Privacy Policy

Draft - For Review Only

This Privacy Policy is a draft and has not yet been reviewed by a qualified legal professional. It must undergo legal review before publication. Do not rely on this document as final legal guidance.

This Privacy Policy describes how Chumo ("we", "us", or "our") collects, uses, stores, and protects your personal information when you use our live streaming and video-on-demand platform (the "Platform"). We are committed to protecting your privacy and processing your personal information in accordance with the Protection of Personal Information Act, 2013 (POPIA) and other applicable data protection legislation.

By accessing or using the Platform, you acknowledge that you have read, understood, and agree to the collection and use of your information as described in this Privacy Policy. If you do not agree with the terms of this policy, please do not access or use the Platform.

1. Information We Collect

1.1 Personal Information

When you register for an account, join an institute, or interact with the Platform, we may collect the following personal information:

  • Full name and display name
  • Email address
  • Profile information, including profile photo and biography
  • Professional qualifications and designations
  • Institute or organisational membership details
  • Contact information, including phone number and physical address where provided
  • Account credentials (passwords are stored in encrypted form)

1.2 Payment Information

When you make purchases on the Platform, we collect payment-related information to process transactions. This may include:

  • Billing name and billing address
  • Transaction history and purchase records
  • Payment method details (processed securely by our third-party payment providers, Stripe and Paystack — we do not store full card numbers on our servers)

1.3 Usage and Technical Data

We automatically collect certain technical and usage information when you interact with the Platform:

  • IP address and approximate geographic location
  • Browser type and version, device type, and operating system
  • Pages visited, features used, and navigation paths
  • Date and time of access, session duration, and frequency of visits
  • Referring URLs and search terms used to find the Platform
  • Error logs and performance data

1.4 CPD and Attendance Data

A core function of the Platform is tracking Continuing Professional Development (CPD) activities for professional institutes. In this context, we collect:

  • Event attendance records, including join and leave times for live events
  • Video-on-demand viewing history and progress (e.g. percentage watched, completion status)
  • CPD points or credits earned and associated certificates
  • Assessment and quiz results where applicable
  • Participation records, including chat messages and Q&A interactions during live events

1.5 Content You Provide

We store content that you voluntarily submit to the Platform, including:

  • Chat messages sent during live events
  • Documents and files uploaded to the Platform
  • Video content (for presenters and institute administrators)
  • Comments, feedback, and other communications

2. How We Use Your Information

We use the information we collect for the following purposes:

  • Providing the Platform: To create and manage your account, enable access to live events and video-on-demand content, and deliver the core services of the Platform.
  • CPD Tracking and Reporting: To record your attendance and participation in professional development activities, generate CPD reports, and issue certificates on behalf of your institute.
  • Payment Processing: To process purchases, issue invoices and receipts, and manage billing.
  • Communication: To send transactional emails (e.g. event reminders, purchase confirmations), service announcements, and, where you have opted in, marketing communications.
  • Platform Improvement: To analyse usage patterns, diagnose technical issues, improve features, and enhance the user experience.
  • Security and Fraud Prevention: To detect, investigate, and prevent fraudulent or unauthorised activities and to protect the security of the Platform.
  • Legal Compliance: To comply with applicable laws, regulations, and legal processes.
  • Institute Administration: To enable institutes to manage their members, events, and content within their tenant on the Platform.

3. Legal Basis for Processing (POPIA)

Under the Protection of Personal Information Act (POPIA), we process your personal information based on one or more of the following lawful grounds:

  • Consent: Where you have given us clear, voluntary, and informed consent to process your personal information for a specific purpose (e.g. marketing communications).
  • Contract: Where processing is necessary to fulfil our contractual obligations to you, such as providing access to the Platform and its services.
  • Legal Obligation: Where processing is necessary to comply with a legal duty, including tax, financial reporting, or regulatory requirements.
  • Legitimate Interest: Where processing is necessary for our legitimate interests or those of a third party, provided that your rights and interests do not override those interests. This includes platform security, fraud prevention, and service improvement.

You may withdraw your consent at any time where consent is the basis for processing. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

4. Data Sharing and Disclosure

We do not sell your personal information. We may share your information in the following circumstances:

4.1 With Your Institute

Chumo operates as a multi-tenant platform. When you are a member of an institute on the Platform, the administrators of that institute may have access to your profile information, attendance records, CPD progress, and participation data. Each institute is responsible for its own use of member data in accordance with applicable laws.

