Privacy Policy

Last updated: March 2026

This Privacy Policy describes how NxGN (Pty) Ltd (“the Company”, “we”, “us”, or “our”) collects, uses, stores, and discloses your personal information when you use our website, the Capstone platform, the Guardian platform, and any related services. It also explains your privacy rights under the Protection of Personal Information Act, 2013 (POPIA) and, where applicable, the General Data Protection Regulation (GDPR).

By using the Service, you acknowledge that you have read and understood this Privacy Policy. Where we rely on consent as the legal basis for processing your personal information, we will obtain that consent separately and explicitly.

Interpretation and Definitions

Interpretation

Words whose initial letter is capitalised have the meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear in singular or plural.

Definitions

For this Privacy Policy:

  • Account means a unique account created for you to access our Service or parts of our Service.
  • Affiliate means an entity that controls, is controlled by, or is under common control with a party, where “control” means ownership of 50% or more of the shares, equity interest, or other securities entitled to vote for the election of directors or other managing authority.
  • Company (referred to as either “the Company”, “we”, “us”, or “our” in this Policy) refers to NxGN (Pty) Ltd, Charlton House, Hampton Office Park, 20 Georgian Crescent East, Bryanston East, 2191, Johannesburg, South Africa.
  • Capstone refers to the Company’s operational intelligence platform, including any hosted or cloud-based instances, dashboards, and related interfaces.
  • Cookies are small files placed on your computer, mobile device, or other device by a website that contain details of your browsing history, among their many uses.
  • Country refers to South Africa.
  • Data Subject means the natural person to whom personal information relates; in this Policy, referred to as “you”.
  • Device means any device that can access the Service, such as a computer, a cellphone, or a digital tablet.
  • Guardian refers to the Company’s environment, health, and safety (EHS) management platform, including any hosted or cloud-based instances and related interfaces.
  • Information Officer means the person registered with the Information Regulator who is responsible for ensuring compliance with POPIA within the Company.
  • Information Regulator means the South African Information Regulator established under Section 39 of POPIA.
  • Operator means a Service Provider who processes personal information on behalf of the Company under a contract or mandate, as defined in POPIA; referred to in the GDPR as a “processor”.
  • Personal Information / Personal Data means information relating to an identifiable, living natural person and, where applicable, an identifiable existing juristic person as defined in POPIA Section 1, or any information relating to an identified or identifiable natural person as defined in GDPR Article 4.
  • Processing means any operation or activity, whether automated or not, concerning personal information, including collection, receipt, recording, organisation, storage, updating, modification, retrieval, consultation, use, dissemination, merging, linking, restriction, degradation, erasure, or destruction.
  • Responsible Party means the Company, being the person who determines the purpose of and means for processing personal information; referred to in the GDPR as a “controller”.
  • Service refers to the Website, the Capstone platform, the Guardian platform, and any related applications or services provided by the Company.
  • Service Provider means any natural or legal person who processes data on behalf of the Company. It refers to third-party companies or individuals employed by the Company to facilitate the Service, provide the Service on the Company’s behalf, perform services related to the Service, or assist the Company in analysing how the Service is used.
  • Special Personal Information means personal information concerning a data subject’s religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health, sexual life, biometric information, or criminal behaviour, as defined in POPIA Section 26.
  • Usage Data refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).
  • Website refers to NxGN Solutions, accessible from https://www.nxgnsolutions.com
  • You means the individual accessing or using the Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable.

Information Officer

POPIA Section 55 requires the Company to appoint an Information Officer who is responsible for encouraging compliance with POPIA, handling requests related to personal information, and cooperating with the Information Regulator. The Information Officer must be registered with the Information Regulator before commencing their duties.

The Company is in the process of appointing and registering an Information Officer. Until such time as the registration is complete, all privacy-related enquiries should be directed to:

  • Email: [email protected]
  • Address: Charlton House, Hampton Office Park, 20 Georgian Crescent East, Bryanston East, 2191, Johannesburg, South Africa

If you wish to lodge a complaint about how we handle your personal information, you may contact the Information Regulator directly:

If you are located in the European Economic Area, you may also lodge a complaint with your local data protection supervisory authority.

