HDSR Intensives Privacy Policy

1. Introduction

NGL ("we", "us" or "our") is a South Africa–registered education technology company (2025 / 841799 / 07) committed to protecting your privacy and handling your personal information responsibly. We primarily serve adult learners and working professionals globally through courses co-created with leading universities and institutes. This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use our educational products and services.

We adhere to applicable data protection laws – including the EU General Data Protection Regulation (GDPR), UK GDPR, South Africa’s Protection of Personal Information Act (POPIA), the California Consumer Privacy Act (CCPA), and U.S. education privacy laws like FERPA – which regulate the use of educational data and grant you various rights. Our services are not intended for people under 18, and we do not knowingly collect data from them in compliance with COPPA. By engaging with our platform (e.g. enrolling in a course, participating in a session, or using our site), you acknowledge the practices described in this Privacy Policy.

2. Data Collection and Consent

We believe in transparency and user control regarding data collection. Before or during enrolment in our courses or use of our platform, we will inform you of the data we collect and the purposes for processing. In many cases, we will seek your explicit consent for certain data uses, especially those not strictly necessary for delivering the core service. This consent is voluntary, granular, and may be withdrawn at any time without penalty.

For example, during signup you may be asked to agree to specific uses of your data (detailed below) such as personalising your learning or receiving marketing emails. Where consent is our legal basis (per GDPR Article 6(1)(a)), we will only process your data for those agreed purposes. In other cases, we rely on additional legal bases like contractual necessity or legitimate interests (with appropriate safeguards).

If you decline or withdraw consent for optional uses, you will still have access to core educational features.

Purposes of Collection (Consent Scope)

When we request consent, we clearly explain each purpose. These include:

Personalised Learning Experience: Using your data to tailor content, feedback, and course pacing to your needs.
Teaching Team Insights: Providing instructors and academic staff with reports on class progress and learning trends.
Educational Research: Analysing anonymised or pseudonymised data to improve learning outcomes and our platform’s effectiveness.
Marketing Communications: Sending updates on new courses, services, or surveys (only with your opt-in).

Consent will be obtained separately for each of the above where required, and you may choose which aspects to opt into. We will not use your personal data for any purpose that is incompatible with these specified uses without asking for additional consent.

3. Data We Collect

We collect only the personal data that is relevant and necessary to provide you with our educational services and improve our platform. This includes:

Contact Information: e.g. your name, email address, phone number, and organisation/employer (used for account setup and communication).
Professional & Profile Information: e.g. your job title, industry, areas of expertise, or education history (to tailor course content and networking).
Learning Activity Data: e.g. your course enrolments, attendance records, assignment submissions, quiz results, progress metrics, and feedback responses (collected to track your learning progress and enhance your experience).
Technical Data: e.g. device and browser information, IP address, login times, and usage logs of our platform (collected automatically to ensure platform functionality, security, and to troubleshoot technical issues).
Recorded Content: If applicable, audio/video recordings of live sessions, AI-generated transcripts of classes, chat or forum contributions, and any projects or content you create on the platform. These are collected to enable learning review, AI tutoring features, or community interaction. We minimise capturing sensitive audio/video; recordings focus on instructors’ content, and we anonymise participant inputs where possible.
Payment and Transaction Data: If you make payments for courses or services, we (or our payment processor) collect information such as your payment card details (handled securely by our payment partner), billing address, and transaction history. Note: NGL uses trusted third-party payment processors (e.g. Stripe) and does not store your full financial account numbers on our systems.

Data Collection Methods: We collect data directly from you (through forms, surveys, course activities), automatically through your interactions with our platform (using cookies and analytics tools), and from third parties when you integrate external accounts or when we receive info from partner universities involved in delivering a co-created course. All data is collected in accordance with applicable law and with your knowledge. Where required, we will obtain your consent.

4. How We Use Your Data

We use your personal data to deliver, support, and improve our educational services. Specifically, the key uses of your data are outlined below. For each category, we list the purpose, the legal basis for processing (under applicable laws), compliance measures, and your rights regarding that use.

4.1 Learning Personalisation

Purpose: We use your personal data (such as your learning activity and performance data) to enhance and personalise your learning experience. This includes adjusting content recommendations, providing tailored feedback or hints, and adapting the pacing or difficulty of material based on your engagement and progress. Our AI-driven tutoring systems and recommendation engines analyse your interactions to offer a customised learning path just for you.

Legal Basis & Compliance: The primary legal basis for this personalised processing is your explicit consent under GDPR Article 6(1)(a) (where required). We adhere to the GDPR’s principles of purpose limitation and data minimisation – using your data only to accomplish the personalisation you have agreed to. In regions like Europe, this kind of adaptive learning analytics is only performed with appropriate transparency and user approval.

