Last Updated: January 29, 2026

1. Introduction

This Privacy Policy explains how ETHEGEN (referred to as the “Company”) collects, processes, stores, protects, and uses Client Data in connection with the provision of its digital services (the “Service”).

This Privacy Policy applies to all Clients who access or use the Service and to Users authorised by the Client to interact with the Service. By using the Service, Clients acknowledge and agree to the practices described in this Privacy Policy.

The purpose of this Privacy Policy is to:

  • Provide transparency regarding how Client Data is handled through the Service;
  • Describe the Company’s role and responsibilities in relation to Client Data;
  • Explain the rights available to Clients and Users under applicable data protection laws, including the Nigeria Data Protection Regulation (NDPR); and
  • Outline the measures implemented to protect Client Data.

This Privacy Policy forms part of the contractual framework governing the relationship between ETHEGEN and the Client and is incorporated by reference into the Company’s Terms and Conditions.

This Privacy Policy does not:

  • Govern the internal data handling practices, systems, or policies of Clients or their Users;
  • Apply to personal data processed by the Client outside the Service, including data collected through the Client’s own websites, applications, or offline activities;
  • Cover third-party products, services, platforms, or integrations that the Client may connect to or use in conjunction with the Service, which are subject to their own privacy policies and terms;
  • Replace or override the Company’s Terms and Conditions, Acceptable Use Policy, or any applicable Data Processing Agreement, which separately govern contractual rights, liabilities, and data processing obligations.

2. Definitions

For the purposes of this Privacy Policy, the following terms shall have the meanings set out below. Defined terms may be used in the singular or plural as the context requires.

“Client”

Means any company, organization, or legal entity that has entered into an agreement with the Company to use the Service, including its authorised representatives.

“Users”

Means individuals authorised by the Client to access or use the Service on the Client’s behalf, including employees, contractors, agents, or other designated persons.

“Client Data”

Means all data, information, content, records, materials, or inputs uploaded, submitted, generated, transmitted, or otherwise made available through the Service by or on behalf of the Client or its Users, including personal data and business data.

“Personal Data”

Means any information relating to an identified or identifiable natural person, as defined under applicable data protection laws, including the Nigeria Data Protection Regulation (NDPR).

“Usage Data”

Means technical, operational, and statistical data arising from Service interactions.

“Processing” / “Process”

Has the meaning assigned under applicable data protection laws and includes any operation performed on data, such as collection, storage, use, modification, disclosure, transmission, or deletion.

“Applicable Data Protection Laws”

Means all data protection, privacy, and cybersecurity laws and regulations applicable to the processing of Client Data, including the Nigeria Data Protection Regulation (NDPR), and any successor or related legislation.

Technical & Operational Definitions

“Service”: Means the Company’s digital application, platform, software, tools, and related services provided to the Client, including all features, updates, and functionalities made available through it.

“Application”: Means the software application or web-based platform operated by the Company through which the Service is delivered.

“Third-Party Services”: Means external systems, platforms, software, or services not operated by the Company that the Client connects to, integrates with, or uses in conjunction with the Service.

“Sub-processor”: Means any third party engaged by the Company to process Client Data on the Company’s behalf for the purpose of providing the Service, such as hosting, backup, or infrastructure providers.

“Security Incident”: Means a confirmed or reasonably suspected event that results in unauthorised access to, disclosure of, loss of, or alteration of Client Data.

3. Data Collection

The Company collects and processes personal data only to the extent necessary for the specific, explicit, and legitimate purposes of providing, operating, maintaining, securing, and improving the Service, in compliance with the principles of personal data processing under the Nigeria Data Protection Act 2023 (NDPA), including lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality (security), and accountability.

The Company adheres strictly to data minimisation by collecting only the data that is adequate, relevant, and limited to what is reasonably necessary to fulfil these purposes. Where practicable, data is anonymised or aggregated to further reduce identifiability. The Company demonstrates accountability by maintaining records of processing activities, implementing appropriate technical and organisational measures, and ensuring ongoing compliance with applicable law.

