1. Introduction
Finora Technologies Ltd ("Finora", "we", "us", "our") is committed to protecting your personal data and respecting your privacy rights. This Data Protection Policy outlines our approach to data protection in compliance with the Nigeria Data Protection Regulation (NDPR) issued by the National Information Technology Development Agency (NITDA).
This policy applies to all personal data we process as a data controller through our business management and tax platform ("Finora Platform") accessible at app.finorabusiness.com and related services.
1.1 Scope
This policy covers:
- Personal data of our users, customers, and website visitors
- Data processed through the Finora Platform
- Data collected via our marketing website (finorabusiness.com)
- Data collected through customer support interactions
2. Data Protection Principles
In accordance with NDPR Article 2.1, we adhere to the following data protection principles:
2.1 Lawfulness, Fairness, and Transparency
We process personal data lawfully, fairly, and in a transparent manner. We clearly communicate what data we collect, why we collect it, and how it will be used.
2.2 Purpose Limitation
Personal data is collected for specified, explicit, and legitimate purposes. We do not process personal data in a manner incompatible with those purposes.
2.3 Data Minimization
We only collect personal data that is adequate, relevant, and limited to what is necessary for the purposes of processing.
2.4 Accuracy
We take reasonable steps to ensure personal data is accurate and, where necessary, kept up to date. Inaccurate data is rectified or erased without delay.
2.5 Storage Limitation
Personal data is kept in a form that permits identification of data subjects for no longer than necessary. We have established retention periods for different categories of data.
2.6 Integrity and Confidentiality
We implement appropriate technical and organizational measures to ensure security of personal data, including protection against unauthorized processing, accidental loss, destruction, or damage.
2.7 Accountability
We are responsible for and can demonstrate compliance with these principles.
3. Data Controller Information
Data Controller: Finora Technologies Ltd
Registered Address: [TO BE INSERTED - Company registered address in Nigeria]
CAC Registration Number: [TO BE INSERTED]
Contact Information:
- Email: privacy@finorabusiness.com
- Phone: [TO BE INSERTED]
- Website: https://finorabusiness.com
4. Data Protection Officer (DPO)
In compliance with NDPR requirements, we have appointed a Data Protection Officer responsible for overseeing our data protection strategy and implementation.
Data Protection Officer:
- Name/Title: [TO BE INSERTED]
- Email: dpo@finorabusiness.com
- Phone: [TO BE INSERTED]
4.1 DPO Responsibilities
- Monitoring compliance with NDPR and internal policies
- Advising on data protection impact assessments
- Cooperating with NITDA on regulatory matters
- Acting as a contact point for data subjects
- Managing Data Subject Access Requests (DSARs)
- Coordinating data breach response procedures
5. Categories of Personal Data Processed
We process the following categories of personal data:
5.1 Account Information
- Full name
- Email address
- Phone number
- Password (encrypted)
- Profile photograph (optional)
5.2 Business Information
- Business name
- Business address
- Tax Identification Number (TIN)
- CAC registration number
- Industry/sector
- Annual revenue range
5.3 Financial Data
- Invoice details (amounts, dates, descriptions)
- Receipt data (amounts, vendors, dates)
- Expense records
- Bank account information (for bank integration)
- Tax calculations and filings
5.4 Transaction Data
- Customer and supplier information entered by users
- Product and inventory data
- Payment records
- Journal entries and accounting data
5.5 Technical Data
- IP address
- Browser type and version
- Device information
- Operating system
- Time zone
- Login timestamps
5.6 Usage Data
- Features used within the platform
- Navigation patterns
- Session duration
- Error logs
6. Purposes of Processing
We process personal data for the following purposes:
| Purpose | Legal Basis (NDPR Article 2.2) |
|---|---|
| Providing the Finora Platform services | Contract performance |
| Account creation and authentication | Contract performance |
| Processing invoices and financial data | Contract performance |
| Tax calculations and compliance | Legal obligation |
| Sending service-related communications | Contract performance |
| Customer support | Legitimate interests |
| Platform improvement and analytics | Legitimate interests |
| Marketing communications (with consent) | Consent |
| Fraud prevention and security | Legitimate interests |
| Legal compliance and dispute resolution | Legal obligation |
7. Data Subject Rights
Under NDPR Article 3.1, you have the following rights regarding your personal data:
7.1 Right of Access
You have the right to request confirmation of whether we process your personal data and to obtain a copy of that data.
