Zhift Platforms Ltd

Privacy Policy

This Privacy Policy explains how Zhift Platforms Ltd (“Zhift”, “we”, “us”) collects, uses, stores, and shares personal data. It is written to comply with the Nigeria Data Protection Regulation (NDPR), the General Data Protection Regulation (EU) 2016/679 (GDPR), and applicable National Information Technology Development Agency (NITDA) directives. It applies to everyone whose personal data we process, including client personnel, platform users, prospects, vendors, and site visitors.

1. Data Controller & Contact

Zhift Platforms Ltd acts as a data controller or processor depending on the service provided. Our Data Protection Officer (DPO) can be contacted at privacy@zhiftplatforms.com.

2. Categories of Personal Data

We collect the following categories of data, subject to purpose limitation and data minimisation:

  • Identity & Contact Data: Name, email address, phone number, role, company, and geographic location.
  • Professional & Project Data: Statements of work, change requests, configuration documentation, and meeting notes tied to service delivery.
  • Usage & Technical Data: Log files, telemetry, and device metadata necessary for service optimisation and security monitoring.
  • Support & Incident Data: Helpdesk tickets, call recordings, and incident response records that may include personal references.
  • Regulatory & Financial Data: KYC information, invoicing details, and audit evidence where mandated by law or client agreements.

3. Purposes & Lawful Bases

Zhift relies on multiple lawful bases enumerated in NDPR (Section 2.3) and GDPR (Article 6). Key purposes include:

  • Contract performance: Designing, deploying, integrating, and managing software platforms for our clients.
  • Legitimate interest: Monitoring system performance, preventing fraud, enhancing customer experience, and improving our solutions.
  • Legal obligation: Meeting statutory requirements such as financial reporting, regulatory filings, and responding to lawful requests.
  • Consent: Sending marketing updates, hosting webinars, or enabling cookies not strictly necessary for service delivery. Consent can be withdrawn at any time.

4. Data Sharing & Sub-Processors

We engage vetted third parties for functions such as cloud hosting, customer support, analytics, and secure communications. Each sub-processor is bound by a written contract requiring adherence to NDPR, GDPR, and NITDA-compliant safeguards. A current list is available on request.

5. International Transfers

When we move data across borders, we use approved transfer mechanisms such as Standard Contractual Clauses, NDPR adequacy decisions, or explicit consent. Additional technical measures (encryption, pseudonymisation) are applied where feasible.

6. Retention & Disposal

Personal data is retained only for the duration required to fulfil contractual and legal obligations. We maintain a retention schedule aligned with NDPR Part II and GDPR Article 5(1)(e). Data no longer required is securely deleted or anonymised, with disposal actions logged.

7. Security Measures

Zhift applies layered security controls including encryption in transit and at rest, role-based access, MFA, secure coding practices, regular penetration testing, vulnerability management, and business continuity / disaster recovery plans. Security incidents are handled under a formally documented incident response plan.

8. Automated Decision-Making

Zhift does not use solely automated decision-making that produces legal or similarly significant effects on individuals. If this changes, affected individuals will be notified with meaningful information about the logic involved as required by GDPR Article 22.

9. Data Subject Rights

Individuals may exercise their rights of access, rectification, erasure, restriction, objection, and data portability. Requests should be directed to privacy@zhiftplatforms.com. We will respond within 30 days (or the statutory timeframe) and may request additional information to verify identity.

10. Child Privacy

Our services are intended for professional use. We do not knowingly collect personal data from children under the age defined by NDPR or GDPR. If we learn that we have inadvertently received such data, we will delete it promptly and notify relevant guardians where required.

11. Complaints & Redress

If you believe your rights have been violated, please contact our DPO first. Should you remain unsatisfied, you may escalate to the Nigeria Data Protection Commission (NDPC), NITDA, or an EU supervisory authority if GDPR applies. We will cooperate fully with these bodies.

12. Updates to this Policy

We review this notice at least annually and when regulations change. Significant updates will be communicated via email or prominent site notices at least 14 days prior to taking effect.