Privacy notice
How we handle the information you give us when you apply
This notice describes what Koyo Learn collects from founding-cohort applicants, where we process it, how long we keep it, and the rights you have under the EU General Data Protection Regulation (GDPR), South Africa's Protection of Personal Information Act (POPIA), and Zambia's Data Protection Act 2021 (DPA 2021). It is intentionally short and plain. Last updated: 2026-05-15.
1. Who we are (data controller / responsible party)
The data controller (under GDPR) and responsible party (under POPIA) for the information you submit through this site is Koyo HQ, the company behind the Koyo Learn product. General contact: admin@koyohq.com, WhatsApp +263 71 210 4065.
Under POPIA s55-56, every responsible party must designate an Information Officer who is registered with the Information Regulator. Koyo HQ's Founder is designated as Information Officer for the founding-cohort signup and will register with the South African Information Regulator before processing any South African school's pilot data. The Information Officer is the point of contact for all POPIA-related requests and complaints.
For all data-protection enquiries — data subject requests, POPIA complaints, GDPR rights — write to privacy@koyohq.com (or admin@koyohq.com while the dedicated address is being provisioned) with the subject line "Data request" or "POPIA request". We will respond within 30 days as required by GDPR Article 12 and POPIA s23.
2. What we collect
When you submit the founding cohort application form we collect:
- Your name, email, and WhatsApp number
- Your role (principal, teacher, parent, tutor, sponsor, etc.)
- Your country and city / region, and (for sponsors) the country the learner studies in
- The school or organisation you are applying on behalf of
- School type, learner count, tutor count, curriculum, current learning setup, and the needs you select
- Your pricing preference and the challenge you describe
- Your browser language and rough technical metadata (browser user-agent, IP address) for fraud prevention and security audit
- The fact that you gave explicit consent at the time of submission
3. Lawful basis under GDPR and POPIA
We process your data on two lawful bases. The mapping between GDPR and POPIA is direct:
- GDPR Article 6(1)(a) / POPIA s11(1)(a) — your explicit consent, given by ticking the consent box on the application form. POPIA requires consent to be voluntary, specific, and informed; the consent box satisfies all three. You can withdraw consent at any time (see §8) by emailing privacy@koyohq.com.
- GDPR Article 6(1)(f) / POPIA s11(1)(d) — our legitimate interest in fraud prevention and security audit, for the IP address and browser user-agent metadata. Under POPIA, this is processing "necessary for pursuing the legitimate interests of the responsible party". This interest is balanced against your right to privacy and these fields are not used for marketing.
We do not process your personal information for any purpose outside §4 below without obtaining fresh consent.
4. What we use it for
- To contact you about your founding cohort application
- To match the cohort to schools that fit our pilot criteria
- To improve the signup experience, only in anonymised, aggregated form
- We do not sell your details. We do not share them with marketers or other third parties for their own marketing.
5. Where it is processed (data residency)
Application data submitted through this site (your name, email, WhatsApp number, school details, and the rest of the form) is stored on infrastructure located in Germany (Hetzner Online GmbH, Falkenstein data centre). All transmission is over HTTPS / TLS 1.2+. Database backups are encrypted at rest and retained inside the EU.
The signup form on this site does not send your application data to any AI model.
The separate Koyo Learn product (not this signup form) uses Anthropic's API as its AI processor. Anthropic's primary processing infrastructure is located in the United States. This is an international transfer outside the EU/EEA and outside South Africa, performed under EU Standard Contractual Clauses (2021) as part of Anthropic's Data Processing Addendum (which we have signed), and — for South African data subjects — under the cross-border conditions of POPIA section 72. Anthropic does not use API customer data (your conversations, assignments, or learner content) to train AI models.
See §10 below for the full GDPR + POPIA international-transfer analysis.
6. How long we keep it
We retain personal information only as long as necessary for the purpose for which it was collected, in line with GDPR Article 5(1)(e) and POPIA s14:
- Successful application data (applicant joins the pilot): retained for the duration of the pilot relationship plus 12 months for audit and onboarding handover, then deleted, unless you ask us to delete it sooner.
- Unsuccessful application data (applicant is not selected, or does not respond): 12 months from the date of submission, then deleted. This is shorter than the 24 months in our earlier draft and reflects POPIA s14's minimum-necessary requirement.
- Encrypted backups: rotated and deleted on a 90-day cycle.
- Audit / security logs (IP, user-agent): 12 months, then deleted.
You can request earlier deletion at any time (see §8). Successful applicants will receive a separate, longer-lived Data Processing Agreement (DPA) covering the pilot itself, which sets retention for pilot operational data.
