Privacy Policy
Last updated: January 2026. Questions? Contact us.
THIS PRIVACY POLICY NOTICE (“Privacy Policy”) describes how ONTRIA (Company”, “we”, “us”, or “our”) collects, uses, discloses, and protects Personal Data.
Introduction
-
The Company operates digital platforms and provides software, consulting, and digital transformation services to users and in the course of its business activities collects, processes, stores, and manages personal data from users who interact with its digital platforms, services, or products.
-
This Privacy Policy is established to comply with the Nigeria Data Protection Act, 2023 (NDPA), the General Application and Implementation Directive (GAID) 2025, and any transitional/legacy provisions from the Nigeria Data Protection Regulation (NDPR) 2019 where still applicable, and other applicable Nigerian laws governing the protection of personal data and privacy rights.
-
The Company recognizes the fundamental right to privacy of all individuals and is committed to implementing appropriate technical and organizational measures to ensure the lawful, fair, and transparent processing of personal data.
-
This Privacy Policy sets out the legal basis, purposes, and procedures for the collection, use, storage, sharing, and protection of personal data by the Company in accordance with Nigerian data protection principles.
-
The Company acts as a data controller in respect of personal data processed through its operations and acknowledges its obligations to data subjects under applicable Nigerian data protection laws.
-
This Privacy Policy applies to all personal data processing activities conducted by the Company, whether through automated or manual means, and covers data collected directly from users or obtained from third-party sources.
-
The Company is committed to maintaining transparency in its data processing activities and providing clear information to data subjects about their rights and how their personal data is handled.
-
Definitions
-
Automated Decision-Making means any decision-making process based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects an individual.
-
Biometric Data means personal data resulting from specific technical processing relating to the physical, physiological, or behavioural characteristics of a natural person, which allows or confirms the unique identification of that natural person.
-
Consent means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they signify agreement to the processing of personal data relating to them.
-
Cookies means small text files placed on a user’s device by a website to store information about the user’s preferences, login status, or browsing behaviour.
-
Data Breach means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.
-
Data Controller means a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
-
Data Portability means the right of a data subject to receive their personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.
-
Data Processor means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the data controller.
-
Data Protection Officer or DPO means the person designated by the Company to monitor compliance with data protection laws and serve as the primary contact for data protection matters.
-
Data Subject means an identified or identifiable natural person whose personal data is processed by the Company.
-
Direct Marketing means the communication of any advertising or marketing material which is directed to particular individuals.
-
Erasure means the deletion or removal of personal data from the Company’s systems and records.
-
Filing System means any structured set of personal data which is accessible according to specific criteria, whether centralized, decentralized, or dispersed on a functional or geographical basis.
-
Lawful Basis means one of the legal grounds specified under Nigerian data protection law that permits the processing of personal data.
-
NDPR means the Nigeria Data Protection Regulation 2019 and any amendments or successor legislation including but not limited to the Nigeria Data Protection Act, 2023 (NDPA) and General Application and Implementation Directive (GAID) 2025.
-
NDPC means the Nigeria Data Protection Commission, being the supervisory authority for data protection in Nigeria under the NDPA.
-
Personal Data means any information relating to an identified or identifiable natural person, including but not limited to name, identification number, location data, online identifier, or factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
-
Processing means any operation or set of operations performed on personal data or sets of personal data, whether by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, making available, alignment, combination, restriction, erasure, or destruction.
-
Profiling means any form of automated processing of personal data consisting of using personal data to evaluate certain personal aspects relating to a natural person.
-
Pseudonymization means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information.
-
Rectification means the correction of inaccurate personal data and the completion of incomplete personal data.
-
Restriction of Processing means the marking of stored personal data with the aim of limiting their processing in the future.
-
Sensitive Personal Data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, sex life, sexual orientation, or criminal convictions and offenses.
-
Third Country means any country outside Nigeria to which personal data may be transferred.
