Application of Policy

As a responsible and law-abiding digital health company, we are committed to ensuring that your Personal Data is lawfully collected, fairly processed, securely stored, and adequately protected in accordance with the provisions of applicable data protection legislation.

In the course of delivering our services and in connection with your interaction with us and authorised third parties through our platforms, including, but not limited to, our websites, telehealth portals, mobile applications, wellness hubs, and any other digital or physical channels operated by us (collectively, the “Platforms”), we may collect, use, retain, or otherwise process your Personal Data, subject always to the terms of this Privacy Policy (“Policy”).

This Policy outlines our data processing practices, the nature and purpose of Personal Data we may collect, and the rights to which you are entitled as a user of any of our services or Platforms. It applies to all VivaFemini-operated services, tools, applications, and sites, irrespective of the mode of access or use

Definitions

For the purposes of this Policy and any ancillary documentation or agreements to which it relates:

• “Data” or “Personal Data” shall mean any information relating to an identified or identifiable natural person (“Data Subject”), including but not limited to: name, residential or official address, identification number, email address, telephone number, biometric data, date of birth, passport photograph, online identifiers (including but not limited to MAC address, IP address, International Mobile Equipment Identity (IMEI), Subscriber Identification Module (SIM), International Mobile Subscriber Identity (IMSI)), Bank Verification Number (BVN), and other financial or transactional information such as bank account details, card numbers, personal identification numbers (PINs), or passwords.
• Personal Data shall also include sensitive information revealing or relating to race, ethnicity, tribe, nationality, political opinions, religious or philosophical beliefs, health status, sexual orientation, criminal convictions or records, trade union membership, and any data concerning the physical, physiological, genetic, mental, economic, cultural, or social identity of the Data Subject, whether directly or indirectly identifiable.
• “Processing” or “to Process” shall mean any operation or set of operations, whether or not carried out by automated means, performed upon Personal Data or sets of Personal Data, including but not limited to: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, transmission, disclosure (whether by dissemination, publication, or otherwise making available), alignment or combination, restriction, erasure, deletion or destruction.
• “Consent” By accessing or making use of any of VivaFemini's Platforms, services, tools, applications, or offerings (whether web-based, mobile-based, or offline), you acknowledge that you have read, understood, and agreed to the terms set forth in this Privacy Policy, and you expressly consent to the collection, use, disclosure, transfer, and processing of your Personal Data in accordance with the provisions herein and in compliance with applicable data protection laws.
• Where required by law or in specific contexts, VivaFemini shall obtain your clear and affirmative consent through an opt-in mechanism (such as ticking a box, clicking an 'Agree' button, or submitting a form), prior to collecting or processing your Personal Data, particularly in respect of sensitive personal data or where cross-border transfers are involved.
• You may, at any time and without detriment, withdraw your consent for any specific processing activity by contacting The Company's designated Data Protection Officer (DPO) via the contact details provided in this Policy. Such withdrawal shall not affect the lawfulness of any processing carried out prior to the withdrawal.
• Notwithstanding the foregoing, continued use of VivaFemini's Platforms or services after publication or notification of any material amendment to this Policy shall constitute renewed and binding consent to the updated terms.

Age and Legal Capacity

The use of The Company's Platforms and services is intended only for individuals who have attained the age of legal majority under the applicable laws of their country of residence, which shall in no case be less than eighteen (18) years.

Persons below the age of eighteen (18), or such higher age as required by law in their jurisdiction, may only access the Platforms and provide Personal Data with the verifiable consent and active supervision of a parent or legal guardian, who shall be responsible for the minor's actions and data disclosures.

VivaFemini reserves the right to take reasonable steps to verify the age and capacity of any user, and to restrict or suspend access where there is reason to believe that this clause has been breached.