Collecting and Using Your Personal Data

Types of Data Collected

Personal Data

While using our Service, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you. Providing this information is voluntary unless otherwise indicated; however, if you choose not to provide certain information, you may not be able to use all features of the Service. Personally identifiable information may include, but is not limited to:

  • Email address
  • First name and last name
  • Phone number
  • Address, Province, Postal code, City
  • Usage Data

We do not collect Special Personal Information as defined in POPIA Section 26 through this Website, unless explicitly stated and with your separate consent.

Usage Data

Usage Data is collected automatically when using the Service.

Usage Data may include information such as your device’s Internet Protocol (IP) address, browser type, browser version, the pages of our Service that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers, and other diagnostic data.

When you access the Service by or through a mobile device, we may collect certain information automatically, including, but not limited to, the type of mobile device you use, your mobile device unique ID, the IP address of your mobile device, your mobile operating system, the type of mobile Internet browser you use, unique device identifiers, and other diagnostic data.

We may also collect information that your browser sends whenever you visit our Service or access it by or through a mobile device.

Legal Basis for Processing

We process your personal information only when we have a lawful basis to do so. Under POPIA Section 11 and GDPR Article 6, the legal bases we rely on include:

  • Consent: You have given us clear, voluntary, and informed consent to process your personal information for a specific purpose. You may withdraw consent at any time by contacting us, and we will stop processing your information for that purpose unless another legal basis applies.
  • Contract: Processing is necessary to perform a contract with you or to take steps at your request before entering into a contract.
  • Legal obligation: Processing is necessary for compliance with a legal obligation to which we are subject.
  • Legitimate interest: Processing is necessary for our legitimate interests or the legitimate interests of a third party, provided that your rights and interests do not override those interests. Our legitimate interests include improving and maintaining our Service, preventing fraud, and conducting internal analytics.

The table below maps each processing purpose to its legal basis:

| Purpose | Legal Basis |
|---|---|
| Providing and maintaining the Service | Contract; Legitimate interest |
| Managing your Account | Contract |
| Performance of a contract | Contract |
| Contacting you about the Service | Contract; Legitimate interest |
| Direct marketing communications | Consent (opt-in required) |
| Managing your requests | Contract; Legitimate interest |
| Business transfers | Legitimate interest |
| Analytics and improvement | Legitimate interest |

Tracking Technologies and Cookies

We use Cookies and similar tracking technologies to track the activity on our Service and store certain information. The tracking technologies used are beacons, tags, and scripts, which collect and track information and help to improve and analyse our Service. The technologies we use may include:

  • Cookies or Browser Cookies. A cookie is a small file placed on your device. You can instruct your browser to refuse all Cookies or to indicate when a Cookie is being sent. However, if you do not accept Cookies, you may not be able to use some parts of our Service. Unless you have adjusted your browser settings to refuse Cookies, our Service may use Cookies.
  • Web Beacons. Certain sections of our Service and our emails may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit the Company, for example, to count users who have visited those pages or opened an email and for other related website statistics (for example, recording the popularity of a certain section and verifying system and server integrity).

Cookies can be “Persistent” or “Session” Cookies. Persistent Cookies remain on your personal computer or mobile device when you go offline, while Session Cookies are deleted as soon as you close your web browser.

We use both Session and Persistent Cookies for the purposes set out below:

Necessary / Essential Cookies

  • Type: Session Cookies
  • Administered by: Us
  • Purpose: These Cookies are essential to provide you with services available through the Website and to enable you to use certain features. They help to authenticate users and prevent fraudulent use of user accounts. Without these Cookies, the services you have requested cannot be provided, and we use them only to provide those services.

Cookies Policy / Notice Acceptance Cookies

  • Type: Persistent Cookies
  • Administered by: Us
  • Purpose: These Cookies identify if users have accepted the use of cookies on the Website.

Functionality Cookies

  • Type: Persistent Cookies
  • Administered by: Us
  • Purpose: These Cookies allow us to remember choices you make when you use the Website, such as remembering your login details or language preference. The purpose of these Cookies is to provide you with a more personal experience and to avoid you having to re-enter your preferences every time you use the Website.

For more information about the cookies we use and your choices regarding cookies, please refer to the Tracking Technologies and Cookies section above.

