inSmartio Logo
Legal — Privacy

PrivacyPolicy.

inSmartio is committed to protecting your personal data. This policy explains how we collect, use, and safeguard your information in full compliance with Nigerian law.

NDPA / GAID Compliant

Effective Date

April 1, 2026

Last Updated

March 2026

Version

1.0

Nigeria Data Protection Act 2023 (NDPA)General Application & Implementation Directive 2025 (GAID)Section 37 — Constitution of FRN 1999

Quick Reference Summary

What We Collect

  • Identity & Contact info
  • Verification data (NIN, BVN)
  • Financial & Transaction records
  • Communications & Job details
  • TAS recruitment data

How We Protect You

  • Encryption for all sensitive data
  • Strict access controls
  • Regular audits & staff training
  • Breach notification within 72 hours

Your Rights

  • Access your data (DSAR)
  • Correct inaccurate data
  • Request deletion
  • Withdraw consent
  • Lodge complaint with NDPC
DPO Email: dpo@insmartio.ioPhone: +234 800 INSMARTIOCompliance: NDPA 2023 | GAID 2025 | NDPC
01

Introduction & Commitment

At inSmartio ("we", "us", "our"), we are committed to protecting the privacy and security of your personal data. This Privacy Policy explains how we collect, use, share, and protect your personal information when you use our platform, whether as a Client, Expert, or Talent Acquisition Specialist (TAS).

We process your personal data in compliance with the Nigeria Data Protection Act 2023 (NDPA), General Application and Implementation Directive (GAID) 2025, Section 37 of the Constitution of the Federal Republic of Nigeria 1999 (as amended), and other applicable data protection regulations.

"We treat your privacy as a fundamental right. This policy is designed to be transparent, simple to understand, and to give you control over your information."

02

Definitions

TermMeaning
Personal DataAny information relating to an identified or identifiable natural person ("Data Subject")
Data SubjectYou – the individual whose personal data is being processed
Data ControllerinSmartio – the entity that determines the purposes and means of processing your data
Data ProcessorThird parties who process data on our behalf (e.g., payment processors, cloud storage)
ProcessingAny operation performed on personal data (collection, storage, use, sharing, deletion)
ConsentFreely given, specific, informed, and unambiguous agreement to process your data
DPOData Protection Officer – our designated privacy expert
NDPCNigeria Data Protection Commission – the regulatory authority
GAIDGeneral Application and Implementation Directive 2025
ClientA user seeking services on inSmartio
ExpertA verified service provider on inSmartio
TASTalent Acquisition Specialist – a recruiter of experts
03

Who We Are (Data Controller Information)

Company NameinSmartio (CHRIVON TECH SOLUTIONS Limited)
Nature of BusinessPeer-to-peer service marketplace connecting Clients with verified Experts, and Talent Acquisition Specialists (TAS) who recruit Experts
JurisdictionNigeria
Contact AddressAdmiralty Way, Lekki Phase 1, Lagos, Nigeria
Emailprivacy@insmartio.io
Phone+234 800 INSMARTIO
Websitewww.insmartio.io
04

Our Guiding Principles

In processing your personal data, we adhere strictly to the principles of data protection as required by the NDPA and GAID. We ensure that personal data shall be:

PrincipleOur Commitment
Lawfulness, Fairness & TransparencyProcessed lawfully, fairly, and in a transparent manner
Purpose LimitationCollected for specified, explicit, and legitimate purposes only
Data MinimizationAdequate, relevant, and limited to what is necessary
AccuracyAccurate and kept up to date; inaccurate data corrected or erased
Storage LimitationKept only as long as necessary for the purpose
Integrity & ConfidentialitySecured against unauthorized access, loss, or damage
AccountabilityWe demonstrate compliance with all principles
05

What Personal Data We Collect

Depending on your interaction with us (as Client, Expert, TAS, or visitor), we may collect the following categories of personal data:

06

How We Collect Your Data

Collection MethodDescription
Direct RegistrationWhen you fill registration forms (paper or digital)
App/Website UsageWhen you use our platform, post jobs, place bids, or communicate
Verification ProcessWhen you submit NIN, BVN, and other verification documents
CommunicationsWhen you contact us via phone, email, WhatsApp, or chat
Third-Party SourcesVerification partners (NIMC, credit bureaus, guarantors)
Public SourcesPublic records and databases (for verification purposes only)
Automated TechnologiesCookies, log files, and analytics tools
TAS ReferralWhen you register using a TAS referral link or code
07

Purpose of Collection & Lawful Basis

We process your personal data for specific purposes and rely on lawful bases as required by the NDPA and GAID:

Purpose of ProcessingCategories of DataLawful Basis
Account Registration & ManagementIdentity, ContactPerformance of a contract; Consent
Service Provision (matching Clients & Experts)Identity, Contact, Service, LocationPerformance of a contract
Verification & Trust (NIN/BVN checks)Verification, IdentityLegal obligation; Legitimate interest
TAS Program AdministrationTAS-specific, Bank detailsPerformance of a contract; Legitimate interest
Commission Calculation & PaymentFinancial, Identity, TAS-specificPerformance of a contract
Payment ProcessingFinancial, IdentityPerformance of a contract
Communication about JobsContact, CommunicationsPerformance of a contract; Legitimate interest
Customer SupportAll relevant categoriesLegitimate interest; Legal obligation
Dispute ResolutionAll relevant categoriesLegal obligation; Legitimate interest
Fraud Prevention & Platform SecurityAll relevant categoriesLegal obligation; Legitimate interest
Marketing & PromotionsContact, UsageConsent (opt-in required)
Analytics & Platform ImprovementUsage, TechnicalLegitimate interest; Consent (where required)
Legal ComplianceAll relevant categoriesLegal obligation
Safety & Emergency ProtocolsLocation, IdentityVital interest; Consent
Note on Legitimate Interest: Where we rely on legitimate interest, we have conducted a Legitimate Interest Assessment (LIA) as required by GAID, balancing our needs with your privacy rights.
08

Sensitive Personal Data

The NDPA classifies certain data as "sensitive personal data" requiring extra protection. This includes: health information, genetic/biometric data, political opinions, religious/philosophical beliefs, trade union membership, sexual orientation, and criminal records.

We do not knowingly collect sensitive personal data unless voluntarily provided. If you provide such data, you explicitly consent to its processing.

Criminal records (Police Clearance) are collected only for Tier 3 Experts under strict safeguards and legal obligation. Biometric data (photographs, NIN/BVN) is collected for verification purposes only.

For sensitive data processing, we conduct a Data Protection Impact Assessment (DPIA) as mandated by GAID.

8.2 Automated Decision-Making & Profiling

We do not use automated decision-making or profiling that produces legal effects or significantly affects you. However, we use automated systems for:

ActivityDescriptionYour Rights
Job MatchingAlgorithm matches jobs with relevant experts based on category, location, and ratingYou can request human review
Fraud DetectionAutomated systems flag suspicious activity for human reviewYou can appeal decisions
TAS Tier CalculationAutomated calculation based on active expert countYou can request manual review

To request human review, contact dpo@insmartio.io.

10

Detailed Rights of Data Subjects

Under the NDPA and GAID, you have the following rights regarding your personal data:

Right to be Informed

To know what data we collect, why, and how we use it (this policy fulfills this right)

Right of Access (DSAR)

To request a copy of your personal data we hold

Right to Rectification

To correct inaccurate or incomplete data

Right to Erasure

To request deletion of your data, subject to legal obligations

Right to Restrict Processing

To limit how we use your data in certain circumstances

Right to Data Portability

To receive your data in a structured, commonly used format and transfer it to another controller

Right to Object

To object to processing based on legitimate interests or direct marketing

Right to Withdraw Consent

To withdraw consent at any time (without affecting prior lawful processing)

Right to Lodge a Complaint

To complain to the Nigeria Data Protection Commission (NDPC)

Rights are not absolute and may be limited by legal obligations. We will respond to requests within one month, free of charge. Manifestly unfounded or excessive requests may incur a reasonable fee.

11

How to Exercise Your Rights (DSAR Process)

To exercise any of your rights, please follow this process:

1

Complete a DSAR Form

Available at our office or request via email at dpo@insmartio.io

2

Submit to Our DPO

Via email: dpo@insmartio.io | WhatsApp: +234 800 INSMARTIO | In-person: Admiralty Way, Lekki Phase 1, Lagos

3

Provide Identification

Two forms of ID (one photo ID, one address verification) to confirm your identity

4

Acknowledgment

Our DPO will acknowledge receipt within 5 working days

5

Full Response

We will respond fully within one month of receiving your request

12

Data Sharing & Transfers to Third Parties

Third PartyPurposeData Shared
Other Users (Clients/Experts/TAS)To facilitate service deliveryName, contact (when job accepted), ratings, verification badges, TAS ID
Payment Processors (Paystack, Flutterwave)Payment processingFinancial data, transaction details
Verification Partners (NIMC, credit bureaus)Identity verificationNIN, BVN, name, DOB
Cloud Service Providers (AWS, etc.)Data storage and hostingAll data as applicable
Customer Support ToolsSupport ticketingContact, communications
Legal/Regulatory AuthoritiesCompliance with lawAs required by law
Dispute Resolution PartnersMediation servicesRelevant job and communication data
Analytics ProvidersPlatform improvementUsage data (anonymized where possible)

We only share data necessary for the specific purpose. Third parties are contractually bound to protect your data (Data Processing Agreements). We do NOT sell your personal data to third parties for marketing.

TAS-Specific: TAS agents receive information about experts they recruited (name, performance metrics, commission earned). Experts see their TAS agent's name and contact information.

13

Cross-Border Data Transfers

As a Nigerian platform, we primarily store data within Nigeria. However, some service providers may be located outside Nigeria (cloud infrastructure, payment processors, analytics tools).

Before transferring personal data outside Nigeria, we ensure one of the following safeguards:

Adequacy Decision

The recipient country has adequate data protection laws (as determined by NDPC)

Appropriate Safeguards

Binding Corporate Rules, Standard Contractual Clauses (approved by NDPC), or other approved transfer instruments

Derogations

Specific situations such as your consent, contract performance, or legal claims

14

Data Security Measures

Technical Measures

  • End-to-end encryption for chat communications
  • SSL/TLS encryption for all data in transit
  • AES-256 encryption for sensitive data at rest
  • Firewalls and intrusion detection systems
  • Regular security patches and updates
  • Multi-factor authentication for admin access

Organizational Measures

  • Strict access controls (role-based access)
  • Regular staff training on data protection
  • Data protection by design and by default
  • Annual compliance audits (as required by GAID)
  • Data Protection Impact Assessments (DPIAs) for high-risk processing
Breach Notification: In the event of a data breach, we will notify the NDPC within 72 hours (as required by GAID), inform affected data subjects without undue delay, and take immediate steps to mitigate harm.

Verification Document Storage

Security MeasureImplementation
Encryption at restAES-256
Encryption in transitTLS 1.3
Access controlAdmin only, with audit logging
RetentionAccount duration + 2 years
DeletionAnonymized after retention period
Third-party accessVerification partners only (NIMC, etc.)
15

Data Retention Period

Data CategoryRetention PeriodReason
Financial Records (transactions, payouts)7 yearsRegulatory compliance (tax, audit)
Verification Documents (NIN, BVN)Duration of account + 2 yearsPlatform integrity, fraud prevention
Job Postings & Bids2 years post-completionDispute resolution, platform improvement
Chat Logs & Communications2 yearsDispute resolution, quality monitoring
User Profile DataUntil account deletion + 24 months inactivityService provision
TAS Recruitment RecordsDuration of TAS status + 2 yearsCommission tracking, dispute resolution
Usage AnalyticsAnonymized after 36 monthsBusiness intelligence
Marketing PreferencesUntil consent withdrawnMarketing compliance

Account Deletion: When you delete your account, your profile becomes inaccessible and personal data is anonymized or deleted (subject to legal holds). Reviews and ratings may remain anonymized to preserve platform integrity. Financial records are retained for 7 years per legal requirement.

To request account deletion, contact dpo@insmartio.io.

16

Cookies & Technical Information

Cookies are small text files stored on your device when you visit websites or use apps. They help us recognize you and remember your preferences.

Cookie TypePurposeDuration
Essential CookiesRequired for platform operation (login, security)Session/permanent
Functional CookiesRemember preferences and settingsUp to 1 year
Analytics CookiesUnderstand how users interact with our platformUp to 2 years
Marketing CookiesDeliver relevant ads (with consent only)Up to 1 year

You can manage cookies via your browser settings or app permissions. We obtain consent for all non-essential cookies. We may also automatically collect IP address, device type, operating system, app version, and browsing behavior to improve user experience and detect fraud.

17

Data Protection Officer (DPO) Contact

Appointed DPO

Eugene LOKO

Emaildpo@insmartio.io
Phone+234 800 INSMARTIO (0803 xxxxxxxx)
AddressAdmiralty Way, Lekki Phase 1, Attn: Data Protection Officer
HoursMonday – Friday, 9 AM – 5 PM WAT

The DPO monitors compliance with data protection laws, advises on DPIAs, cooperates with the NDPC, and handles all data subject requests and complaints.

18

Complaint Handling & Remediation

If you believe your data protection rights have been violated, follow this internal process:

1

Contact Our DPO

Submit your complaint in writing to dpo@insmartio.io with your full name, contact details, description of the issue, relevant dates and evidence, and desired resolution.

2

Acknowledgment

We will acknowledge receipt within 48 hours.

3

Investigation

Our DPO will investigate thoroughly, involving relevant departments.

4

Response

We will respond with our findings and proposed resolution within 7 working days.

5

Escalation

If unsatisfied, you may escalate within inSmartio for senior review.

External Remedies

If your complaint is not resolved internally, you have the right to lodge a complaint with:

Nigeria Data Protection Commission (NDPC)

Website: www.ndpc.gov.ng

Email: info@ndpc.gov.ng

You also have the right to seek judicial remedy in a court of competent jurisdiction.

19

Changes to This Policy

We may update this Privacy Policy to reflect changes in data protection laws (NDPA/GAID updates), changes in our data processing activities, new features or services, or regulatory guidance.

Notification: Material changes will be notified via email, SMS, or in-app notification. The "Last Updated" date at the top will be revised. We encourage you to review this policy periodically.

If you continue to use inSmartio after changes take effect, you signify acceptance of the updated policy. If you do not agree, you may close your account.

20

Acceptance of Policy

By registering on inSmartio, using our platform, or submitting your personal data to us, you acknowledge that you have read, understood, and agree to this Privacy Policy.

For Clients

This policy applies to your use of Client Mode.

For Experts

This policy applies to your use of Expert Mode and the verification process.

For TAS

This policy applies to your use of TAS Mode, the application process, and commission tracking.

For Visitors

This policy applies to your browsing of our website/app.

23

Children's Data

Our platform is not intended for children under 18 years of age. We do not knowingly collect personal data from children under 18.

If you are a parent or guardian and believe your child under 18 has provided personal data to us, please contact us immediately at dpo@insmartio.io. We will take steps to delete such information.

For users under 18: You must have parental consent to use our platform.

24

Marketing Communications & Opt-Out

We may send you marketing communications only with your explicit consent. You can opt out at any time via:

  • Click "Unsubscribe" in any marketing email
  • Toggle off "Marketing Communications" in app settings
  • Reply "STOP" to any marketing SMS
  • Email dpo@insmartio.io with subject "Unsubscribe"

What you will still receive after opt-out

  • Transactional emails (payment confirmations, job updates)
  • Security alerts
  • Legal notices
  • Account-related communications
25

Third-Party Links Disclaimer

Our platform may contain links to third-party websites or services (e.g., payment gateways, social media). This Privacy Policy does not apply to those third parties. We are not responsible for the privacy practices of third-party sites. We encourage you to read their privacy policies before providing any personal data.

26

TAS Data Retention (Specific)

For TAS agents, in addition to Section 15:

TAS Data CategoryRetention PeriodReason
TAS application recordsDuration of TAS status + 3 yearsAudit, dispute resolution
Referral link click data2 yearsAnalytics, commission verification
Sub-TAS relationshipsDuration of relationship + 3 yearsOverride commission verification
Recruitment network dataAnonymized after 2 years inactiveBusiness intelligence

27. Sub-TAS Data Sharing Disclosure

If you are a Tier 3+ TAS recruiting sub-TAS agents, the following data is shared:

Data SharedWith WhomPurpose
Sub-TAS name and TAS IDMaster TASTeam management
Sub-TAS recruitment numbersMaster TASOverride commission calculation
Sub-TAS performance metricsMaster TASTeam performance tracking

Sub-TAS agents consent to this sharing when they agree to join a master TAS's team.

GL

Glossary of Terms

TermDefinition
NDPANigeria Data Protection Act 2023
GAIDGeneral Application and Implementation Directive 2025
NDPCNigeria Data Protection Commission
DPOData Protection Officer
DSARData Subject Access Request
DPIAData Protection Impact Assessment
LIALegitimate Interest Assessment
NINNational Identification Number
BVNBank Verification Number
TASTalent Acquisition Specialist

Document Control

Version 1.0 — Initial release by inSmartio Legal, March 2026

inSmartio: Trusted Services,
Verified Professionals.