-
Third Party means any natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who are authorized to process personal data under the direct authority of the controller or processor.
-
Tracking Technologies means technologies used to collect information about users’ online activities, including cookies, web beacons, pixels, and similar technologies.
-
Transfer means the movement of personal data from one location, system, or controller to another.
-
User Account means the registered account created by a user to access the Company’s services or platforms.
-
Website means “ontria.com.ng” and any associated subdomains, applications, or digital platforms operated by the Company.
-
-
Information We Collect
-
Information You Provide Directly: We collect personal data that you voluntarily provide to us when you interact with our services, including:
-
Contact information such as name, email address, phone number, and postal address;
-
Account registration details including username, password, and profile information;
-
Payment and billing information including credit card details, bank account information, and transaction history;
-
Communications you send to us through contact forms, emails, surveys, feedback, or customer support interactions;
-
User-generated content such as reviews, comments, posts, and any other content you submit through our platforms;
-
Identity verification documents including government-issued identification, proof of address, and professional credentials where required;
-
Employment or business information when you apply for jobs or business partnerships with us.
-
-
Information Collected Automatically: We automatically collect certain information when you access or use our services, including:
-
Technical information such as IP address, device type, operating system, browser type and version, and device identifiers;
-
Usage data including pages visited, time spent on pages, click patterns, search queries, and interaction with website features;
-
Location data derived from IP addresses or GPS coordinates where location services are enabled;
-
Log files containing information about your access to and use of our services;
-
Performance data related to how our services function on your device.
-
-
Information from Cookies and Tracking Technologies: We use cookies, web beacons, and similar technologies to collect:
-
Session information and user preferences;
-
Analytics data about website performance and user behavior;
-
Advertising and marketing data for personalized content delivery.
-
-
Information from Third Parties: We may receive personal data about you from third-party sources, including:
-
Social media platforms when you connect your accounts or share content;
-
Business partners, vendors, and service providers who assist in our operations;
-
Publicly available sources and data aggregators;
-
Other users who refer you to our services or mention you in their communications.
-
-
Sensitive Personal Data: We may collect sensitive personal data only with your explicit consent or where permitted by law, including:
-
Health information when relevant to our services;
-
Religious or philosophical beliefs where disclosed in user content;
-
Biometric data for identity verification purposes where applicable.
-
-
-
How We Collect Information
-
Direct Collection Methods
-
We collect Personal Data directly from you when you voluntarily provide information through our Website, including but not limited to registration forms, contact forms, subscription forms, survey responses, and feedback submissions.
-
Personal Data is collected when you create a User Account, make inquiries about our services, request information, or engage in any transaction or communication with us.
-
We may collect Personal Data through telephone conversations, email correspondence, live chat features, and other direct communication channels you initiate with us.
-
-
Automatic Collection Methods
-
We automatically collect certain information when you visit or interact with our Website through the use of Cookies, web beacons, log files, and other Tracking Technologies.
-
Automatic collection includes technical data such as IP addresses, browser type and version, operating system, device identifiers, location data, and browsing behaviour patterns.
-
We collect usage data including pages visited, time spent on pages, click-through rates, download activity, and interaction with Website features and content.
-
-
Third Party Sources
-
We may obtain Personal Data from publicly available sources, business partners, service providers, marketing agencies, and other Third Parties with whom we have legitimate business relationships.
-
Personal Data may be collected through social media platforms when you interact with our social media accounts or use social media login features on our Website.
-
We may receive Personal Data from affiliate companies, subsidiaries, and other entities within our corporate group for legitimate business purposes.
-
-
Mobile Applications and Devices
-
When you use our mobile applications, we may collect device-specific information including device model, operating system version, unique device identifiers, and mobile network information.
-
With your Consent, we may access device features such as camera, microphone, location services, contacts, and photo gallery for specific functionalities within our applications.
-
-
Offline Collection
-
We may collect Personal Data through offline interactions including physical forms, printed surveys, business cards exchanged at events, and face-to-face meetings or consultations.