Personal data may be collected through the following channels:

3.1 Data Provided Directly by the Client or Users

The Company collects Client Data and personal data that Clients or their authorised Users voluntarily and deliberately submit through the Service. This includes, but is not limited to:

  • Business records, operational data, documents, files, and other content uploaded to the Service;
  • Information entered into forms, fields, configuration settings, or other inputs within the Application;
  • Data generated from User actions and interactions while using the Service;
  • Administrative instructions or inputs provided through the Client’s authorised admin account.

The nature, type, and volume of such data depend on the Client’s specific use case, configuration, and instructions. Clients are responsible for ensuring that any personal data submitted is processed on a valid lawful basis (e.g., consent, contract performance, or legitimate interests) and that they have obtained any required consents or authorisations from data subjects.

3.2 User and Usage Data (Technical and Operational Data)

The Company automatically collects certain technical, operational, and usage-related data (Usage Data) arising from interactions with the Service. This may include:

  • Log files, timestamps, session durations, access records, and IP addresses;
  • Feature usage patterns, interaction behaviours, and performance metrics;
  • Device information (e.g., device type, browser type/version, operating system);
  • Network-related information;
  • Error reports, crash logs, diagnostic data, and system activity logs;
  • In the context of cybersecurity services (where applicable), security event data such as threat detections and incident logs.

Usage Data is collected and processed primarily for the following legitimate purposes:

  • Monitoring and ensuring system performance, availability, and reliability;
  • Detecting, preventing, investigating, and responding to security incidents, threats, or breaches;
  • Troubleshooting, debugging, and providing technical support;
  • Analysing trends to improve, train, enhance, and develop the Service.

To the greatest extent practicable, Usage Data is processed in anonymised, pseudonymised, or aggregated form so as not to identify individuals. Collection is limited to what is necessary, and data is retained only as long as required for these purposes.

3.3 Data from Third-Party Services and Integrations

Where a Client configures the Service to connect or integrate with third-party systems, platforms, or services (Third-Party Services), the Company may receive and process personal data or other information made available through such integrations, strictly in accordance with the Client’s explicit instructions and configurations.

The Client acknowledges and agrees that:

  • The Company does not control Third-Party Services and is not responsible for their privacy practices;
  • Any data obtained from Third-Party Services is governed by the Client’s agreements with those third parties;
  • The Client is solely responsible for ensuring that sharing such data with the Company is lawful, authorised, and compliant with applicable laws (including obtaining any necessary consents or establishing other lawful bases under the NDPA).

3.4 Administrative and Access Data

The Company collects information necessary for account administration, access control, and security, including:

  • Admin account credentials, permissions, and roles;
  • User access levels, roles, and activity history;
  • Audit logs of configuration changes, access grants, system actions, and security events.

This data is processed to ensure proper service delivery, enforce accountability, maintain security, and comply with legal obligations.

3.5 Communications and Support Data

When Clients or Users contact the Company (via email, in-app messaging, support tickets, requests for demos, registration, or other channels), the Company may collect and retain:

  • Contact details (e.g., name, email address, phone number);
  • Organisation name, job title, and related identifiers;
  • Content of communications, support requests, feedback, and correspondence.

Such data is processed solely to respond to inquiries, provide support, resolve issues, improve service quality, and maintain accurate records of interactions.

3.6 Billing and Payment-Related Data

Where applicable, limited billing and payment information may be collected as necessary to process transactions (e.g., organisation details for invoicing). The Service does not collect, store, or process sensitive financial authentication data such as full payment card details or bank account credentials unless explicitly required and processed through secure, compliant third-party payment processors. Clients are responsible for compliance with relevant payment regulations.

3.7 Data Not Intentionally Collected

The Service does not intentionally collect or process:

  • Sensitive personal data (as defined under the NDPA, including data revealing health, biometric/genetic information, race/ethnic origin, political opinions, religious beliefs, trade union membership, sex life, or other categories specified by the Nigeria Data Protection Commission);
  • Payment card details, bank account information, or financial authentication credentials beyond what is strictly necessary and handled via secure third-party processors;
  • Biometric, genetic, or other special category data unless explicitly instructed by the Client, required for the Service, and permitted by law with appropriate safeguards.

If such data is inadvertently submitted contrary to this policy, it will be treated as Client Data, processed only in accordance with the Client’s instructions and applicable law (including any required data privacy impact assessments), and deleted where possible without compromising service integrity or legal obligations.

