This Data Protection Policy describes how Inventino Technologies Ltd. ("we", "us") fulfils its obligations as a Data Controller under the Nigeria Data Protection Act 2023 (NDPA) and the Nigeria Data Protection Regulation 2019 (NDPR). It applies to all personal data we process in connection with our platform and services.
1. Scope & Purpose
This policy applies to:
- Personal data of individuals who register for and use the Inventino platform
- Personal data of customers whose information is stored by our users (merchants) within the platform
- Personal data of visitors to our marketing website
- Personal data of our employees, contractors, and suppliers
The purpose of this policy is to ensure that all personal data we control or process is handled lawfully, fairly, and transparently in line with the NDPA 2023.
2. Data Controller Details
- Company name: Inventino Technologies Ltd.
- Registered office: Lagos, Nigeria
- NITDA Registration: Registered Data Controller (NDPR Art. 3.1)
- DPO contact: dpo@inventino.shop
Where our users (merchants) store their customers' personal data within the Platform, those merchants act as independent Data Controllers for that data, and Inventino acts as a Data Processor on their behalf. We process such data strictly in accordance with our Terms of Service and applicable law.
3. Data Protection Principles
We process personal data in accordance with the following NDPA 2023 principles:
- Lawfulness, fairness, and transparency — we have a lawful basis for all processing and inform data subjects clearly
- Purpose limitation — data is collected for specified, explicit, and legitimate purposes and not processed in a manner incompatible with those purposes
- Data minimisation — we collect only the data that is necessary for the stated purpose
- Accuracy — we take reasonable steps to keep personal data accurate and up to date
- Storage limitation — data is kept no longer than necessary; see our retention schedule below
- Integrity and confidentiality — data is secured against unauthorised access, loss, or destruction using appropriate technical and organisational measures
- Accountability — we are responsible for, and are able to demonstrate, compliance with these principles
4. Lawful Bases for Processing
We rely on the following lawful bases under Section 25 of the NDPA 2023:
- Contractual necessity — processing your account data to deliver the service you contracted for
- Consent — sending marketing emails and setting non-essential cookies (freely given and withdrawable)
- Legitimate interests — fraud prevention, security monitoring, and analytics on anonymised aggregate data
- Legal obligation — complying with FIRS, CAMA 2020, and other Nigerian regulatory requirements
5. Data Subject Rights
Under the NDPA 2023, individuals whose data we process have the following rights. To exercise any right, contact dpo@inventino.shop. We will respond within 30 days.
- Right of access — obtain a copy of your personal data and information about how it is processed
- Right to rectification — correct inaccurate or incomplete personal data
- Right to erasure — request deletion of your data where there is no compelling reason for continued processing
- Right to restriction — ask us to halt processing while a dispute is resolved
- Right to data portability — receive your data in a structured, machine-readable format
- Right to object — object to processing based on legitimate interests or for direct marketing
- Right to withdraw consent — where processing is based on consent, withdraw that consent at any time without affecting prior lawful processing
Note: some rights may be limited where we are required by law to retain data or where data pertains to third parties (e.g., transaction records).
6. Data Retention Schedule
- Account & profile data — retained for the life of the subscription plus 90 days after closure
- Transaction records — 7 years (FIRS / CAMA 2020 compliance)
- Customer data (stored by merchants) — as directed by the merchant; deleted within 30 days of account closure
- Support communications — 2 years
- Marketing consent records — 3 years from last interaction or until consent is withdrawn
- Server access logs — 90 days
7. International Data Transfers
Our infrastructure is hosted primarily within Nigeria and the European Economic Area (EEA). Where data is transferred outside Nigeria, we ensure adequate safeguards are in place as required by Section 43 of the NDPA 2023:
- Transfers to countries with adequacy decisions from the Nigeria Data Protection Commission (NDPC)
- Standard Contractual Clauses (SCCs) with processors in non-adequate third countries
- Explicit consent for specific one-off transfers where other safeguards are impractical
8. Security Measures
We implement appropriate technical and organisational measures including:
- Encryption — TLS 1.3 in transit; AES-256 encryption at rest for sensitive fields
- Access controls — role-based access, principle of least privilege, MFA for internal admin systems
- Monitoring — real-time intrusion detection and anomaly alerting
- Vulnerability management — regular penetration testing and dependency audits
- Backups — daily encrypted backups with tested restore procedures
- Staff training — mandatory data protection training for all staff with access to personal data
9. Data Breach Response
In the event of a personal data breach, we will:
- Contain and assess the breach within 24 hours of discovery
- Notify the Nigeria Data Protection Commission (NDPC) within 72 hours where the breach is likely to result in risk to individuals' rights and freedoms
- Notify affected data subjects without undue delay where the breach is likely to result in high risk
- Maintain a breach register documenting all incidents, including those not requiring external notification
10. Third-Party Processors
We use sub-processors to deliver our service. All processors are bound by data processing agreements (DPAs) ensuring they process data only on our instructions and in compliance with the NDPA 2023. Key processors include:
- Cloud hosting (servers and databases)
- Payment gateways — Paystack, Flutterwave (PCI-DSS compliant)
- Transactional email — for password resets and account notifications
- Analytics — anonymised, marketing website only
11. Complaints
If you are unsatisfied with how we have handled your data, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC).
We encourage you to contact our DPO first at dpo@inventino.shop so that we have the opportunity to address your concern directly.
12. Policy Review
This policy is reviewed at least annually or when there is a significant change in our data processing activities, applicable law, or regulatory guidance from the NDPC. The current version is always published at this URL.