All Personal Data collected from users under the applicable age threshold shall be processed strictly in accordance with the provisions of this Policy and any additional safeguards required under applicable child protection and data privacy laws

Collection of Personal Data

In the course of your interaction, engagement, or use of VivaFemini's Platforms, whether directly or through authorized third parties the Company may collect, access, or receive certain categories of Personal Data relating to you, in accordance with lawful, fair, and transparent data processing principles. Such data may be obtained through the following lawful means:

Automated Collection through Digital Interaction:

Personal Data may be collected automatically upon your access or continued use of VivaFemini's websites, mobile applications, digital tools, or services. This may include technical and usage information such as device identifiers, IP addresses, browsing history, access times, geolocation data, session cookies, and metadata arising from user activity. VivaFemini may deploy cookies, web beacons, SDKs, and other tracking technologies to enhance user experience, enforce Platform security, monitor traffic patterns, and facilitate service delivery. Users retain the right to disable non-essential cookies through their browser or device settings, except where such cookies are strictly necessary for the operation of the Platform.

Data from Device and Application Downloads:

When you install, launch, or use any of VivaFemini's digital applications or access its online services, the Company may collect location-based data and device-specific information (such as device model, operating system, and unique identifiers). This information may be used to deliver personalized content, functionality, or location-based services, subject always to applicable settings or permissions on your device, which you may manage or revoke at any time.

Information Voluntarily Provided through Physical or Digital Means:

VivaFemini may collect Personal Data directly from you when you create or update your account, complete forms, respond to surveys or feedback requests, or otherwise submit information through written correspondence, electronic communication, identification documents (e.g., national ID, passport), medical records, user-generated content, or through any other physical or digital means by which information is voluntarily made available to the Company.

Third-Party Sources and Verified Channels:

Where appropriate and lawful, VivaFemini may obtain Personal Data from authorised third-party sources, including but not limited to: healthcare providers, guardians, employers, payment processors, financial institutions, service vendors, institutional partners, or regulatory bodies. Such data shall be collected and processed in accordance with the representations and warranties provided by the source and shall be used solely for the purposes communicated to the Data Subject.

Social Media and External Platforms:

Personal Data may also be collected through your interactions with VivaFemini via social media platforms, including but not limited to Instagram, Facebook, LinkedIn, WhatsApp, and Twitter. Such interactions may include comments, enquiries, messages, mentions, tagged content, or any other publicly available engagement. Data collected in this manner shall be processed in accordance with the privacy settings of the platform and for purposes consistent with this Policy.

The Company shall ensure that all Personal Data collected through any of the above means shall be processed solely for legitimate, specified, and lawful purposes, with appropriate safeguards to protect your privacy and data protection rights.

Use of Your Personal Information

Storage and Protection Of Your Personal Data

• Encryption of sensitive or special category data both in transit and at rest, using industry-standard encryption protocols; 
• Controlled and role-based access rights to confidential data, ensuring only duly authorized personnel may access such information on a need-to-know basis;
• Secure server environments and cloud-based infrastructure hosted in certified data centers with appropriate physical and environmental security controls; 
• Implementation of firewall protections, anti-malware protocols, endpoint controls, and intrusion detection systems;
• Multi-factor authentication and periodic access credential reviews for administrative interfaces and user dashboards; 
• Regular security audits, vulnerability assessments, and data integrity reviews conducted internally or by third-party experts.

Processing and Disclosure of Your Personal Data

In the ordinary course of providing our services and in connection with your engagement with our platforms, we may share or disclose your Personal Data to the following categories of third parties (whether within or outside your jurisdiction of residence), subject always to data minimisation and confidentiality safeguards:

• Financial institutions and payment processors, to facilitate payments, refunds, or related financial transactions;
• External vendors, partners, consultants, and technical service providers engaged by VivaFemini under appropriate data processing agreements;
• Regulatory bodies, competent supervisory authorities, law enforcement, or judicial agencies, in compliance with applicable law, legal obligation, subpoena, court order, or binding regulatory directive;
• VivaFemini Group entities, subsidiaries, and affiliates, where such disclosure is necessary for group-level operations, coordination of services, or compliance purposes.