3.8 Data Minimisation and Purpose Limitation

In line with the NDPA, the Company applies strict data minimisation and purpose limitation principles. Personal data is collected only for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes. Clients are strongly encouraged to configure the Service and limit submissions to exclude unnecessary personal or sensitive data. The Company implements measures to ensure data accuracy, relevance, and non-excessiveness.

All processing is conducted on a valid lawful basis under the NDPA (e.g., performance of a contract with the Client, legitimate interests of the Company where balanced against data subject rights, legal obligations, or consent where required). The Company provides transparent information about processing activities through this Privacy Policy and encourages Clients to review and communicate relevant details to their Users/data subjects.

4. Client Data Ownership, Control, and Permitted Processing

4.1 Ownership of Client Data

All data, information, records, content, files, materials, or outputs uploaded, submitted, generated, transmitted, stored, or otherwise made available through the Service by or on behalf of the Client or its authorised Users (collectively, Client Data) remain the sole and exclusive property of the Client (or its licensors, as applicable). The Company claims no ownership, title, intellectual property rights, or proprietary interest in Client Data. Nothing in this Privacy Policy, the Terms of Service, or any other agreement shall be interpreted as assigning, transferring, or granting any such rights to the Company.

4.2 Roles under Applicable Data Protection Laws

In relation to Client Data that constitutes personal data (as defined in the Nigeria Data Protection Act 2023 (NDPA)), the Client acts as the data controller and bears primary responsibility for determining the purposes and means of processing. The Company acts solely as a data processor (or sub-processor where applicable), processing Client Data strictly in accordance with the Client's documented instructions, this Privacy Policy, the applicable agreement(s) between the parties (including any Data Processing Addendum), and the requirements of the NDPA.

The Company processes personal data as an independent data controller only in limited circumstances, such as for its own operational needs, security monitoring, compliance with legal obligations, or fraud prevention, where such processing is necessary and proportionate. In all cases, the Company complies with the NDPA principles (Section 24) and relies on a valid lawful basis under Section 25 of the NDPA.

4.3 Lawful Bases for Processing Personal Data

The Company processes personal data incorporated in Client Data or otherwise collected only on one or more of the following lawful bases under Section 25 of the NDPA:

  • Performance of a contract to fulfil the Company's obligations under the agreement with the Client, including providing, operating, maintaining, supporting, and securing the Service, or to take steps at the Client's request prior to entering into such contract.
  • Legitimate interests pursued by the Company or a third party, provided such interests are not overridden by the fundamental rights and freedoms of data subjects. The Company conducts legitimate interests assessments where required, balancing its interests (e.g., service improvement, security, operational efficiency) against data subject rights.
  • Legal obligation to comply with applicable laws, regulations, court orders, or lawful requests from competent authorities.
  • Consent where explicitly obtained and required (e.g., for certain optional features or marketing communications), and in a manner that is freely given, specific, informed, and unambiguous, with easy withdrawal.
  • Other bases as permitted under the NDPA (e.g., vital interests or public task, where relevant).

The Company shall not process personal data without a documented lawful basis and shall cease processing if the basis no longer applies.

4.4 Permitted Processing and Use of Client Data

The Company shall access, use, disclose, or otherwise process Client Data exclusively for the following strictly limited purposes:

  • Delivering, configuring, and maintaining the Service as requested or configured by the Client;
  • Providing technical support, troubleshooting, error resolution, and customer assistance;
  • Monitoring for, detecting, preventing, investigating, and responding to security threats, incidents, unauthorised access, or abuse of the Service;
  • Ensuring system integrity, reliability, and performance;
  • Generating anonymised, pseudonymised, or aggregated statistical or technical data derived from Client Data or Usage Data for the sole purpose of analysing trends, improving Service functionality, developing new features, enhancing security algorithms, training machine learning models, or conducting research, provided such data no longer identifies the Client, its Users, or any data subjects and cannot be re-identified;
  • Fulfilling administrative, billing, accounting, or operational tasks necessary for Service provision;
  • Complying with legal, regulatory, or contractual obligations (including audits or cooperation with authorities).

