Privacy Policy
Last Updated: 26 January 2026 | Effective Date: 26 January 2026
🔒 Quick Summary (TL;DR)
Hey! Here's what you need to know about your data:
- Your data is yours – We only collect what we need to run the programme
- We never sell your info – Your data stays with BlastBeat, never shared for marketing
- Parents/guardians have control – If you're under 18, your parent/guardian must consent
- You can delete your account – Ask us anytime and we'll remove your data
- Events are real – Photos/videos from events may be shared (with consent)
- We keep you safe – Strong security protects everything you share
1. Who We Are
BlastBeat Education(trading name of Climate Actions Now Ltd) is a youth entrepreneurship education platform operating across South Africa, Ireland, Japan, Rwanda, and Namibia.
Data Controller Information
| Detail | Information |
|---|---|
| Organisation | BlastBeat Education (Climate Actions Now Ltd) |
| < a href="mailto:privacy@blastbeat.education">privacy@blastbeat.education | |
| Address | 9 Winchester Road, Cape Town, Western Cape 7925, South Africa |
| Phone | +27 73 804 8409 |
2. What Data We Collect
We collect different types of data depending on who you are:
For Students (Age 13-18)
- Identity: Full name, date of birth, age
- Contact: Email address, phone number (optional)
- Education: School name, grade/year, teacher name
- Programme Data: Team role, achievements, points, badges
- Content: Photos, videos, and work created during the programme
For Teachers & School Staff
- Professional: Name, school, position, professional email
- Training: Certifications, CPD records, facilitation history
For Parents/Guardians
- Identity: Name, relationship to student
- Contact: Email, phone number
- Consent Records: What you've agreed to and when
🛡️ Data Minimisation:
We only collect data that is necessary for running the BlastBeat programme. We do not collect sensitive data like religion, health information, or political views.
3. Why We Collect Your Data
| Purpose | Legal Basis (POPIA/GDPR) |
|---|---|
| Registering you for the programme | Consent (and parental consent for minors) |
| Running ESE teams and events | Legitimate interest / Contract performance |
| Issuing certificates and badges | Contract performance |
| Safeguarding and child protection | Legal obligation / Vital interests |
| Improving our programme | Legitimate interest |
| Marketing (promotional photos/videos) | Explicit consent only |
4. Special Protections for Children
BlastBeat serves students aged 13-18. We take extra care with children's data:
⚠️ Parental Consent Required:
- In South Africa (POPIA): Consent required for children under 18
- In EU/Ireland (GDPR): Consent required for children under 16
- We follow COPPA principles for all children under 18
Our Child Protection Commitments
- All staff undergo police vetting and safeguarding training
- Children's data is encrypted and access-restricted
- No direct marketing to students under 18
- Parents can review, correct, or delete their child's data at any time
- We report concerns to relevant child protection authorities as required by law
5. How We Share Your Data
We share data only with trusted partners for specific purposes:
| Who | Why | Safeguards |
|---|---|---|
| Schools & Teachers | Programme delivery, student progress | Data Processing Agreements |
| Government Education Departments | Programme accreditation, reporting | Official MOUs, anonymised where possible |
| Platform Providers (Supabase, Duda) | Technical infrastructure | GDPR-compliant providers, encryption |
| Event Sponsors | Aggregate impact data only | Never individual student data |
🚫 We NEVER:
- Sell personal data to third parties
- Share student data for advertising purposes
- Allow sponsors to contact students directly
6. How We Keep Your Data Safe
- Encryption: All data encrypted in transit (TLS 1.3) and at rest (AES-256)
- Access Controls: Role-based access – only authorised staff can access data
- Regular Audits: Security reviews every 6 months
- Incident Response: 72-hour breach notification commitment
- Staff Training: Mandatory data protection training for all team members
7. How Long We Keep Your Data
| Data Type | Retention Period |
|---|---|
| Student programme records | 5 years after programme completion |
| Teacher/facilitator records | Duration of engagement + 3 years |
| Consent records | 7 years (legal requirement) |
| Event photos/videos | 5 years or until consent withdrawn |
| Financial records (student profits) | 7 years (tax compliance) |
8. Your Rights
Under POPIA, GDPR, and applicable laws, you have the right to:
- Access – Get a copy of your data
- Correction – Fix inaccurate data
- Deletion – Request we delete your data (right to be forgotten)
- Portability – Receive your data in a portable format
- Object – Stop processing for marketing purposes
- Withdraw Consent – Change your mind about what you've agreed to
- Complain – Lodge complaints with data protection authorities
How to Exercise Your Rights
Email privacy@blastbeat.education with "Data Request" in the subject line. We will respond within 30 days.
Complaints to Authorities
- South Africa: Information Regulator – www.justice.gov.za/inforeg/
- Ireland/EU: Data Protection Commission – www.dataprotection.ie
9. International Data Transfers
BlastBeat operates in multiple countries. We ensure appropriate safeguards when transferring data:
- EU to South Africa: Standard Contractual Clauses (SCCs)
- Cloud Providers: All providers are GDPR-compliant with servers in EU/SA
- Cross-border programmes: Data minimised to what's essential for the specific country
10. Cookies and Tracking
Our website uses cookies. See our full Cookie Policy for details.
- Essential Cookies: Required for the website to function
- Analytics Cookies: Help us improve (you can opt out)
- No Advertising Cookies: We don't use tracking for ads
11. Changes to This Policy
We may update this policy to reflect changes in law or our practices. Significant changes will be communicated via:
- Email notification to registered users
- Notice on our website
- Schools notified for student-affecting changes
Contact Us About Privacy
Data Protection Contact:
📞 +27 73 804 8409
📍 9 Winchester Road, Cape Town, Western Cape 7925, South Africa
Legal Compliance
This Privacy Policy complies with:
- POPIA – Protection of Personal Information Act 4 of 2013 (South Africa)
- GDPR – General Data Pr