Privacy Policy

Last updated: 9 October 2025

We process personal information in accordance with the Protection of Personal Information Act, 2013 (POPIA).

What this policy covers

  • Visitors and customers using our Site and checkout
  • Parents/guardians purchasing for learners
  • School representatives (including “Headmasters”) who manage a school’s participation and/or affiliate role

Information we collect

1) You provide to us

  • Account & checkout: name, surname, email, mobile/telephone, billing and (where applicable) delivery details, chosen school, order notes.
  • Forms: details you submit via our Become a Partner School and other forms (e.g., contact name, school name, role, email, phone, message).
  • Support/communications: content of your messages to us.
  • Comments (if enabled): the data shown in the comment form.

2) Collected automatically

  • IP address, browser/OS type and version, pages viewed, time/date, referrer, and basic device data (standard server logs and analytics).
  • Basic cookie information (see Cookies below).

3) From third parties

  • Payment gateway confirmation from PayFast (no card data is stored by us).
  • Affiliate system status/IDs from SliceWP when a Headmaster/affiliate is linked.

We do not collect or store card numbers or banking details on our servers.

Why we use your information (POPIA grounds)

  • To fulfil orders and provide our services (performance of a contract).
  • To manage your account, school selection, and delivery preferences (contract/legitimate interests).
  • To communicate about orders, delivery schedules, service updates (contract/legitimate interests).
  • To operate partner schools & affiliates (legitimate interests; consent where required).
  • To send marketing where you’ve opted in (consent; you can opt out anytime).
  • To improve security & prevent fraud (legal obligation/legitimate interests).
  • To comply with law, tax and accounting requirements (legal obligation).

Comments & Gravatar

When visitors leave comments (if enabled), we collect the data shown in the form, plus IP address and browser user-agent to help with spam detection.
An anonymised string (hash) of your email may be sent to Gravatar to check if you use it. After approval, your profile picture is public next to your comment. See Gravatar’s policy for details.

Media

If you upload images, avoid images with embedded location data (EXIF GPS). Visitors could download and extract location data from images on the Site.

Cookies

We use cookies and similar tech to keep you logged in, remember preferences, manage the cart/checkout, and improve performance.

  • Comment convenience cookies (if comments are enabled) may store your name/email/website so you don’t re-enter them later. They typically last up to 1 year.
  • A temporary login test cookie checks if your browser accepts cookies and is removed when you close the browser.
  • Login/session cookies keep you signed in (typically 2 days; “Remember Me” up to 2 weeks).
  • Screen options preferences may last up to 1 year.
  • Editing/publishing may set an additional cookie with the post ID; it contains no personal data and expires after 1 day.
  • WooCommerce sets cookies needed for cart/checkout functionality.

You can block cookies in your browser, but parts of the site (e.g., checkout) may not work correctly.

Anti-spam & security

  • WP Armour Honeypot is enabled on forms to reduce spam. It uses hidden fields and does not send your data to a third-party service.
  • Standard server logs and security tools help detect abuse/fraud.

Embedded content from other websites

Articles may include embedded content (e.g., videos, maps, images). Embedded content behaves as if you visited the external website and may collect data, use cookies, and track interactions subject to that site’s privacy policy.

Who we share your data with (disclosures)

We share only what’s necessary to provide our services:

  • Payment processing: PayFast to take payment securely (we never see or store card numbers).
  • Shipping/fulfilment: couriers and (where applicable) your partner School to organise delivery/collection.
  • Affiliate management: SliceWP to manage Headmaster/affiliate relationships and commissions.
  • Site operations: reputable hosting, backup, email, and analytics providers.
  • Legal/compliance: regulators, law enforcement, tax authorities where required.

We do not sell your personal information.

How long we keep your data

  • Orders & accounts: retained as needed for accounting, tax, and audit purposes (typically 5–7 years under SA law).
  • Form submissions: retained for as long as needed to process your request and manage School onboarding/relationship.
  • Comments: kept indefinitely to recognise and approve follow-ups automatically.
  • Affiliate/commission records: retained for as long as the programme requires for accurate accounting and audit.
  • When retention is no longer required, we securely delete or anonymise data.

Your rights (POPIA)

You have the right to:

  • Access the personal information we hold about you.
  • Correct inaccurate or incomplete information.
  • Delete information we no longer need (subject to legal retention).
  • Object to certain processing or withdraw marketing consent at any time.
  • Lodge a complaint with the Information Regulator (South Africa).

To exercise your rights, contact School Fuel. We may need to verify your identity.

Payments

Payments are processed by PayFast. PayFast receives your payment details directly over an encrypted connection. We receive confirmation of payment and order metadata, but no card numbers are stored on our systems.

Affiliates / Headmasters

If a School assigns a “Headmaster” affiliate, we may associate purchases to that affiliate via SliceWP. We process minimal data to attribute commissions and manage the programme. Commission data may be adjusted for refunds, fraud, or policy breaches.

Children

Our Site is used by adults (parents/guardians/school staff). If you are under 18, please use the Site only with the involvement of a parent/guardian. We do not knowingly collect personal data from children without appropriate consent.

International transfers

Some providers may process data on servers located outside South Africa. Where applicable, we use providers that apply appropriate safeguards aligned to POPIA (e.g., contractual protections, secure processing).

How we protect your data

We use reputable hosting, HTTPS encryption, access controls, and least-privilege practices. While no system is perfectly secure, we continuously work to protect your information.

What rights you have over your data

If you have an account or have left comments, you can request an export of your personal data we hold, including any data you’ve provided. You can also request that we erase personal data, subject to information we must keep for administrative, legal, or security purposes.

Where your data is sent

Visitor comments and some submissions may be checked through automated anti-spam/security measures (e.g., WP Armour honeypot and standard server checks). Payment data is sent directly to PayFast over secure connections.

Changes to this policy

We may update this policy from time to time. The “Last updated” date shows the latest version. Material changes will be highlighted on this page.

Contact us

For privacy questions or requests, contact:
Email: Email
Address: Unit 2, 6 Aspen St, Fisantekraal, Cape Town, 7550

You may also lodge a complaint with the Information Regulator (South Africa): inforegulator.org.za