Where cross-border data transfer is required, the Company shall ensure that such transfer is executed in compliance with the Nigeria Data Protection Act 2023 and other applicable cross-border transfer protocols, and that adequate safeguards, such as standard contractual clauses or equivalent legal mechanisms, are implemented.

Your Data Protection Rights

In accordance with the Nigeria Data Protection Act, 2023 (NDPA), the Nigeria Data Protection Regulation, 2019 (NDPR), and other applicable data privacy frameworks, you, as a Data Subject, are entitled to exercise the following rights in respect of your Personal Data processed by the Company

Right of Access

You have the right to obtain confirmation from the Company as to whether or not your Personal Data is being processed, and, where that is the case, access to such data and supplementary information regarding the processing.

Right to Data Portability

You have the right to request that your Personal Data be made available to you in a structured, commonly used, and machine-readable format and, where technically feasible, to request the transfer of such data to another Data Controller or third party designated by you. This right shall not apply where the request is manifestly unfounded, repetitive, or excessive.

Right to Rectification

You have the right to request that inaccurate, incomplete, or outdated Personal Data relating to you be promptly corrected or updated. Any such request must be supported by appropriate documentation evidencing the inaccuracy and the proposed correction.

Right to Withdraw Consent

You may object to the processing of your Personal Data on legitimate grounds. In certain circumstances, you may also request that we restrict the processing of your data, particularly where there is a dispute as to its accuracy or lawfulness. However, this right is subject to overriding legal or regulatory obligations imposed on the Company.

Right to Erasure (“Right to be Forgotten”)

You may request the deletion of your Personal Data where there is no longer a lawful basis for retention. Notwithstanding, the Company reserves the right to retain such data where retention is required by law, regulatory directive, contractual obligation, or in defence of legal claims.

Right to Lodge Complaints

You are entitled to lodge a formal complaint with the Nigeria Data Protection Commission (NDPC) or any other competent supervisory authority, where you believe that your rights under applicable data protection law have been violated.

Right to be Informed

You have the right to receive clear, transparent, and easily understandable information about how your Personal Data is collected, used, shared, and retained by the Company, including the existence of any profiling or automated decision-making processes.

Right to Human Intervention in Automated Decisions

Where decisions concerning you are made solely on the basis of automated processing, including profiling, you have the right to request human intervention, express your point of view, and contest such decision, where it produces legal or similarly significant effects. Any request to exercise your rights may be made by sending an email to the Company's designated Data Protection Officer at dataprotection@vivafemini.org .We shall respond to such requests within the timeframes prescribed by applicable law and in accordance with our internal policies.

Software Usage and Updates

General Commitment

The Company is committed to safeguarding the privacy rights of its data subjects, regardless of geographic location. As a digital health platform with regional and global partnerships, it may be necessary, in the ordinary course of providing services, to transfer personal data across national borders, including to countries where data protection regimes may differ from those in Nigeria or the country of the data subject.

Scope of Application

This Cross-Border Data Transfer Policy governs the international transfer of personal data processed by or on behalf of VivaFemini, whether the transfer is intra-group, to a third-party service provider, or otherwise, and whether undertaken manually or by automated means.

Transfer Basis and Safeguards

Permitted Grounds for Transfer

Where adequacy or appropriate safeguards do not exist, personal data may only be transferred internationally upon satisfaction of one or more of the following lawful grounds:

• The explicit, informed, and freely-given consent of the data subject has been obtained;
• The transfer is necessary for the performance of a contract between the data subject and VivaFemini, or for pre-contractual steps at the request of the data subject;
• The transfer is necessary for the conclusion or performance of a contract in the interest of the data subject between VivaFemini and a third party;
• The transfer is necessary for important reasons of public interest recognized under applicable law;
• The transfer is necessary for the establishment, exercise, or defense of legal claims;
• The transfer is necessary to protect the vital interests of the data subject or another person where the data subject is incapable of giving consent.