In the United States, if our services are used in a school context, we ensure compliance with FERPA by treating personalised learning data as part of the educational record that cannot be disclosed beyond the school/authorised provider without consent. All personalisation algorithms are designed with privacy-by-design safeguards: for example, any automated decisions affecting you (e.g. adjusting your course difficulty) are never made in a way that produces legal or significant effects without human oversight. We explain the logic of such features to you and always allow for human review or intervention upon request, in line with GDPR provisions on automated decision-making.

Your Rights: Participation in personalised learning is optional. You can access the personal data used for personalisation and request an explanation of any automated recommendations made to you. You have the right to opt out of personalised content or analytics at any time. If you opt out, we will cease using your data for personalisation promptly. You retain all other rights over your data, including the right to have any profiling data corrected or erased as applicable.

4.2 Teaching Team and Faculty Insights

Purpose: We may provide aggregated and individual performance insights to your course instructors, teaching assistants, or academic faculty involved in your program. This helps them understand the class’s overall progress, identify common difficulties or frequently missed questions, and tailor their teaching strategies or offer targeted help.

For example, an instructor might see a dashboard of which quiz questions most students struggled with, or be notified if an individual learner is falling behind on assignments so they can reach out with support. These insights enable better lesson planning, timely interventions, and more relevant content updates to improve the learning experience for everyone.

Legal Basis & Compliance: For users in jurisdictions under GDPR, this processing is based on NGL’s legitimate interest in improving educational outcomes (GDPR Article 6(1)(f)), balanced against your data protection rights. We implement safeguards to ensure this data sharing with faculty is minimally intrusive: wherever possible, data is pseudonymised or aggregated before being shared, so instructors see trends and analytics without unnecessary personal identifiers.

Individually identifiable data is only provided to staff when necessary (for example, to alert an instructor that you specifically might need help, if such alerting is part of the learning support process) and always under strict confidentiality. In South Africa, we treat student performance data as sensitive and ensure compliance with POPIA’s requirements for handling special personal information, meaning we justify this use and apply extra security and privacy safeguards.

In the US, if applicable, FERPA allows sharing of student information internally with school officials (including teachers or contracted online providers like NGL) for legitimate educational interests under the “school official” exception, as long as the data is used only for educational purposes and not disclosed further. NGL acts as an extension of the educational institution in such cases, maintaining direct control and not redisclosing personal data beyond the authorised education personnel.

Your Rights: Your personal information and learning records will never be visible to other students or any external parties without your consent. Insights shared with teaching staff are used solely to support your education. If you have concerns, you may request that your individual data be excluded from certain analytics or progress reports that are not essential to your course (for instance, you could ask that your participation data not be included in aggregated class statistics used for research or product improvement – and we will honour such requests where feasible). We will not deny you any service or academic benefit if you exercise this right; however, note that instructors may still receive necessary information about your coursework if it is relevant to grading or providing academic support (which is a core part of the service).

4.3 Use of Data for Educational Research

Purpose: We are continuously striving to improve learning outcomes, refine our course design, enhance teaching methods, and measure the effectiveness of our platform. To these ends, we may use data generated on our platform for educational research and product development. Research uses might include analyses of how students learn with AI tutors, studies of which course components lead to better retention of knowledge, or academic research papers in collaboration with universities on learning science.

Whenever possible, we use anonymised or pseudonymised data for research – meaning the data is stripped of direct personal identifiers and aggregated, so it cannot be readily linked back to any specific individual.

Legal Basis & Compliance: Under GDPR, research aimed at improving education can be considered a purpose compatible with initial data collection and may fall under the regime of scientific or historical research. If we use your data for genuine research purposes, we implement the requisite safeguards, such as technical and organizational measures to ensure respect for data minimization and to prevent re-identification. Where research cannot be done with fully anonymous data, we will either seek your explicit consent to include your personal data in the study or ensure another valid legal basis. We also subject formal research projects to ethical review or institutional oversight when appropriate (for example, if partnering with a university’s researchers, we follow academic ethics board guidelines). In all cases, any research findings published or shared will be in aggregate form or with identities removed.

We also comply with other applicable privacy laws in this context: for example, South Africa’s POPIA and California’s CCPA both mandate transparency and strict purpose limitation for any secondary use of data. We do not use research data to make decisions about you individually unless you have explicitly consented to such use. This means, for instance, if our analysis reveals a certain learning pattern, we will not take action affecting your progress based on that analysis alone unless it is part of the service you signed up for. Research analyses remain separate from individualised services unless you opt in.

