11B Wumego Crescent, Lekki Phase 1 Lagos, Nigeria.

businessconcierge@platoonco.com

(+234) 701 152 5954

© PLATOONCO.COM 2026. All RIGHTS RESERVED.

Data Privacy Policy

Effective date: 22nd April 2026

Scope: This Policy applies to all personal data processed by the Company (employees, contractors, customers, prospects, vendors, website visitors and other data subjects) wherever processed, whether electronic or paper.

1.  Purpose and policy statement

The Company is committed to protecting the privacy and security of personal data and to meeting all legal and regulatory obligations under the Nigeria Data Protection Act 2023 and the Nigeria Data Protection Regulation (NDPR). We process personal data lawfully, fairly, and transparently, and we implement appropriate technical, organisational, and contractual safeguards to protect personal data.

2.  Legal framework and principles

We process personal data in accordance with applicable Nigerian law and international best practice. Processing principles we follow include:

  • Lawfulness, fairness and transparency;
  • Purpose limitation — collected for specified, explicit, legitimate purposes;
  • Data minimisation — adequate, relevant and limited to what is necessary;
  • Accuracy — kept accurate and up to date;
  • Storage limitation — retained only as long as necessary;
  • Integrity and confidentiality — security of processing;
  • Accountability — records of processing and demonstrable compliance.

References: Nigeria Data Protection Act 2023; NDPR implementation guidance.

3.  Scope: What personal data we process

We process categories including (examples):

  • Identity & contact: name, date of birth, national ID, passport, phone, email, address.
  • Employment data: CVs, employment history, payroll details, bank account for salary, tax IDs, pension data, performance appraisals, disciplinary records, medical fitness records (where lawfully required).
  • Customer & transactional data: account details, transaction records, billing and payment history, contractual records, KYC data.
  • Technical & usage data: IP addresses, device identifiers, cookies, access logs.
  • Special categories where necessary: health data (medical fitness), biometric data for access control — processed only where lawful and necessary and with enhanced safeguards.
  • Third-party & supplier data: contact and performance data for vendors and service providers.

4.  Lawful bases for processing

We rely on one or more lawful bases for processing, including:

  • Contractual necessity — to perform a contract (e.g., payroll, employment administration).
  • Legal obligation — to comply with statutory obligations (tax, regulatory reporting, pension).
  • Legitimate interests — pursued by the Company where those interests are not overridden by data subject rights (e.g., fraud prevention, network security, service improvements).
  • Consent — used where explicit consent is required (marketing, profiling where applicable).
  • Vital interests / public interest — only where strictly necessary.

We document the lawful basis for each processing activity in our Records of Processing.

5.  Data subject rights

Data subjects have the following rights and may exercise them by contacting the Company Data Protection Officer (DPO) or privacy team (contact details below):

  • Right of access to personal data;
  • Right to rectification of inaccurate data;
  • Right to erasure (subject to legal and contractual retention obligations);
  • Right to restrict processing in limited circumstances;
  • Right to object to processing (including direct marketing);
  • Right to data portability where technically feasible;
  • Rights relating to automated decision-making and profiling.

We respond within statutory timelines and provide information on how requests are handled, any fees (if lawful), and appeal routes.

6.  Remarketing, Analytics and Targeted Communications

The Company may use Personal Data, including online identifiers, cookies, device information, and interaction data, for analytics, audience measurement, and remarketing purposes, including the delivery of targeted communications and advertisements relating to the Company's products or services.

Remarketing activities may involve the use of third-party platforms, advertising networks, analytics providers, and social media platforms acting as data processors or independent controllers.

Such processing shall be conducted on one or more lawful bases, including:

  • the Data Subject's consent, where required by law; and/or
  • the Company's legitimate interests in promoting its services and improving user engagement, provided such interests are not overridden by the rights and freedoms of the Data Subject.

The Company shall ensure that:

  • remarketing activities are transparent and proportionate;
  • appropriate contractual safeguards are in place with third-party providers;
  • cookies or similar technologies used for remarketing are subject to consent where required;
  • Personal Data used for remarketing is not retained longer than necessary.

Data Subjects shall have the right to opt out of remarketing and targeted communications at any time, including through cookie preference settings, unsubscribe mechanisms, account settings, or by contacting the Company directly.

The Company shall honour opt-out requests promptly and shall not subject Data Subjects to adverse treatment for exercising this right.

7.  Special categories and sensitive data

Processing of health data, biometric identifiers, and other sensitive categories is allowed only where a specific lawful basis exists (e.g., explicit consent, employment necessity for medical fitness, or legal requirement) and only with appropriate safeguards (encryption, access controls, minimisation, and limited retention). Medical records are stored separately and with heightened access controls. NDPR/NDPA expectations on sensitive processing are followed.

8.  Children and minors

We do not knowingly collect personal data from children under 16 without verifiable parental/guardian consent. Where services are directed at minors, we implement verification and parental consent steps as required.

9.  Cookies, trackers & analytics

Our websites use cookies and tracking technologies. Cookie banners and a cookie policy explain categories of cookies, purposes, and how to opt out. We follow recognised cookie-consent best practice. Aggregate analytics data is used for service improvement and is anonymised where possible.

10.  Data protection by design and default

Privacy is embedded into system design and business processes (Privacy by Design). New projects or high-risk processing undergo Data Protection Impact Assessments (DPIAs) in line with international DPIA guidance; DPIAs are mandatory where processing is likely to result in high risk to individuals' rights and freedoms (e.g., large scale processing of financial or biometric data, automated profiling). Templates and procedures for DPIAs are maintained.