7.2 Right to Rectification
You have the right to request correction of inaccurate personal data and completion of incomplete data.
7.3 Right to Erasure (Right to be Forgotten)
You have the right to request deletion of your personal data when:
- The data is no longer necessary for the original purpose
- You withdraw consent (where processing was based on consent)
- You object to processing and there are no overriding legitimate grounds
- The data was unlawfully processed
7.4 Right to Restrict Processing
You have the right to request restriction of processing in certain circumstances.
7.5 Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
7.6 Right to Object
You have the right to object to processing based on legitimate interests or for direct marketing purposes.
7.7 Right to Withdraw Consent
Where processing is based on consent, you have the right to withdraw consent at any time.
7.8 How to Exercise Your Rights
To exercise any of these rights, submit a Data Subject Access Request (DSAR) by:
1. Email: dpo@finorabusiness.com
2. In-App: Settings > Privacy > Request My Data
3. Mail: Data Protection Officer, Finora Technologies Ltd, [Address]
Required Information for DSAR:
- Your full name
- Email address associated with your Finora account
- Description of your request
- Preferred format for data (if requesting access/portability)
- Valid identification (for verification)
Response Timeframe: We will respond to your request within one (1) month of receipt, as required by NDPR. This period may be extended by two months for complex requests, in which case we will notify you within the first month.
Fees: We do not charge a fee for processing DSARs unless requests are manifestly unfounded or excessive.
8. International Data Transfers
Your personal data may be transferred to and processed in countries outside Nigeria for the purpose of providing our services. These transfers are necessary because we use cloud infrastructure providers with data centers globally.
8.1 Countries/Regions Where Data May Be Processed
- United States (Cloudflare, Firebase/Google Cloud)
- European Union (backup data centers)
8.2 Safeguards for International Transfers
In accordance with NDPR Article 2.11, we implement the following safeguards:
1. Standard Contractual Clauses: We have executed data processing agreements with our service providers that include standard contractual clauses approved by relevant data protection authorities.
2. Certifications: Our service providers maintain industry-recognized certifications:
- Firebase/Google Cloud: SOC 2 Type II, ISO 27001
- Cloudflare: SOC 2 Type II, ISO 27001
3. Technical Measures: Data is encrypted in transit (TLS 1.2+) and at rest.
4. Access Controls: Strict access controls limit who can access personal data.
9. Security Measures
We implement appropriate technical and organizational measures to protect personal data:
9.1 Technical Measures
- Encryption: All data encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Access Controls: Role-based access control (RBAC) with least privilege principle
- Authentication: Multi-factor authentication available; secure password requirements
- Network Security: Firewalls, DDoS protection, intrusion detection
- Logging: Comprehensive audit logging of data access and modifications
- Backup: Regular encrypted backups with tested recovery procedures
9.2 Organizational Measures
- Employee Training: Regular data protection training for all staff
- Access Management: Formal access request and revocation procedures
- Vendor Assessment: Security assessment of third-party service providers
- Incident Response: Documented incident response procedures
- Policy Review: Annual review of data protection policies and procedures
9.3 Employee Confidentiality
All employees and contractors with access to personal data are bound by confidentiality agreements and receive training on data protection obligations.