Your Rights: Participation in research uses of data is optional. You will have the opportunity to opt in or out of having your data included in research that goes beyond routine product improvement. Even if you initially consent, you retain the right to withdraw from ongoing research at any time. If you do opt out or withdraw, we will cease using your identifiable data for research promptly. If data has already been anonymised and aggregated in a research project, we may not be able to remove that data (because it can no longer be linked to you), but any non-anonymised research records would be deleted. You can also request that we delete any research-related data about you that is not fully anonymised, and we will honour such requests wherever feasible (unless it’s necessary to keep the data for legal/regulatory reasons, in which case we will inform you). Opting out of research will not affect your access to NGL’s learning services.

4.4 Use of Data for Marketing Communications

Purpose: If you choose to, you can allow us to use your contact information (such as your email address or phone number) to send you marketing communications. These communications may include newsletters about new courses or programs, personalised course recommendations, special offers, surveys about your learning interests, or updates and news about NGL. We strive to send content that is relevant and valuable to you, and we will not inundate you with marketing messages. Typically, you will receive such communications only if you have opted in to receive them.

Legal Basis & Compliance: We rely on your consent to send direct electronic marketing messages, in line with GDPR requirements and the EU ePrivacy Directive which generally requires prior opt-in for email/SMS marketing. (For example, by ticking a checkbox to subscribe to a newsletter or by not unchecking a default-off box during registration.) If you are a California resident, please note we do not “sell” your personal information as defined under CCPA. In any case, CCPA gives you the right to opt out of any sale or sharing of your info, and we honor that right (we actually never sell or rent user data to third parties). We also comply with all applicable anti-spam and marketing laws – this means every marketing email will have a clear unsubscribe link and accurate sender information, and we will promptly honor opt-out requests. Additionally, GDPR Article 21 gives you the right to object to direct marketing at any time; we make it easy for you to exercise this by allowing instant unsubscribe or profile preference changes.

Your Rights: If you have given consent to marketing, you can withdraw that consent at any time. Every promotional email from us will include an “unsubscribe” link at the bottom – clicking that will stop further emails. You can also adjust your communication preferences in your NGL account settings or by contacting us directly. Once you opt out, we will cease using your contact info for marketing purposes immediately (except for communications related to service announcements or transactions, which are not promotional). Opting out of marketing will not affect your access to our core educational services or your enrolment in any courses. Even after you unsubscribe, you may still receive necessary service emails (for example, course reminders, receipts for payments, or policy updates). If you have any issues managing your communication preferences, you can reach out to us and we will assist.

5. Data Security and Storage

We take the security of your personal data very seriously. NGL implements robust technical and organisational security measures to protect your information from unauthorised access, loss, or misuse.

These measures include, at a minimum: encryption of personal data in transit and at rest (to prevent eavesdropping or theft of data), access controls ensuring that only authorised NGL personnel or contractors can access the data they need for their job (for example, instructors only see data for their students, and support staff can only access your data when helping you with an issue), regular security audits and penetration testing of our systems, and continuous monitoring for potential vulnerabilities.

We follow industry best practices for software development and cloud security, including keeping our systems updated and patched. All data is stored on secure servers using modern cloud infrastructure with high reliability and compliance standards. Specifically, our primary servers and databases are hosted in the London (UK) region of Google Cloud Platform (ensuring compliance with UK and EU data protection standards), and we use EU-based or compliant data centres whenever feasible.

We also conduct training for our staff on data privacy and security. In the unlikely event of a security incident (data breach), we have a detailed response plan to contain and fix the issue, and we will notify affected users and relevant authorities as required by law. We want you to learn with confidence knowing that your data is safe with us.

6. Data Minimisation and Retention

We only collect the minimum amount of personal data needed to achieve the purposes described in this policy. We are committed to the principle of data minimisation, which means we do not ask for or retain data that isn’t relevant to your learning experience or our service’s operation.

We also limit how long we keep personal data. Retention periods are defined based on operational needs and legal requirements. In general, we retain your personal information only for as long as it is necessary to fulfil the purposes it was collected for, or as required by law or legitimate business interests (such as accounting, audit obligations, or fraud prevention).

For example, course participation records and any associated recordings are retained for an appropriate period to: allow you to review content after the course, enable us to evaluate course delivery and success, and meet operational or compliance requirements.