-
Personal Data collected offline may be digitized and integrated into our electronic Filing Systems for Processing in accordance with this Privacy Policy.
-
-
-
Purpose of Data Processing
-
The Company processes Personal Data only for lawful, specific, explicit and legitimate purposes in accordance with the NDPA and applicable Nigerian data protection laws.
-
Lawful Basis for Processing
-
The Company processes Personal Data based on one or more of the following lawful grounds:
-
Consent of the Data Subject for specific processing activities;
-
Performance of a contract to which the Data Subject is a party or to take steps at the request of the Data Subject prior to entering into a contract;
-
Compliance with legal obligations to which the Company is subject under Nigerian law;
-
Protection of vital interests of the Data Subject or another natural person;
-
Performance of tasks carried out in the public interest;
-
Legitimate interests pursued by the Company, provided such interests do not override the fundamental rights and freedoms of the Data Subject.
-
-
-
Specific Purposes of Processing
- Service Provision and Account Management
-
Processing Personal Data to provide, maintain, and improve our services, create and manage User Accounts, and facilitate user access to platform features.
- Communication and Customer Support
-
Processing contact information and communication records to respond to inquiries, provide customer support, and send service-related notifications.
- Transaction Processing and Billing
-
Processing payment information, billing details, and transaction records to facilitate payments, issue invoices, and maintain financial records.
- Legal Compliance and Regulatory Requirements
-
Processing Personal Data to comply with applicable Nigerian laws, regulatory requirements, court orders, and government requests.
- Security and Fraud Prevention
-
Processing Personal Data to detect, prevent, and investigate security breaches, fraudulent activities, and unauthorized access to our systems.
- Analytics and Service Improvement
-
Processing usage data and user interactions to analyse platform performance, improve services, and develop new features.
- Marketing and Communications
-
Processing contact information and preferences to send promotional materials, newsletters, and marketing communications where Consent has been obtained.
- Research and Development
-
Processing anonymized or pseudonymized data for research purposes, product development, and business analytics.
-
Processing of Sensitive Personal Data
-
The Company processes Sensitive Personal Data only where:
-
Explicit Consent has been obtained from the Data Subject;
-
Processing is necessary for compliance with employment law obligations;
-
Processing is necessary to protect vital interests where Consent cannot be obtained;
-
Processing is authorized by Nigerian law for reasons of substantial public interest.
-
-
-
Purpose Limitation
-
Personal Data shall not be processed for purposes other than those specified in this section unless:
-
Fresh Consent is obtained from the Data Subject for the new purpose;
-
The new purpose is compatible with the original purpose of collection;
-
Processing is required by law or for the performance of statutory functions.
-
-
-
-
Data Sharing and Disclosure
-
The Company may share personal data with third parties only in the circumstances set out in this section and in accordance with applicable Nigerian data protection laws.
-
Service Providers and Processors
-
The Company may share personal data with trusted third-party service providers who assist in delivering our services, including but not limited to payment processors, hosting providers, marketing agencies, and customer support services.
-
All service providers are required to enter into data processing agreements that ensure adequate protection of personal data and compliance with Nigerian data protection requirements.
-
Service providers are only authorized to process personal data for the specific purposes outlined in their agreements with the Company and are prohibited from using personal data for their own purposes.
-
-
Corporate Affiliates and Subsidiaries
-
Personal data may be shared with the Company’s subsidiaries, parent - purposes including administration, customer service, and internal reporting.
-
Such sharing is subject to appropriate safeguards and all recipient entities must maintain equivalent levels of data protection.
-
-
Legal and Regulatory Requirements
-
The Company may disclose personal data when required by Nigerian law, court order, or lawful request from regulatory authorities including NDPC.
-
Personal data may be shared with law enforcement agencies when necessary to prevent, detect, or investigate criminal activities or threats to public safety.
-
The Company will endeavour to notify affected data subjects of such disclosures unless prohibited by law or court order.