The Company expressly prohibits and shall not:

  • Use Client Data for its own marketing, advertising, or promotional purposes;
  • Sell, rent, lease, license, monetise, or disclose Client Data to third parties for their independent commercial benefit;
  • Process Client Data for any purpose incompatible with the above or contrary to the Client's instructions;
  • Combine Client Data with other datasets in a way that identifies individuals unless authorised.

Any processing beyond these purposes requires the Client's prior explicit written authorisation.

4.5 Usage Data and Service Enhancement

The Company collects and processes Usage Data primarily on the basis of contract performance and legitimate interests. Anonymised or aggregated Usage Data may be used indefinitely for Service improvement, AI/ML training, threat intelligence sharing (without Client-identifying information), or industry reporting, in full compliance with NDPA data minimisation and purpose limitation principles.

4.6 Client Control, Responsibilities, and Warranties

The Client retains absolute control over:

  • The nature, content, and volume of Client Data submitted or generated;
  • Which individuals' personal data (if any) is included;
  • Processing purposes, retention periods, deletion, export, or rectification requests (subject to the Company's technical capabilities and legal/back-up obligations).

The Client warrants and undertakes that:

  • All Client Data is collected and processed lawfully, with appropriate lawful bases under the NDPA;
  • Any required consents from data subjects have been validly obtained and documented;
  • Client Data does not infringe third-party rights or violate applicable laws;
  • The Client shall indemnify the Company against claims arising from unlawful or unauthorised Client Data.
  • The Company does not monitor, verify, or assume responsibility for the legality, accuracy, quality, or content of Client Data and disclaims liability for any issues arising therefrom.

4.7 No Additional Rights Granted

No provision herein grants the Company any licence, right, or permission to use Client Data beyond what is explicitly stated. All processing is subject to the NDPA, including accountability, security, and data subject rights obligations. The Company maintains records of processing activities and implements appropriate technical and organisational measures to protect Client Data.

This section shall be interpreted to maximise enforceability and compliance with the NDPA and shall prevail over any conflicting provision to the extent necessary to ensure such compliance.

5. Data Sharing, Sub-Processors, Third-Party Integrations, and Cross-Border Transfers

5.1 General Restrictions on Sharing

The Company shall not sell, rent, lease, license, monetise, or commercially exploit Client Data or personal data in any way.

Sharing or disclosure of Client Data (including personal data) is strictly limited to:

  • Authorised sub-processors (as detailed in 5.2) engaged to support Service provision;
  • Competent legal, regulatory, or governmental authorities when required by applicable law, court order, or binding request;
  • Other third parties only with the Client’s prior explicit written authorisation.

Anonymised, pseudonymised, or aggregated Usage Data (incapable of identifying the Client, Users, or data subjects) may be shared or used for Service improvement, AI/ML training, threat intelligence, research, or industry reporting, in compliance with NDPA data minimisation and purpose limitation principles.

5.2 Sub-Processors

The Company may engage third-party sub-processors to process Client Data solely on its behalf and under its instructions. Examples include:

  • Cloud infrastructure and hosting providers;
  • Backup, disaster recovery, and storage services;
  • Analytics, monitoring, and logging providers;
  • Technical support or operational vendors.

The Company remains fully liable for sub-processor compliance. It shall:

  • Enter into written data processing agreements with each sub-processor imposing obligations at least as protective as those in this Privacy Policy and the NDPA (including security, confidentiality, purpose limitation, and audit rights);
  • Ensure sub-processors implement appropriate technical and organisational measures;
  • Maintain an up-to-date list of sub-processors (available upon reasonable request);
  • Notify the Client of new or replacement sub-processors in advance where practicable, allowing the Client to object on reasonable data protection grounds.

5.3 Third-Party Integrations

When the Client configures integrations with third-party services (e.g., APIs, SaaS platforms), the Client:

  • Warrants it has all necessary authority, consents, and lawful bases to share data with the Company;
  • Confirms such sharing complies with applicable laws and third-party terms;
  • Instructs the Company on data access and processing for Service delivery.

The Company processes third-party-sourced data strictly per Client instructions and is not responsible for privacy practices, security, or compliance of those third-party services.

5.4 Cross-Border Transfers

Personal data may be transferred, stored, or processed outside Nigeria (including in jurisdictions without NDPA-equivalent protections).

In line with Sections 41–43 of the NDPA, the Company shall not transfer personal data outside Nigeria unless one or more of the following apply:

  • The recipient is subject to a law, binding corporate rules (BCRs), standard contractual clauses (SCCs), code of conduct, or approved certification mechanism that provides an adequate level of protection consistent with the NDPA;
  • An adequacy decision has been made by the Nigeria Data Protection Commission (NDPC) for the destination country, sector, or transfer mechanism;
  • Other permitted bases under Section 43 (e.g., explicit informed consent after risk notification, contract performance, vital interests, legal claims, or public interest).

The Company implements appropriate safeguards (e.g., NDPC-approved SCCs or equivalent contractual clauses, technical measures like encryption) to ensure protection. Where required, transfers are documented, and risks assessed. The Client, by using the Service, consents to such transfers necessary for Service provision, subject always to these safeguards and NDPA compliance.

5.5 Compelled Disclosures

The Company may disclose Client Data or personal data if compelled by law, regulation, court order, or lawful governmental request. Where legally permitted and practicable (without risking non-compliance), the Company will promptly notify the Client of the request and cooperate reasonably to challenge or minimise disclosure.

This section is interpreted to ensure strict NDPA compliance (including accountability, security, and data subject rights). The Company maintains records of transfers and safeguards, and this prevails over conflicting terms to the extent needed for legal enforceability.

6. Data Subject Rights, Security Measures, and Incident Response

6.1 Data Subject Rights

In accordance with the Nigeria Data Protection Act 2023, particularly Sections 34–39, data subjects (including Users whose personal data may be processed as part of Client Data) have the following rights, which the Company respects to the extent applicable as a data processor or controller:

  • Right to information: to receive clear, transparent details about processing activities (provided via this Privacy Policy and other notices);
  • Right of access: to obtain confirmation of whether their personal data is processed and, where applicable, access copies of such data;
  • Right to rectification: to request correction, completion, or update of inaccurate, incomplete, outdated, or misleading personal data;
  • Right to erasure (right to be forgotten): to request deletion of personal data where it is no longer necessary, consent is withdrawn, processing is unlawful, or other NDPA grounds apply;
  • Right to restriction of processing: to request restriction (e.g., while accuracy is contested, processing is unlawful but erasure is opposed, or for establishing/defending legal claims);
  • Right to data portability: to receive personal data in a structured, commonly used, machine-readable format and transmit it to another controller (where technically feasible and processing is based on consent or contract);
  • Right to object: to object to processing based on legitimate interests, direct marketing, or profiling (with absolute objection to marketing);
  • Rights related to automated decision-making: to not be subject to solely automated decisions with legal or significant effects, and to obtain human intervention/explanation;
  • Right to withdraw consent: at any time, where processing relies on consent, as easily as it was given;
  • Right to lodge a complaint: with the Nigeria Data Protection Commission (NDPC) if rights are infringed.

As a data processor for Client Data, the Company processes such requests in accordance with the Client’s instructions and NDPA requirements. The Client (as data controller) is primarily responsible for handling and responding to data subject requests. Where the Company receives a direct request, it will forward it to the Client promptly and assist as reasonably required. Requests are handled free of charge (unless manifestly unfounded or excessive), within reasonable timeframes, and with verification of the requester’s identity where necessary.

6.2 Security Measures

In compliance with Section 39 of the Nigeria Data Protection Act 2023 (NDPA), the Company, as data processor (or controller where applicable), implements appropriate technical and organisational measures to ensure the security, integrity, and confidentiality of personal data and Client Data, protecting against unauthorised or unlawful processing, accidental loss, destruction, damage, alteration, misuse, unauthorised disclosure, or access.

These measures are proportionate to the risks and include:

  • Encryption of data in transit (e.g., TLS) and at rest where appropriate and technically feasible;
  • Strict access controls, including role-based access, least-privilege principles, secure authentication, and multi-factor authentication (MFA) for administrative accounts;
  • Network and system monitoring, intrusion detection/prevention, firewalls, and segmentation;
  • Regular vulnerability assessments, penetration testing, security audits, software patching, and updates;
  • Employee confidentiality agreements, security awareness training, and background screening;
  • Backup, disaster recovery, and business continuity procedures.

