Legal

Privacy Policy

Effective date: 28 March 2025  ·  Governed by the Nigeria Data Protection Regulation (NDPR) 2019 and the Nigeria Data Protection Act (NDPA) 2023

01 Who We Are

NaijaAccountability.ng is a civic accountability platform operated in Nigeria. We provide Nigerian citizens with a transparent, verifiable record of elected officials' governance conduct across all tiers of government — federal, state, and local.

For the purposes of the Nigeria Data Protection Regulation (NDPR) 2019, the Nigeria Data Protection Act (NDPA) 2023, and regulations issued by the National Information Technology Development Agency (NITDA), NaijaAccountability.ng is the Data Controller.

Our registered address and Data Protection Officer contact details are set out in Section 12.

02 Data We Collect

We collect the following categories of personal data:

| Data category | Purpose | Retention |
|---|---|---|
| Phone number | Account creation, OTP verification, SMS notifications | Duration of account |
| Email address (optional) | Email notifications for report status updates | Duration of account |
| National Identification Number (NIN) — hashed only | One-account-per-citizen verification; raw NIN is never stored | Bcrypt hash retained for account duration to prevent duplicate accounts |
| Reports submitted | Public civic accountability record | Retained in anonymised form after account deletion (public interest basis) |
| Governance ratings | Composite score calculation for politicians | Deleted upon account deletion |
| Evidence files (photos, PDFs, video) | Supporting documentation for reports | Deleted from storage 30 days after report rejection; retained indefinitely for approved reports |
| Notification history | Record of communications sent to you | Deleted upon account deletion |
| API keys (journalist accounts) | Authenticate requests to the public journalist API | Deleted upon account deletion or revocation |
| IP address & user agent | Security logging, rate limiting, fraud prevention | Maximum 90 days in access logs |
| Consent preferences | Record of your cookie and analytics consent | Duration of account or browser session |

What we do not collect: We never store your raw NIN. Whistleblower reports are end-to-end encrypted client-side; our servers store only ciphertext and never have access to the plaintext or your identity.

04 Retention Periods

We retain personal data only for as long as necessary for the purposes described above, or as required by Nigerian law.

  • Active accounts: data is retained for the duration of your account.
  • Unverified accounts (NIN not completed): automatically deleted after 90 days of inactivity.
  • After account deletion: reports are anonymised (author identity removed) and retained as part of the public civic record. All other personal data is permanently deleted within 30 days.
  • Security logs (IP, user agent): maximum 90 days.
  • Data export files: emailed directly to you; not retained on our servers after dispatch.
  • Deleted account data: permanently purged within 30 days of deletion request.

05 Data Sharing & Third Parties

We do not sell, trade, or rent your personal data to any third party. We share data with the following service providers, each under a Data Processing Agreement, solely to deliver the platform:

| Service provider | Purpose | Location |
|---|---|---|
| Clerk (clerk.com) | Authentication, OTP session management | United States — SCCs in place |
| Resend (resend.com) | Email delivery | United States — SCCs in place |
| Termii (termii.com) | SMS OTP and notification delivery | Nigeria |
| Cloudinary (cloudinary.com) | Evidence file and photo storage (EXIF-stripped) | United States — SCCs in place |
| Upstash (upstash.com) | Rate limiting and caching (no PII stored) | United States — SCCs in place |
| Vercel (vercel.com) | Hosting and edge infrastructure | United States — SCCs in place |
| Neon / PostgreSQL | Primary database | Configurable region |

We may disclose personal data where required by a valid court order, subpoena, or direction from a competent Nigerian regulatory authority.

06 International Transfers

Some of our service providers are based outside Nigeria. Where personal data is transferred to countries without an adequacy decision under the NDPA, we ensure appropriate safeguards are in place — including Standard Contractual Clauses (SCCs) or equivalent instruments recognised by NITDA — before any transfer takes place.

07 Your Rights Under the NDPR

Under the NDPR 2019 and NDPA 2023, you have the following rights regarding your personal data:

  • Right of access — you may request a full copy of all personal data we hold about you. Use the "Export my data" function in Account Settings, or contact our DPO.
  • Right to rectification — if any data we hold is inaccurate or incomplete, you have the right to have it corrected. Update your profile in Account Settings or contact the DPO.
  • Right to erasure ("right to be forgotten") — you may request deletion of your account and all associated personal data. Use the "Delete my account" function in Account Settings. Reports will be anonymised and retained in the public interest.
  • Right to data portability — your data export will be provided in JSON format, a machine-readable, structured format.
  • Right to object — you may object to processing based on our legitimate interests at any time. Contact the DPO to exercise this right.
  • Right to restrict processing — in certain circumstances (e.g. while a complaint is pending) you may request that processing is restricted.
  • Right to withdraw consent — for any processing based on consent (analytics cookies, email marketing), you may withdraw at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint — you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng, or NITDA's data protection unit.

To exercise any of these rights, contact our Data Protection Officer at dpo@naijaaccountability.ng. We will respond within 72 hours and fulfil the request within 30 days as required by the NDPR.

08 Cookies & Tracking

We use the following categories of cookies:

| Cookie category | Purpose | Consent |
|---|---|---|
| Essential cookies | Session management, authentication (Clerk), CSRF protection, rate limiting | These cannot be disabled — the platform cannot function without them |
| Analytics cookies (optional) | Aggregate, anonymised usage statistics to improve the platform | Only set with your explicit consent via the cookie banner |

You can change your cookie preferences at any time by clearing the naija-consent cookie in your browser settings. We do not use third-party advertising or tracking cookies.

09 Children's Privacy

NaijaAccountability.ng is not directed at children under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected data from a child, please contact our DPO immediately and we will delete it promptly.

10 Security Measures

We implement appropriate technical and organisational measures to protect your personal data in accordance with NDPR Article 2.6, including:

  • All data is transmitted over TLS 1.2+ (HTTPS). HTTP connections are redirected.
  • Passwords and NIN data are hashed using bcrypt (cost factor 12) — raw values are never stored.
  • Evidence files undergo EXIF metadata stripping before cloud storage to remove geolocation and device identifiers.
  • Whistleblower reports are end-to-end encrypted client-side using TweetNaCl.js — the server stores ciphertext only and cannot decrypt them.
  • API keys are stored as SHA-256 hashes — raw keys are shown once and never stored.
  • Role-based access control: moderators and admins access only data required for their functions.
  • Upstash Redis rate limiting prevents brute-force attacks on authentication and submission endpoints.
  • Content Security Policy (CSP), X-Frame-Options, and other security headers are set on all responses.

In the event of a personal data breach, we will notify affected users and the Nigeria Data Protection Commission within 72 hours of becoming aware, as required by the NDPA 2023.

11 Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify registered users by email or in-app notification at least 14 days before the changes take effect, and update the effective date at the top of this page. Continued use of the platform after the effective date constitutes acceptance of the revised policy.

12 Contact & Data Protection Officer

NaijaAccountability.ng has appointed a Data Protection Officer (DPO) in accordance with Article 4.1(4) of the NDPR. If you have any questions about this policy, wish to exercise your rights, or wish to make a complaint about our data practices, contact:

Data Protection Officer

NaijaAccountability.ng

Email: dpo@naijaaccountability.ng

Response time: within 72 hours

Regulatory authority: Nigeria Data Protection Commission (NDPC)

You also have the right to lodge a complaint directly with the Nigeria Data Protection Commission or with NITDA if you believe your data has been processed unlawfully.