-
-
Business Transactions
-
In the event of a merger, acquisition, sale of assets, or similar business transaction, personal data may be transferred to the acquiring entity or successor organization.
-
Data subjects will be notified of any such transfer and informed of their rights regarding the continued processing of their personal data.
-
-
Consent-Based Sharing
-
The Company may share personal data with third parties when explicit consent has been obtained from the data subject for such sharing.
-
Consent may be withdrawn at any time, and the Company will cease sharing personal data with the relevant third parties upon such withdrawal.
-
-
Anonymized and Aggregated Data
- The Company may share anonymized or aggregated data that cannot identify individual data subjects with third parties for research, analytics, or business purposes.
-
The Company does not sell, rent, or trade personal data to third parties for commercial purposes without explicit consent from data subjects.
-
-
Data Security Measures
-
The Company implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk of Processing Personal Data, taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of Processing.
-
Technical security measures include but are not limited to:
-
Encryption of Personal Data both in transit and at rest using industry-standard encryption protocols.
-
Implementation of secure access controls including multi-factor authentication for authorized personnel.
-
Regular security updates and patches to systems and software used for Processing Personal Data.
-
Network security measures including firewalls, intrusion detection systems, and secure communication protocols.
-
Regular automated backups of Personal Data with secure storage and recovery procedures.
-
Implementation of data loss prevention systems to prevent unauthorized disclosure or transfer of Personal Data.
-
-
Organizational security measures include but are not limited to:
-
Designation of authorized personnel with defined roles and responsibilities for data protection and security.
-
Regular training of employees on data protection principles, security procedures, and incident response protocols.
-
Implementation of confidentiality agreements for all personnel with access to Personal Data.
-
Establishment of clear data handling procedures and access controls based on the principle of least privilege.
-
Regular security audits and risk assessments to identify and address potential vulnerabilities.
-
Development and maintenance of incident response procedures for Data Breaches and security incidents.
-
-
The Company conducts regular reviews and updates of its security measures to ensure their continued effectiveness and compliance with applicable Nigerian data protection laws and industry best practices.
-
Access to Personal Data is restricted to authorized personnel who require such access for legitimate business purposes and is monitored and logged for security purposes.
-
Third-party service providers and Data Processors engaged by the Company are required to implement appropriate security measures and provide adequate guarantees regarding the protection of Personal Data.
-
The Company maintains records of all security incidents and Data Breaches and will notify the relevant authorities and affected Data Subjects in accordance with the requirements of the NDPA and applicable Nigerian laws.
-
-
Data Retention
-
The Company shall retain personal data only for as long as necessary to fulfil the purposes for which it was collected, in accordance with the lawful basis for processing, and as required by applicable Nigerian laws.
-
Account and Profile Data collected from registered users shall be retained for the duration of the active user account plus a period of two (2) years following account closure or deactivation.
-
Transaction and Payment Data shall be retained for a minimum period of six (6) years from the date of the last transaction to comply with Nigerian financial record-keeping requirements and tax obligations.
-
Marketing and Communication Data shall be retained until the data subject withdraws consent or for a maximum period of three (3) years from the last interaction, whichever occurs first.
-
Technical and Usage Data including server logs, cookies, and website analytics shall be retained for a period not exceeding twelve (12) months from the date of collection.
-
Employment and HR Data of current employees shall be retained during the employment period plus seven (7) years following termination of employment as required by Nigerian labour laws.
-
Legal and Compliance Data necessary for establishing, exercising, or defending legal claims shall be retained for the applicable limitation period under Nigerian law or until the resolution of any legal proceedings.
-
Sensitive Personal Data shall be deleted or anonymized immediately upon achieving the specific purpose for which it was processed, unless retention is required by law.
-
The Company shall establish and maintain a data retention schedule that specifies retention periods for different categories of personal data and shall review this schedule annually.