7. Sub-processors
We use a small number of named sub-processors to operate this site and the founding-cohort process:
- Hetzner Online GmbH (Germany, Falkenstein data centre) — application data storage and site hosting. EU-based controller. Hetzner Data Processing Agreement signed.
- Anthropic, PBC (United States) — AI processor for the separate Koyo Learn product (not for this signup form). Standard Contractual Clauses + Data Processing Addendum signed. API customer data is not used to train Anthropic's AI models.
- Plausible Insights OÜ (Estonia, EU) — privacy-respecting analytics. Cookie-free, no personal data collected. Aggregated page view and CTA click metrics only.
A current sub-processor list, our Data Processing Addendum (DPA), and the Anthropic SCCs/DPA are available to schools considering the pilot — write to admin@koyohq.com.
8. Your rights
8a. Under GDPR (EU / EEA / UK)
- Right of access (Art. 15) — ask us what data we hold about you
- Right to rectification (Art. 16) — ask us to correct inaccurate data
- Right to erasure / "right to be forgotten" (Art. 17) — ask us to delete your data
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20) — get a copy of your data in a machine-readable format
- Right to object to processing (Art. 21)
- Right to withdraw consent at any time (Art. 7) — withdrawal does not affect lawfulness of processing before the withdrawal
- Right to lodge a complaint with a supervisory authority in your EU member state of residence, work, or where the alleged infringement took place
8b. Under POPIA (South Africa)
If you are a South African data subject, POPIA gives you parallel rights:
- Right to be notified (POPIA s18) that your personal information is being collected — this notice fulfils that obligation
- Right of access (POPIA s23) — ask us what personal information we hold about you and request a record of it
- Right to correction or deletion (POPIA s24) — ask us to correct or delete personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully
- Right to object to processing (POPIA s11(3)) — including the right to object to direct marketing (we do not direct-market through this site)
- Right to withdraw consent at any time (POPIA s11(2)(b))
- Right to lodge a complaint with the Information Regulator (POPIA s74): https://inforegulator.org.za · complaints.IR@justice.gov.za
8c. Under DPA 2021 (Zambia)
If you are a Zambian data subject, Zambia's Data Protection Act No. 3 of 2021 gives you parallel rights. Koyo HQ commits to registering as a data controller with the Office of the Data Protection Commissioner before processing pilot data for Zambian schools and learners.
- Right to be informed (DPA 2021 s32) of the collection and use of your personal data — this notice fulfils that obligation
- Right of access (DPA 2021 s33) — ask us what personal data we hold about you
- Right to rectification (DPA 2021 s34) — ask us to correct inaccurate personal data
- Right to erasure (DPA 2021 s35) — ask us to delete your personal data
- Right to restrict processing (DPA 2021 s36)
- Right to data portability (DPA 2021 s37) — get a copy of your data in a machine-readable format
- Right to object to processing (DPA 2021 s38) — including direct marketing
- Right to withdraw consent at any time (DPA 2021 s10)
- Right to lodge a complaint with the Data Protection Commissioner (DPA 2021 s50): under the Ministry of Technology and Science of Zambia. The Office is the supervisory authority for Zambian data subjects.
A Data Protection Impact Assessment (DPIA) for the Koyo Learn pilot is available to schools, NGO partners, and donors on request — write to privacy@koyohq.com. DPIAs are typically required by World Vision Zambia, UNICEF Zambia, Camfed Zambia, Plan International Zambia, and similar donor-funded programmes before signing MoUs that involve child personal data.
To exercise any of these rights — under either regime — email privacy@koyohq.com (or admin@koyohq.com) with the subject line that matches your request (e.g., "Erasure request", "POPIA access request"). We will respond within 30 days. We will not charge you for exercising your rights.
9. Children's data
The signup form on this site is intended for adults applying on behalf of a school, organisation, or family. We do not knowingly collect personal information of individual children through this form. Where the form asks for "learners served", that is an aggregate count band (e.g. "201-400"), not individual learner records.
Under POPIA (South Africa)
POPIA s1 defines a child as a person under 18. Personal information of a child is treated as special personal information under POPIA s26-27, and its processing requires one of the lawful grounds in POPIA s35 (parental/guardian consent, public-interest research, legal obligation, or prior authorisation from the Information Regulator under POPIA s57).
The Koyo Learn product processes learner data inside each pilot school. In that context, the school is the responsible party for learner data (Koyo HQ is the operator / processor). The school is responsible for obtaining parental consent at enrolment, and the Data Processing Agreement signed with each pilot school addresses POPIA s26-27 specifically. Where prior authorisation from the Information Regulator under POPIA s57 is required for a specific use case, Koyo HQ will support the school's application.