Once personal data is no longer needed for these purposes, we securely delete or irreversibly anonymise it. Anonymised learning data (which no longer identifies you) may be retained for longer periods (potentially indefinitely) for research or product development purposes. Account information may be retained as long as you have an active account with us, and for a reasonable period thereafter to support reactivation or to meet record-keeping obligations.

If you request deletion of your data, we will securely erase it (subject to any legal obligations to retain certain information, which we will communicate to you). Our data retention practices comply with GDPR and POPIA requirements for storage limitation and accuracy.

7. Data Sharing and Third-Party Processors

We do not sell or rent your personal data to anyone. We only share your information in the specific circumstances outlined below, and always under strict conditions designed to safeguard your privacy.

With Course Instructors and Partner Institutions

If your course is delivered by live instructors or co-created with a university or educational partner, we share only the information necessary to facilitate teaching, support, and assessment. For example, instructors may have access to your name, course profile, and relevant learning activity to help you succeed in the programme. These individuals and institutions are contractually bound by confidentiality obligations and, where applicable, data protection agreements. They are permitted to use your information solely for educational purposes in accordance with this Privacy Policy. We never share information that is not relevant to your specific course, and your data is not visible to other learners without your consent.

With Service Providers (Third-Party Processors)

To operate our platform and provide a seamless learning experience, NGL works with carefully selected third-party service providers. These include:

Cloud infrastructure providers for hosting servers, databases, and platform services in secure environments, with a strong focus on compliance and data residency (e.g., UK and EU-based storage).
AI and learning technologies that enable interactive tutorials, adaptive feedback, and automated transcription or summarisation—used only when necessary to deliver educational value and governed by data minimisation and privacy-by-design principles.
Platform engineering and monitoring services that support secure development, error tracking, and operational continuity.
Analytics and optimisation tools that help us understand how our website and platform are used, so we can improve performance and user experience. These services do not receive personally identifiable information unless essential, and we apply IP anonymisation and cookie controls where required.
Communications and support tools that power our helpdesk, live chat, and learner engagement activities. These systems may retain your messages, preferences, or support tickets in order to assist you more effectively.
Marketing systems (used only with your explicit opt-in) that manage newsletters, updates, and course announcements, with tracking enabled solely to assess content performance and engagement.
Payment processors that securely handle course enrolments and transactions. Financial data is transmitted directly to the payment provider and never stored on NGL’s servers.

These processors act strictly on our instructions and are contractually prohibited from using your personal data for any purpose beyond providing their services to us. Each provider is vetted for compliance with GDPR, POPIA, and other relevant data protection standards, and where required, we have Data Processing Agreements (DPAs) in place. For international transfers, we ensure appropriate safeguards such as Standard Contractual Clauses.

Note: We do not list the names of all third-party processors in this policy to protect NGL’s proprietary technology architecture. However, a detailed list is available to partners under confidentiality as part of our data protection agreements, or to individuals upon legitimate request.

With Legal or Regulatory Authorities

We may disclose personal data if required by law, regulation, legal process, or government request. This includes compliance with subpoenas, court orders, or lawful requests by regulators. In all such cases, we will limit the disclosure to what is strictly necessary and lawful, and where possible, we will inform you before disclosing your data.

In the Event of a Business Transfer

If NGL undergoes a merger, acquisition, or asset transfer, your data may be part of the assets transferred to the new entity. In such cases, the successor will be required to honour this Privacy Policy, and you will be notified of any change in data stewardship.

Except for the scenarios listed above, we do not disclose your personal data to any other parties, including other learners, customers, advertisers, or data brokers. All parties who process your data on our behalf are bound by strict confidentiality and data protection obligations.

8. Data Breach Response

Despite all our safeguards, no method of transmission or storage is 100% secure. In the unlikely event of a data breach (meaning personal data is accessed by unauthorised persons, lost, or stolen), NGL will act promptly to contain and remedy the situation. We have a detailed incident response plan in place that includes: immediate investigation and mitigation of the breach, measures to prevent further unauthorized access, and an assessment of the scope and impact.

We will notify affected users as soon as possible if the breach poses a high risk to your rights and freedoms. We will also fulfill any regulatory notification requirements – for example, under GDPR we will notify the relevant Data Protection Authority within 72 hours of becoming aware of a significant breach.

Our notification to you will include details of what happened, what data was involved (in general terms), what we are doing about it, and any steps you may consider taking to protect yourself (like changing passwords if relevant). We will provide updates as we learn more. NGL is committed to full transparency in such situations and to learning from incidents to further strengthen our security.

