Mlinzi Cyber Ltd ("Mlinzi Cyber," "we," "us," or "our") is committed to protecting the privacy and security of your personal data. This Privacy Policy explains how we collect, use, share, store, and protect information about you when you use the Mlinzi Cyber cybersecurity training platform, including our website at mlinizicyber.com, mobile applications, APIs, and all related services (collectively, the "Platform").
This Policy applies to all users of the Platform worldwide, including learners, corporate subscribers, institutional partners, and visitors. Please read this Policy carefully. By using the Platform, you acknowledge that you have read and understood this Policy.
This Policy is incorporated into and forms part of our Terms and Conditions. Capitalised terms not defined here have the meanings given in our Terms and Conditions.
Data Controller. Mlinzi Cyber Ltd is the data controller responsible for your personal data. Our principal place of business is Nairobi, Kenya, with operations in Chicago, Illinois, USA.
Data Protection Officer. We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this Privacy Policy. If you have any questions about this Policy, including any requests to exercise your legal rights, please contact our DPO at:
Email: [email protected]
Address: Data Protection Officer, Mlinzi Cyber Ltd, Nairobi, Kenya / Chicago, Illinois, USA
EU Representative. For users in the European Economic Area (EEA), Mlinzi Cyber's EU representative can be contacted at [email protected].
Regulatory Authorities. You have the right to lodge a complaint with your local data protection authority at any time. In Kenya, this is the Office of the Data Protection Commissioner (ODPC). In South Africa, this is the Information Regulator. In the EU, this is your national supervisory authority.
We collect the following categories of personal data:
Account and Identity Data. When you register for an account, we collect your name, email address, username, password (stored in hashed form), country of residence, and preferred language. For corporate accounts, we also collect your organisation name, job title, and billing address.
Learning and Progress Data. We collect data about your interactions with the Platform, including courses enrolled in, lessons completed, quiz scores, assessment results, certificates earned, learning paths followed, time spent on each module, and skill level assessments.
Payment and Billing Data. When you subscribe to a paid plan, payment processing is handled by Stripe, Inc. We receive from Stripe a tokenised payment reference, the last four digits of your card, card expiry date, billing country, and transaction history. We do not receive or store your full card number or CVV code.
Technical and Device Data. We automatically collect certain technical data when you use the Platform, including your IP address, browser type and version, operating system, device identifiers, screen resolution, referring URLs, pages visited, time and date of visits, and session duration.
Communication Data. If you contact us by email, chat, or support ticket, we retain records of that correspondence, including your contact details and the content of your messages.
Cookie and Tracking Data. We use cookies and similar tracking technologies as described in Section 9 of this Policy.
User-Generated Content. If you post content on the Platform (such as forum posts or feedback submissions), we collect and store that content.
Corporate and Institutional Data. For enterprise subscribers, we may collect additional data about your organisation's employees or students as directed by the corporate account administrator, who acts as a separate data controller for that data.
Sensitive Data. We do not intentionally collect sensitive personal data (such as health data, racial or ethnic origin, political opinions, or biometric data). Please do not submit such data through the Platform.
For users in the European Economic Area (EEA) and South Africa, we process your personal data on the following legal bases:
Contract Performance. We process Account and Identity Data, Learning and Progress Data, and Payment and Billing Data to perform our contract with you — specifically, to provide you with access to the Platform, deliver courses, issue certificates, and process payments. This is the primary legal basis for most of our data processing.
Legitimate Interests. We process Technical and Device Data and Cookie Data to maintain the security and performance of the Platform, detect and prevent fraud, improve our services, and conduct analytics. We have conducted a balancing test and determined that our legitimate interests are not overridden by your interests or fundamental rights.
Legal Obligation. We may process your data where necessary to comply with a legal obligation, including tax and accounting requirements, anti-money laundering obligations, and responses to lawful requests from public authorities.
Consent. Where we rely on consent as a legal basis (for example, for marketing emails or non-essential cookies), you have the right to withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
Vital Interests. In exceptional circumstances, we may process personal data where necessary to protect the vital interests of you or another person.
We use your personal data for the following purposes:
Platform Delivery. To create and manage your account, provide access to courses and learning materials, track your progress, issue certificates of completion, and process subscription payments.