Under GDPR (EU / EEA / UK)
GDPR Article 8 sets the age of consent for information-society services at 16 by default (member states may lower to 13). Learner-facing AI features in the Koyo Learn product are off-by-default and gated by teacher activation; for under-16 learners, parental consent is obtained through the school as part of the school's enrolment data processing agreement.
Under the Children's Code of Zambia (2022) and DPA 2021
Zambia's Children's Code Act 2022 and DPA 2021 s27 require enhanced protection for personal data of children (persons under 18). Where the Koyo Learn product processes child personal data, the school (or the parent/guardian where direct) is the responsible data controller and obtains consent at enrolment. Koyo HQ acts as the data processor and provides a DPIA and DPA template that addresses Zambian child-data requirements.
See the AI governance section on the main page for the product-level controls. Full product documentation, the Koyo HQ → School Data Processing Agreement template, and our compliance posture (POPIA s57 prior-authorisation, DPA 2021 child-data, GDPR Art 8) are available to schools and donor programmes considering the pilot.
10. International transfers
Application data submitted through this site stays in the EU (Germany). It is not transferred outside the EU/EEA, and for South African applicants it is not transferred outside South Africa in any way that would not also satisfy POPIA s72.
Product AI processing in the separate Koyo Learn product is performed via Anthropic's API, whose primary infrastructure is in the United States. This is an international transfer of personal data outside the EU/EEA, and — for South African data subjects — a cross-border transfer outside the Republic of South Africa.
10a. GDPR safeguard (EU / EEA / UK)
The transfer is performed under the EU Standard Contractual Clauses (2021), Module 2 (Controller-to-Processor), incorporated into Anthropic's Data Processing Addendum, which Koyo HQ has signed. We have completed a Transfer Impact Assessment (TIA) per EDPB Recommendations 01/2020 and Schrems II; the TIA is available to schools considering the pilot.
10b. DPA 2021 cross-border conditions (Zambia)
Zambia's Data Protection Act 2021 (Part X) governs cross-border transfer of personal data of Zambian data subjects. The Anthropic-US transfer for the Koyo Learn product is supported by the same combination of grounds applicable elsewhere: explicit data subject consent (DPA 2021 s10); performance of contract (DPA 2021 s58); and binding contractual safeguards equivalent to the EU SCCs (signed Anthropic DPA). A full DPA 2021 cross-border assessment is available to schools, donor programmes, and the Office of the Data Protection Commissioner on request.
10c. POPIA s72 cross-border test (South Africa)
POPIA s72 permits transfer of personal information about a data subject to a third country only if at least one of the following applies. For the Koyo HQ → Anthropic (US) transfer, three of the four apply, in combination:
- s72(1)(a) — recipient is subject to comparable protection. Anthropic's binding contractual safeguards (the SCCs + DPA) impose protection substantially similar to POPIA's eight conditions for lawful processing. POPIA s72 expressly recognises binding corporate rules or binding agreements between responsible party and operator as a valid mechanism.
- s72(1)(b) — the data subject consents. Consent is obtained via the explicit consent checkbox on the application form and at the school's enrolment for the product.
- s72(1)(c) — the transfer is necessary for the performance of a contract between the data subject (or school) and Koyo HQ, or for pre-contractual steps taken at the data subject's request. AI inference is part of the Koyo Learn product's contracted feature set.
A full POPIA s72 cross-border assessment for the Anthropic-US transfer is documented in our internal compliance folder and is available to schools considering the pilot on request.
10d. Anthropic commitments
Anthropic's commitments under the signed DPA include: not using API customer data to train AI models, a 30-day retention window for trust-and-safety review followed by deletion, and security controls aligned with SOC 2 Type II.
We do not use any other sub-processor located outside the EU/EEA.
11. Cookies and tracking
This site does not use third-party advertising cookies. We use a privacy-respecting analytics tool (Plausible) that collects anonymous page views and CTA clicks. No personal data is collected through analytics, and no cross-site tracking cookies are set.
12. Changes to this notice
We will update this notice when our processing changes. Material changes (new sub-processors, changes to data residency, changes to retention periods) will be communicated to existing applicants by email before they take effect.
Contact
Privacy / data requests:
privacy@koyohq.com (preferred — being provisioned)
or admin@koyohq.com
General: admin@koyohq.com
WhatsApp: +263 71 210 4065
(a South African +27 contact line is being established for SA data subjects and pilot schools)