4.2 With Service Providers

We engage trusted third-party service providers to help us operate the Platform. These providers have access to your information only to perform specific tasks on our behalf and are contractually obligated to protect your data. These providers include:

  • Payment Processors: Stripe and Paystack, for processing financial transactions securely.
  • Cloud Hosting and Infrastructure: For storing and serving Platform data.
  • Email and Communication Services: For sending transactional and marketing emails.
  • Analytics Providers: For understanding Platform usage and improving our services.
  • Video Streaming Services: For delivering live and on-demand video content.

4.3 For Legal Reasons

We may disclose your information if required to do so by law, regulation, or legal process, or if we believe in good faith that disclosure is necessary to:

  • Comply with a legal obligation or respond to a valid legal request
  • Protect and defend our rights, property, or safety
  • Prevent fraud or address security or technical issues
  • Protect the rights, property, or personal safety of our users or the public

4.4 Business Transfers

In the event of a merger, acquisition, reorganisation, or sale of assets, your personal information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.

5. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience on the Platform, analyse usage, and support our operations.

5.1 Types of Cookies We Use

  • Essential Cookies: Required for the Platform to function correctly, including session management and authentication. These cannot be disabled.
  • Analytics Cookies: Help us understand how visitors interact with the Platform by collecting aggregated, anonymous usage data.
  • Functional Cookies: Remember your preferences and settings to provide a more personalised experience.

5.2 Managing Cookies

You can manage or disable cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of the Platform. Most browsers allow you to refuse or delete cookies; consult your browser's help documentation for instructions.

6. Data Retention

We retain your personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Specific retention periods include:

  • Account Data: Retained for the duration of your account and for a reasonable period thereafter to comply with legal obligations and resolve disputes.
  • CPD and Attendance Records: Retained for the period required by your institute or professional body, and in accordance with applicable regulatory requirements.
  • Payment Records: Retained as required by tax and financial reporting legislation.
  • Usage and Analytics Data: Retained in aggregated or anonymised form for analytical purposes.
  • Chat Messages and Content: Retained for the duration of the associated event or content, and may be removed upon request subject to legitimate business or legal requirements.

When personal information is no longer required, we will securely delete or anonymise it in accordance with our data retention procedures.

7. Your Rights Under POPIA

Under the Protection of Personal Information Act, you have the following rights in relation to your personal information:

  • Right of Access: You have the right to request confirmation of whether we hold personal information about you and to request access to that information.
  • Right to Correction: You have the right to request the correction or deletion of personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully.
  • Right to Deletion: You have the right to request the deletion or destruction of personal information that we are no longer authorised to retain.
  • Right to Object: You have the right to object to the processing of your personal information on reasonable grounds, unless legislation provides for such processing.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw that consent at any time.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with the Information Regulator of South Africa if you believe your personal information has been processed in violation of POPIA.

To exercise any of these rights, please contact our Information Officer using the details provided in the Contact Information section below. We will respond to your request within a reasonable time and in accordance with the timeframes prescribed by POPIA.

8. Data Security

We take the security of your personal information seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, loss, destruction, or alteration. These measures include:

  • Encryption of data in transit using TLS/SSL protocols
  • Encryption of sensitive data at rest
  • Access controls and authentication mechanisms to restrict access to personal information
  • Regular security assessments and monitoring
  • Secure coding practices and vulnerability management

While we strive to protect your personal information, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security, but we are committed to taking all reasonable steps to safeguard your data.

9. International Data Transfers

Chumo is based in South Africa. Some of our service providers may operate in jurisdictions outside of South Africa. Where your personal information is transferred to a country that does not provide an adequate level of data protection, we will ensure that appropriate safeguards are in place, including:

  • Contractual agreements with service providers that require them to protect your personal information to a standard consistent with POPIA
  • Ensuring that the recipient country has adequate data protection laws or that the transfer is otherwise permitted under POPIA
  • Obtaining your consent for specific transfers where required

10. Children's Privacy

The Platform is designed for use by professional institutes and their members, and is not directed at children under the age of 18. We do not knowingly collect personal information from children. If you are a parent or guardian and believe that your child has provided us with personal information, please contact us using the details below, and we will take steps to delete such information.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by updating the date at the top of this policy and, where appropriate, providing additional notice through the Platform or via email.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. Your continued use of the Platform after any changes to this policy constitutes your acceptance of the updated terms.

12. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of your personal information, please contact us:

  • Company: Chumo
  • Email: privacy@chumo.com

Information Officer

In accordance with POPIA, Chumo has designated an Information Officer who is responsible for ensuring compliance with data protection legislation and for addressing any requests or complaints related to your personal information.

  • Information Officer: [Name to be confirmed]
  • Email: informationofficer@chumo.com

Information Regulator (South Africa)

If you are not satisfied with our response to your request or complaint, you have the right to lodge a complaint with the Information Regulator of South Africa: