Privacy Policy

Who we are

The Now Generation Network (NGN) Portal is operated by the Mo Ibrahim Foundation ("MIF", "we", "us"). MIF is the data controller for personal data processed through the portal at nowgeneration.network.

For privacy questions or to exercise your rights, contact us at ngn@moibrahimfoundation.org.

Who this policy applies to

This policy applies to invited members, mentors, mentees, programme administrators, and other authorised users of the NGN Portal. Access is invitation-only; there is no public registration.

What data we collect

We process the following categories of personal data depending on how you use the portal:

• Account data: name, email address, password hash (managed by Supabase Auth), role, and invitation metadata.
• Profile data: display name, country of residence, heritage countries, organisation, role title, biography, sectors, expertise, languages, skills, accomplishments, mentorship preferences, profile photo, and visibility settings.
• Mentorship data: mentorship requests, pair assignments, intake forms, session logs, goals, programme surveys, and related notifications.
• Messaging data: 1:1 conversation metadata, message content, read timestamps, blocks, and reports.
• Events data: event registrations, community event submissions, and calendar interactions.
• Technical data: session cookies required for authentication, IP address and browser metadata in server logs, and (with your consent) anonymised usage analytics via PostHog.
• Administration data: audit log entries for sensitive actions, moderation records, and support correspondence.

How we use your data

We use personal data for the following purposes and lawful bases under UK GDPR:

• Providing the portal and your membership (contract / legitimate interests): profiles, directory, mentorship, events, and messaging.
• Programme administration (legitimate interests / contract): matching, reporting, and quality assurance for the mentorship programme.
• Safety and moderation (legitimate interests): reviewing reports, enforcing the Code of Conduct, and protecting members.
• Transactional communications (contract / legitimate interests): invitations, mentorship reminders, survey prompts, and security notices via email.
• Analytics and product improvement (consent): usage events when you accept analytics cookies — we do not send message bodies or email content to analytics.
• Legal compliance (legal obligation): responding to lawful requests and maintaining required records.

Who can see your information

The portal is a private member community. Authenticated members can browse the member directory and view profiles according to the fields you choose to share. Mentorship data is visible to you, your mentor or mentee, and authorised programme administrators. Messages are visible to conversation participants; administrators may access message context when investigating a report you submit.

Partner staff with a limited role may access anonymised or aggregate mentorship reporting only, not general member browsing.

Processors and subprocessors

We use trusted service providers who process data on our instructions:

• Supabase (database and authentication, EU West — London region).
• Vercel (application hosting).
• Resend (transactional email delivery).
• PostHog (EU-hosted product analytics, only when you consent to analytics cookies).
• Sentry (error monitoring, when enabled in production).

International transfers

We aim to keep member data in the UK/EEA. Where a subprocessor processes data outside the UK, we rely on appropriate safeguards such as Standard Contractual Clauses or UK adequacy regulations.

Retention

We retain personal data while your membership is active and as needed to operate the programme. Accounts inactive for 12 months may be flagged for review; data may be archived after 24 months of inactivity unless we must retain it for legal or programme reasons.

Message reports and related moderation records are retained to handle disputes and improve safety, typically for up to 24 months after resolution unless a longer period is required.

When you delete your account, we remove or anonymise personal data within a reasonable period, except where retention is required by law or for legitimate audit purposes.

Your rights

Under UK GDPR you have the right to access, rectify, erase, restrict, or object to processing of your personal data, and to data portability where applicable. You may also withdraw consent for analytics at any time via cookie settings.

You can export a copy of your portal data from Settings → Export my data. You can request account deletion from Settings → Delete my account, or by emailing us.

You have the right to lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) if you believe your data has been handled unlawfully.

Security

We use industry-standard measures including TLS encryption in transit, encrypted storage at rest, row-level security in our database, invite-only access, rate limiting, and multi-factor authentication for administrative roles.

Changes to this policy

We may update this policy from time to time. Material changes will be communicated through the portal or by email. The effective date and version are shown at the top of this page.