Personalisation. To personalise your learning experience, including recommending courses based on your progress and interests, adjusting content difficulty, and providing AI-powered learning suggestions.
Communications. To send you transactional emails (such as account confirmations, payment receipts, and certificate notifications), service announcements, and, where you have opted in, marketing communications about new courses, features, and promotions.
Security and Fraud Prevention. To detect, investigate, and prevent fraudulent transactions, abuse, and other illegal activities; to enforce our Terms and Conditions; and to protect the rights and safety of Mlinzi Cyber, our users, and the public.
Analytics and Improvement. To analyse usage patterns, measure the effectiveness of our courses, identify technical issues, and improve the Platform's features and content.
Legal Compliance. To comply with applicable laws and regulations, including tax obligations, data protection laws, and responses to lawful requests from courts or regulatory authorities.
Corporate Reporting. For corporate subscribers, to provide administrators with aggregated and individual progress reports on their team members' learning activities.
Mlinzi Cyber operates globally, with infrastructure and service providers located in multiple countries including Kenya, South Africa, the United States, and the European Union. Your personal data may be transferred to and processed in countries outside your country of residence.
Transfers from the EEA. Where we transfer personal data from the European Economic Area to countries not recognised by the European Commission as providing an adequate level of data protection, we rely on appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission, or other legally recognised transfer mechanisms.
Transfers from South Africa. Where we transfer personal data from South Africa to recipients in other countries, we ensure that the recipient country provides an adequate level of protection, or that appropriate safeguards are in place as required by POPIA.
Transfers from Kenya. Where we transfer personal data from Kenya, we comply with the requirements of the Kenya Data Protection Act 2019, including ensuring that the recipient country provides adequate protection or that appropriate safeguards are in place.
You may request a copy of the safeguards we use for international transfers by contacting [email protected].
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements.
Account Data. We retain your account data for the duration of your account and for 3 years after account closure, to allow you to reactivate your account and to comply with legal obligations.
Learning and Progress Data. We retain your course progress, quiz scores, and assessment results for the duration of your account and for 5 years after account closure, to support certificate verification and to comply with educational record-keeping requirements.
Certificate Records. Records of issued certificates are retained indefinitely to support the certificate verification system.
Payment Records. We retain payment transaction records for 7 years from the date of the transaction to comply with tax and accounting obligations.
Communication Records. Support correspondence is retained for 2 years from the date of the last communication.
Technical Logs. Server logs and security logs are retained for 90 days.
Anonymised Data. We may retain anonymised, aggregated data indefinitely for analytics and research purposes.
Upon the expiry of the applicable retention period, we will securely delete or anonymise your personal data. If deletion is not immediately possible (for example, because data is stored in backup archives), we will securely isolate your data and protect it from further processing until deletion is possible.
Depending on your jurisdiction, you may have the following rights in relation to your personal data. To exercise any of these rights, please contact [email protected].
Right of Access. You have the right to request a copy of the personal data we hold about you, along with information about how we use it.
Right to Rectification. You have the right to request that we correct any inaccurate or incomplete personal data we hold about you.
Right to Erasure ("Right to Be Forgotten"). You have the right to request that we delete your personal data in certain circumstances, including where the data is no longer necessary for the purpose for which it was collected, or where you withdraw consent and there is no other legal basis for processing.
Right to Restriction of Processing. You have the right to request that we restrict the processing of your personal data in certain circumstances, for example while we verify the accuracy of data you have disputed.
Right to Data Portability. You have the right to receive your personal data in a structured, commonly used, machine-readable format, and to transmit that data to another controller, where technically feasible.
Right to Object. You have the right to object to the processing of your personal data where we rely on legitimate interests as the legal basis. You also have an absolute right to object to processing for direct marketing purposes.
Rights Related to Automated Decision-Making. You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal or similarly significant effects on you. Mlinzi Cyber does not currently make such automated decisions.
Right to Withdraw Consent. Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
POPIA Rights (South Africa). South African users have the rights described above under POPIA, including the right to complain to the Information Regulator.
Kenya DPA Rights. Kenyan users have the rights described above under the Kenya Data Protection Act 2019, including the right to complain to the Office of the Data Protection Commissioner.