Third-Party Processor Obligations

VivaFemini shall only transfer personal data to third-party processors outside Nigeria or other jurisdictions with adequate protection if such parties:

• Enter into written agreements with VivaFemini that impose binding data protection obligations equivalent to those contained in this Policy and applicable law;
• Undertake not to further transfer or sub-process the data without VivaFemini's prior written consent and appropriate safeguards;
• Agree to notify VivaFemini promptly in the event of a data breach or inability to comply with their obligations.

Data Minimization and Anonymization

Where feasible and appropriate, VivaFemini shall anonymize or pseudonymize personal data prior to transfer. Any transferred data must be limited to what is necessary for the intended lawful purpose and retained only for the period required to fulfil such purpose.

Transparency and Notification

VivaFemini shall inform data subjects, through this Policy or separate notice, where cross-border data transfers are anticipated, the jurisdictions involved, and the applicable safeguards implemented. Where required by law, the Company shall seek approval or registration of the cross-border transfer from the NDPC or other competent authority.

Public Authority Disclosure

Personal data may be disclosed to foreign public authorities only upon lawful request and in accordance with applicable legal standards. The Company shall ensure that such disclosures are proportionate, legally justified, and subject to accountability and reporting requirements.

Cookie Policy

VivaFemini uses cookies and similar tracking technologies to enhance user experience, ensure security, and enable functionality across our digital Platforms. This Cookie Policy explains how and why we use such technologies and the rights of users in relation to them.

Definition of Cookies

Cookies are small text files placed on your device (computer, smartphone, or other internet-enabled device) when you access or use our Platforms. These files contain information used to recognize your browser, store preferences, and improve your browsing experience.

Purpose of Use

We use cookies and similar technologies for the following lawful purposes:

User Consent and Control

Upon first visit to our Platform, you will be presented with a cookie banner or pop-up requesting your consent to use non-essential cookies. You may:

Please note that restricting certain types of cookies may impair functionality or limit your user experience on our Platforms.

Third-Party Sites and Cookies

This Cookie Policy applies exclusively to our websites and digital Platforms. The Company does not control the cookies or data practices of third-party websites that may be linked or embedded within our services. We encourage you to review the privacy and cookie policies of such external websites before engaging with them.

Policy Updates

We may revise this Cookie Policy from time to time to reflect changes in technology, applicable law, or our operational practices. Any material amendments will be communicated to you through appropriate notice mechanisms.

Session Cookies (Temporary Cookies)

The Company utilizes Session Cookies, otherwise referred to as Temporary Cookies, which enable our digital Platforms to recognize you during a single browsing session. These cookies temporarily retain information such as preferences and interactions submitted during your visit, thereby facilitating navigation and improving user experience.
 Such cookies are ephemeral in nature and are automatically deleted upon the closure of your browser or termination of your session.

Persistent Cookies (Permanent Cookies)

We also employ Persistent Cookies, also known as Permanent or First-Party Cookies, which remain active on your device beyond the closure of your browser session. These cookies allow our Platform to recall your saved preferences, authentication credentials, interface customizations (such as language selection), and previously selected settings, thereby personalizing and enhancing your future interactions with us.

Purpose and Lawfulness of Use

The deployment of both session and persistent cookies is strictly for lawful and legitimate purposes, including but not limited to:

• Maintaining session continuity;
• Personalizing user experience;
• Facilitating secure login and navigation;
• Enhancing Platform performance and accessibility.

Where cookies are not essential to the functioning of the Platform, we shall obtain your explicit consent prior to their deployment.

Why We Use Cookies

Cookies are employed by The Company for the purpose of enhancing the functionality, efficiency, and overall user experience of our Platforms. These technologies enable us to store and retrieve relevant information regarding your usage patterns, thereby facilitating seamless navigation, optimized service delivery, and personalization of content. Specifically, we use cookies for the following purposes

Authentication

To verify and identify you when you access or re-access our website, mobile application, or affiliated digital services. This enables us to tailor content and service options in accordance with your account status, usage preferences, and security settings.

