Privacy Policy

Consent

Where you have given clear, informed consent for specific processing activities, such as subscribing to newsletters or optional communications.

Contractual Necessity

Processing is necessary to provide the services you have requested, such as account creation, registration processing, and access to platform features.

Legal Obligation

Processing is required to comply with legal or regulatory obligations, such as identity verification, record-keeping, or responding to lawful government requests.

Legitimate Interests

Processing is necessary for our legitimate interests or the legitimate interests of third parties, such as:

• Maintaining platform security and preventing fraud
• Improving and optimizing platform features and user experience
• Conducting analytics and generating reports for program management
• Enforcing terms of service and protecting against misuse

We balance these interests against your rights and freedoms and will not process your information where your interests override our legitimate interests.

Public Interest / Official Authority

As a government commission, certain processing activities may be necessary for the performance of tasks carried out in the public interest or in the exercise of official authority.

Vital Interests

In rare circumstances, processing may be necessary to protect your vital interests or those of another person.

Service Providers & Processors

We engage third-party service providers to help us operate the platform and deliver services, such as:

• Cloud hosting and infrastructure providers
• Data storage and database management services
• Email delivery and notification services
• Authentication and security services
• Analytics and monitoring tools
• Customer support and helpdesk platforms

These providers are contractually required to protect your data and use it only for the purposes we specify.

Government Entities & Law Enforcement

We may share personal information with government agencies, regulators, law enforcement, or other authorities when:

• Required by law, court order, or legal process
• Necessary to comply with regulatory requirements
• Needed to investigate suspected fraud, abuse, or illegal activity
• Required to protect the rights, property, or safety of NiDCOM, users, or the public

Internal Administrators & Reviewers

Authorized NiDCOM staff and administrators may access personal information as necessary to:

• Review and approve registrations and applications
• Verify identity documents and supporting materials
• Provide user support and resolve issues
• Conduct audits and maintain system integrity

Access is granted on a role-based, need-to-know basis with appropriate security controls.

Public Directory Publication

When an organization is approved and published in the public directory, certain information becomes publicly accessible (see Section 8 for details). Personal identity documents and private contact information remain confidential.

Business Transfers

In the event of an organizational restructuring, merger, or transfer of services, personal information may be transferred to successor entities, subject to continued protection under this Privacy Policy or equivalent safeguards.

Aggregate & De-identified Information

We may share aggregate, anonymized, or de-identified information that cannot reasonably be used to identify you, for research, reporting, or program evaluation purposes.

What May Be Published Publicly

When an organization is approved and published in the public directory, the following information may be visible to the public:

• Organization name
• Organization type (e.g., Professional, Cultural)
• Country and city/region location
• Organization description and mission
• Public website URL (if provided)
• Organization logo or profile image
• Publicly listed contact email (if designated)

What Remains Private

• Personal identity documents (passports, IDs)
• Individual member personal information
• Private contact details not designated for public display
• Administrative notes and internal review records
• Account credentials and authentication information
• Personal addresses and phone numbers
• Registration and verification documents

Control Over Public Information

Organization administrators have control over most public profile information through the organization portal. If you wish to request updates, corrections, or removal of publicly displayed information, please contact support@nidcom.gov.ng.

Active Accounts & Registrations

Personal information for active user accounts and registered organizations is retained for as long as the account remains active and in good standing, plus a reasonable period following account closure for administrative and legal purposes.

Verification Documents

Identity documents and supporting materials submitted for verification may be retained for the duration of registration validity, plus additional time as required for compliance, audit, and regulatory purposes.

Incomplete or Withdrawn Applications

Incomplete registration attempts, orphaned records, or withdrawn applications may be retained for a limited period for administrative tracking and fraud prevention purposes, then securely deleted or anonymized.

Support Communications

Support tickets, inquiries, and correspondence are retained for customer service, quality assurance, and issue resolution purposes, typically for a period of 2-3 years unless longer retention is required by law.

Security & Audit Logs

Technical logs, security monitoring records, and audit trails are retained for security, troubleshooting, and compliance purposes, typically for 1-3 years depending on the type of log.

Legal & Regulatory Requirements

Where legal, regulatory, tax, accounting, or other compliance obligations require longer retention periods, we will retain personal information for the required duration and securely dispose of it thereafter.