-
Personal data shall be securely deleted or anonymized upon expiration of the applicable retention period using industry-standard methods that prevent recovery of the original data.
-
Where personal data is stored in backup systems, the Company shall ensure that such data is deleted from backup systems within ninety (90) days of the scheduled deletion date.
-
Data subjects may request early deletion of their personal data where there is no legal obligation requiring continued retention, and the Company shall comply with such requests within thirty (30) days.
-
-
Individual Rights
-
Right of Access: You have the right to obtain confirmation from the Company as to whether or not your Personal Data is being processed, and where that is the case, access to your Personal Data and information about the purposes of processing, categories of Personal Data concerned, recipients of disclosure, retention periods, and your other rights under this Privacy Policy.
-
Right to Rectification: You have the right to obtain rectification of inaccurate Personal Data concerning you and to have incomplete Personal Data completed, including by means of providing a supplementary statement.
-
Right to Erasure: You have the right to obtain erasure of your Personal Data where the Personal Data is no longer necessary for the purposes for which it was collected, you withdraw Consent where processing is based on Consent, you object to processing and there are no overriding legitimate grounds for processing, or the Personal Data has been unlawfully processed.
-
Right to Restriction of Processing: You have the right to obtain Restriction of Processing where you contest the accuracy of Personal Data, the processing is unlawful but you oppose erasure, the Company no longer needs the Personal Data but you require it for legal claims, or you have objected to processing pending verification of legitimate grounds.
-
Right to Data Portability: Where processing is based on Consent or contract performance and is carried out by automated means, you have the right to receive your Personal Data in a structured, commonly used, and machine-readable format and to transmit that data to another Data Controller.
-
Right to Object: You have the right to object to processing of your Personal Data for Direct Marketing purposes at any time, and to processing based on legitimate interests unless the Company demonstrates compelling legitimate grounds that override your interests, rights, and freedoms.
-
Rights Related to Automated Decision-Making: You have the right not to be subject to decisions based solely on Automated Decision-Making, including Profiling, which produce legal effects or similarly significantly affect you, except where necessary for contract performance or based on explicit Consent.
-
Right to Withdraw Consent: Where processing is based on Consent, you have the right to withdraw Consent at any time without affecting the lawfulness of processing based on Consent before its withdrawal.
-
Exercise of Rights: To exercise any of these rights, you may contact the Company using the details provided in Section 13 of this Privacy Policy, and the Company will respond to your request within thirty (30) days as required under the NDPA.
-
Right to Lodge Complaints: You have the right to lodge a complaint with NDPC if you believe that the processing of your Personal Data violates applicable Nigerian data protection laws.
-
Verification Requirements: The Company may require reasonable verification of your identity before processing requests to exercise your rights, and may charge reasonable fees for manifestly unfounded or excessive requests.
-
-
Cookies and Tracking Technologies
-
The Company uses Cookies and Tracking Technologies on its Website to enhance user experience, analyse usage patterns, and provide personalized services in accordance with the provisions of the NDPA and applicable Nigerian laws.
-
Cookies are small text files stored on your device when you visit our Website that enable us to recognize your browser and capture certain information about your preferences and activities.
-
The types of Cookies and Tracking Technologies we use include:
-
Essential Cookies: Necessary for the basic functioning of the Website and cannot be disabled without affecting core functionality.
-
Performance Cookies: Collect anonymous information about how visitors use our Website to help us improve its performance and user experience.
-
Functionality Cookies: Remember your preferences and settings to provide enhanced features and personalized content.
-
Analytics Cookies: Track and analyse user behaviour patterns to understand Website usage and improve our services.
-
Marketing Cookies: Used for targeted advertising and measuring the effectiveness of marketing campaigns.
-
-
We obtain your Consent before placing non-essential Cookies on your device, except where such Cookies are strictly necessary for the provision of services you have requested.
-
You may manage your cookie preferences through your browser settings or our cookie management tool, however disabling certain Cookies may limit your ability to use some features of our Website.
