1. Introduction and Compliance
COOPERATIV ("we," "our," or "us") is committed to protecting the fundamental rights and freedoms, and the interests of Data Subjects, as guaranteed under the Constitution of the Federal Republic of Nigeria and the Nigeria Data Protection Act (NDPA) 2023.
This policy outlines how we, as a Data Controller, process the personal data of our customers, employees, and website visitors in line with the NDPA's principles of lawfulness, fairness, and transparency.
2. Data Protection Officer (DPO) and Commission
The responsibility for data protection compliance rests with our designated Data Protection Officer (DPO).
- Data Protection Officer (DPO)
- Adeniyi Shobowale
- DPO Email
- support@getcooperativ.com
- DPO Phone
- 08127126592
- Office Address
- 5 Akinola Adeniyi Street, Soluyi, Gbagada
3. Personal Data Processed
We adhere to the principles of Data Minimisation (collecting only what is necessary) and Purpose Limitation (using data only for specified, legitimate purposes).
| Category of Data Subject | Type of Personal Data Collected | Purpose of Processing | Lawful Basis (NDPA Section 25) |
|---|---|---|---|
| Business Contacts / Clients | Name, job title, work email, phone, company details. | Contract management, service billing, relationship maintenance. | Performance of a Contract |
| Software Users | User ID, login activity, system interaction logs. | Granting access, ensuring security, delivering contracted service functionality. | Performance of a Contract |
| Marketing Leads / Visitors | Email, IP address, browsing data, demographic information. | Sending promotional materials, improving website user experience. | Consent (Freely given, specific, informed, and unambiguous) |
| Job Applicants | CV, educational records, professional history, reference checks. | Recruitment, internal personnel management. | Legitimate Interest (when overriding Data Subject rights) or Contract |
4. Consent Requirements (Section 26, NDPA)
Where we rely on Consent as the lawful basis for processing (e.g., for marketing or non-essential cookies):
- Consent is sought by an affirmative action and communicated in a clear, simple, and transparent manner. Silence, inactivity, or pre-selected options shall not constitute valid consent.
- You have the absolute right to withdraw your consent at any time. Withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.
5. Data Security, Integrity, and Confidentiality
In line with Section 39 of the NDPA, we implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
Measures include: data encryption, access control policies, regular security audits, and staff data protection training.
Data Breach: In the event of a personal data breach that is likely to result in a high risk to your rights, we will notify the NDPC and affected Data Subjects without undue delay.
6. Data Subject Rights (Part VI, NDPA)
As a Data Subject under the NDPA, you have the following rights, which you can exercise by contacting our DPO:
- Right to be Informed: The right to know what personal data is being processed, why, how, and for how long.
- Right to Access: The right to obtain confirmation as to whether your personal data is being processed and, where it is, access to the data.
- Right to Rectification: The right to request the correction of inaccurate or incomplete personal data.
- Right to Erasure (Right to be Forgotten): The right to have your personal data deleted, especially when the data is no longer necessary for the original purpose or consent is withdrawn.
- Right to Restrict Processing: The right to temporarily limit the use of your data under certain conditions.
- Right to Data Portability: The right to receive your personal data in a structured, commonly used, and machine-readable format, and transmit that data to another Data Controller.
- Right to Object: The right to object to the processing of your personal data, especially where the basis is Legitimate Interest or for Direct Marketing (which is an absolute right).
- Right to Withdraw Consent: The right to withdraw consent at any time.
- Right to Lodge a Complaint: The right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) if you believe our processing violates the NDPA.
7. Cross-Border Transfer of Personal Data (Part VIII, NDPA)
Cooperativ may transfer your personal data outside Nigeria, particularly if our cloud servers or specialized service providers are located internationally. We will only do so if we ensure an adequate level of protection for the data.
This adequacy is ensured through:
- Adequacy Decisions: Transferring data to a country deemed by the NDPC to have adequate data protection laws.
- Standard Contractual Clauses (SCCs): Implementing Commission-approved contractual clauses that impose NDPA-compliant obligations on the recipient.
8. Responsibility as a Data Processor
Where Cooperativ provides software services to a client (who is the Data Controller), and processes that client's customer data on their behalf, our processing is governed by a Data Processing Agreement (DPA) with that client, ensuring compliance with the NDPA.
If you are an end-user of one of our clients, you must direct your privacy rights requests (e.g., access, deletion) to the client (the Data Controller).
9. Changes to This Policy
This policy will be reviewed and updated periodically to reflect changes in our data processing practices or amendments to the NDPA. The latest version will always be available on our website.