10. Data Retention
We retain personal data only as long as necessary for the purposes described in this policy:
| Data Category | Retention Period | Rationale |
|---|---|---|
| Account information | Duration of account + 2 years | Contract and legal claims |
| Financial/tax records | 6 years after creation | Nigerian tax law requirements |
| Audit logs | 2 years | NDPR compliance |
| Marketing consent | Until withdrawn | Consent management |
| Contact form submissions | 2 years | Business purposes |
| Backup data | 90 days | Disaster recovery |
10.1 Account Deletion
Upon account deletion request:
1. Account marked for deletion immediately
2. Data anonymized or deleted within 7 days (NDPR requirement)
3. Backups purged within 90 days
4. Financial records required by law retained in anonymized form for 6 years
11. Data Breach Procedures
In the event of a personal data breach, we follow these procedures:
11.1 Detection and Assessment
- Incident detected through monitoring systems or reports
- Immediate assessment of scope, severity, and affected data subjects
- Containment measures implemented
11.2 Notification to NITDA
In accordance with NDPR requirements, we will notify NITDA within 72 hours of becoming aware of a breach that is likely to result in risk to data subjects' rights and freedoms.
Notification includes:
- Nature of the breach
- Categories and approximate number of data subjects affected
- Name and contact details of the DPO
- Description of likely consequences
- Measures taken or proposed to address the breach
11.3 Notification to Data Subjects
Where a breach is likely to result in high risk to data subjects' rights and freedoms, we will notify affected individuals without undue delay.
11.4 Documentation
All breaches, regardless of severity, are documented, including:
- Facts of the breach
- Effects
- Remedial actions taken
12. Audit and Compliance
12.1 Compliance Monitoring
We conduct regular internal audits to ensure compliance with NDPR and this policy.
12.2 Annual Data Protection Audit
If we process personal data of more than 2,000 data subjects in any 12-month period, we will commission an annual data protection audit as required by NDPR.
12.3 NITDA Filing
We submit the annual data protection audit report to NITDA as required by NDPR.
12.4 Record Keeping
We maintain records of our data processing activities, including:
- Categories of processing
- Purposes
- Data categories
- Recipients
- Transfers
- Retention periods
- Security measures
13. Third-Party Data Processors
We engage trusted third-party processors to help provide our services, including providers for authentication, database infrastructure, content delivery, bank integration, payment processing, and email delivery.
All processors are carefully vetted and bound by data processing agreements in compliance with NDPR requirements. These agreements require our processors to:
- Process data only on our instructions
- Ensure personnel confidentiality
- Implement appropriate security measures
- Assist with data subject requests
- Notify us of data breaches
- Delete data upon termination
For specific inquiries about our data processors, please contact our Data Protection Officer at dpo@finorabusiness.com.
14. Complaints
14.1 Internal Complaints
If you have concerns about how we handle your personal data, please contact our Data Protection Officer at dpo@finorabusiness.com. We will investigate and respond within 30 days.
14.2 Complaints to NITDA
You have the right to lodge a complaint with the National Information Technology Development Agency (NITDA) if you believe your data protection rights have been violated.
NITDA Contact:
- Website: https://nitda.gov.ng
- Email: info@nitda.gov.ng
- Address: National Information Technology Development Agency, Plot 802, Constitution Avenue, Central Business District, Abuja, Nigeria
15. Policy Updates
15.1 Review Schedule
This policy is reviewed annually or whenever there are significant changes to our data processing activities or applicable regulations.
15.2 Change Notification
Material changes to this policy will be communicated through:
- Email notification to registered users
- Prominent notice on our website
- In-app notification
15.3 Version History
| Version | Date | Changes |
|---|---|---|
| 1.0 | [TO BE INSERTED] | Initial policy |
16. Contact Information
For any questions about this Data Protection Policy or our data practices:
General Inquiries:
- Email: privacy@finorabusiness.com
- Website: https://finorabusiness.com/contact
Data Protection Officer:
- Email: dpo@finorabusiness.com
- Phone: [TO BE INSERTED]
Mailing Address:
Finora Technologies Ltd
Attn: Data Protection Officer
[TO BE INSERTED]
Nigeria
This Data Protection Policy demonstrates Finora Technologies Ltd's commitment to protecting personal data in accordance with the Nigeria Data Protection Regulation (NDPR) and best practices in data protection.