Privacy Policy

1. Responsible Party

The responsible party for the processing of your personal information is MyReportComments, operated in South Africa. You can contact our Information Officer at privacy@myreportcomments.com for any POPIA-related queries or requests.

2. What Personal Information We Collect

2.1 Free HTML Tool (Offline)

When using the free downloadable HTML tool, no personal information is collected by us. All data — including learner names and generated comments — is stored locally in your browser's storage and never transmitted to our servers.

2.2 Web App (Registered Users)

When you create an account on myreportcomments.com, we collect:

• Account information: email address, display name
• Usage data: number of credits used, comment generation history (for duplicate-avoidance purposes), account settings
• Payment data: transaction records processed via Stripe — we do not store card numbers or banking details
• Device and session data: IP address, browser type, and session tokens for security purposes

We do not collect learner personal information (learner names, grades, or performance data) through the web app. Learner data entered into the tool is processed only within your session and is not stored against your account unless you explicitly save a class list.

3. Lawful Basis for Processing

We process your personal information on the following lawful grounds under POPIA:

Purpose	Lawful basis
Creating and managing your account	Contractual necessity
Processing payments	Contractual necessity
Sending transactional emails (receipts, password resets)	Contractual necessity
Sending marketing emails about new features and report season reminders	Consent (opt-in at registration)
Detecting and preventing fraud or abuse	Legitimate interest
Improving the service through anonymised usage analytics	Legitimate interest

4. How We Use Your Information

We use your personal information only for the purposes for which it was collected, which include:

• Providing and maintaining access to the MyReportComments service
• Processing credit purchases and managing your account balance
• Sending you transactional communications such as payment receipts and account updates
• Sending marketing communications if you have consented to receive them
• Ensuring the security and integrity of the platform
• Complying with our legal obligations

5. Learner Data and Special Categories

MyReportComments is designed to minimise the collection of learner personal information. We strongly encourage users not to enter full learner names or any identifying information beyond what is necessary for the tool to function.

We do not collect, store, or process any special personal information as defined by POPIA (including health data, racial or ethnic origin, religious beliefs, or biometric information).

6. Data Sharing and Third Parties

We do not sell your personal information. We share personal information with third parties only where necessary:

• Supabase — cloud database and authentication provider (data stored within AWS infrastructure; governed by Supabase's privacy policy and data processing agreement)
• Stripe — payment processing (governed by Stripe's privacy policy; we receive only transaction confirmation, not card details)
• Vercel — web hosting infrastructure
• Mailchimp — email communications, for users who opt in to marketing

All third-party providers are required to handle personal information in accordance with applicable privacy laws.

7. Data Retention

We retain your account information for as long as your account is active, plus a reasonable period to comply with legal obligations. Payment records are retained for 5 years as required by South African tax law. If you delete your account, your personal information will be removed from active systems within 30 days, except where retention is required by law.

8. Security

We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, loss, or misuse. These include encrypted data transmission (HTTPS), secure authentication via Supabase Auth, and access controls limiting who can view personal data within our systems.

In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and the Information Regulator within 72 hours of becoming aware of the breach, as required by POPIA.

9. Your Rights as a Data Subject

Under POPIA, you have the right to:

• Access — request a copy of the personal information we hold about you
• Correction — request that inaccurate or incomplete information be corrected
• Deletion — request that your personal information be deleted (subject to legal retention obligations)
• Objection — object to the processing of your personal information on grounds of legitimate interest
• Withdrawal of consent — withdraw consent for marketing communications at any time via the unsubscribe link in any email
• Complaint — lodge a complaint with the Information Regulator of South Africa at www.justice.gov.za/inforeg

To exercise any of these rights, contact our Information Officer at privacy@myreportcomments.com. We will respond within 30 days.

10. Cookies

The MyReportComments website uses essential cookies only — these are required for authentication and session management and cannot be disabled without affecting your ability to use the service. We do not use advertising or tracking cookies. We do not use third-party analytics cookies.

11. Cross-Border Data Transfers

Your data may be processed by our third-party providers in countries outside South Africa (including the United States, where Supabase and Stripe infrastructure is hosted). Where this occurs, we ensure appropriate safeguards are in place consistent with POPIA's requirements for cross-border transfers.

12. Children

MyReportComments is not directed at children under 18. We do not knowingly collect personal information from individuals under 18. If you believe a minor has provided us with personal information, please contact us immediately.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified by email to registered users at least 14 days before taking effect. The "last updated" date at the top of this page will always reflect the most recent version.

14. Contact

For any privacy-related queries, requests, or complaints, contact our Information Officer at privacy@myreportcomments.com.

To lodge a complaint with the South African Information Regulator: www.justice.gov.za/inforeg