We will respond to all legitimate requests within 30 days. Occasionally it may take longer if your request is particularly complex or you have made multiple requests. In this case, we will notify you and keep you updated.
We have implemented appropriate technical and organisational security measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:
Encryption. All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. Passwords are stored using industry-standard hashing algorithms (bcrypt). Payment data is handled exclusively by Stripe, which is PCI DSS Level 1 certified.
Access Controls. Access to personal data is restricted to authorised personnel on a need-to-know basis. All staff with access to personal data are subject to confidentiality obligations.
Infrastructure Security. Our infrastructure is hosted on reputable cloud providers with ISO 27001 certification. We implement firewalls, intrusion detection systems, and regular vulnerability scanning.
Incident Response. We maintain a data breach response plan. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (as required by GDPR and POPIA), and will notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
Limitations. While we implement robust security measures, no method of transmission over the internet or method of electronic storage is 100% secure. We cannot guarantee the absolute security of your data.
The Platform is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16 without verifiable parental or guardian consent. If you are a parent or guardian and believe that your child has provided personal data to us without your consent, please contact us at [email protected] and we will take steps to delete that data.
For institutional programmes that include learners between the ages of 16 and 18, the institution acts as the data controller and is responsible for obtaining appropriate parental consent and complying with applicable laws relating to minors.
We may send you marketing communications about new courses, features, promotions, and events where you have opted in to receive such communications, or where we have a legitimate interest in contacting you about similar products and services you have previously purchased.
You can opt out of marketing communications at any time by: (a) clicking the "unsubscribe" link in any marketing email; (b) updating your notification preferences in your account settings; or (c) contacting us at [email protected].
Opting out of marketing communications does not affect transactional communications, such as account confirmations, payment receipts, or security alerts, which we may continue to send as necessary to provide the Platform.
The Platform contains links to third-party websites, including employer websites, LinkedIn, Indeed, and external resources. This Privacy Policy does not apply to those third-party websites. We encourage you to read the privacy policies of any third-party websites you visit.
Mlinzi Cyber is not responsible for the privacy practices or content of third-party websites. The inclusion of a link does not imply our endorsement of the linked website.
European Economic Area (EEA) Users. In addition to the rights described in Section 10, EEA users may lodge a complaint with their national data protection supervisory authority. You may also use the EU Online Dispute Resolution platform. Our processing of EEA personal data is governed by the GDPR.
South African Users. Our processing of South African personal data is governed by POPIA. You may lodge a complaint with the Information Regulator at inforeg.org.za. The Information Regulator's contact details are: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001; email: [email protected].
Kenyan Users. Our processing of Kenyan personal data is governed by the Data Protection Act 2019. You may lodge a complaint with the Office of the Data Protection Commissioner (ODPC) at odpc.go.ke.
Mozambican Users. Mozambique does not currently have a comprehensive data protection law in force. We apply GDPR standards as a baseline for all Mozambican users' data.
Botswana Users. Our processing of Botswana personal data is governed by the Data Protection Act 2018. You may lodge a complaint with the Information and Data Protection Commission.
United States Users. For users in California, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information is collected, the right to delete personal information, and the right to opt out of the sale of personal information. We do not sell personal information. To exercise your CCPA rights, contact [email protected].
Nigerian Users. Our processing of Nigerian personal data is governed by the Nigeria Data Protection Act 2023 (NDPA). You may lodge a complaint with the Nigeria Data Protection Commission (NDPC).
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by: (a) posting the updated Policy on the Platform with a revised "Last Updated" date; (b) sending an email notification to your registered email address; or (c) displaying a prominent notice on the Platform.
We encourage you to review this Policy periodically. Your continued use of the Platform after the effective date of the updated Policy constitutes your acceptance of the changes.
If you have any questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact our Data Protection Officer:
Email: [email protected]
Legal enquiries: [email protected]
Address: Data Protection Officer, Mlinzi Cyber Ltd, Nairobi, Kenya / Chicago, Illinois, USA
We will respond to all enquiries within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority as described in Section 15.
For privacy-related enquiries, contact our Data Protection Officer at [email protected].