Legal
Privacy Policy
Effective date: 24 June 2026 · Governed by the Nigeria Data Protection Regulation (NDPR) 2019 and the Nigeria Data Protection Act (NDPA) 2023
01 Who We Are
Naija Accountability is a civic accountability platform operated in Nigeria. We provide Nigerian citizens with a transparent, verifiable record of elected officials' governance conduct across all tiers of government - federal, state, and local.
For the purposes of the Nigeria Data Protection Regulation (NDPR) 2019, the Nigeria Data Protection Act (NDPA) 2023, and regulations issued by the National Information Technology Development Agency (NITDA), Naija Accountability is the Data Controller.
Our registered address and Data Protection Officer contact details are set out in Section 12.
02 Data We Collect
We collect the following categories of personal data:
| Data category | Purpose | Retention |
|---|---|---|
| Email address | Account creation, email/password sign-in, password reset, and email notifications | Duration of account |
| Password (hashed) | Email/password sign-in - stored only as a one-way bcrypt hash, never in readable form | Duration of account |
| Phone number (optional) | Optional sign-in via SMS one-time code (OTP) and SMS notifications | Duration of account |
| Google account profile (only if you choose "Sign in with Google") | Authentication - we receive your name, email address, and profile photo from Google | Duration of account |
| Profile picture (optional) | Personalising your account; displayed with your account | Until you change or remove it, or delete your account |
| Display name (optional) | Shown on your account and account menu | Duration of account |
| Country, state/region, date of birth, and sex | Know-Your-Customer (KYC) details collected at sign-up to confirm age eligibility (13+) and to understand, in aggregate, who uses the platform. Not shared publicly or sold. | Duration of account |
| Reports submitted | Public civic accountability record | Retained in anonymised form after account deletion (public interest basis) |
| Governance ratings | Composite score calculation for politicians | Deleted upon account deletion |
| Evidence files (photos, PDFs, video) | Supporting documentation for reports | Deleted from storage 30 days after report rejection; retained indefinitely for approved reports |
| Notification history | Record of communications sent to you | Deleted upon account deletion |
| API keys (journalist accounts) | Authenticate requests to the public journalist API | Deleted upon account deletion or revocation |
| IP address & user agent | Security logging, rate limiting, fraud prevention | Maximum 90 days in access logs |
| Consent preferences | Record of your cookie and analytics consent | Duration of account or browser session |
What we do not collect: We do not collect your National Identification Number (NIN) or any government ID. Whistleblower reports are end-to-end encrypted client-side; our servers store only ciphertext and never have access to the plaintext or your identity.
03 Legal Basis for Processing
Under NDPR Article 2.2 and the NDPA 2023, we process your data on the following legal bases:
- Consent - for optional analytics cookies and email marketing. You may withdraw consent at any time by updating your notification preferences or using the cookie settings.
- Contractual necessity - processing required to operate your account and deliver the services you have registered for (account creation, report submission, notifications).
- Legitimate interests - security logging, fraud prevention, rate limiting, and retaining anonymised reports for the public interest of civic accountability. Our legitimate interests do not override your rights.
- Compliance with a legal obligation - where we are required by Nigerian law to retain or disclose data.
04 Retention Periods
We retain personal data only for as long as necessary for the purposes described above, or as required by Nigerian law.
- Active accounts: data is retained for the duration of your account.
- Inactive accounts: automatically deleted after 90 days of inactivity.
- After account deletion: reports are anonymised (author identity removed) and retained as part of the public civic record. All other personal data is permanently deleted within 30 days.
- Security logs (IP, user agent): maximum 90 days.
- Data export files: emailed directly to you; not retained on our servers after dispatch.
- Deleted account data: permanently purged within 30 days of deletion request.
06 International Transfers
Some of our service providers are based outside Nigeria. Where personal data is transferred to countries without an adequacy decision under the NDPA, we ensure appropriate safeguards are in place - including Standard Contractual Clauses (SCCs) or equivalent instruments recognised by NITDA - before any transfer takes place.
07 Your Rights Under the NDPR
Under the NDPR 2019 and NDPA 2023, you have the following rights regarding your personal data:
- Right of access - you may request a full copy of all personal data we hold about you by contacting our Data Protection Officer.
- Right to rectification - if any data we hold is inaccurate or incomplete, you have the right to have it corrected. Update your name, photo, and notification preferences from your account profile page, or contact the DPO.
- Right to erasure ("right to be forgotten") - you may request deletion of your account and all associated personal data using the "Delete account" option on your profile page. Reports will be anonymised and retained in the public interest.
- Right to data portability - your data export will be provided in JSON format, a machine-readable, structured format.
- Right to object - you may object to processing based on our legitimate interests at any time. Contact the DPO to exercise this right.
- Right to restrict processing - in certain circumstances (e.g. while a complaint is pending) you may request that processing be restricted.
- Right to withdraw consent - for any processing based on consent (analytics cookies, email marketing), you may withdraw at any time without affecting the lawfulness of prior processing.
- Right to lodge a complaint - you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng, or NITDA's data protection unit.
To exercise any of these rights, contact our Data Protection Officer at dpo@naijaaccountability.com. We will respond within 72 hours and fulfil the request within 30 days as required by the NDPR.
09 Children's Privacy
Naija Accountability is not directed at children under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected data from a child, please contact our DPO immediately and we will delete it promptly.
10 Security Measures
We implement appropriate technical and organisational measures to protect your personal data in accordance with NDPR Article 2.6, including:
- All data is transmitted over TLS 1.2+ (HTTPS). HTTP connections are redirected.
- Passwords are hashed using bcrypt (cost factor 12) - raw values are never stored.
- Evidence files undergo EXIF metadata stripping before cloud storage to remove geolocation and device identifiers.
- Whistleblower reports are end-to-end encrypted client-side using TweetNaCl.js - the server stores ciphertext only and cannot decrypt them.
- API keys are stored as SHA-256 hashes - raw keys are shown once and never stored.
- Role-based access control: moderators and admins access only data required for their functions.
- Upstash Redis rate limiting prevents brute-force attacks on authentication and submission endpoints.
- Content Security Policy (CSP), X-Frame-Options, and other security headers are set on all responses.
In the event of a personal data breach, we will notify affected users and the Nigeria Data Protection Commission within 72 hours of becoming aware, as required by the NDPA 2023.
11 Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify registered users by email or in-app notification at least 14 days before the changes take effect, and update the effective date at the top of this page. Continued use of the platform after the effective date constitutes acceptance of the revised policy.
12 Contact & Data Protection Officer
Naija Accountability has appointed a Data Protection Officer (DPO) in accordance with Article 4.1(4) of the NDPR. If you have any questions about this policy, wish to exercise your rights, or wish to make a complaint about our data practices, contact:
Data Protection Officer
Naija Accountability
Email: dpo@naijaaccountability.com
Response time: within 72 hours
Regulatory authority: Nigeria Data Protection Commission (NDPC)
You also have the right to lodge a complaint directly with the Nigeria Data Protection Commission or with NITDA if you believe your data has been processed unlawfully.