Cross-Border Data Flows

Personal information may be transferred internationally due to:

• Cloud infrastructure and data storage services located in various jurisdictions
• Service providers and processors operating in different countries
• Administrative operations conducted by NiDCOM in Nigeria
• Global accessibility of the platform for diaspora users worldwide

Safeguards for International Transfers

When transferring personal information across borders, we implement appropriate safeguards to protect your data, including:

• Using reputable cloud providers and service providers with strong data protection practices
• Implementing contractual protections such as Standard Contractual Clauses (SCCs) where required
• Ensuring service providers comply with applicable data protection laws and security standards
• Encrypting data in transit and at rest to protect against unauthorized access
• Limiting data transfers to what is necessary for service delivery

Your Rights Regarding Transfers

If you have questions or concerns about international data transfers, or if you wish to obtain more information about the safeguards we use, please contact us at privacy@nidcom.gov.ng.

Technical Security Measures

• Encryption: Sensitive data is encrypted in transit using TLS/SSL protocols and at rest using industry-standard encryption methods
• Secure Authentication: User accounts are protected with secure password hashing and authentication mechanisms
• Access Controls: Role-based access controls (RBAC) ensure that only authorized personnel can access personal information
• Private Document Storage: Uploaded identity documents and verification materials are stored in secure, private storage with restricted access
• Security Monitoring: Automated monitoring and logging systems detect and respond to suspicious activity
• Regular Updates: Software, systems, and dependencies are regularly updated with security patches

Organizational Security Measures

• Staff access to personal information is granted on a need-to-know basis only
• Authorized personnel are trained on data protection principles and security best practices
• Confidentiality obligations are imposed on staff and contractors
• Security incident response procedures are in place to address breaches promptly
• Regular security assessments and audits are conducted to identify and address vulnerabilities

Limitations of Security

While we strive to protect your personal information, no system can be completely secure. We cannot guarantee absolute security of data transmitted over the internet or stored electronically. You are responsible for maintaining the security of your account credentials and should not share your password with others.

Reporting Security Issues

If you become aware of any security vulnerability or suspect unauthorized access to your account, please contact us immediately at support@nidcom.gov.ng.

Right to Be Informed

You have the right to know how we collect, use, and share your personal information. This Privacy Policy provides that transparency.

Right of Access

You have the right to request access to the personal information we hold about you. You can view and manage much of your information through your account portal, or you may submit a formal request to us.

Right to Rectification / Correction

If your personal information is inaccurate, incomplete, or out of date, you have the right to request corrections. You may update certain information directly in your account settings or contact us for assistance.

Right to Erasure / Deletion ("Right to Be Forgotten")

In certain circumstances, you may request deletion of your personal information, such as when:

• The information is no longer necessary for the purposes for which it was collected
• You withdraw consent (where consent was the basis)
• You object to processing and there are no overriding legitimate grounds
• The information was unlawfully processed

Note: We may retain certain information where required by law or for legitimate purposes such as legal compliance, fraud prevention, or dispute resolution.

Right to Restriction of Processing

You may request that we limit how we use your personal information in certain situations, such as while we verify the accuracy of disputed information or assess your objection to processing.

Right to Object

You have the right to object to processing of your personal information where:

• Processing is based on legitimate interests or public interest
• Your personal information is used for direct marketing purposes
• Your information is used for profiling or automated decision-making

Right to Data Portability

Where technically feasible and legally required, you may request a copy of your personal information in a structured, commonly used, machine-readable format, and may request transmission to another data controller.

Right to Withdraw Consent

If we process your personal information based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority or data protection regulator in your jurisdiction if you believe we have violated your privacy rights.

Relevant authorities may include:

• Nigeria: Nigeria Data Protection Commission (NDPC)
• EU/EEA: Your local data protection authority
• UK: Information Commissioner's Office (ICO)
• Other jurisdictions: Your local privacy regulator or consumer protection authority

Types of Cookies We May Use

• Essential Cookies: Necessary for the platform to function properly, such as authentication, session management, and security features. These cannot be disabled.
• Analytics Cookies: Help us understand how users interact with the platform, which pages are most visited, and how we can improve user experience.
• Functional Cookies: Remember your preferences and settings to provide a personalized experience.
• Performance Cookies: Collect information about platform performance, load times, and technical issues.

Third-Party Analytics

We may use third-party analytics services to help us understand usage patterns and improve the platform. These services may use cookies and similar technologies to collect information about your interactions.

Third-party analytics providers have their own privacy policies. We select providers that respect user privacy and comply with applicable data protection standards.

Managing Cookies

You can control and manage cookies in several ways:

• Browser Settings: Most browsers allow you to view, manage, and delete cookies through settings. You can typically block all cookies or accept/reject them on a case-by-case basis.
• Opt-Out Tools: Some analytics providers offer browser extensions or opt-out mechanisms.
• Do Not Track: If your browser sends a "Do Not Track" signal, we respect that preference where feasible.

Note: Blocking essential cookies may impact platform functionality and prevent you from using certain features.