Privacy Policy

Last updated: May 2026. This policy is issued in accordance with the Data Protection Act, 2018 of the Republic of Botswana.

1. Who we are (the data controller)

Bantu Plaza is operated from Plot 11866 Ntshinoge, Mochudi, Botswana. For privacy matters: info@bantuplaza.com.

2. What personal data we collect

• Account data: name, email, password (hashed), date of birth, role (student or tutor).
• Profile data (tutors): bio, city, country, languages taught, hourly rate, availability, profile photo, date of birth (to enforce the 18+ baseline and 21+ minimum for tutors who opt in to “Kids welcome”), and the “Kids welcome” opt-in itself.
• Guardian / minor data (parent & guardian accounts only): if you register on behalf of a child in your care, we record the child’s first name and date of birth and a timestamp + IP of your consent. We do not collect the child’s surname, address, school, or other identifiers. You are the data controller for your child’s data; we process it as your processor for the limited purpose of delivering lessons you book.
• Booking data: lessons booked, datetimes, lesson type, status. Bookings made by a guardian account are flagged with the child’s first name so the tutor can address the lesson correctly.
• Lesson recordings (minor lessons only): when a lesson is booked by a parent / guardian for a learner aged 8–17, Bantu Plaza records the lesson automatically as a safeguarding measure. The recording is captured in the tutor’s browser when they open the lesson through Bantu Plaza’s lesson page, uploaded in chunks to Bantu Plaza’s secured storage (deny-rule-protected directory; download is served by a capability-checked endpoint), and retained for 30 days before automatic deletion by a daily prune cron (bp_daily_recording_prune). Every recording upload, access and deletion is written to our audit log. Adult-to-adult lessons are not recorded. The parent / guardian may request earlier deletion at any time.
• Direct messages: when you send or receive a message through your Bantu Plaza dashboard we store the sender, recipient, timestamp and message body in our database. Messages are normally readable only by the sender and recipient; Bantu Plaza’s trust-and-safety staff may review messages where there is a credible safeguarding concern (every such review is recorded in the audit log as dm_admin_read). We do not share message content with any third party except where required by valid legal process.
• Payment data: processed by WooCommerce and the payment gateway (e.g. PayPal). We do not store full card numbers — only the order id, amount, currency and last-4 digits where available.
• Technical data: IP address, browser, pages visited (used for security, fraud detection and analytics).
• Audit log: when staff perform governance actions (approve a tutor, issue a refund, hide a review, send an announcement, change commission rates, upload / access / delete a lesson recording) we record the staff member’s account, the action, the affected record and the request IP. The audit log retains the most recent ~200,000 events and prunes older rows daily.

3. Why we process this data (lawful basis under section 13 of the DPA 2018)

• Performance of a contract — to deliver the lessons you book.
• Legitimate interests — to keep the Platform secure, prevent fraud and improve the service.
• Legal obligation — to retain accounting and tax records (Botswana Income Tax Act).
• Consent — for optional marketing emails. You can withdraw consent at any time.

4. Who we share data with

We share the minimum data necessary with: the payment gateway (PayPal / card processor), our email provider (for transactional emails), and the tutor or student you have booked with. We do not sell personal data.

5. International transfers

Some of our service providers are located outside Botswana. Where personal data is transferred outside Botswana we rely on contractual safeguards consistent with section 48 of the Data Protection Act, 2018.

5a. Cross-border data protection laws (POPIA, GDPR, UK GDPR)

Where you reside in South Africa, the Protection of Personal Information Act, 2013 (POPIA) may also apply to our processing of your personal data. Where you reside in the European Union or United Kingdom, the General Data Protection Regulation (GDPR) / UK GDPR may also apply. In each case you retain the rights granted by whichever law affords you the greatest protection — including the right to access, rectify, erase, restrict, or port your data, and the right to lodge a complaint with your local supervisory authority (the Information Regulator in South Africa, the relevant national data-protection authority in the EU, or the Information Commissioner's Office in the UK).

6. How long we keep data

We retain personal data for as long as it is needed for the purposes set out in section 3, and for as long as we are required to retain it by Botswana law (in particular accounting and tax records under the Income Tax Act). Specifically:

• Active accounts: retained while the account exists.
• Closed accounts: when you ask us to delete your account, we anonymise your booking history (your user id is removed from each lesson record so the lesson can still be counted in tutor totals, but the lesson is no longer linked to you) and delete your profile data. Order and accounting records retained as required by tax law (typically 7 years).
• Audit log: retained as a rolling buffer of the most recent ~200,000 governance events; older events are pruned daily.
• Anonymised aggregates: retained indefinitely for service analytics.

To request deletion, email info@bantuplaza.com.

7. Your rights under the Data Protection Act 2018

• Access — request a copy of your personal data.
• Rectification — correct inaccurate data.
• Erasure — ask us to delete your data (subject to legal retention obligations).
• Restriction & objection — ask us to limit or stop processing.
• Portability — receive your data in a portable format.
• Complaint — lodge a complaint with the Information and Data Protection Commission of Botswana.

Email info@bantuplaza.com to exercise any of these rights. We respond within 30 days.

8. Security

We use HTTPS, password hashing, rate-limited authentication and least-privilege access controls. No system is 100% secure — we will notify you and the Commission of a personal data breach without undue delay, as required by section 30 of the Act.

9. Children

Bantu Plaza accounts must be held by someone aged 18 or over. Learners aged 8–17 may use the Platform only through their parent or legal guardian’s account, with the parent / guardian acting as the data controller for the child’s information. We do not knowingly create a separate account in a child’s own name, and we do not collect children’s data directly from children.

When a parent or guardian indicates at sign-up that the account is for a child, we collect the child’s first name and date of birth (so we can confirm the learner is at least 8 years old and route the account to “Kids welcome” tutors only) and a timestamp + IP record of the parent / guardian’s consent. We do not collect the child’s surname, address, school, or other identifiers. The parent / guardian may delete or correct any of this data at any time by emailing us at info@bantuplaza.com.

Lesson recordings for minor learners. Every lesson booked through a parent / guardian account for a learner aged 8–17 is recorded automatically by Bantu Plaza, captured in the tutor’s browser when they join the lesson through Bantu Plaza’s lesson page, uploaded in chunks to Bantu Plaza’s secured storage, and retained for 30 days before automatic deletion. Recordings are accessible only to the parent / guardian, the booked tutor, and Bantu Plaza’s safeguarding / trust-and-safety staff under a strict need-to-know basis (each download is audit-logged). Recordings are not sold, used for advertising, used to train AI models, or shared with any party for any other purpose, except where Bantu Plaza is required to disclose them in response to valid legal process or to make a credible safeguarding referral to the Botswana Police Service’s Child Protection Unit. The parent / guardian may request earlier deletion of any recording at any time by emailing info@bantuplaza.com with the lesson reference; we will action the request within 7 days, except where the recording is the subject of an active safeguarding investigation.

This posture is taken with reference to the Children’s Act, 2009 of Botswana, the heightened-protection principle in section 27 of the Data Protection Act 2018, section 34 of POPIA (South Africa) for children resident in South Africa, and Article 8 of GDPR for children resident in the EU / UK.

If you believe a person under 18 has registered an account in their own name (rather than through a parent / guardian account), please tell us and we will delete the account without delay.

10. Changes

We will post the date of the latest revision at the top of this page. Material changes will be emailed to active accounts at least 7 days before taking effect.