Security and Fraud Prevention

To bolster the integrity of our Platforms, detect suspicious or unauthorized activity, enforce access restrictions, and support technical measures aimed at protecting user data, account access, and transactional security.

Preferences, Features, and User Experience

To store user-inputted data across sessions, including language selection, form inputs, interface preferences, and accessibility settings. These cookies enable the continuous and intuitive functionality of our services and allow us to customize your experience in a manner aligned with your previously demonstrated interests.

Performance, Analytics, and Research

To evaluate how users interact with our Platforms, measure traffic patterns, determine the effectiveness of communications or features, and generate statistical reports on service usage. These insights enable us to refine service delivery, improve user engagement, and inform product development decisions.

Where cookies are not strictly necessary for the operation of our services, we shall obtain your prior, informed, and unambiguous consent in accordance with the applicable provisions of the Nigeria Data Protection Act (NDPA) 2023.

Where We Place Cookies

The Company may deploy cookies and similar tracking technologies across multiple environments within our digital infrastructure. Such placement enables us to monitor performance, facilitate usability, and enhance service delivery. Cookies may be set in the following environments:

• Websites and Online Services: Cookies may be deployed on our official websites and any other VivaFemini-owned or managed web-based services or domains.
• Mobile Applications: Cookies and application-specific identifiers may be placed within our proprietary mobile applications, where such deployment enhances the app's responsiveness, remembers user preferences, or facilitates secure authentication.

Email Communications: We may embed cookies or pixel tags in emails sent by us in order to determine user engagement levels. These tools assist in evaluating whether you have opened, interacted with, or taken action in response to a given email, thereby informing improvements in future communications. The use of cookies in this context is subject to your email client or browser settings

Controlling Cookies

We shall not deploy cookies, other than those strictly necessary for the functioning and security of our Platforms, without first obtaining your express, informed, and affirmative consent in line with Section 41 of the Nigeria Data Protection Act (NDPA) 2023.You have the right to:

• Decline or Withdraw Consent: You may refuse the use of non-essential cookies by actively declining our cookie banner when accessing our Platforms. You may also withdraw previously granted consent at any time through your browser or device settings.
• Browser and Device Settings: You may configure your web browser or device settings to block, restrict, or delete cookies at your discretion. Please note, however, that certain core functionalities of our Platforms may be limited or rendered inoperative if essential cookies are disabled.
• Email Preferences: Your email settings may be configured to prevent automatic loading of images or disable tracking elements within email content. You are encouraged to consult your email provider's support resources for guidance.

We may revise this Cookie Policy from time to time to reflect legal, technological, or operational developments. Any material revisions will be communicated via email or prominently displayed on our Platforms prior to implementation.

Data Retention Policy

This Data Retention Policy ('Policy') sets forth the principles and procedures adopted by the “Company” for the secure retention, storage, archival, and eventual disposal of Records (as defined herein), in a manner that is compliant with applicable data protection, corporate, contractual, and regulatory obligations.

This Policy ensures that personal and sensitive information is retained only for as long as is strictly necessary for legitimate and lawful purposes, including but not limited to fulfilment of contractual obligations, compliance with statutory duties, defense of legal claims, financial recordkeeping, or public health-related obligations.

Definition of Records

For the purposes of this Policy, “Records” shall mean any documents, information, or data, whether in physical or electronic form that:

• Are created, received, stored, or maintained in the course of the Company's business;
• Serve as evidence of transactions, decisions, or activities relating to users, staff, partners, or stakeholders;
• May include but are not limited to:
• Personal Data and Special Category Data;
• Contracts and legal agreements;
• Correspondence, reports, communications (internal or external); 
• HR, financial, and operational records;
• Audit logs, analytics records, and metadata generated by platforms.

Records shall be deemed to encompass all media formats, including digital files, databases, hard-copy documents, emails, images, and cloud-based data.

