Name: Finora
Rating: 4.8 (120 reviews)
Author: Finora

1. Introduction

Finora Technologies Ltd ("Finora", "we", "us", "our") is committed to protecting your personal data and respecting your privacy rights. This Data Protection Policy outlines our approach to data protection in compliance with the Nigeria Data Protection Regulation (NDPR) issued by the National Information Technology Development Agency (NITDA).

This policy applies to all personal data we process as a data controller through our business management and tax platform ("Finora Platform") accessible at app.finorabusiness.com and related services.

1.1 Scope

This policy covers:

Personal data of our users, customers, and website visitors
Data processed through the Finora Platform
Data collected via our marketing website (finorabusiness.com)
Data collected through customer support interactions

2. Data Protection Principles

In accordance with NDPR Article 2.1, we adhere to the following data protection principles:

2.1 Lawfulness, Fairness, and Transparency

We process personal data lawfully, fairly, and in a transparent manner. We clearly communicate what data we collect, why we collect it, and how it will be used.

2.2 Purpose Limitation

Personal data is collected for specified, explicit, and legitimate purposes. We do not process personal data in a manner incompatible with those purposes.

2.3 Data Minimization

We only collect personal data that is adequate, relevant, and limited to what is necessary for the purposes of processing.

2.4 Accuracy

We take reasonable steps to ensure personal data is accurate and, where necessary, kept up to date. Inaccurate data is rectified or erased without delay.

2.5 Storage Limitation

Personal data is kept in a form that permits identification of data subjects for no longer than necessary. We have established retention periods for different categories of data.

2.6 Integrity and Confidentiality

We implement appropriate technical and organizational measures to ensure security of personal data, including protection against unauthorized processing, accidental loss, destruction, or damage.

2.7 Accountability

We are responsible for and can demonstrate compliance with these principles.

3. Data Controller Information

Data Controller: Finora Technologies Ltd

CAC Registration Number: RC 9133658

Contact Information:

Email: privacy@finorabusiness.com
Website: https://finorabusiness.com

4. Data Protection Officer (DPO)

In compliance with NDPR requirements, we have appointed a Data Protection Officer responsible for overseeing our data protection strategy and implementation.

Data Protection Officer:

Title: Office of the Data Protection Officer
Email: dpo@finorabusiness.com

4.1 DPO Responsibilities

Monitoring compliance with NDPR and internal policies
Advising on data protection impact assessments
Cooperating with NITDA on regulatory matters
Acting as a contact point for data subjects
Managing Data Subject Access Requests (DSARs)
Coordinating data breach response procedures

5. Categories of Personal Data Processed

We process the following categories of personal data:

5.1 Account Information

Full name
Email address
Phone number
Password (encrypted)
Profile photograph (optional)

5.2 Business Information

Business name
Business address
Tax Identification Number (TIN)
CAC registration number
Industry/sector
Annual revenue range

5.3 Financial Data

Invoice details (amounts, dates, descriptions)
Receipt data (amounts, vendors, dates)
Expense records
Bank account information (for bank integration)
Tax calculations and filings

5.4 Transaction Data

Customer and supplier information entered by users
Product and inventory data
Payment records
Journal entries and accounting data

5.5 Technical Data

IP address
Browser type and version
Device information
Operating system
Time zone
Login timestamps

5.6 Usage Data

Features used within the platform
Navigation patterns
Session duration
Error logs

6. Purposes of Processing

We process personal data for the following purposes:

Purpose	Legal Basis (NDPR Article 2.2)
Providing the Finora Platform services	Contract performance
Account creation and authentication	Contract performance
Processing invoices and financial data	Contract performance
Tax calculations and compliance	Legal obligation
Sending service-related communications	Contract performance
Customer support	Legitimate interests
Platform improvement and analytics	Legitimate interests
Marketing communications (with consent)	Consent
Fraud prevention and security	Legitimate interests
Legal compliance and dispute resolution	Legal obligation

7. Data Subject Rights

Under NDPR Article 3.1, you have the following rights regarding your personal data:

7.1 Right of Access

You have the right to request confirmation of whether we process your personal data and to obtain a copy of that data.

7.2 Right to Rectification

You have the right to request correction of inaccurate personal data and completion of incomplete data.

7.3 Right to Erasure (Right to be Forgotten)

You have the right to request deletion of your personal data when:

The data is no longer necessary for the original purpose
You withdraw consent (where processing was based on consent)
You object to processing and there are no overriding legitimate grounds
The data was unlawfully processed

7.4 Right to Restrict Processing

You have the right to request restriction of processing in certain circumstances.

7.5 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.

7.6 Right to Object

You have the right to object to processing based on legitimate interests or for direct marketing purposes.

Where processing is based on consent, you have the right to withdraw consent at any time.

7.8 How to Exercise Your Rights

To exercise any of these rights, submit a Data Subject Access Request (DSAR) by:

1. Email: dpo@finorabusiness.com 2. In-App: Settings > Privacy > Request My Data

Required Information for DSAR:

Your full name
Email address associated with your Finora account
Description of your request
Preferred format for data (if requesting access/portability)
Valid identification (for verification)

Response Timeframe: We will respond to your request within one (1) month of receipt, as required by NDPR. This period may be extended by two months for complex requests, in which case we will notify you within the first month.

Fees: We do not charge a fee for processing DSARs unless requests are manifestly unfounded or excessive.