11.  Records of Processing (RoPA)

We maintain a comprehensive Record of Processing Activities (RoPA) that documents: purposes, categories of data subjects and personal data, recipients, transfers, retention periods, security measures, and lawful bases. RoPAs are reviewed periodically.

12.  Data retention & deletion

We retain personal data only for as long as necessary to fulfil the purposes stated in our retention schedule and to meet legal obligations. Example retention guidelines (adapt per use case):

  • Job applications (unsuccessful): 6–12 months (unless consent for longer)
  • Employee records: length of employment + 6 years (or as required for tax/pension law)
  • Payroll & tax records: minimum 6 years (or as required by tax law)
  • Financial transaction records: 7 years (or legal requirement)
  • Customer transactional data: as required to provide services + statutory periods

All retention periods are justified in RoPA and subject to periodic review.

13.  Security measures

We maintain a documented information security program that includes:

  • logical access controls and least-privilege permissions;
  • encryption at rest and in transit where practical;
  • multi-factor authentication for sensitive systems;
  • network security (firewalls, IDS/IPS);
  • secure development lifecycle and code review;
  • vulnerability management and regular patching;
  • endpoint controls;
  • secure backups and tested recovery plans;
  • physical security for facilities and paper records;
  • strict vendor/processor onboarding and security questionnaires.

Technical and organisational measures are reviewed and tested periodically.

14.  Processors, vendors and Data Processing Agreements

When we engage processors (cloud providers, payroll processors, analytics providers), we:

  • carry out due diligence on security and compliance;
  • enter written Data Processing Agreements that bind processors to NDPA/NDPR standards and to act only on our instructions;
  • require processors to implement technical and organisational measures commensurate with the risk;
  • reserve audit and inspection rights;
  • keep a register of processors and a template DPA annex for common vendor types.

15.  Cross-border transfers

Transfers of personal data outside Nigeria are permitted only where adequate safeguards exist and in compliance with NDPA/NDPR (e.g., adequacy decision, SCCs/appropriate contractual clauses, binding corporate rules, or specific NDPC permissions). Transfers are assessed and logged; additional controls are applied to sensitive data.

16.  Breach management & notification

We maintain an incident response plan:

  • All staff and contractors must report suspected incidents immediately to the privacy/security team.
  • The Company investigates and implements containment and remediation.
  • Where a breach is likely to result in a risk to data subjects' rights and freedoms, the Company notifies the NDPC and affected data subjects within statutory timelines and with required content (nature of breach, likely consequences, measures taken).
  • We keep a breach register and conduct post-incident reviews to strengthen controls.

Note: Recent NDPC enforcement actions underline regulator scrutiny and financial penalties for non-compliance — timely notification and remediation are essential.

17.  Subject Access Request (SAR) procedure

A clear SAR process is implemented:

  • Requests submitted via the designated channel (email/portal) with ID verification.
  • Standard acknowledgement within [5] business days and full response within statutory timeframes.
  • Fees only where justified by law; excessive or manifestly unfounded requests may be handled per policy.

18.  Data Protection Officer (DPO) and contact

The Company has a DPO / responsible privacy contact to oversee compliance. Contact details:

Data Protection Officer / Privacy Contact

Name: Chukwuebuka Azubuike

Email: dataprivacy@platoonco.com

Postal address: 11B Wumego Crescent, Lekki Phase 1 Lagos, Nigeria.

19.  Training, awareness and audits

We run regular privacy and security training for staff, role-specific sessions for those processing sensitive data, and awareness campaigns. Annual internal and third-party audits assess compliance; results feed remediation plans.

20.  Privacy impact assessments & project review

All new systems, significant changes, or high-risk processing require a DPIA and sign-off by privacy and security leads before go-live. DPIA templates and review checklists are maintained and saved with project records.

21.  Workforce & employee data handling

Employee personal and sensitive data processing is limited to HR, payroll, and authorised security teams; access is logged and controlled. Medical and fitness data are stored separately with restricted access. Any workplace monitoring (CCTV, device monitoring) is disclosed to staff with lawful basis and minimisation measures.

22.  Marketing, profiling and automated decisions

Marketing communications are by consent or legitimate interest where lawful; opt-out mechanisms are provided. Where automated decision-making or profiling materially affects individuals, we document logic, perform DPIAs, and provide human review mechanisms.

23.  Children & vulnerable data subjects

Additional safeguards apply to children's data (parental consent) and to processing that may affect vulnerable persons (additional controls, minimal collection, clear lawful basis).

24.  Vendor checklist & Onboarding Requirements

Before onboarding a data-processing vendor we require:

  • evidence of security controls (ISO 27001 certification, SOC 2 report, penetration test reports, etc.);
  • signed DPA with NDPA-aligned clauses;
  • audit/reporting obligations;
  • sub-processor lists and consent routes;
  • incident notification SLA (max 24 hours for material incidents).

25.  Contracts, agreements & public privacy notice

This Policy sits alongside more detailed contracts and public notices:

  • public Privacy Notice / Website Policy;
  • internal Records of Processing (RoPA) and DPIA templates;
  • standard Data Processing Agreement (DPA) annex for vendors.

26.  Enforcement, sanctions and remedial steps

Failure by staff to follow this Policy may result in disciplinary action including dismissal. Non-compliant vendors may have contracts terminated and be subject to claims for damages. The NDPC has the power to investigate and impose sanctions — organisations must prioritise compliance.

27.  Review and governance

This Policy is reviewed annually or upon material change to the law, business model, or risk profile. The privacy governance committee / DPO is responsible for updates and for ensuring Board oversight.