Duration of Retention

The Company shall retain Records for no longer than is necessary to achieve the specific and lawful purposes for which such data was collected, subject to applicable regulatory retention schedules, business needs, and legal exceptions.

Archiving and Storage

Records required to be retained shall be securely stored, whether in physical or digital format, in line with the Company's Data Security and Access Management Policies. Electronic records shall be stored in encrypted form, on approved cloud-based or on-premises servers with access limited strictly to authorized personnel. Physical records shall be housed in secure, access-controlled environments, and their storage shall be periodically audited.

Disposal of Records

Upon expiry of the retention period, Records shall be securely disposed of in accordance with the Company's standard operating procedures, ensuring:

Exceptions and Legal Holds

The routine destruction of Records shall be suspended where a legal hold is in place. This includes:

• Instances of ongoing or anticipated litigation, investigations, or regulatory enquiries;
• Specific written instructions from the Company's Legal Counsel or Data Protection Officer.

During a legal hold, all relevant Records shall be preserved intact and may only be disposed of upon written clearance from Legal.

Compliance and Enforcement

The Company's Data Protection Officer shall periodically audit adherence to this Policy and shall ensure that all staff and relevant processors receive appropriate training on data retention obligations.

Non-compliance with this Policy shall be deemed a breach of duty and may result in disciplinary action, contractual penalties, or legal sanctions.

Scope and Objective of the Data Retention Policy

This Data Retention Policy shall apply to all Records, whether personal or non-personal in nature, created, received, accessed, processed, stored, retained, or destroyed by or on behalf of the Company in the ordinary course of its operations. The principal objective of this Policy is to ensure that all Records:

• Are accurately identified, lawfully retained, and stored securely in accordance with applicable legal, regulatory, and contractual obligations;
• Are protected against unauthorized access, alteration, or loss during their lifecycle
• Are destroyed or archived in a secure and timely manner upon the expiration of their designated retention period, subject to applicable legal holds.

The obligations contained herein apply to all employees, contractors, interns, officers, and consultants of the Company, as well as any third-party data processors or vendors engaged under lawful contract to handle Records or Personal Data on the Company's behalf.

Policy Oversight and Administration

Oversight and implementation of this Policy shall rest with the Company's Data Protection and Compliance Officer (DPCO), appointed in accordance with the Nigeria Data Protection Act 2023.

Security Measures for Retained Records

In furtherance of its obligations under the Nigeria Data Protection Act 2023, the Nigeria Data Protection Regulation 2019, and applicable international best practices, the “Company” shall implement and maintain appropriate technical and organisational measures to ensure the confidentiality, integrity, availability, and traceability of all Records retained in accordance with this Policy.

The Company shall continuously review and update its data retention and security practices to reflect changes in applicable law, technological advancements, and risk management protocols.

Retention Period and Procedures

The Company shall ensure that all Records obtained, generated, or stored in the course of its operations are periodically reviewed to assess their continuing relevance, validity, accuracy, and lawful retention. This review shall be carried out under the supervision of the Data Protection and Compliance Officer (DPCO) and shall be documented for audit purposes.

The Company shall ensure the secure destruction or anonymisation of all Records that have exceeded their lawful retention period, in a manner that prevents unauthorised access, retrieval, or reconstruction.

Destruction of Records

The destruction of Records is an integral and final stage of the Company's data retention lifecycle. Upon the expiry of any applicable retention period, Records shall be subject to appropriate review and thereafter securely archived, returned, anonymised, or irreversibly destroyed, depending on the nature, classification, and regulatory sensitivity of the Record in question.

The Data Protection and Compliance Officer (DPCO) shall maintain a Retention Register and shall, upon the lapse of a retention period, assess each Record against the register to determine the suitable course of action, subject always to applicable statutory, contractual, and regulatory obligations.

The Company shall ensure that destruction processes adhere strictly to the principles of confidentiality, integrity, and data minimization, and that such destruction shall render the data irretrievable, in compliance with the Nigeria Data Protection Act 2023, other applicable laws, and the terms of any binding legal instruments.