9. Your Data Rights

You have significant rights regarding your personal data. NGL is committed to facilitating the exercise of these rights. Specifically, you have the right to:

Access Your Data: You can request a copy of the personal data we hold about you, as well as information about how we use it.
Rectification: If any of your personal data is inaccurate or incomplete, you have the right to request that we correct or update it.
Deletion: You can ask us to delete your personal data in certain circumstances (subject to legal retention requirements).
Restriction of Processing: You have the right to request that we limit the processing of your data in certain scenarios.
Data Portability: For data you provided to us, you have the right to obtain it in a common machine-readable format.
Withdraw Consent: If we are processing any personal data based on your consent, you have the right to withdraw that consent at any time.
Object to Processing: In certain cases, you have the right to object to our processing of your data (including direct marketing).
Not Be Subject to Automated Decisions: NGL does not make any legally significant decisions about you purely by algorithms without human involvement.

To exercise any of these rights, you can contact us at any time. We will respond to your request as required by law (typically within one month for GDPR, for example). We will not discriminate against you for exercising your privacy rights.

Please note that some rights may be subject to certain exemptions or limitations by law. If we cannot fulfill a request in whole or in part, we will explain the reason to you.

Additionally, we do not discriminate or limit access to our services based on disability, background, or any protected characteristic. For details on our accessibility and inclusion commitments, see the Accessibility, Inclusion, and Non-Discrimination section in our Platform Terms of Use.

10. Cross-Border Data Transfers

NGL’s users are global, so your data may be transferred or accessed by our team and service providers in countries other than your own. We primarily store data in South Africa, the European Union/UK (London data centre), and in some cases in the United States. Whenever we transfer personal information across national borders, we take steps to ensure the transfer complies with applicable data protection laws and that adequate protections are in place.

For EU/EEA or UK Individuals: If we transfer your personal data out of the UK or European Economic Area (for example, to the US or South Africa), we will ensure an appropriate transfer mechanism is in place. Typically, this means we rely on European Commission-approved Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement as part of our contracts with the receiving party, obligating them to protect your data according to GDPR standards.

For South African Individuals: POPIA restricts transfers of personal information outside of South Africa unless certain conditions are met. We will only transfer your data to a third party in another country if that country’s laws provide an adequate level of protection or if we have an agreement with the recipient ensuring they will protect the information to the standard required by POPIA.

Other Regions: We similarly comply with any local cross-border transfer requirements. Regardless of where your data is processed, NGL will ensure that your data is afforded a high level of protection consistent with this Privacy Policy.

11. Cookie Policy

Like most online platforms, NGL uses cookies and similar tracking technologies to ensure our website and learning platform function properly, to analyse usage, and to personalise your experience.

What Are Cookies? Cookies are small text files placed on your device (computer, tablet, smartphone) by websites that you visit. Similar technologies include web beacons, pixels, local storage, and SDKs in mobile apps. For simplicity, we refer to all of these as “cookies.”

How We Use Cookies: NGL uses cookies for several reasons:

Necessary Cookies: Essential for the operation of our site and platform (e.g. keeping you logged in, remembering preferences).
Analytics and Performance Cookies: Help us understand usage (e.g. Google Analytics). We have configured Google Analytics to anonymize IP addresses.
Functionality Cookies: Enable enhanced features and personalisation (e.g. support chat sessions, login continuity).
Marketing and Communication Cookies: We currently do not host third-party ads, but we use certain tools to help with marketing communications and preference management.

Cookie Consent: When you first visit our website, you will see a cookie notice or banner that informs you about the use of cookies. Where required by law, we will obtain your consent before using or storing non-essential cookies on your device.

Managing Cookies: You can control cookies using our on-site preferences tools and/or your browser settings. If you disable cookies entirely, some features of our site or platform may not function properly.

Do-Not-Track Signals: Some browsers offer a “Do Not Track” (DNT) signal. Currently, there is no standard interpretation of DNT signals across websites. However, we treat a DNT signal as an opt-out of tracking for marketing/analytics on our site to the extent feasible.

12. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please reach out to us. We’re here to help. You can contact our privacy team at:

Email: support@nxgl.ai
Website: https://www.nxgl.ai (see the Contact or Support section)

We will respond to inquiries or requests as soon as possible, and certainly within any timeframes required by law. If you need to exercise your data rights, it will be helpful if you can mention what right you wish to exercise and provide details to verify your identity.

If you feel that we have not adequately addressed your privacy questions or concerns, we would appreciate the chance to address your concerns directly first, and we are committed to finding a resolution.

Thank you for trusting NGL with your learning journey. We are dedicated to safeguarding your personal information and continually improving our practices to better protect your privacy.

This Privacy Policy was last updated on 31 October, 2025.