Privacy Policy

Last updated: June 10, 2026

CDA Hub is a learning, monitoring, and assessment platform that helps civil society organisations (CSOs) strengthen their digital security posture through self-paced lessons, quizzes, digital assessments, and optional field monitoring tools.

Who is responsible

Service Owner / Data Controller: Hivos Malawi

Developer / Technical Operator: ITES (itesmw.com)

This privacy notice explains how CDA Hub (the “Service”) handles your personal data when you register, learn, complete quizzes, submit feedback, and complete monitoring assessments using the mobile application and related web services.

What the app does

CDA Hub allows registered users to:

Create an account with their organisation and basic profile information.
Access learning content on digital security and related topics.
Complete quizzes and assessments and track their own progress.
Capture optional monitoring assessments for civic space and human rights defender support.
Save certain learning content and monitoring drafts for offline use where connectivity is limited.
Optionally provide feedback to improve the training content and platform.
Update their profile details and change their password securely within the app.

Data we collect

Account and profile data:

Name
Email address (used as your login identifier)
Affiliation, district, organisation / CSO, and role where provided
Password (stored in hashed form only, never in plain text)

Learning and assessment data:

Which lessons and modules you have started and completed.
Quiz and assessment responses, scores, and completion status.
Certificates and completion records issued by the platform.
Learning content that you choose to save for offline access on your device.

Monitoring assessment data:

Monitoring assessment responses, evidence notes, verification details, incidents, and recommendations.
Assessment metadata such as selected district, collecting organisation, assessment status, and timestamps.
Draft monitoring assessments saved locally for later submission when connectivity is available.

Optional location data for monitoring assessments:

Location access is optional and is only requested when you choose to use Monitoring features that capture the location of a field assessment.
Learning content, quizzes, certificates, feedback, profile updates, and general app use do not require location access.
When location capture is used, CDA Hub may collect latitude, longitude, accuracy, timestamp, and related device-provided location metadata.
Location capture is used to support trustworthy field data collection, improve monitoring data quality, and help authorised programme teams understand where monitoring assessments were collected.
CDA Hub does not use location data for advertising, selling user data, or unrelated tracking.

Feedback and support:

Feedback that you submit about the platform or learning content.
Support requests you send to the CDA Hub support team.

Technical and security logs:

IP address and basic device information at the time of login.
Timestamps of logins, password reset requests, password changes, and key actions.
Technical logs used for security, troubleshooting, audit, and abuse prevention.

CDA Hub does not request access to your contacts, photos, microphone, or SMS. Location access is not required for learning content, quizzes, certificates, feedback, profile updates, or general use of the app. The app requests location access only if you choose to use Monitoring features that capture field assessment location for data quality and verification purposes.

How your information is used

To create and manage your CDA Hub user account.
To deliver learning modules, quizzes, monitoring tools, and assessments to you.
To track your learning progress and generate certificates.
To support field monitoring, assessment review, reporting, and programme follow-up.
To record and verify the location where monitoring assessments are collected, only when you choose to use location-enabled Monitoring workflows.
To allow offline draft capture and later synchronisation when internet connectivity is available.
To respond to feedback and support requests you submit.
To secure the platform, detect abuse, and troubleshoot technical issues.
To generate anonymised or aggregated statistics about how the platform is used.

Legal basis

CDA Hub processes your personal data on the basis of:

Your consent when you register and choose to use the Service;
Your consent when you choose to allow location access for optional monitoring assessment workflows; and
Legitimate interests in providing, securing, auditing, and improving the platform.

Sharing

We do not sell your personal data.
Within the CDA programme, anonymised or aggregated reports may be shared with authorised partners to understand overall learning, monitoring, and assessment trends.
Where named certificates or reports are required (for example, to prove course completion), your name, organisation, and completion status may be shared with authorised programme partners.
Monitoring assessment records may be visible to authorised CDA programme staff, reviewers, administrators, or partner managers for review, reporting, data quality, and programme follow-up purposes.
We use service providers (such as cloud hosting and email services) who process data on our behalf under confidentiality and security obligations.

Offline use and synchronisation

Some CDA Hub features may allow users to save learning content or monitoring drafts for offline use. Offline monitoring drafts may be stored temporarily on the device until they are submitted or synchronised with the CDA Hub backend. Users should keep their devices secure and avoid sharing their device with unauthorised persons.

Retention

Account and learning records are retained for as long as your CDA Hub account remains active and for a reasonable period afterward to support reporting and certificate verification, unless you request earlier deletion (see below).

Monitoring assessment records, including related location records where collected, may be retained together with the assessment record for programme reporting, audit, data quality, and accountability purposes, unless deletion or anonymisation is requested and can be completed without compromising legal, security, audit, or programme reporting obligations.

Technical logs are kept only as long as necessary for security, troubleshooting, and audit purposes and are then minimised or anonymised.

Security

All communications between the mobile app and the CDA Hub backend are protected using HTTPS/TLS encryption in transit. Passwords are stored using industry-standard hashing algorithms. Access to administrative functions is restricted to authorised personnel.

Users can change their password from within the app. The app requires the current password before a password change is accepted.

Children

CDA Hub is designed for adult professionals in participating organisations and is not intended for children. We do not knowingly create accounts for or collect personal data from children.

How to request deletion of your account

You can request that your CDA Hub account and associated personal data be deleted. When your account is deleted, you will no longer be able to log in or access your learning history or certificates.

To request account deletion:

Send an email to support@itesmw.com with the subject line “Delete my CDA Hub account”.
Include the email address you use to log in to CDA Hub and, if possible, the name of your organisation.

We will verify your request and, once confirmed, delete or irreversibly pseudonymise your account data, subject to any minimal information that must be retained for legal, security, audit, or programme reporting purposes.

How to request deletion of specific data

If you prefer to keep your account but request deletion of specific personal data (for example, certain quiz attempts, feedback messages, support tickets, or monitoring assessment records), you can contact us using the same email address: support@itesmw.com.

To request deletion of specific data:

Use the subject line “CDA Hub data deletion request”.
Describe what you would like us to delete (for example, “delete my feedback messages”, “delete quiz attempts before [date]”, or “delete monitoring assessment draft submitted on [date]”).

We will explain what can be deleted while still maintaining the integrity of programme-level reporting and will process your request as quickly as possible.

We may retain anonymised, pseudonymised, or aggregated data that no longer identifies you individually.

Your rights

Depending on your jurisdiction, you may have rights to access, correct, or delete your personal data, or to object to or restrict certain forms of processing. You can exercise these rights by contacting us at support@itesmw.com.

Contact

Programme / Data Controller queries: Please use the contact channels provided by the CDA Hub programme partners.

Technical support: support@itesmw.com