Data Transfers to Third Parties

In the ordinary course of its operations and service delivery, VivaFemini Limited (“the Company”) may, from time to time, lawfully disclose or grant access to Personal Data to carefully vetted third parties, including but not limited to service providers, financial institutions, vendors, affiliates, subsidiaries, contractors, consultants, and related entities (collectively referred to as “Authorized Third Parties”).

Lawful Basis and Purpose of Disclosure

Any such disclosure or access shall be limited to the extent necessary for the Authorized Third Parties to perform their contractual obligations or services for and on behalf of the Company, including but not limited to:

• Technical, software, and platform development support;
• Customer service and user support functions;
• Application quality assurance and analytics;
• Identity verification and KYC compliance;
• Transaction processing and payment facilitation;
• Research, demographic analysis, and product improvement;
• Hosting, storage, and infrastructure management

Data Processing Safeguards

The Company shall ensure that all Authorized Third Parties:

• Process Personal Data solely on the Company's documented instructions;
• Enter into enforceable data processing agreements that incorporate data protection obligations no less protective than those imposed under the Nigeria Data Protection Act (NDPA) 2023, its subsidiary regulations, and any applicable cross-border or sector-specific privacy requirements;
• Implement appropriate technical and organizational measures to ensure the confidentiality, integrity, and availability of Personal Data shared with them;
• Shall not further disclose, retain, or repurpose such Personal Data beyond the purpose for which it was shared, unless required by law.

Transparency and Control

Where applicable, and in compliance with the Company's Privacy Policy, data subjects shall be informed, either directly or indirectly, of the categories of third parties with whom their Personal Data may be shared. In all circumstances, The Company shall retain overall control and responsibility for the safeguarding and lawful use of Personal Data processed on its behalf.

Cross-Border Considerations

Any transfer of Personal Data to third parties outside the Federal Republic of Nigeria shall be carried out in accordance with the Company's Cross-Border Data Transfer Policy and only where adequate safeguards are in place, as provided under this Policy and Section 41 of the NDPA 2023

Continued Accountability

Notwithstanding the engagement of any Authorised Third Party, the Company shall remain liable and accountable for ensuring compliance with applicable data protection standards and shall regularly audit or monitor such third parties to verify adherence to contractual and legal obligations concerning data privacy

Legal and Regulatory Data Disclosures

The Company may, where lawfully required, disclose or grant access to your Personal Data to competent governmental authorities, regulatory agencies, law enforcement bodies, administrative tribunals, or judicial bodies (collectively referred to as “Regulatory Authorities”) for any of the following purposes:

• To comply with a legal or regulatory obligation imposed under applicable laws, including the Nigeria Data Protection Act (NDPA) 2023;
• To enforce the terms of any contractual agreement to which you or the Company is a party;
• To protect the rights, property, business operations, safety, or legal interests of the Company, its users, employees, affiliates, or the public;
• To cooperate with an ongoing investigation, litigation, or formal proceeding relating to unlawful conduct or data misuse

Such disclosure shall be limited to the extent strictly necessary to satisfy the purpose for which the information is sought and shall be made in good faith and in accordance with applicable due process and legal safeguards.

Third-Party Website Linkages and External Services

For ease of access and operational support, our digital platforms, applications, and services (“Platforms”) may contain hyperlinks or integrations that lead to external websites, third-party applications, or services not owned, controlled, or operated by the Company.

You are strongly advised to review the privacy and data handling policies of any third-party website or platform you visit through links on our Platforms. Should you be dissatisfied with their terms or practices, you are at liberty to refrain from continued engagement with such third-party site or service. To the fullest extent permissible by applicable law, the Company disclaims all liability for any damage, loss, harm, or unauthorized processing of your Personal Data arising from your access to or interaction with third-party websites, services, or platforms.