The Company aligns its practices with recognised standards (e.g., ISO 27001 principles and SOC 2 Type II where relevant) to maintain a high level of protection. While we use commercially reasonable and industry-accepted means to safeguard data, no method of electronic transmission or storage is 100% secure. Absolute security cannot be guaranteed due to evolving threats, but the Company is committed to ongoing enhancement and risk mitigation.

6.3 Guardrails and Access Limitations

The Service incorporates built-in guardrails to prevent misuse, unsafe operations, or harmful activities. The Client acknowledges that Users may attempt to circumvent these; the Company is not liable for consequences arising from deliberate overrides.

Any Company access to Client systems or third-party integrations is strictly limited, time-bound, and necessary for Service delivery/support. The Client warrants it has authority to grant such access without breaching laws or agreements.

6.4 Security Incidents and Breach Notification

In the event of a personal data breach (as defined in the NDPA):

  • The Company will investigate promptly, contain the breach, and take remedial steps.
  • As data processor, the Company notifies the Client (data controller) without undue delay upon becoming aware of a breach affecting Client Data.

Where the Company is the controller (e.g., for its own Usage Data), or as required, the Company will:

  • Notify the NDPC within 72 hours of becoming aware of a breach likely to result in a risk to data subjects’ rights and freedoms (Section 40), including nature, categories affected, approximate numbers, consequences, and remedial actions;
  • If the breach is likely to result in high risk, notify affected data subjects without undue delay (in clear language, with details and mitigation advice).

The Company maintains records of all breaches (facts, effects, remedial actions) for accountability and NDPC review. Liability for incidents remains subject to the limitations in the Terms and Conditions.

6.5 Service Improvement and Anonymised Data

The Company may use anonymised, pseudonymised, or aggregated technical/usage data (incapable of identifying individuals) to monitor threats, enhance security, improve performance, update protections, and train models, in full compliance with NDPA principles.

7. Data Retention, Access, Deletion, and Policy Updates

7.1 Data Retention and Storage Limitation

In accordance with the Nigeria Data Protection Act (NDPA), which requires storage limitation, the Company retains personal data and Client Data only for as long as necessary to fulfil the purposes for which it was collected or processed, including:

  • Providing, operating, maintaining, supporting, and improving the Service;
  • Complying with legal, regulatory, tax, accounting, or contractual obligations;
  • Defending or establishing legal claims;
  • Facilitating necessary backups, disaster recovery, or archival purposes (anonymised or pseudonymised where possible).

Retention periods are determined based on the specific purpose, nature of the data, and applicable legal requirements. Once no longer required, personal data and Client Data shall be securely deleted, destroyed, or irreversibly anonymised, unless the Client provides explicit written instructions to retain it longer or law mandates continued retention. The Company does not retain data indefinitely and periodically reviews retention needs to ensure compliance with NDPA principles.

7.2 Policy Updates and Notification

The Company may revise this Privacy Policy to reflect Service changes, evolving practices, legal developments (including NDPA amendments or NDPC guidance), or improved transparency.

  • Material changes (e.g., new processing purposes, reduced rights, or altered safeguards) will be notified to Clients in advance via in-Service notifications, email to the registered admin/contact, or other direct channels.
  • Minor updates may be posted with the revised effective date on the policy page.
  • Continued use of the Service after the effective date of updated terms constitutes acceptance.

The Company maintains a change log or version history for transparency. Clients are responsible for reviewing the current Privacy Policy regularly to stay informed of applicable terms, rights, and obligations.

7.4 Enforceability and Compliance

This section is interpreted and applied to ensure strict adherence to NDPA principles (including storage limitation, accuracy, accountability, and data subject rights under Sections 24 and 34–39). It prevails over conflicting provisions to the extent required for NDPA compliance. The Company demonstrates accountability through retention reviews, request logs, and appropriate measures.

8. Contact Information and Reporting Concerns

8.1 Data Protection Contact

For any questions, concerns, or requests regarding this Privacy Policy or the processing of Client Data, Clients may contact us at our email:

security@ethegen.com

All inquiries will be addressed promptly.