Privacy first, matching second

Privacy Policy

This policy explains what May Cross Hub plans to collect, why it is needed for educator transfer matching, what other users may see, and the choices available to each educator.

Draft for pre-launch review Last updated: 18 June 2026 South Africa

Scope and current status

This policy is for May Cross Hub, a proposed service that helps educators discover possible reciprocal transfer matches. It applies to the public website, account registration, educator profiles, privacy preferences, match results, match requests and accepted-request conversations.

May Cross Hub is not a provincial education department, employer or official transfer authority. Finding a possible match does not approve or complete a transfer.

Current implementation: registration sends account details to Firebase Authentication and writes a private educator profile plus a separate sanitised match profile to Firestore. Matches and requests require a signed-in, email-verified account. Conversations are limited to the two participants in an accepted request.

Information May Cross Hub collects

Only information reasonably needed to create an account, compare reciprocal transfer routes, assess professional compatibility, manage requests and protect the service should be collected.

Account detailsName, email address, cellphone number, account verification and sign-in records.
Current postSchool, province, district, optional circuit or ward, quintile, phase, grades, subjects and post level.
Transfer preferencesDesired province, district, town, optional preferred school, nearby-area preference and availability.
Optional transfer reasonInformation an educator chooses to provide. Users should avoid unnecessary health, family or other highly sensitive details.
Privacy choicesVisibility settings, request permissions and consent records.
Match activityCompatibility results, saved matches, requests, responses, accepted-request messages and safety or support records.

Information not needed for matching

May Cross Hub should not ask for identity numbers, payroll details, bank information, copies of identity documents or payment-card information as part of ordinary transfer matching.

How information is used

  • Create and verify an educator account.
  • Compare current and desired locations to identify reciprocal routes.
  • Compare phase, grades, subjects and post level to estimate professional compatibility.
  • Show privacy-controlled match results, manage match requests and support conversations after acceptance.
  • Send essential account, verification, safety and request notifications.
  • Prevent misuse, investigate reports and maintain service security.
  • Meet applicable legal obligations and respond to lawful requests.

The operator must document an appropriate justification for each processing purpose before launch. Optional marketing should require a separate choice and should not be bundled into registration.

What matched educators may see

The recommended starting point is to show enough professional information to assess a match while keeping direct identifiers and contact details private.

Shown for matchingSubjects, phase and gradesSupports professional compatibility checks.
Shown for matchingProvince and districtSupports reciprocal route matching without an exact address.
Shown for matchingPost level and availabilityHelps educators assess whether a request is realistic.
Hidden initiallyFull name and school nameMay be revealed later only under clear user-controlled rules.
Hidden initiallyEmail and cellphone numberShould remain private until the educator actively chooses to share them.
Hidden initiallyOptional transfer reasonShould not be shown to other educators by default.

Privacy settings must be enforced by database security rules, not only hidden on the page. Interface controls alone do not protect stored information.

Sharing, service providers and transfers

May Cross Hub should not sell personal information. Information should be shared only where needed for the service, where the educator has chosen to reveal it, where a contracted provider processes it securely, or where disclosure is required or permitted by law.

RecipientWhat may be sharedPurpose and control
Potential matched educatorsPrivacy-controlled professional profile, broad location and messages sent after request acceptanceAssess compatibility, manage match requests and hold participant-only conversations.
Firebase / Google CloudAccount, profile and technical service dataAuthentication, database hosting and security, subject to final configuration and contractual review.
Authorised May Cross Hub administratorsOnly information needed for support, safety or administrationRole-based access, confidentiality and access logging should apply.
Authorities or legal recipientsInformation covered by a valid legal obligation or requestHandled carefully and limited to what is required.

Before launch, the operator must confirm and document where Firebase data is stored, assess any cross-border processing, verify the selected service region and update this policy with accurate provider details.

Security, incidents and retention

Implemented controls include verified authentication, separate private and match-safe profile documents, participant-only request and conversation access, immutable messages and Firestore security rules supplied with the website. Before launch, the operator must publish and test those rules and complete administrator access controls, monitoring, backups and an incident response process.

What happens after a security incident?

The operator should investigate promptly, contain the incident, document decisions and give any notifications required by POPIA to the Information Regulator and affected people. The actual response process and responsible contacts must be completed before launch.

How long will information be kept?

A final retention schedule has not yet been approved. Before launch, May Cross Hub must define periods for active accounts, closed accounts, request history, security logs and backups. Information should not be retained longer than necessary for its documented purpose or a legal requirement.

Does this website use cookies?

Firebase Authentication uses necessary browser storage to maintain secure sessions, and the homepage initialises Firebase Analytics where the browser supports it. Advertising is not included. Any additional optional tracking must be disclosed and, where required, offered as a separate choice.

Your choices and privacy rights

Subject to applicable law and any valid limitations, an educator may ask about personal information held by May Cross Hub and exercise relevant rights under POPIA.

AccessAsk whether information is held and request access to it.
CorrectionUpdate information that is inaccurate, incomplete, misleading or out of date.
DeletionRequest deletion or destruction where the legal requirements are met.
ObjectionObject to certain processing on reasonable grounds where POPIA provides for it.
Withdraw a choiceChange optional visibility and communication choices without affecting earlier lawful processing.
ComplainRaise a concern with May Cross Hub or lodge a complaint with the Information Regulator.

Identity may need to be confirmed before acting on a privacy request, but May Cross Hub should request only what is reasonably necessary for verification.

Contact, complaints and official resources

Privacy questions and requests should first be sent to the operator responsible for May Cross Hub. Accurate contact and Information Officer details must be published before any real personal information is collected.

Responsible party:Add before launch

Information Officer:Appoint and register

Privacy email:Add monitored address

Physical or postal address:Add before launch

Educators may also contact or complain to South Africa's Information Regulator. Users should consult the regulator's current website for official forms, contact details and procedures.

Information Regulator: POPIA resources South African Government: POPIA