Security Assurances by Third Parties

The Company shall not disclose, transfer, or otherwise make available any Personal Data or Confidential Information belonging to a Data Subject or User to any third party, whether a vendor, service provider, consultant, affiliate, or agent, without first obtaining express or implied assurances (the “Undertaking”) from such third party that:

• They shall implement appropriate technical and organizational measures to safeguard the confidentiality, integrity, and availability of all Personal Data received;
• All persons authorized to process such data (including employees, officers, affiliates, or sub-processors) are bound by enforceable obligations of confidentiality, whether under contract, company policy, non-disclosure agreements, or statutory provisions;
• The disclosed data shall be processed strictly for the lawful, specified, and legitimate purpose for which it was shared, and not otherwise;
• The third party shall comply with all applicable data protection laws, regulations, and binding codes of practice, including but not limited to the Nigeria Data Protection Act (NDPA) 2023 or any successor legislation; and
• Under no circumstances shall the data be exploited, retained, or disclosed in a manner that constitutes unauthorized use, breach of duty, or infringement of data subject rights.

The Company shall retain the right to audit, supervise, or otherwise monitor the conduct and data handling practices of such third parties to ensure compliance with the undertakings imposed, and may terminate engagements or seek redress where a breach is detected or reasonably suspected.

Exceptions to Privacy Obligations

Nothing in this Policy shall apply to Personal Data or Information that:

• Has become publicly available through lawful means and without any breach by the Company or its agents;
• Is required by law or regulation to be disclosed under mandatory statutory, regulatory, or judicial order;
• Has been anonymized or rendered non-personally identifiable to such an extent that it no longer constitutes Personal Data under applicable law.

Breach and Consequences of Violation

Where any user, data subject, employee, agent, or third party:

• breaches the provisions of this Policy;
• acts in a manner inconsistent with the lawful handling of Personal Data; or
• engages in conduct which exposes the Company or any data subject to legal, regulatory, or reputational risk,

The Company reserves the unequivocal right to restrict, suspend, or terminate such person's access to its Platforms, services, or networks without prejudice to any other remedies available at law or in equity. In all cases, the affected individual or entity shall be notified of the basis of such action in writing, save where prohibited by law.

Dispute Resolution

The Company is committed to upholding the privacy and data protection rights of all Users and Data Subjects. In the event that you have any concerns or grievances regarding the processing of your Personal Data or the terms of this Privacy Policy, you are encouraged to notify the Company promptly in writing, stating your full name, contact details, and the specific nature of the complaint.

Internal Resolution Timeline

Upon receipt of such complaint, the Company shall acknowledge same within forty-eight (48) hours and engage with you in good faith toward achieving an amicable resolution within a reasonable time.

Escalation to Mediation

Where the Parties are unable to resolve any dispute, claim, or controversy arising out of or in connection with this Policy through negotiation within fourteen (14) days, such dispute shall be submitted to confidential mediation to be conducted in Lagos, Nigeria, in accordance with the provisions of the Lagos Multi-Door Courthouse (LMDC) Mediation Rules or such other mediation framework mutually agreed by the Parties. Each Party shall bear its own costs, and the Parties shall jointly bear the administrative costs of the mediation.

Recourse to Litigation

Where mediation fails or is deemed unsuccessful by the mediator, either Party may refer the matter to the appropriate court of competent jurisdiction in Lagos State, Nigeria, provided that all prior alternative dispute resolution mechanisms have been exhausted in good faith.

Contact Information

For any inquiries, requests, complaints, or assertions of data protection rights under applicable law, you may contact VivaFemini Limited via the following designated contact details:

• 
VivaFemini Limited, Data Protection Office
• Email: dataprotection@vivafemini.org
• Website:  www.vivafemini.org

Please allow up to forty-eight (48) hours for an initial response and two (2) business days for request processing. Kindly note that the Company reserves the right to decline manifestly unfounded, excessive, or repetitive requests, and may charge a reasonable administrative fee where permitted by law.