Skip to main content

Alpha This is a new service. Help us improve it and give your feedback by email.

Privacy Policy

How we handle your personal information when using NDX:Try

Privacy Policy

Last updated: 28 February 2026

Who we are

NDX:Try is operated by the National Digital Exchange (NDX) partnership, working with UK local authorities to enable safe evaluation of cloud technologies.

What data we collect

When you request a partner tour

We collect:

  • Council name
  • Your name
  • Email address
  • Phone number (if you provide it)
  • Which scenario you’re interested in
  • Your availability for a session
  • Any additional context you provide

When you browse the website

We collect standard web server logs including:

  • Your IP address
  • Pages you visit
  • Browser type and version
  • Date and time of your visit

Cookies and analytics

We use cookies to make this service work and to collect information about how you use it.

Essential cookies

We use essential cookies to remember your cookie preferences. These are strictly necessary for the service to function.

Analytics cookies

With your permission, we use Google Analytics 4 to understand how people use this service. This helps us improve it.

Google Analytics sets the following cookies:

Cookie Purpose Duration
_ga Distinguishes unique users 2 years
_ga_S4542PPYLS Maintains session state 2 years

We have configured Google Analytics to:

  • anonymise your IP address
  • not share data with third parties
  • retain data for 14 months

You can change your cookie settings at any time.

For more details, see our cookies page.

How we use your data

Partner tour requests

Your information will be:

  • Shared only with the AWS implementation partner assigned to your tour request
  • Used solely to arrange and conduct your evaluation session
  • Not used for marketing purposes without additional consent
  • Retained for up to 12 months for service improvement

Website analytics

Anonymised browsing data helps us:

  • Understand which scenarios are most useful
  • Improve the website experience
  • Identify and fix technical issues

We process your data under the following legal bases:

  • Consent - When you submit a partner tour request, you consent to us sharing your details with an implementation partner
  • Legitimate interests - To improve our services and understand how the website is used

Your rights

Under UK GDPR, you have the right to:

  • Access - Request a copy of the personal data we hold about you
  • Rectification - Request that we correct any inaccurate personal data
  • Erasure - Request that we delete your personal data
  • Restriction - Request that we limit how we use your data
  • Objection - Object to us processing your personal data
  • Portability - Request your data in a portable format

To exercise any of these rights, contact us at ndx@dsit.gov.uk.

Data retention

Data type Retention period
Partner tour requests 12 months
Website server logs 90 days
Sandbox session data Deleted after 24 hours

Data security

We protect your data through:

  • Encryption in transit (HTTPS)
  • Access controls limiting who can view your information
  • Regular security reviews
  • Secure cloud infrastructure (AWS)

Third parties

Implementation partners

When you request a partner tour, we share your contact details with a vetted AWS implementation partner. These partners are:

  • Accredited AWS Partners with local government experience
  • Bound by data protection agreements
  • Required to use your data only for arranging the requested tour

AWS

Sandbox evaluation environments run on AWS infrastructure in the US (us-east-1 N. Virginia region). We use US regions for sandbox evaluations because they offer the widest AWS service availability and lower carbon intensity. Sandbox environments use only sample and synthetic data and contain no real citizen data.

AWS processes data in accordance with their Data Privacy FAQ and holds UK G-Cloud 14 framework approval.

International transfers

We process two categories of data differently:

  • Partner tour requests (your name, email, council name): processed within the UK and European Economic Area only
  • Sandbox evaluation data (sample and synthetic data only): processed in the US (us-east-1 N. Virginia) AWS region. No real personal or citizen data is used in sandbox evaluations

For sandbox data processed in the US, appropriate safeguards are in place including AWS’s GDPR-compliant Data Processing Addendum, Standard Contractual Clauses (SCCs), and AWS certifications including ISO 27001, ISO 27018, and SOC 2. AWS is approved on the UK Government G-Cloud 14 framework.

Changes to this policy

We may update this privacy policy from time to time. The “Last updated” date at the top of this page shows when it was last changed.

Contact us

If you have questions about this privacy policy or how we handle your data:

Email: ndx@dsit.gov.uk

Address:
NDX Partnership
c/o Central Digital and Data Office
Cabinet Office
70 Whitehall
London SW1A 2AS

Complaints

If you’re not satisfied with how we’ve handled your data, you can complain to the Information Commissioner’s Office (ICO):