Last Updated: May 24, 2025
1. INTRODUCTION
Accentity Ltd ("we," "us," "our," or the "Company") is committed to protecting the privacy and security of personal data we process in connection with our AI-driven credit reporting platform services (the "Service").
This Privacy Policy explains our practices regarding the collection, use, and disclosure of personal data by our Service, as well as your rights regarding this data. This policy has been designed to comply with applicable data protection laws, including the Nigerian Data Protection Act 2023 ("NDPA") and the European Union General Data Protection Regulation ("GDPR"), where applicable.
2. DEFINITIONS
For the purposes of this Privacy Policy:
"Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject"); an identifiable natural person is one who can be identified, directly or indirectly.
"Processing" means any operation performed on Personal Data, such as collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, combination, restriction, erasure, or destruction.
"Data Controller" means the entity that determines the purposes and means of the Processing of Personal Data.
"Data Processor" means an entity that Processes Personal Data on behalf of a Data Controller.
"Customer" means our B2B clients (e.g., financial institutions) who use our Service.
"End User" means an individual whose Personal Data is processed through our Service when they request their credit identity through our Customers or directly through our website.
3. ROLES AND RESPONSIBILITIES
3.1 Our Role
In providing our Service to Customers, we act in different capacities depending on the context:
We act as a Data Processor when processing Personal Data of End Users on behalf of our Customers. In this context, our Customers are the Data Controllers who determine the purposes and means of processing End User Personal Data.
We act as a Data Controller for Personal Data we collect directly from our Customers' referred users who access and use our Service.
3.2 Customer Responsibilities
As Data Controllers, our Customers are responsible for:
Ensuring they have appropriate legal bases for processing End User Personal Data
Providing privacy notices to End Users as required by applicable law
Obtaining any necessary consents from End Users
Responding to Data Subject rights requests from End Users
Ensuring they have the right to share End User Personal Data with us
We will assist our Customers in fulfilling these obligations as appropriate.
4. PERSONAL DATA WE PROCESS
4.1 Customer Personal Data
As a Data Controller, we collect and process the following Personal Data from our Customers' referred users:
Account Information: Name, email address, phone number
Authentication Data: Username, password (encrypted), security questions, and multi-factor authentication details
System Usage Data: Log data, device information, IP addresses, access times, pages viewed, and other usage information
Communications: Information provided in support tickets, feedback, emails, and other communications
Payment Information: Billing contact details, payment method information, and transaction history
4.2 End User Personal Data
As a Data Processor on behalf of our Customers, we may process the following categories of End User Personal Data:
Identification Information: Name, date of birth, government-issued identification numbers, and contact information
Financial Information: Income data, transaction data, account balances, payment records, savings data and credit history
Behavioural Data: Payment behaviour, loan repayment history, and default records
Derived Data: Credit scores, affordability assessments, and other analytical outputs generated by our credit and risk decisioning models
5. HOW WE COLLECT PERSONAL DATA
5.1 Direct Collection
We collect Personal Data directly from:
Customer and website referred users during account registration and service usage
Customer interactions with our support team and communications systems
5.2 Indirect Collection
We collect Personal Data indirectly through:
Our Customers, who provide End User Personal Data for processing
Third-party data sources and integration partners authorised by the End User
Automated technologies such as cookies and server logs
Open banking providers and financial data sources
Public records and legitimate information sources relevant to financial behavioural assessment
6. PURPOSES AND LEGAL BASES FOR PROCESSING
6.1 Processing Customer Personal Data (as Data Controller)
We process Customer Personal Data for the following purposes and under the following legal bases:
| Purpose | Legal Basis |
| --- | --- |
| Account creation and management | Contract performance |
| Service provision and customisation | Contract performance |
| Communication about the Service | Legitimate interests |
| Technical support and troubleshooting | Contract performance |
| Service improvement and feature development | Legitimate interests |
| Security monitoring and fraud prevention | Legal obligation and legitimate interests |
| Billing and payment processing | Contract performance |
| Marketing our services to existing customers | Legitimate interests (with opt-out) |
6.2 Processing End User Personal Data (as Data Processor)
We process End User Personal Data solely on behalf of our Customers and the End User, and in accordance with their instructions for the following purposes:
Financial behaviour scoring and affordability assessment
Fraud detection and risk management
Regulatory compliance (e.g., KYC, AML)
Data enrichment and verification
Statistical analysis and model development
The legal bases for this processing are determined by our End Owners as Data Owners.