-
Third Party service providers may place Cookies on your device through our Website for analytics, advertising, and social media integration purposes, subject to their respective privacy policies.
-
We retain Cookie data for periods ranging from session-based to up to two (2) years depending on the type and purpose of the Cookie, after which such data is automatically deleted.
-
We do not use Cookies to store Sensitive Personal Data or information that could directly identify you without additional authentication measures.
-
-
International Data Transfers
-
The Company may transfer Personal Data outside Nigeria to Third Countries where necessary for the legitimate purposes outlined in this Privacy Policy, subject to compliance with applicable Nigerian data protection laws and regulations.
-
All international Transfers of Personal Data shall be conducted only where the Company has ensured that appropriate safeguards are in place to protect the rights and freedoms of Data Subjects and that effective legal remedies are available.
-
The Company shall implement one or more of the following safeguards for international data Transfers:
-
Transfer to countries that have been determined by NDPC to provide adequate levels of data protection equivalent to Nigerian standards.
-
Implementation of binding corporate rules approved by NDPC for intra-group transfers within multinational organizations.
-
Execution of standard contractual clauses or model clauses approved by NDPC with the data recipient in the Third Country.
-
Implementation of approved codes of conduct or certification mechanisms that include binding and enforceable commitments by the data recipient.
-
Obtaining explicit Consent from the Data Subject for the specific Transfer after being informed of the potential risks.
-
-
In exceptional circumstances, the Company may transfer Personal Data without adequate safeguards only where:
-
The Transfer is necessary for the performance of a contract between the Data Subject and the Company or implementation of pre-contractual measures.
-
The Transfer is necessary for important reasons of public interest as recognized under Nigerian law.
-
The Transfer is necessary for the establishment, exercise, or defense of legal claims.
-
The Transfer is necessary to protect the vital interests of the Data Subject where Consent cannot be obtained.
-
-
The Company shall maintain records of all international Transfers including the categories of Personal Data transferred, the purpose of Transfer, the safeguards implemented, and the identity of recipients in Third Countries.
-
Data Subjects have the right to obtain information about the safeguards implemented for international Transfers of their Personal Data and to lodge complaints with NDPC regarding such Transfers.
-
The Company shall regularly review and monitor the adequacy of safeguards for international Transfers and shall suspend or terminate Transfers where adequate protection cannot be ensured.
-
-
Children’s Privacy
-
The Company recognizes that children require special protection when their personal data is processed and implements additional safeguards in accordance with Nigerian data protection laws.
-
For the purposes of this Privacy Policy, a “child” means any person under the age of eighteen (18) years as defined under Nigerian law.
-
The Company does not knowingly collect, process, or retain personal data from children without obtaining verifiable parental consent prior to such collection.
-
Where the Company’s services are not directed at children, the Company will take reasonable steps to verify that users are not children, including:
-
Implementing age verification mechanisms during account registration or service access.
-
Requiring users to confirm their age before accessing certain features or services.
-
Monitoring user interactions to identify potential underage users.
-
-
If the Company becomes aware that it has inadvertently collected personal data from a child without proper parental consent, it will:
-
Immediately cease processing such personal data.
-
Delete the child’s personal data from its systems within thirty (30) days of discovery.
-
Notify the parents or guardians of the data collection and deletion process where contact information is available.
-
-
Where parental consent is required and obtained, the Company will:
-
Verify the identity of the parent or legal guardian providing consent.
-
Clearly explain the purposes for which the child’s personal data will be processed.
-
Allow parents to withdraw consent at any time and delete their child’s personal data upon request.
-
-
Parents and legal guardians have the right to access, rectify, or request deletion of their child’s personal data by contacting the Company through the contact information provided in this Privacy Policy.
-
The Company will not use a child’s personal data for direct marketing purposes or share such data with third parties for commercial purposes without explicit parental consent.
-
Additional security measures are implemented for children’s personal data, including enhanced access controls and regular monitoring of data processing activities involving minors.
