Data Privacy and Protection Policy

• Introduction

  Eonace Global Nigeria Limited (referred to as "the Company") is committed to protecting the privacy and security of personal data. This policy outlines how the Company collects, processes, and safeguards personal information in compliance with the Nigeria Data Protection Act 2023 (NDPA) and other relevant regulations.

• Definitions

  • Company: Refers to Eonace Global Nigeria Limited, RC 1995633.
  • NDPA: The Nigeria Data Protection Act 2023, governing data protection and privacy in Nigeria.
  • Personal Data: Any information relating to an identifiable person, including but not limited to names, contact details, financial details, and identification numbers.
  • Responsible Person: The Data Protection Officer (DPO) or any other designated officer of the Company responsible for data protection matters.
  • Register of Systems: A documented register of all systems or contexts where personal data is processed by the Company.

• Scope

  This policy applies to all employees, contractors, and third-party vendors of the Company and governs the handling of personal data in all contexts, including deposit and transfer services, bills payment, airtime and data purchases, electricity bill payments, and other related services.

• Principles of Data Protection

  The Company is committed to adhering to the following principles:

  1. Lawfulness, Fairness, and Transparency: Personal data shall be processed lawfully, fairly, and in a transparent manner.
  2. Purpose Limitation: Data shall be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
  3. Data Minimization: Only the data necessary for the intended purpose shall be collected.
  4. Accuracy: Personal data shall be accurate and kept up to date.
  5. Storage Limitation: Data shall not be retained longer than necessary for the purposes for which it is processed.
  6. Integrity and Confidentiality: Data shall be processed securely to protect against unauthorized access, alteration, or disclosure.

• Legal Basis for Processing Personal Data

  The Company processes personal data based on one or more of the following legal bases:

  • The consent of the data subject.
  • Performance of a contract to which the data subject is a party.
  • Compliance with a legal obligation.
  • Protection of vital interests of the data subject or another person.
  • Legitimate interests pursued by the Company or a third party, provided these are not overridden by the rights and freedoms of the data subject.

• Data Collection and Use

  The Company collects personal data for the following purposes:

  • Providing fintech services, including deposits, transfers, bills payment, airtime and data purchases, and electricity bill payment.
  • Facilitating customer verification and authentication.
  • Managing customer relationships and communications.
  • Complying with legal and regulatory requirements.

• Location Data for Address Verification

  We use location data collected through our integration with OkHi to verify your address when unlocking a new account tier. This additional layer of verification helps prevent fraud and ensures that only legitimate users access our enhanced services. Specifically:

  • What is Collected: We collect precise geolocation data (such as GPS coordinates) through OkHi for the purpose of address verification.

  • Purpose of Collection: The location data is used solely to confirm your physical address and to unlock a new account tier. This process is a key component of our fraud prevention measures.

  • How It Helps Prevent Fraud: By verifying your address, we can better authenticate your identity and prevent fraudulent account creation or misuse of our services.

  • Data Handling and Security: The collected location data is stored securely and is processed strictly in accordance with our data protection policies. We do not share this data with third parties except as necessary for delivering our services or as required by law.

  • User Control: You have control over the collection of your location data through your device settings. However, please note that disabling location services may affect your ability to unlock this account tier and benefit from the associated fraud prevention features.

• Data Subject Rights

  Data subjects have the following rights under the NDPA:

  1. Right to Access: Request access to their personal data held by the Company.
  2. Right to Rectification: Request correction of inaccurate or incomplete data.
  3. Right to Erasure: Request deletion of personal data where it is no longer needed or processed unlawfully.
  4. Right to Restriction: Restrict the processing of their data in certain circumstances.
  5. Right to Data Portability: Request transfer of their data to another organization.
  6. Right to Object: Object to the processing of their data for certain purposes, such as direct marketing.
  7. Right to Withdraw Consent: Withdraw consent for data processing at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

• Data Security Measures

  The Company employs the following measures to ensure the security of personal data:

  • Encryption of sensitive data both in transit and at rest.
  • Role-based access controls to restrict data access to authorized personnel only.
  • Regular security assessments and audits.
  • Secure disposal of data and media containing personal information.
  • Employee training on data protection and security practices.

• Data Retention

  The Company retains personal data only for as long as necessary to fulfill the purposes for which it was collected and to comply with legal and regulatory obligations. The following retention periods apply:

  • Customer Identification Data: Retained for 5 years after the end of the customer relationship.
  • Transaction Records: Retained for 7 years after the transaction date.
  • Communication Records: Retained for 3 years.
  • Marketing Data: Retained until consent is withdrawn or 2 years after the last interaction.
  • Security Logs: Retained for 1 year.
  • Backup Data: Retained within a rotational cycle of 6 months to 1 year.

• Third-Party Data Sharing

  The Company may share personal data with third-party service providers, including payment processors, for legitimate purposes. These third parties are contractually obligated to:

  • Use the data solely for the intended purpose.

  • Protect the data in compliance with applicable laws.

• Breach Notification

  In the event of a data breach, the Company shall:

  • Notify the affected individuals and the Nigeria Data Protection Bureau (NDPB) promptly.

  • Take immediate steps to mitigate the impact of the breach.

  • Conduct a post-incident review to prevent future breaches.

• Data Protection Officer (DPO)

  The Company has appointed a Data Protection Officer responsible for:

  • Ensuring compliance with this policy and the NDPA.

  • Serving as the contact point for data subjects and regulatory authorities.

  • Conducting regular data protection audits.

• Policy Review and Updates

  This policy shall be reviewed annually or as required by changes in regulatory requirements or business operations.

• Contact Information

  For inquiries or concerns regarding this policy, please contact:

  Data Protection Officer

  Eonace Global Nigeria Limited

  Email: support@eonace.co