01 Who We Are (Responsible Party)
Under POPIA, the Responsible Party is the person who determines the purpose and means of processing personal information. For The Magic Lab, that is:
Information Officer: Ruhan Janse van Rensburg is the designated Information Officer for The Magic Lab, responsible for compliance with POPIA. You may direct all privacy-related queries to the email address above.
02 What Information We Collect
We collect the minimum information necessary to provide you with a personalised learning experience. Here is exactly what we collect and why:
| Information |
When collected |
Why |
| Email address |
When you register |
Account login and communication |
| Display name |
When you register |
To personalise your experience |
| Password (hashed) |
When you register |
Account security — stored as a one-way hash, never in plain text |
| School grade (optional) |
When you register |
To show curriculum-appropriate content |
| Role (student / teacher) |
When you register |
To show the correct dashboard and features |
| Lesson progress |
As you use tools |
To track which lessons you have completed |
| Quiz results |
As you answer questions |
To track accuracy, award XP, and provide feedback |
| XP and badge data |
As you earn them |
To power the gamification and dashboard |
| Daily activity dates |
Each day you use the platform |
To calculate your learning streak |
| AI Tutor messages |
When you use the AI Tutor |
Sent to Anthropic's API to generate a response — see Section 7 |
| Code runs |
When you run code |
To track engagement and award XP — code is not permanently stored |
We do not collect: ID numbers, home addresses, phone numbers, financial information, biometric data, health information, or any special personal information as defined in section 26 of POPIA.
03 How We Use Your Information
We use your personal information only for the following purposes:
- Providing the service: Authenticating your account, showing your progress, enabling tool features, and displaying your achievements
- Personalisation: Showing grade-appropriate content, resuming where you left off, and tracking your learning history
- Gamification: Calculating and displaying XP, levels, badges, and streaks
- Communication: Sending important service-related emails (e.g. password reset). We do not send marketing emails without your consent
- Platform improvement: Understanding how the platform is used in aggregate — without identifying individual users — to improve content and features
- Safety and security: Detecting and preventing misuse, fraud, or unauthorised access
We do not use your information for advertising, do not sell your data, and do not share it with third parties for their own marketing purposes.
04 Lawful Basis for Processing
Under POPIA, we must have a lawful basis for processing your personal information. We rely on the following:
- Contractual necessity: Processing your account information, lesson progress, and quiz data is necessary to provide you with the service you signed up for
- Consent: Where you are under 18, we rely on the consent of your parent, guardian, or school (where the school has entered into an agreement on behalf of its learners)
- Legitimate interest: We process aggregate usage data to improve the platform — this does not identify individual users
- Legal obligation: We may process information where required by South African law
05 Children's Privacy
The Magic Lab is designed for school learners, many of whom are under the age of 18. We take the privacy of young users seriously and apply the following protections:
- We collect the minimum information necessary for learners to use the platform
- We do not collect location data, phone numbers, or photographs from any user
- We do not display advertising to any user
- Learner progress data is only visible to the learner themselves and, where a school licence is in place, to the learner's teacher
- AI Tutor conversations are not stored on our servers beyond the active session
Under 13: If a child under the age of 13 registers, we require the prior written consent of a parent or legal guardian in terms of section 35 of POPIA and the Children's Act 38 of 2005. Schools registering learners on behalf of their students take responsibility for obtaining appropriate consent.
06 How We Store and Protect Your Data
Your personal information is stored using Supabase, a cloud database platform with servers located in the European Union (AWS Frankfurt region). All data is:
- Encrypted in transit using TLS/HTTPS
- Encrypted at rest using AES-256 encryption
- Accessible only through authenticated API requests with Row Level Security (RLS) enforced — meaning each user can only access their own data
- Password data is hashed using bcrypt and never stored in plain text
We apply the principle of least privilege — only the minimum access required to operate the platform is granted to any system or person.