-
-
Policy Updates
-
The Company reserves the right to modify, update, or amend this Privacy Policy at any time to reflect changes in its data processing practices, applicable laws, or business operations.
-
Any material changes to this Privacy Policy that may adversely affect the rights of data subjects or significantly alter the purposes for which personal data is processed shall be communicated to users through the following methods:
-
Posting prominent notice on the Company’s website or digital platform for a period of not less than thirty (30) days prior to the changes taking effect.
-
Sending direct notification via email to registered users at their last known email address on file.
-
Push notifications through the Company’s mobile application where applicable.
-
-
For non-material changes such as typographical corrections, clarifications that do not change the substance of the policy, or administrative updates, the Company may update this Privacy Policy without prior notice by posting the revised version on its website.
-
The effective date of any updated Privacy Policy shall be clearly indicated at the top of the document, and the Company shall maintain a version history of significant changes for a period of three (3) years.
-
Continued use of the Company’s services, website, or digital platforms after the effective date of any updated Privacy Policy constitutes acceptance of the revised terms, unless the user explicitly objects within thirty (30) days of notification.
-
Where changes relate to the processing of sensitive personal data or introduce new lawful basis for processing, the Company shall obtain fresh consent from affected data subjects before implementing such changes.
-
Users who object to material changes in the Privacy Policy may terminate their relationship with the Company and request deletion of their personal data in accordance with Section 8 of this Privacy Policy.
-
-
Contact Information
-
For any inquiries, complaints, or requests relating to this Privacy Policy or the processing of your Personal Data, you may contact the Company using the following details:
-
Email: info@ontria.com.ng
-
Telephone: +234 915 926 8353
-
Physical Address: Lagos, Nigeria
-
-
You have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) if you believe your Personal Data has been processed in violation of applicable data protection laws.
NDPC contact details are as follows:
-
Address: Nigeria Data Protection Commission, No.12 DR Clement Isong Street, Abuja.
-
Email: info@ndpc.gov.ng
-
Website: www.ndpc.gov.ng
-
The Company undertakes to respond to privacy-related inquiries and requests within 30 days of receipt, or such shorter period as may be required under applicable law.
-
When contacting the Company regarding privacy matters, please provide sufficient information to enable us to identify you and process your request efficiently.
-
-
Governing Law and Jurisdiction
-
This Privacy Policy and all matters relating to the processing of personal data by the Company shall be governed by and construed in accordance with the laws of the Federal Republic of Nigeria.
-
The Company’s data processing activities are subject to the Nigeria Data Protection Act, 2023 (NDPA), the General Application and Implementation Directive (GAID) 2025, and any transitional provisions from the Nigeria Data Protection Regulation (NDPR) 2019, and any other applicable Nigerian data protection laws and regulations as may be amended from time to time.
-
The Nigeria Data Protection Commission (NDPC) serves as the supervisory authority for data protection matters in Nigeria, and the Company acknowledges NDPC’s jurisdiction over its data processing activities.
-
Any dispute arising out of or in connection with this Privacy Policy or the Company’s data processing activities shall first be resolved through good faith negotiations between the parties.
-
Where disputes cannot be resolved through negotiation, data subjects may lodge complaints with NDPC in accordance with the procedures established under Nigerian data protection laws.
-
The Federal High Court of Nigeria shall have exclusive jurisdiction to determine any legal proceedings arising from or relating to this Privacy Policy or data protection matters involving the Company.
-
Data subjects retain all rights available under Nigerian law to seek remedies for violations of their data protection rights, including but not limited to compensation for damages suffered as a result of unlawful processing.
-
This Privacy Policy shall remain binding and enforceable to the fullest extent permitted under Nigerian law, and any provision found to be unenforceable shall not affect the validity of the remaining provisions.
-
This Privacy Policy has been approved and adopted by ONTRIA and becomes effective on 15TH JANUARY, 2026.