Privacy Policy
version 2026-06-24 · effective 2026-06-24
1. Who is responsible for your personal information
For data you upload through a school's account (your child's records, attendance, photos, reports, messages), the school is the Responsible Party (POPIA) / Controller (GDPR) and Acorn & Orbit (ECHO Technologies) is the Operator / Processor. See the Operator Agreement.
For data we collect directly — visiting our marketing site, signing up for an Acorn & Orbit account, contacting support, paying our subscription invoices — Acorn & Orbit (ECHO Technologies) is the Responsible Party.
2. What we collect
- Account data: name, email, password hash, phone (optional), profile photo (optional).
- Usage data: pages visited, features used, device type, browser, IP address, approximate location from IP.
- Communication data: messages you send us, email open/click events for transactional emails.
- Billing data (schools): VAT number, billing contact, subscription history. Card details are processed by Paystack and never stored by us.
- Cookies: see the Cookie Policy.
3. Lawful basis
- Contract — to provide the platform you (or your school) signed up for.
- Consent — for optional cookies, marketing emails, and for the granular child-data consents at parent signup.
- Legal obligation — tax records, fraud prevention.
- Legitimate interest — keeping the platform secure, preventing abuse.
4. Who we share with
Only with our subprocessors (see Subprocessors), the school whose account you use, and where the law requires it. We do not sell personal information.
5. International transfers
Some subprocessors host data outside South Africa (e.g. EU, USA). We use providers that offer contractual safeguards equivalent to POPIA s72 and, where relevant, GDPR Chapter V.
6. How long we keep it
See the Data Retention Schedule.
7. Your rights
Under POPIA / GDPR you have the right to:
- Be told what personal information we hold about you.
- Request a copy of it.
- Ask for it to be corrected or deleted.
- Object to processing based on legitimate interest.
- Withdraw consent (without affecting prior lawful processing).
- Lodge a complaint with the South African Information Regulator, or the relevant EU/UK supervisory authority.
To exercise these rights, contact privacy@investechotech.com. For data the school holds about your child, we will route the request to the school as Responsible Party.
8. Security
Personal information is encrypted in transit (TLS 1.2+) and at rest. Access to production systems is limited to authorised personnel. We follow the breach-notification process described in our Breach Policy.
9. Children
We do not knowingly collect information from children directly. All child information is provided by a parent/guardian or by the school. See the Child Data Consent and, for US schools, the COPPA and FERPA addenda.
10. Information Officer
Acorn & Orbit's Information Officer (POPIA) is reachable at privacy@investechotech.com.
11. Changes
We will tell you about material changes by email and/or in-app at least 14 days before they take effect.