Use of Your Personal Data

The Company may use Personal Data for the following purposes:

  • To provide and maintain our Service, including monitoring the usage of our Service.
  • To manage your Account: to manage your registration as a user of the Service. The Personal Data you provide can give you access to different functionalities of the Service that are available to you as a registered user.
  • For the performance of a contract: the development, compliance, and undertaking of the purchase contract for the products, items, or services you have purchased or of any other contract with us through the Service.
  • To contact you: to contact you by email, telephone calls, SMS, or other equivalent forms of electronic communication, such as push notifications regarding updates or informative communications related to the functionalities, products, or contracted services, including security updates, when necessary or reasonable for their implementation.
  • To provide you with direct marketing communications about goods, services, and events that we offer that are similar to those that you have already purchased or enquired about. In accordance with POPIA Section 69 and GDPR, we will only send you direct marketing by electronic means where you have given us your prior, explicit opt-in consent. You may opt out at any time by using the unsubscribe mechanism in any communication or by contacting us directly.
  • To manage your requests: to attend to and manage your requests to us.
  • For business transfers: we may use your information to evaluate or conduct a merger, divestiture, restructuring, reorganisation, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Data held by us about our Service users is among the assets transferred.
  • For analytics and improvement: we may use your information to analyse data, identify usage trends, determine the effectiveness of our promotional campaigns, and evaluate and improve our Service, products, services, marketing, and your experience.

Sharing Your Personal Information

We may share your personal information in the following situations:

  • With Service Providers (Operators): We may share your personal information with Service Providers to monitor and analyse the use of our Service, and to contact you. Where we engage an Operator to process personal information on our behalf, we ensure they are bound by a written contract in accordance with POPIA Section 21, requiring them to process your data only on our instructions and to maintain adequate security measures.
  • For business transfers: We may share or transfer your personal information in connection with, or during negotiations of, any merger, sale of Company assets, financing, or acquisition of all or a portion of our business to another company.
  • With Affiliates: We may share your information with our affiliates, in which case we will require those affiliates to honour this Privacy Policy. Affiliates include our parent company and any other subsidiaries, joint venture partners, or other companies that we control or that are under common control with us.
  • With business partners: We may share your information with our business partners to offer you certain products, services, or promotions.
  • With your consent: We may disclose your personal information for any other purpose with your consent.

We do not sell your personal information to third parties.

Your Rights

Under POPIA and, where applicable, the GDPR, you have the following rights regarding your personal information. You may exercise any of these rights by contacting our Information Officer using the details provided above.

Rights under POPIA (Section 5 and related sections)

  • Right to be notified: You have the right to be informed that your personal information is being collected, as well as the purpose for which it is collected (Section 18).
  • Right of access: You may request confirmation of whether we hold personal information about you and request access to that information (Section 23).
  • Right to correction: You may request that we correct or delete personal information about you that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully (Section 24).
  • Right to deletion: You may request that we delete or destroy your personal information that we are no longer authorised to retain (Section 24).
  • Right to object: You may object, on reasonable grounds relating to your particular situation, to the processing of your personal information (Section 11(3)). You may also object to the processing of your personal information for purposes of direct marketing by unsolicited electronic communications (Section 69).
  • Right not to be subject to automated decision-making: You have the right not to be subject to a decision based solely on automated processing of your personal information that significantly affects you, unless appropriate measures are in place to protect your legitimate interests (Section 71).
  • Right to lodge a complaint: You have the right to lodge a complaint with the Information Regulator if you believe that we have interfered with the protection of your personal information (Section 74).

Additional rights under GDPR (where applicable)

If you are located in the European Economic Area, you have the following additional rights:

  • Right to data portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller (Article 20).
  • Right to restriction of processing: You have the right to request that we restrict the processing of your personal data under certain conditions (Article 18).
  • Right to withdraw consent: Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing carried out before the withdrawal (Article 7).
  • Right to lodge a complaint: You may lodge a complaint with your local supervisory authority (Article 77).

We will respond to your request within a reasonable period, and in any event within 30 days for POPIA requests or one month for GDPR requests. We will not charge a fee for fulfilling your request unless the request is manifestly unfounded or excessive.

Retention of Your Personal Data

The Company will retain your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy, in accordance with POPIA Section 14. Specifically:

  • Account and contact information: Retained for the duration of your relationship with us, plus a reasonable period afterward to manage any queries, complaints, or legal claims.
  • Contractual records: Retained for the duration of the contract, plus 5 years to comply with applicable South African commercial and tax legislation.
  • Usage Data: Generally retained for 24 months for analytics purposes, unless a longer retention period is required by law or is necessary for security purposes.
  • Marketing consent records: Retained for as long as you remain opted in, plus a reasonable period after opt-out for record-keeping.

