Skip to main content

Alpha This is a new service. Take part in user research to help us improve it.

Privacy notice

How NDX collects and uses your data

Privacy notice

How NDX collects and uses your data.

The data controller for the NDX Platform is the Department for Science, Innovation and Technology (DSIT), as the parent organisation for GDS Digital Products. A data controller determines how and why personal data is processed. Read DSIT’s registration details with the Information Commissioner’s Office for more information.

What data we collect

When you use NDX, we may collect:

Account and authentication data

When you create an NDX account or sign in using your organisation’s identity provider, we collect:

  • your email address
  • your display name
  • your name (first and last)
  • your username
  • your organisational roles
  • your government organisation (derived from your email domain)

If you accept analytics cookies, we collect:

  • pages you visit
  • time spent on pages
  • links you click
  • how you arrived at the site

We use Google Analytics to process this data. Google acts as a data processor on our behalf. We do not allow Google to use or share analytics data for their own purposes.

User research

We may contact you, with your consent, to engage in user research surveys to understand your experiences while using our service offering for your organisation.

Try Before You Buy data

When you use the Try Before You Buy service, we collect:

  • service access requests
  • sandbox session details
  • usage patterns within sandbox environments

Session data

Temporary data stored in your browser to maintain your session, including authentication state and return URLs.

Why we collect this data

We collect data to:

  • create and manage your NDX account
  • provide and improve the NDX service
  • ensure only authorised government users can access sandbox environments
  • understand how the service is used
  • communicate important information about your account and sessions
  • ensure security and prevent misuse
  • comply with legal and audit obligations

We process your data under the following legal bases:

  • Public task - processing is necessary for the performance of a task carried out in the public interest (Article 6(1)(e) UK GDPR) and to maintain security and audit logs (Article 6(1)© UK GDPR)
  • Consent - for analytics cookies and user research (you can withdraw consent at any time)

How long we keep your data

  • Session data - deleted when you sign out or close your browser and immediately after the 24 hour trial sandbox period allocated to your organisation.
  • Account data - retained for up to 5 years after your last activity, or until you request deletion.
  • Analytics data - retained for 2 years to enable statistical review of our services.
  • Sandbox activity logs - retained for up to 53 years for audit and compliance purposes.

Who we share your data with

We may share data with:

  • Google - as a data processor for analytics (if you consent to analytics cookies)
  • AWS (Amazon Web Services) - our cloud infrastructure provider
  • Your organisation - service usage information may be shared with your department for audit or service improvement purposes
  • Other government departments - when required for cross-government collaboration or audit
  • Law enforcement - only when legally required to under our UK GDPR legal obligations for the prevention of crime and fraud

We do not share your data with third parties for marketing purposes.

Cookies and browser storage

For information about how we use cookies, browser storage and how to withdraw consent for analytic cookies, see our cookies page.

International data transfers

Google Analytics may transfer data outside the UK. Google has certified compliance with appropriate data protection standards. Google maintain the US/Data Privacy Framework certification for the protection of any data processed in compliance with GDPR.

AWS as the service provider for session trials are US based and have the US/UK Data Privacy framework certification in place to ensure the data protection standards are applied to all data processing in scope of this service.

Your rights

You have the right to request:

  • information about how your personal data is processed
  • a copy of your personal data
  • that any inaccuracies in your personal data are rectified without delay
  • that any incomplete personal data is updated - you can include the missing information in your request
  • that your personal data is erased if there is no longer a justification for the data to be processed
  • in certain circumstances (for example, where accuracy is contested), that the processing of your personal data is restricted

If you have any of these requests, contact the GDS Data Protection Team.

GDS Data Protection Team
gds.data.protection@dsit.gov.uk

Contact us or make a complaint

Contact gds.data.protection@dsit.gov.uk if you:

  • have a question about anything in this privacy notice
  • think that your personal information has been misused or mishandled
  • want to make a ‘subject access request’ to find out more about how your personal information is collected and used

You can also directly contact our Data Protection Officer (DPO) who provides independent advice and monitoring of our use of personal information:

Data Protection Officer at the DSIT Data Protection Office
dataprotection@dsit.gov.uk

You can also make a complaint to the Information Commissioner, who is an independent regulator.

Information Commissioner
icocasework@ico.org.uk
Telephone: 0303 123 1113
Textphone: 01625 545860
Monday to Friday, 9am to 4.30pm
Find out about call charges

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Making a complaint to the Information Commissioner will not affect your rights.

Changes to this notice

We may update this privacy notice. Any significant changes will be communicated through the service.

This notice was last updated on 12 February 2026.