Heritage Pro Data Privacy Policy

1. Scope and Legal Basis

This policy applies to Heritage Pro's school management platform, related support services, implementation services, integrations, hosting, backups, reporting, communications, and product administration. It is written for government schools, public education bodies, private schools, parents, sponsors, students, staff, and procurement teams who need to understand how Heritage Pro handles school data.

Heritage Pro handles personal data in line with the Botswana Data Protection Act, 2024. The Act regulates data controllers and data processors, requires appropriate security, regulates processor contracts and sub-processors, and sets breach notification and data subject rights obligations.

2. Our Role: Processor and Limited Controller

For school operational records, Heritage Pro usually acts as a data processor. The school, council, ministry, or authorised education body remains the data controller because it decides why the data is collected, which learners or staff are recorded, what school processes are run, who receives school communications, and how long official education records must be kept.

Heritage Pro acts as a data controller only for its own business and service administration data, such as sales enquiries, customer contracts, billing records, support tickets, license management, website usage, product security logs, staff access administration, supplier records, and procurement correspondence.

3. School Data We Process

• Student and applicant data, including names, dates of birth, gender, nationality, ID or passport numbers, grades, classes, application status, attachments, and enrolment information.
• Parent, sponsor, guardian, emergency contact, and billing responsibility information.
• Academic data, including subjects, assessments, marks, report cards, comments, attendance, progression, activities, documents, and learning records.
• Staff and user data, including accounts, roles, permissions, departments, employment-related school records, attendance, and system activity.
• Health, welfare, safeguarding, conduct, disability, counselling, medical, and other sensitive records where a customer uses the relevant modules.
• Finance, fees, transport, library, assets, communications, audit logs, uploaded files, and operational records needed to run the school system.

4. Why We Process School Data

Heritage Pro processes school data only to provide, secure, support, and improve the services requested by the customer. This includes:

• hosting and operating the Heritage Pro platform and school portals;
• supporting admissions, student records, assessments, attendance, welfare, fees, transport, communications, documents, reporting, and administration workflows;
• migrating data, configuring schools, managing users, troubleshooting issues, and providing customer support;
• generating reports, exports, notifications, emails, SMS messages, and integrations configured by the customer;
• maintaining backups, audit logs, security monitoring, product reliability, and incident response; and
• helping customers meet education, audit, procurement, and data protection obligations.

5. Processor Commitments

Where Heritage Pro acts as a processor, we process personal data only on documented instructions from the controller, including instructions in the customer contract, implementation scope, support request, configuration choices, or lawful written direction from an authorised customer contact.

• We do not sell school data or use it for unrelated advertising.
• We limit access to personnel and approved support providers who need access to deliver the service.
• We require confidentiality from personnel who may access customer data.
• We use sub-processors only where needed for service delivery and subject them to appropriate data protection obligations.
• We assist controllers, where reasonably possible, with data subject requests, security obligations, breach response, audits, and data protection impact assessments.
• At the end of service, we return, delete, archive, or retain data according to the customer contract, lawful instructions, and applicable legal requirements.
• We inform the controller if we believe an instruction is unlawful or creates a material data protection risk.

6. Security Measures

Heritage Pro applies technical and organisational measures designed to protect personal data against unauthorised access, accidental loss, alteration, disclosure, or destruction. The measures depend on the service, deployment model, customer configuration, and assessed risk.

• Role-based access controls, user permissions, authentication, and least-privilege administration.
• Audit logs and activity records for key actions where supported by the module.
• Backups, recovery procedures, and availability controls appropriate to the deployment.
• Secure file handling, controlled support access, and separation of customer environments where applicable.
• Encryption, transport security, hosting controls, and infrastructure safeguards where appropriate.
• Staff confidentiality expectations, internal access governance, incident review, and supplier due diligence.

7. Children and Sensitive Data

School records often include children's data and sensitive personal data, including health, welfare, disability, safeguarding, disciplinary, financial, and family records. Heritage Pro treats these records as high-care data and processes them only for configured school purposes, authorised support, security, compliance, or lawful instructions from the controller.

Customers are responsible for ensuring that their collection and use of sensitive records has an appropriate lawful basis. Heritage Pro supports that responsibility by providing access controls, auditability, module configuration, and secure processing practices.

8. Sub-Processors and Third Parties

Heritage Pro may use trusted service providers to deliver the platform, such as hosting providers, storage and backup providers, email and SMS services, payment or accounting integrations, support tools, monitoring services, and implementation partners. These providers may access personal data only where needed to provide their services to Heritage Pro or the customer.

Where Heritage Pro engages a sub-processor for school data, we remain responsible to the controller for that sub-processor's relevant data protection obligations, subject to the customer contract and applicable law.

9. Cross-Border Transfers

Some infrastructure, support, backup, email, SMS, or integration services may process or store data outside Botswana. Heritage Pro will make cross-border transfers only where authorised by the controller, required for the contracted service, or permitted by law, and subject to appropriate safeguards under the Botswana Data Protection Act, 2024.

10. Retention, Return, and Deletion

For school data, the controller decides retention periods and official record keeping requirements. Heritage Pro retains data for as long as needed to provide the service, meet contractual support obligations, maintain backups and audit records, resolve disputes, comply with law, or follow documented customer instructions.

When a service ends, Heritage Pro will return, delete, anonymise, archive, or retain school data as set out in the contract, lawful customer instructions, backup cycles, and applicable legal obligations.

11. Personal Data Breaches

If Heritage Pro becomes aware of a personal data breach affecting school data, we will notify the relevant controller without undue delay and provide available information to support assessment, containment, remediation, and required notifications.

Under the Act, controllers notify the Information and Data Protection Commission without undue delay and, where feasible, within 72 hours where required. Controllers also communicate high-risk breaches to affected data subjects where required. Heritage Pro supports those obligations, unless the contract or law assigns a different responsibility.

12. Data Subject Requests

Students, parents, sponsors, guardians, staff, and other data subjects should usually direct access, correction, deletion, objection, restriction, portability, or complaint requests to the relevant school, council, ministry, or education body because that organisation controls the school record.

Where Heritage Pro receives a request relating to school data, we will route it to the relevant controller where identifiable and appropriate. We will assist the controller with responses where required by the contract and the Act. For Heritage Pro's own business data, requests may be sent to support@heritagepro.co.

13. Heritage Pro Business Data

Heritage Pro acts as controller for its own business data, including enquiries, demonstrations, proposals, contracts, billing, customer administration, support tickets, license records, website visits, security logs, staff access records, and supplier information. We use this data to operate the business, provide support, manage contracts, secure the service, communicate with customers, comply with law, and improve the product.

14. Government School Assurance

Heritage Pro understands that many customers are government schools and public education bodies. We support procurement and compliance expectations by maintaining processor commitments, audit and support records, access controls, incident handling procedures, data protection cooperation, and privacy-by-design practices appropriate to a school management system.

This public policy should be read together with the customer contract, data processing terms, implementation documents, service descriptions, and any lawful instructions issued by the relevant controller.

15. Contact Us

For privacy questions about Heritage Pro's processor commitments, security practices, customer support handling, or Heritage Pro's own business data, contact us using the details below.

16. Updates to This Policy

We may update this policy to reflect changes in the Heritage Pro platform, customer contracts, security practices, service providers, or applicable law. The latest version will be published on this page.