Once the purpose for processing has been fulfilled and the retention period has expired, we will de-identify or destroy personal information in a manner that prevents its reconstruction.

Transfer of Your Personal Data

Your information, including Personal Data, is processed at the Company’s operating offices and in any other places where the parties involved in the processing are located. This information may be transferred to, and maintained on, computers located outside of your province, country, or other governmental jurisdiction where the data protection laws may differ from those in your jurisdiction.

In accordance with POPIA Section 72, we will only transfer your personal information to a recipient in another country if one or more of the following conditions are met:

  • The recipient country has adequate data protection laws.
  • The recipient is bound by a contract, binding corporate rules, or another legally enforceable instrument that provides adequate protection.
  • You have given your explicit consent to the proposed transfer after being informed of the possible risks.
  • The transfer is necessary to perform a contract between you and us.
  • The transfer is necessary to implement pre-contractual measures taken in response to your request.

Where GDPR applies, international transfers will be safeguarded by appropriate measures such as Standard Contractual Clauses (SCCs) approved by the European Commission, or transfers will only be made to countries with an adequacy decision.

The Company will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy, and no transfer of your Personal Data will take place to an organisation or country unless adequate controls are in place, including controls over the security of your data and other personal information.

Disclosure of Your Personal Data

Business Transactions

If the Company is involved in a merger, acquisition, or asset sale, your Personal Data may be transferred. We will provide notice before your Personal Data is transferred and becomes subject to a different Privacy Policy.

Law Enforcement

Under certain circumstances, the Company may be required to disclose your Personal Data by law or in response to valid requests from public authorities (e.g., a court or a government agency).

Other Legal Requirements

The Company may disclose your Personal Data in good faith belief that such action is necessary to:

  • Comply with a legal obligation
  • Protect and defend the rights or property of the Company
  • Prevent or investigate possible wrongdoing in connection with the Service
  • Protect the personal safety of users of the Service or the public
  • Protect against legal liability

Data Breach Notification

In the event of a security compromise that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal information, we will:

  • Notify the Information Regulator as soon as reasonably possible, in accordance with POPIA Section 22.
  • Notify affected data subjects as soon as reasonably possible after discovering the breach, unless a law enforcement agency requests a delay.
  • Provide sufficient information to allow you to take protective measures, including a description of the possible consequences and the measures we have taken or intend to take to address the breach.

Where GDPR applies, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible, in accordance with GDPR Article 33.

Security of Your Personal Data

The security of your Personal Data is important to us. We implement appropriate technical and organisational measures to protect your personal information against unlawful access, loss, damage, or destruction. These measures include, but are not limited to:

  • Encryption of data in transit using TLS/SSL
  • Access controls limiting who within the organisation can access personal data
  • Regular review of our information collection, storage, and processing practices

While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security. No method of transmission over the Internet or method of electronic storage is 100% secure.

Children’s Privacy

Our Service does not address anyone under the age of 18. We do not knowingly collect personally identifiable information from anyone under the age of 18. In terms of POPIA, a child is defined as a natural person under the age of 18 years who is not legally competent.

If you are a parent or guardian and you are aware that your child has provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from anyone under the age of 18 without the consent of a competent person (parent or guardian), we will take steps to remove that information from our servers.

Automated Decision-Making

We do not currently use automated decision-making or profiling that produces legal effects or similarly significant effects on you. If this changes, we will update this Privacy Policy and, where required, obtain your consent or provide a mechanism for you to request human intervention.

Links to Other Websites

Our Service may contain links to other websites that we do not operate. If you click on a third-party link, you will be directed to that third party’s site. We strongly advise you to review the Privacy Policy of every site you visit.

We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.

Changes to this Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page.

We will let you know via email and/or a prominent notice on our Service prior to the change becoming effective, and we will update the “Last updated” date at the top of this Privacy Policy.

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

Governing Law

This Privacy Policy is governed by the laws of the Republic of South Africa, including the Protection of Personal Information Act, 2013 (POPIA). Where applicable, it also complies with the General Data Protection Regulation (EU) 2016/679.

Contact Us

If you have any questions about this Privacy Policy, wish to exercise any of your rights, or need to report a data-related concern, you can contact us:

To lodge a complaint with the Information Regulator: