Data Protection Privacy Policy

Print this page:

Purpose of policy:

CoGrammar and our affiliates and subsidiaries (hereinafter referred to as “The Company”) respect individual privacy and take the privacy of your personal information very seriously. As the data controller, The Company collects, uses, and discloses your personal data in connection with your working relationship with us, or with your application for a working relationship with us, in a manner consistent with the laws of the countries in which we do business. We use your personal data in a manner that is consistent with the uses described in this Privacy Policy (the “Policy”), which covers the treatment of the personal information we receive or maintain about you. This Policy is intended to cover The Company’s collection and use of data obtained in the course of your relationship with The Company.

Scope of policy:

This Policy applies to the personal data The Company receives or maintains regarding all data collected in terms of the information you choose to provide to us. The information we collect includes personal information – such as your name, address, e-mail address, telephone number, prior educational background information, work experience, and the content of any communications that we exchange, as well as non-personal information. In some cases, we require your personal information in order to perform a contract or to comply with a legal obligation. We also collect your personal information when you apply for a job at The Company.

This policy also applies to any third party personal data received from clients for the purposes of The Company conducting its business

Definitions of key terms:

The Company:
CoGrammar Ltd, Company Number:10493520 , a UK based company.
Data subject:
A data subject is a natural person. Examples of a data subject can be an individual, a customer, a prospect, an employee, a contact person, etc.
Personal data:
Any information relating to an identified / identifiable individual, whether it relates to his or her private, professional, or public life. It can be anything from a name, photo, email address, bank details, posts on social networking sites, medical information, IP address, or a combination of the data that directly or indirectly identifies the person.
Sensitive personal data:
The GDPR, CCPA and all other relevant legislation refer to sensitive personal data as "special categories of personal data."" The special categories of data include racial or ethnic origin, political opinions, religious or philosophical views, trade union membership, sexual orientation, and health, genetic and biometric data, where processed to uniquely identify an individual. Personal data relating to criminal convictions and offenses are not included, but similar extra safeguards apply to its processing.
Data controller:
Any organization, person, or body that determines the purposes and means of processing personal data, controls the data and is responsible for it, alone or jointly. Examples, when the data controller is an individual, include general practitioners, pharmacists, and politicians, where these individuals keep personal information about their patients, clients, constituents, etc. Examples of organizations can be data controllers, for profit or not for profit, private or government-owned, large or small, where those organizations keep personal information about their employees, clients, etc.
Data processor:
A data processor processes the data on behalf of the data controller. Examples include payroll companies, accountants, and market research companies.
Accountability is the ability to demonstrate compliance with the GDPR, CCPA and all other relevant legislation. The Regulation explicitly states that this is the organization’s responsibility. In order to demonstrate compliance, appropriate technical and organizational measures have to be implemented. Best practice tools such as privacy impact assessments and privacy by design are now legally required in certain circumstances.
Consent is any "freely given, specific, informed and unambiguous" indication of the individual's wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed for one or more specific purposes.
The affirmative action, or a positive opt-in, means that the consent cannot be inferred from silence, pre-ticked boxes, or inactivity. It should also be separate from terms and conditions and have a simple way to withdraw it. Public authorities and employers will need to pay special attention to ensure that consent is freely given.
Processing is any operation performed on personal data (sets), such as creation, collection, storage, view, transport, use, modification, transfer, deletion, etc., whether or not by automated means.
Subject access:
This is the data subject’s right to obtain from the data controller, on request, certain information relating to the processing of his/her personal data.
Third Party:
A third party is any natural or legal person, public authority, agency, or any other body other than the data subject, the controller, the processor, and the persons who, under the direct authority of the controller or the processor, are authorized to process the data.
The transfer of personal data to countries outside the EEA or to international organizations is subject to restrictions. As with the Data Protection Directive, data does not need to be physically transported to be transferred. Viewing data hosted in another location would amount to a transfer for GDPR purposes.
GDPR or The Regulation:
means the General Data Protection Regulation.
Information Commissioner's Office is the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
Responsible Person:
means Riaz Moola (Founder and CEO).
Register of Systems:
means a register of all systems or contexts in which personal data is processed by the company.
means the California Consumer Privacy Act, is the state statute intended to enhance privacy rights and consumer protection for residents of California, United States.

Policy prescripts:

Data protection principles

The Company is committed to processing data in accordance with its responsibilities as outlined in the GDPR and in accordance with relevant international legislation.

This means that your personal data will be:

  1. processed lawfully, fairly and in a transparent manner in relation to individuals;
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
  3. adequate, relevant and limited to what is necessary for relation to the purposes for which they are processed;
  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  5. kept in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

General provisions

  1. This policy applies to all personal data processed by The Company.
  2. The Responsible Person shall take responsibility for the Company’s ongoing compliance with this policy.
  3. This policy shall be reviewed at least annually.

Lawful, fair and transparent processing

Types of personal data

The Personal Data collected by The Company are as follows:

  • Data required in order to manage the employment relationship, from the point at which you make an application for employment and throughout your employment (e.g., through on-boarding, use of company systems, etc.
  • Third Party personal data received from clients for the purposes of The Company's code review service offering.
  • Anonymous, Aggregated, and other information collated from your use of The Company’s Services. Anonymized or aggregated information is not Personal Information.

Your personal data

The Personal Data that The Company collects and uses about you includes:

  • Application information (e.g., your CV, application form, references supplied by your former employer). If you do not provide this information, The Company may not be able to offer you a position.
  • Right to work information (e.g., work permit/visa application information). If you do not provide this information, The Company may not be able to offer you a position.
  • Basic personal details (e.g., name, date of birth).
  • Contact details (e.g., telephone number, email address, postal address).
  • Information required for payroll purposes (e.g., bank account details, tax information);
  • Information related to benefit entitlements and schemes (e.g. details of participation, contributions made);
  • Sensitive personal data including information related to gender, race or ethnic origin for purposes of complying with applicable anti-discrimination or diversity legislation (where applicable);
  • Medical information, if necessary to comply with applicable laws or in order to provide medical care to you;
  • Performance-related data (e.g. information about and assessments of your performance collected as part of the appraisal process);
  • Location information;
  • Information required in connection with disciplinary action or investigations;
  • Information about your use of company systems or information that you provide to The Company through the systems (e.g., information from your company email account, information posted on our website, the information you submit through applications or software made available to you, information collected from you when you connect a device to our networks or communications sent to us or through our applications.);
  • Payment information;
  • Any other information that you provide directly to us.
Processing of your personal data

The Company uses your Personal Information primarily to manage their relationship with you. From time to time, The Company may also use your Personal Information in the management of resources, to carry out marketing, and to keep systems secure.

The purposes for which The Company uses Personal Information include:

  • Recruitment;
  • Providing you with equipment, training, and support so that you can carry out your role. We do this in order to meet applicable contractual and employment related obligations to you;
  • Providing staff training, feedback, and appraisals, in order to meet our contractual obligations to you, and where not strictly required by that contract, to meet our legitimate interests in ensuring employees are best able to carry out their roles. This may involve maintaining a personnel or service record, and may involve carrying out investigations or disciplinary procedures to protect The Company’s interests;
  • Compensation and benefits management, to ensure that you are paid;
  • Organisation management and administration. The company processes Personal Information in this way to meet our legitimate interests in running the business effectively;
  • Administration of absences in accordance with Company and statutory leave programs, to ensure that The Company complies with legal and contractual obligations;
  • Communications. This may include facilitating communications to and between employees and contractors, and communications with other bodies (e.g., landlords, and regulatory authorities) in order to meet legitimate interests in managing the business;
  • Marketing activities, including marketing photos, brochures, website content, videos, social media posts, and other related marketing activities. The Company will only use your personal data in creating this content with your consent;
  • Compliance with legal obligations, including health and safety requirements, requests for information from government agencies, and security investigations;
  • Provision of employment references if requested by a potential employer;
  • Administering Company applications, software, and systems, in order to meet legitimate interests in ensuring that systems are secure and are fit for use;
  • Statistical and analytical purposes to understand and improve worker satisfaction and performance; and
  • Such other purposes as may be disclosed to you from time to time.

Code Review as a Service

We collect information that your company,- institution, recruiter, or service provider provides to us. The Company is a third party processor of personal data received on behalf of the data controller of the company, institution or service provider that collected your personal data. This means that the personal data you have provided to a company, institution, recruiter, or service provider may be shared with us for the purpose of our business offering of Code Review as a Service. The company, institution, recruiter or service provider’s data controller remains accountable for their GDPR compliance and has the accountability to request that your data is transferred in accordance with regulations and/or removed from our systems should you opt-out of their service offering.

The Company requests different types of Personal Information from clients or others, depending on the services used and the relationship with The Company. We may collect the following categories of information, depending on the Services that you use:

The Company requests different types of Personal Information from clients or others, depending on the services used and the relationship with The Company. We may collect the following categories of information, depending on the Services that you use:

  • Contact Information, including your name, mailing address, phone number, an email address;
  • Professional Information, including your company name, title, role, team, LinkedIn profile, and other information about your profession.

Register of systems

To ensure its processing of data is lawful, fair and transparent, the Company shall maintain a Register of Systems. The Register of Systems shall be reviewed at least annually. The register of systems can be requested by contacting

Lawful purposes

  • All data processed by the Company will be done on one of the following lawful bases:
    1. Consent: the individual has given clear consent to process their personal data for a specific purpose;
    2. Contract: the processing is necessary for a contract The Company has with the individual, including the collation of data prior to the finalisation of the contract;
    3. Legal obligation: the processing is necessary for The Company to comply with the law (not including contractual obligations).
    4. Vital interests: processing is necessary to protect someone's life.
    5. Public task: the processing is necessary for The Company to perform a task in the public interest or for official functions, and the task or function has a clear basis in law.
    6. Legitimate interests: the processing is necessary for The Company's legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
  • The Company shall note the appropriate lawful basis in the Register of Systems.
  • Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept with the personal data.
  • Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent should be clearly available and systems should be in place to ensure such revocation is reflected accurately in the Company’s systems

Data minimisation

The Company shall ensure that personal data is adequate, relevant and limited to what is necessary for relation to the purposes for which they are processed.


  • The Company shall take reasonable steps to ensure personal data is accurate.
  • Where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that personal data is kept up to date

Archiving / removal

  • To ensure that personal data is kept for no longer than necessary, the Company shall put in place an archiving policy for each area in which personal data is processed and review this process annually. The archiving policy shall consider what data should/must be retained, for how long, and why.
  • Individuals have the right to access their personal data and any such requests made to the Company shall be dealt with in a timely manner under the relevant act.
  • Should you wish to be removed from all automated email and manual emails sent by the company, please submit your request in writing to Please note that by unsubscribing from one mailing list or mail chain, you may continue to recieve emails from us that are manually written by our team or from other email services, and to fully unsubscribe from all communications from us we will need to process your written request for this made to, and this may take up to a calender month.
  • Please note that depending on the programme you entered into and the Student Undertaking Agreement you signed, as a UK government funded student for example, we may be required to keep your information on file and continue communicating to you until a request is submitted to and considered under GDPR regulations.

Security / fraud

  1. The Company has ensured that personal data is stored securely using modern software that is kept-up-to-date.
  2. Access to personal data shall be limited to personnel who need access and appropriate security is in place to avoid unauthorised sharing of information.
  3. When personal data is deleted this should be done safely, so that the data is irrecoverable.
  4. Appropriate back-up and disaster recovery are in place.
  5. We access and disclose your information to detect, prevent, or otherwise address fraud, security or other technical issues.

International transfers

The Company transfers personal information from the European Economic Area ("EEA") to other countries, including South Africa and the United Kingdom. Where information is transferred outside the EEA to a third party in a country that is not subject to an adequacy decision by the EU Commission, data is adequately protected by standard contractual clauses and relevant documentation in relation to privacy. A copy thereof can be provided for your review on request to


In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, the Company shall promptly assess the risk to people’s rights and freedoms and if appropriate report this breach to the Information Commissioner's Office.

Cookies policy - View Cookie Declaration

Types of personal data

A cookie is a small text file that a website stores on your computer or mobile device when you visit the site.

First party cookies are cookies set by the website that you are visiting, where only that website can read them. A website website could potentially use external services, which use their own set of cookies. These are known as third-party cookies.

Persistent cookies are cookies that are saved onto your computer, which are not deleted automatically when you quit your browser. The alternative to this is a session cookie, which is deleted when you close your browser.

Every time you visit our website, you will be prompted to accept or refuse cookies. The purpose of this is to enable the site to remember your preferences over a period of time. This way, you won’t have to re-enter your details when browsing the site during the same visit.

Cookies can also be used to establish anonymised statistics about the browsing experience on our site.

How do we use cookies?

We mostly use "first-party cookies". These are cookies set and controlled by us and not by any external organisation.

The 3 types of first-party cookie we use are to:

  • Customer visitor preferences
  • Make our website operational
  • Gather analytics data (about user behaviour)

Visitor preferences

These are set by us and only we can read them.

They remember:

  • If you have agreed to (or refused) this site’s cookie policy
  • Name
  • Service Purpose
  • Cookie type and duration

Operational cookies

There are some cookies that we have to include for certain web pages to function effectively. For this reason, they do not require your consent.

In particular:

  • Authentication cookies
  • Technical cookies required by certain IT systems

Authentication cookies

These are stored when you log on to our site, using our authentication service (Login). When you do this, you accept the associated privacy policy.

Remembers your settings and preferences:

  • User ID
  • User name
  • Acknowledged cookie policy
  • High contrast mode
  • Privacy mode
  • View account details after login

Technical cookies

These are used for the sole purpose of carrying out the transmission of certain information on an electronic communications network or as strictly necessary for the provider of an information service to provide services requested explicitly by the subscriber or user.

Analytics cookies

We use these purely for internal research on how we can improve the service we provide for all our users.

The cookies simply assess how you interact with our website - as an anonymous user (the data gathered does not identify you personally).

Also, this data is not shared with any third parties or used for any other purpose. The anonymised statistics could be shared with contractors working on communication projects under contractual agreement with the us.

