Introduction
Ndikhondinani Skills Development ("we", "our", "us") is committed to protecting your privacy. This policy explains what personal information we collect, how we use it, and the choices you have. It aligns with South Africa's POPIA and, where applicable, the EU GDPR.
Information We Collect
We collect only what we need to provide and improve our services. Depending on how you use the platform (web app and mobile app), this may include:
- Account & Identity Data: name, email address, phone number (if provided), and authentication identifiers (e.g., Firebase UID).
- Enrolment & Programme Data: the qualifications, events, or workshops you view, apply for, or attend; submissions and forms you complete (e.g., enrolment forms, feedback).
- Device & Usage Data: IP address, device model, OS version, app version, language, time zone, crash diagnostics, performance metrics, and interaction logs for debugging and service quality.
- Communications: messages you send to us (support requests, feedback), and your preferences (e.g., notifications).
- Content You Provide: attachments or documents uploaded to support an application (e.g., certificates). Do not upload sensitive documents unless requested and necessary.
- Cookies & Similar Technologies: see Cookies & Similar Tech for details.
Special categories: We do not intentionally collect sensitive personal information (e.g., health, biometric, religious, or union data). If such data is required for a specific programme, we will request it explicitly and process it only with your consent and with appropriate safeguards.
How We Use Your Information
- Provide core services: create and manage your account, process enrolments, register you for events, and show your dashboard.
- Communicate with you: confirmations, reminders, important updates about your enrolments or events, and responses to support queries.
- Improve the platform: monitor performance, fix bugs, and develop new features based on aggregated usage patterns.
- Safety and integrity: prevent fraud, abuse, or misuse; enforce our terms and applicable policies.
- Legal compliance: record-keeping and responding to lawful requests where required.
- Optional messaging: with your consent, send occasional programme updates or community news. You can opt out at any time.
Legal Basis (POPIA/GDPR)
We process personal information in line with South Africa’s Protection of Personal Information Act (POPIA) and, where applicable, the EU General Data Protection Regulation (GDPR). Our main legal bases include:
- Contractual necessity: to provide the services you request (e.g., manage enrolments and event registrations).
- Legitimate interests: to maintain and improve the service, secure our systems, and support users (balanced against your rights).
- Consent: for optional features such as certain analytics, marketing messages, or when sensitive data is required for a specific purpose. You can withdraw consent at any time.
- Legal obligation: where the law requires retention or disclosure.
Data Retention
We keep personal information only as long as needed for the purposes described in this policy, and to meet legal, accounting, or reporting requirements. Typical retention guidelines include:
- Account data: retained while your account is active and for a reasonable period after closure (e.g., 12–24 months) for support, audit, and record-keeping, unless you request earlier deletion where applicable.
- Enrolment & event records: retained to evidence participation, certifications, or attendance, subject to programme and regulatory requirements.
- Diagnostics & logs: short to medium retention (e.g., 30–180 days) unless extended for security or debugging.
When retention ends, we securely delete or de-identify information. If deletion isn’t possible immediately (e.g., backups), we will isolate data from further processing until deletion is feasible.
Security
We use appropriate technical and organisational safeguards to protect personal information:
- Protection in transit and at rest: encryption, modern TLS, and secure key management by our cloud providers.
- Access controls: least-privilege access, role-based permissions, and authentication best practices.
- Monitoring & resilience: audit logs, alerts, and backups to support availability and incident response.
- Data minimisation: we collect only what is necessary and restrict retention.
No system is completely secure. If we become aware of a data incident that affects your rights, we will notify you and/or authorities as required by law.
Your Rights
Depending on your location and the applicable law (POPIA/GDPR), you may have the right to:
- Access: request a copy of your personal information.
- Rectify: correct incomplete or inaccurate data.
- Erase: request deletion in certain circumstances.
- Object / Restrict: object to or restrict processing where legally permitted, including for legitimate interest or direct marketing.
- Portability (GDPR): receive certain data in a structured, commonly used, machine-readable format.
- Withdraw consent: where processing is based on consent, you may withdraw it at any time.
To exercise your rights, contact us at info@ndikhondinani.org. We may need to verify your identity before responding. You also have the right to lodge a complaint with your data protection regulator.
International Transfers
We may process or store information on servers located outside your country. Where data is transferred internationally, we implement appropriate safeguards to protect it, such as contractual clauses and verified provider protections. For POPIA, cross-border transfers comply with the conditions of section 72; for GDPR, we rely on adequacy decisions or standard contractual clauses where applicable.
Children’s Privacy
Our services are intended for users aged 16 and older (or the age of digital consent in your jurisdiction). We do not knowingly collect personal information from children without appropriate consent. If you believe a child has provided us with personal information without consent, please contact us and we will take steps to delete it.
Changes to This Policy
We may update this policy to reflect changes to our services or legal requirements. When we make material changes, we will take reasonable steps to notify you (e.g., in-app notice, email) and update the “Last updated” date at the top of this page.
Contact Us
Questions, requests, or complaints about privacy? Reach us at info@ndikhondinani.org. We aim to respond promptly and will work to resolve your concerns.
Ndikhondinani Skills Development — South Africa