Data location note: Although Supabase servers are currently in the EU, your data is processed under South African law and this Privacy Policy. The EU hosting location means your data also benefits from GDPR-standard infrastructure protections.
07 Third-Party Services
We use a small number of trusted third-party services to operate the Platform. These are:
| Service | Purpose | Data shared | Privacy Policy |
|---|
| Supabase |
Database, authentication, and storage |
All user account and progress data |
supabase.com/privacy |
| Anthropic (Claude API) |
AI Tutor responses |
Your AI Tutor messages (not your name or account details) |
anthropic.com/privacy |
| Google Fonts |
Typography |
Your IP address (standard CDN request) |
Google Privacy Policy |
| jsDelivr CDN |
JavaScript libraries (Lucide icons) |
Your IP address (standard CDN request) |
jsDelivr Privacy Policy |
We do not use Google Analytics, Facebook Pixel, advertising networks, or any other tracking services. The platform contains no advertisements.
AI Tutor note: When you use the AI Tutor, your messages are sent to Anthropic's API to generate a response. Do not include personal information — such as your full name, ID number, address, or passwords — in AI Tutor messages. Anthropic processes these messages according to their own privacy policy.
08 Sharing of Information
We do not sell, rent, or trade your personal information. We share your information only in the following limited circumstances:
- With your school: If your school has a licence agreement with us, your teacher may be able to view your lesson progress, XP, and quiz performance for the purpose of supporting your learning. You will be informed of this arrangement at registration.
- With service providers: We share necessary data with Supabase and Anthropic as described in Section 7, solely to operate the Platform.
- For legal compliance: We may disclose information where required by South African law, court order, or to protect the rights, property, or safety of users or the public.
- With your consent: For any other purpose, we will ask for your explicit consent first.
09 Retention of Information
We retain your personal information for as long as your account is active or as needed to provide you with the service. Specifically:
- Account data (email, display name, grade, role): retained until you delete your account
- Learning progress and XP: retained until you delete your account — this is the core value of having an account
- Daily activity data: retained for 2 years, then deleted automatically
- AI Tutor conversations: not stored by us beyond the active browser session; Anthropic's own retention applies to API calls
When you delete your account, we will delete or anonymise your personal information within 30 days, except where we are required to retain it for legal or regulatory reasons.
10 Your Rights Under POPIA
As a data subject under POPIA, you have the following rights regarding your personal information:
Right of Access
You can request a copy of the personal information we hold about you at any time.
Right to Correction
You can request that we correct inaccurate or incomplete personal information about you.
Right to Deletion
You can request that we delete your personal information. We will do so within 30 days unless we have a legal reason to retain it.
Right to Object
You can object to the processing of your personal information in certain circumstances, including for direct marketing.
Right to Withdraw Consent
Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
Right to Complain
You have the right to lodge a complaint with the Information Regulator of South Africa if you believe we have violated your rights.
To exercise any of these rights, contact us at ruhan@themagiclab.co.za. We will respond within 30 days.
Information Regulator
If you are not satisfied with our response to a privacy complaint, you may contact the Information Regulator of South Africa:
11 Cookies and Local Storage
The Magic Lab uses browser local storage (not tracking cookies) for the following limited purposes:
- Remembering whether you have seen the welcome screen for each tool (
ml_welcome_seen_*)
- Supabase authentication tokens, which allow you to stay logged in between sessions
We do not use advertising cookies, analytics cookies, or third-party tracking cookies. No cookie consent banner is displayed because we do not use non-essential cookies.
You can clear your browser's local storage at any time through your browser settings. This will log you out and reset your tool welcome screens.
12 Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the services we offer, or legal requirements. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify registered users by email.
We encourage you to review this policy periodically. Your continued use of the Platform after changes are posted constitutes your acceptance of the updated policy.
13 How to Contact Us
For any questions, requests, or concerns about this Privacy Policy or the handling of your personal information, please contact our Information Officer: