Data Protection Policy for Earn9ja
Last Updated: January 2, 2025
1. Introduction
This Data Protection Policy outlines how Earn9ja complies with the Nigeria Data Protection Regulation (NDPR) 2019 and protects the personal data of our users.
Earn9ja is committed to protecting your privacy and ensuring the security, confidentiality, and integrity of your personal data.
2. Legal Framework
This policy complies with:
- Nigeria Data Protection Regulation (NDPR) 2019
- Nigeria Data Protection Bureau (NDPB) Guidelines
- Constitution of the Federal Republic of Nigeria
- Cybercrimes Act 2015
3. Data Controller Information
Data Controller: Earn9ja
Registration: [Your Business Registration Number]
Address: [Your Business Address], Nigeria
Email: [email protected]
Data Protection Officer: [email protected]
4. Principles of Data Processing
We process personal data in accordance with these principles:
4.1 Lawfulness, Fairness, and Transparency
- Data collected and processed lawfully
- Clear communication about data use
- Transparent privacy practices
4.2 Purpose Limitation
- Data collected for specific, explicit purposes
- Not used for incompatible purposes
- Purpose clearly communicated at collection
4.3 Data Minimization
- Only collect data necessary for our services
- Avoid excessive data collection
- Regular review of data needs
4.4 Accuracy
- Maintain accurate and up-to-date data
- Provide mechanisms for data correction
- Promptly update or delete inaccurate data
4.5 Storage Limitation
- Retain data only as long as necessary
- Defined retention periods for different data types
- Secure deletion when no longer needed
4.6 Integrity and Confidentiality
- Implement appropriate security measures
- Protect against unauthorized access
- Ensure data confidentiality
4.7 Accountability
- Demonstrate compliance with NDPR
- Maintain records of processing activities
- Conduct regular audits
5. Legal Basis for Processing
We process your data based on:
5.1 Consent
- Explicit consent for marketing communications
- Consent for optional features (location, camera)
- Right to withdraw consent at any time
5.2 Contract Performance
- Account creation and management
- Task completion and payment processing
- Service delivery
5.3 Legal Obligation
- KYC/AML compliance
- Tax reporting
- Response to legal requests
5.4 Legitimate Interests
- Fraud prevention and security
- Service improvement and analytics
- Business operations
6. Types of Personal Data Collected
6.1 Identity Data
- Full name
- Date of birth
- Gender
- Government-issued ID
- BVN (Bank Verification Number)
- Selfie/photograph
6.2 Contact Data
- Email address
- Phone number
- Physical address (optional)
6.3 Financial Data
- Bank account details
- Transaction history
- Earnings and withdrawals
- Payment method information
6.4 Technical Data
- IP address
- Device information
- Browser type
- Operating system
- App version
6.5 Usage Data
- Tasks completed
- Time spent in app
- Features used
- Interaction patterns
6.6 Marketing Data
- Communication preferences
- Marketing consent status
7. Data Subject Rights
Under NDPR, you have the following rights:
7.1 Right to Access
- Request confirmation of data processing
- Obtain a copy of your personal data
- Receive information about processing activities
How to Exercise: Email [email protected] with subject “Data Access Request”
7.2 Right to Rectification
- Correct inaccurate personal data
- Complete incomplete data
How to Exercise: Update in app settings or contact support
7.3 Right to Erasure (“Right to be Forgotten”)
- Request deletion of personal data
- Exceptions: Legal obligations, ongoing disputes
How to Exercise: Delete account in app or email [email protected]
7.4 Right to Restrict Processing
- Limit how we use your data
- Object to certain processing activities
How to Exercise: Email [email protected]
7.5 Right to Data Portability
- Receive your data in a structured, machine-readable format
- Transfer data to another service
How to Exercise: Request data export via [email protected]
7.6 Right to Object
- Object to processing based on legitimate interests
- Object to direct marketing
How to Exercise: Opt-out in app settings or email [email protected]
7.7 Right to Withdraw Consent
- Withdraw consent at any time
- Does not affect lawfulness of prior processing
How to Exercise: Manage consent in app settings
7.8 Right to Lodge a Complaint
- File a complaint with the Nigeria Data Protection Bureau (NDPB)
NDPB Contact:
Website: https://ndpb.gov.ng
Email: [email protected]
Phone: +234 (0) 9-461-3858
8. Data Security Measures
We implement technical and organizational measures to protect your data:
8.1 Technical Measures
- Encryption: AES-256 encryption for data at rest, TLS 1.3 for data in transit
- Access Controls: Role-based access control (RBAC)
- Authentication: Multi-factor authentication (MFA) for admin access
- Firewalls: Network security and intrusion detection
- Monitoring: 24/7 security monitoring and logging
- Backups: Regular encrypted backups with disaster recovery
8.2 Organizational Measures
- Staff Training: Regular data protection training
- Access Policies: Strict need-to-know access policies
- Confidentiality Agreements: All staff sign NDAs
- Vendor Management: Due diligence on third-party processors
- Incident Response: Data breach response plan
- Regular Audits: Security assessments and penetration testing
8.3 Data Breach Response
In the event of a data breach:
- Notify NDPB within 72 hours
- Notify affected users without undue delay
- Document the breach and response actions
- Implement measures to prevent recurrence
9. Data Retention
We retain personal data according to these schedules:
| Data Type | Retention Period | Reason |
|---|---|---|
| Active account data | Duration of account + 1 year | Service provision |
| Closed account data | 3 years | Compliance, disputes |
| Transaction records | 7 years | Tax, legal requirements |
| KYC documents | 5 years after account closure | AML compliance |
| Marketing data | Until opt-out | Marketing purposes |
| Support tickets | 2 years | Customer service |
| Audit logs | 1 year | Security, compliance |
After retention periods expire, data is securely deleted or anonymized.
10. International Data Transfers
Your data is primarily stored in Nigeria. If it is transferred internationally:
- Adequate protection measures implemented
- Standard contractual clauses used
- NDPR requirements met
- User notification provided
Current International Transfers:
- Firebase (Google Cloud) - USA (Standard Contractual Clauses)
- MongoDB Atlas - Cloud regions (Data residency controls)
11. Third-Party Data Processors
We engage these third-party processors:
| Processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Firebase | Authentication, analytics | USA | SCC, Privacy Shield |
| MongoDB Atlas | Database hosting | Cloud | Encryption, access controls |
| Paystack | Payment processing | Nigeria | PCI-DSS compliant |
| Flutterwave | Payment processing | Nigeria | PCI-DSS compliant |
| CPAGrip | Advertising | International | Privacy policy, DPA |
| AdGem | Advertising | USA | Privacy policy, DPA |
| Sentry | Error monitoring | USA | Data anonymization |
All processors are contractually bound to protect your data.
12. Children’s Data
We do not knowingly collect data from individuals under 18 years of age. If we discover such data, we will:
- Delete it immediately
- Notify the parent/guardian (if identifiable)
- Prevent future collection
13. Automated Decision-Making
We use automated processing for:
- Fraud Detection: Flagging suspicious activities
- Task Matching: Recommending relevant tasks
- Credit Scoring: Assessing withdrawal eligibility
You have the right to:
- Request human review of automated decisions
- Express your point of view
- Contest the decision
14. Cookies and Tracking
We use cookies and similar technologies:
- Essential Cookies: Required for app functionality
- Analytics Cookies: Understand usage patterns (Google Analytics)
- Advertising Cookies: Personalized ads (with consent)
Manage cookie preferences in app settings.
15. Data Protection Impact Assessment (DPIA)
We conduct DPIAs for high-risk processing activities:
- KYC verification processes
- Fraud detection systems
- New feature implementations
- Third-party integrations
16. Data Protection Officer (DPO)
Our DPO oversees data protection compliance:
Name: [DPO Name]
Email: [email protected]
Responsibilities:
- Monitor NDPR compliance
- Conduct staff training
- Handle data subject requests
- Liaise with NDPB
- Conduct audits and assessments
17. Updates to This Policy
We review and update this policy annually or when:
- Legal requirements change
- Business practices change
- New technologies are adopted
Users will be notified of significant changes.
18. Contact and Complaints
For Data Protection Inquiries:
Email: [email protected]
Phone: [Your Phone Number]
Address: [Your Business Address], Nigeria
To Lodge a Complaint with NDPB:
Nigeria Data Protection Bureau
Website: https://ndpb.gov.ng
Email: [email protected]
Phone: +234 (0) 9-461-3858
Address: No. 1, Zambezi Crescent, Off Aguiyi Ironsi Street, Maitama, Abuja
19. Acknowledgment
By using Earn9ja, you acknowledge that you have read and understood this Data Protection Policy and consent to the processing of your personal data as described herein.
Document Version: 1.0
Effective Date: January 2, 2025
Next Review Date: January 2, 2026