8. International Data Transfers

Your personal data may be transferred to and processed in countries outside Nigeria for the purpose of providing our services. These transfers are necessary because we use cloud infrastructure providers with data centers globally.

8.1 Countries/Regions Where Data May Be Processed

United States (Cloudflare, Firebase/Google Cloud)
European Union (backup data centers)

8.2 Safeguards for International Transfers

In accordance with NDPR Article 2.11, we implement the following safeguards:

1. Standard Contractual Clauses: We have executed data processing agreements with our service providers that include standard contractual clauses approved by relevant data protection authorities.

2. Certifications: Our service providers maintain industry-recognized certifications:

Firebase/Google Cloud: SOC 2 Type II, ISO 27001
Cloudflare: SOC 2 Type II, ISO 27001

3. Technical Measures: Data is encrypted in transit (TLS 1.2+) and at rest.

4. Access Controls: Strict access controls limit who can access personal data.

9. Security Measures

We implement appropriate technical and organizational measures to protect personal data:

9.1 Technical Measures

Encryption: All data encrypted in transit (TLS 1.2+) and at rest (AES-256)
Access Controls: Role-based access control (RBAC) with least privilege principle
Authentication: Multi-factor authentication available; secure password requirements
Network Security: Firewalls, DDoS protection, intrusion detection
Logging: Comprehensive audit logging of data access and modifications
Backup: Regular encrypted backups with tested recovery procedures

9.2 Organizational Measures

Employee Training: Regular data protection training for all staff
Access Management: Formal access request and revocation procedures
Vendor Assessment: Security assessment of third-party service providers
Incident Response: Documented incident response procedures
Policy Review: Annual review of data protection policies and procedures

9.3 Employee Confidentiality

All employees and contractors with access to personal data are bound by confidentiality agreements and receive training on data protection obligations.

10. Data Retention

We retain personal data only as long as necessary for the purposes described in this policy:

Data Category	Retention Period	Rationale
Account information	Duration of account + 2 years	Contract and legal claims
Financial/tax records	6 years after creation	Nigerian tax law requirements
Audit logs	2 years	NDPR compliance
Marketing consent	Until withdrawn	Consent management
Contact form submissions	2 years	Business purposes
Backup data	90 days	Disaster recovery

10.1 Account Deletion

Upon account deletion request: 1. Account marked for deletion immediately 2. Data anonymized or deleted within 7 days (NDPR requirement) 3. Backups purged within 90 days 4. Financial records required by law retained in anonymized form for 6 years

11. Data Breach Procedures

In the event of a personal data breach, we follow these procedures:

11.1 Detection and Assessment

Incident detected through monitoring systems or reports
Immediate assessment of scope, severity, and affected data subjects
Containment measures implemented

11.2 Notification to NITDA

In accordance with NDPR requirements, we will notify NITDA within 72 hours of becoming aware of a breach that is likely to result in risk to data subjects' rights and freedoms.

Notification includes:

Nature of the breach
Categories and approximate number of data subjects affected
Name and contact details of the DPO
Description of likely consequences
Measures taken or proposed to address the breach

11.3 Notification to Data Subjects

Where a breach is likely to result in high risk to data subjects' rights and freedoms, we will notify affected individuals without undue delay.

11.4 Documentation

All breaches, regardless of severity, are documented including:

Facts of the breach
Effects
Remedial actions taken

12. Audit and Compliance

12.1 Compliance Monitoring

We conduct regular internal audits to ensure compliance with NDPR and this policy.

12.2 Annual Data Protection Audit

If we process personal data of more than 2,000 data subjects in any 12-month period, we will commission an annual data protection audit as required by NDPR.

12.3 NITDA Filing

We submit the annual data protection audit report to NITDA as required by NDPR.

12.4 Record Keeping

We maintain records of our data processing activities, including:

Categories of processing
Purposes
Data categories
Recipients
Transfers
Retention periods
Security measures

13. Third-Party Data Processors

We engage trusted third-party processors to help provide our services, including providers for authentication, database infrastructure, content delivery, bank integration, payment processing, and email delivery.

All processors are carefully vetted and bound by data processing agreements in compliance with NDPR requirements. These agreements require our processors to:

Process data only on our instructions
Ensure personnel confidentiality
Implement appropriate security measures
Assist with data subject requests
Notify us of data breaches
Delete data upon termination

For specific inquiries about our data processors, please contact our Data Protection Officer at dpo@finorabusiness.com.

14. Complaints

14.1 Internal Complaints

If you have concerns about how we handle your personal data, please contact our Data Protection Officer at dpo@finorabusiness.com. We will investigate and respond within 30 days.

14.2 Complaints to NITDA

You have the right to lodge a complaint with the National Information Technology Development Agency (NITDA) if you believe your data protection rights have been violated.

NITDA Contact:

Website: https://nitda.gov.ng
Email: info@nitda.gov.ng
Address: National Information Technology Development Agency, Plot 802, Constitution Avenue, Central Business District, Abuja, Nigeria

15. Policy Updates

15.1 Review Schedule

This policy is reviewed annually or whenever there are significant changes to our data processing activities or applicable regulations.

15.2 Change Notification

Material changes to this policy will be communicated through:

Email notification to registered users
Prominent notice on our website
In-app notification

15.3 Version History

Version	Date	Changes
1.0	December 29, 2025	Initial policy

16. Contact Information

For any questions about this Data Protection Policy or our data practices:

General Inquiries:

Email: privacy@finorabusiness.com
Website: https://finorabusiness.com/contact