promptly. Contact us at support@studymax.co.za if you believe this has occurred.

14

Cross-Border Data Transfers POPIA s.72

Google Fonts & CDN libraries — used for visual presentation only; no personal data is transmitted
PayFast — a South African company; your payment data remains in South Africa
Font Awesome CDN (Cloudflare) — static asset delivery; your IP may be processed internationally for CDN routing

Where any cross-border transfer of personal information occurs, we ensure the recipient country or organisation provides an adequate level of protection equivalent to POPIA, in compliance with Section 72 of POPIA.

15

Information Regulator of South Africa

Information Regulator (South Africa)
JD House, 27 Stiemens Street
Braamfontein, Johannesburg, 2001
Email: inforeg@justice.gov.za
Website: inforegulator.org.za

Before Escalating

We encourage you to first contact us directly at support@studymax.co.za. We will do our best to resolve your concern within 30 days. The Information Regulator is the appropriate escalation path if we are unable to resolve it to your satisfaction.

16

Policy Changes & Version History

We may update this Privacy Policy from time to time. When we make material changes, we will: update the "Last Updated" date, send a notification email to all registered users, and display an in-app notification. Continued use of StudyMax after changes are published constitutes acceptance.

Version	Date	Summary of Changes
1.0	May 2026	Initial privacy policy for StudyMax platform launch. Covers account data, academic data, PayFast payments, POPIA rights, SMTP email, session security, and data retention schedules.

Contact Us — Privacy Enquiries & Data Subject Requests

Information Officer

Thabang Maokeng — Director & Information Officer

support@studymax.co.za

09 John Chard, Brandwag, Bloemfontein, 9301

studymax.co.za

Response Times

General privacy enquiries: within 2 business days
Access / correction / deletion requests: within 30 days
Marketing opt-out: within 5 business days
Suspected breach reports: immediately

Related Pages

Terms & Conditions

Contents