However, you are free to refuse these types of cookies - via the cookie banner you’ll see on the first page you visit.

Third-party cookies

Some of our pages display content from external providers, e.g. YouTube, Facebook and Twitter.

To view this third-party content, you first have to accept their specific terms and conditions. This includes their cookie policies, which we have no control over.

But if you do not view this content, no third-party cookies are installed on your device.

Third-party providers on Commission websites:

  • YouTube
  • Internet Archive
  • Google Maps
  • Twitter
  • Vimeo
  • Microsoft
  • Facebook
  • Google
  • LinkedIn
  • Livestream
  • SoundCloud

These third-party services are outside of the control of our company. Providers may, at any time, change their terms of service, purpose and use of cookies, etc.

How can you manage cookies?

You can manage/delete cookies as you wish.

Removing cookies from your device

You can delete all cookies that are already on your device by clearing the browsing history of your browser. This will remove all cookies from all websites you have visited.

Be aware though that you may also lose some saved information (e.g. saved login details, site preferences).

Managing site-specific cookies

For more detailed control over site-specific cookies, check the privacy and cookie settings in your preferred browser.

Managing site-specific cookies

You can set most modern browsers to prevent any cookies being placed on your device, but you may have to manually adjust some preferences every time you visit a site/page. And some services and functionalities may not work properly at all (e.g. profile logging-in).

Blocking cookies

You can set most modern browsers to prevent any cookies being placed on your device, but you may have to manually adjust some preferences every time you visit a site/page. And some services and functionalities may not work properly at all (e.g. profile logging-in).

Additional information for californian consumers

Categories of personal information that will be collected and disclosed.

As required by the California Consumer Privacy Act (“CCPA”) effective 01 January 2020, the following categories of personal information that will be collected and disclosed in respect of Californian Consumers - where the means and purposes of data processing will be determined.

Please note that personal information is not sold.

The following categories of personal information are collected and disclosed for business purposes:

  • Contact Information/Identifiers: This is inclusive of real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, phone number, account name, or other similar identifiers.
  • Usage Data: This is inclusive of internet or other electronic network activity information, such as browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement.
  • Employment History: This is inclusive of professional or employment-related information.
  • Education Information: This is inclusive of information about education history or background.
  • Protected Classifications: This is inclusive of characteristics of protected classifications under California or federal law such as race, color, sex, age, religion, national origin, disability, and citizenship status.

Categories in respect of sources of personal information.

The categories of sources of personal information we collect are described in the section above "Your Data".

Purposes for collection of personal information.

We collect the personal information identified above to communicate with you, for advertising and marketing purposes, to provide and improve our services, and other purposes set forth in "Processing Your Personal Data" above.

Categories Of third parties with which the personal information is shared.

We share personal information identified above with the following categories of third parties:

  • The CoGrammar family of companies,
  • Third-party providers that serve business, professional or technical support functions,
  • Third parties for legal matters or safety purposes.

California consumer rights

California law gives California consumers the right to make the following requests:

  • The right to opt-out of sale of your personal information. Please note that HyperionDev does not sell personal information.
  • The right to request a copy of the personal information that we have collected about you in the prior 12 months.
  • The right to request deletion of the personal information that we have collected from you, subject to certain exemptions (for example, where the information is used by us to detect security incidents, debugging or to comply with a legal obligation).
  • The right to request more details about the personal information we collect and how and why we use and share it, including the categories of personal information we have collected about you, the categories of sources for personal information we collect, the business or commercial purposes for collecting personal information, and the categories of third parties with which we share personal information.

You can submit a copy, deletion, or right-to-know request online by filling outHyperionDev's "Data Request Form" or by contacting us at

*The CCPA prohibits discrimination against California consumers for exercising their rights under the CCPA and imposes requirements on any financial incentives offered to California consumers related to their personal information, unless the different prices, rates, or quality of goods or services are reasonably related to the value of the consumer's data.

Public forums/publicly available content

Any information you may disclose through the Website, such as on message boards, in chat rooms, or on other public areas, such as on webinars that you may attend, may be viewed by others, such as your classmates and learning facilitators. Please exercise caution when disclosing personal information in these public areas. If you do not want HyperionDev to store metadata associated with your content, please remove the metadata before uploading your content.

Third-party content

The Website may also offer you the ability to interact with content provided by third parties not affiliated with HyperionDev (“Third-Party Content”). Third-Party Content linked to or embedded on this Website is governed by the privacy policies of those third parties. Your use of Third-Party Content is subject to each site’s privacy policy, which may be different from ours. We have no control over the information that is collected, stored, or used by Third Party Content.

Changes to this data protection policy.

We review this Privacy Policy from time to time and reserve the right to make changes to this Privacy Policy at any time. If we do make material changes, we will give notice via the Website features or by otherwise contacting you.