7. DATA SHARING AND DISCLOSURES
7.1 Service Providers
We may share Personal Data with the following categories of service providers who process data on our behalf:
Cloud infrastructure and hosting providers
Authentication and security service providers
Customer support and ticketing systems
Payment processors
Data analytics providers
Communication and notification services
All service providers are bound by appropriate data processing agreements that ensure adequate protection of Personal Data.
7.2 Third-Party Data Sources
We integrate with various first- and third-party data sources as directed by the End User, including but not limited to:
Open banking providers
Financial institutions
KYC and identity verification services
Utilities providers
These integrations are governed by appropriate data sharing agreements.
7.3 Legal Disclosures
We may disclose Personal Data when required by law, including:
In response to lawful requests from public authorities
To comply with a legal obligation, court order, or legal process
To protect our rights, privacy, safety, or property
In connection with an investigation of suspected or actual illegal activity
7.4 Business Transfers
If we are involved in a merger, acquisition, or sale of assets, Personal Data may be transferred as a business asset. We will ensure that such transfers comply with applicable data protection laws and this Privacy Policy.
8. INTERNATIONAL DATA TRANSFERS
8.1 Data Storage Locations
We primarily store Personal Data in data centres located in the United Kingdom and Nigeria. However, some processing may occur in other countries where our service providers operate.
8.2 Transfer Safeguards
When transferring Personal Data outside Nigeria or the European Economic Area, we implement appropriate safeguards including:
Standard Contractual Clauses approved by the European Commission and/or the Nigeria Data Protection Commission
Adequacy decisions where applicable
Binding Corporate Rules where applicable
Other legally approved mechanisms
9. DATA RETENTION
9.1 Customer Personal Data
We retain Customer Personal Data for:
The duration of the contractual relationship plus an additional period as required for legal, regulatory, audit, or legitimate business purposes
Account information is retained for up to 2 years after account closure for regulatory compliance and business continuity purposes
9.2 End User Personal Data
End User Personal Data is retained:
In accordance with our Customers' instructions
As required by applicable laws and regulations
According to our documented retention policies, which balance service needs with data minimisation principles
9.3 Anonymised Data
We may retain anonymised or aggregated data, which cannot identify individual Data Subjects, for statistical, research, and service improvement purposes indefinitely.
10. DATA SECURITY
We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
Encryption of Personal Data in transit and at rest
Regular security assessments and penetration testing
Access controls and authentication mechanisms
Staff training on data protection and security
Incident response procedures
Regular security monitoring and logging
Data backup and recovery procedures
While we strive to protect the Personal Data we process, no system is completely secure. We continuously improve our security measures as technology evolves.
11. DATA SUBJECT RIGHTS
11.1 Customer Personal Data
For Personal Data we control directly, individuals have the following rights (subject to applicable law):
Right to Access: Request information about Personal Data we process, how we process it, and who we share it with
Right to Rectification: Request correction of inaccurate Personal Data
Right to Erasure: Request deletion of Personal Data in certain circumstances
Right to Restrict Processing: Request limitation of processing in certain circumstances
Right to Data Portability: Request transfer of Personal Data in a structured, machine-readable format
Right to Object: Object to processing based on legitimate interests or for direct marketing
Right to Withdraw Consent: Withdraw previously given consent to processing
Rights Related to Automated Decision-Making: Request human intervention for significant automated decisions
11.2 End User Personal Data
For Personal Data we process on behalf of our Customers, End Users should contact the Customer directly to exercise their rights. We will assist our Customers in responding to such requests in accordance with applicable law.
12. COOKIES AND SIMILAR TECHNOLOGIES
12.1 Types of Cookies We Use
We use the following types of cookies and similar technologies:
Strictly necessary cookies. These are cookies that are required for the operation of our Website and Service. They include, for example, cookies that enable you or your Users to log into secure areas of our Website or Service.
Analytical/performance cookies. They allow us to recognise and count the number of visitors and to see how visitors move around our Website and Service when they are using it. This helps us to improve the way our Website and Service works.
Functionality cookies. These are used to recognise you and your Users when you/they return to our Website. This enables us to personalise our content for you and your Users, greet you and your Users by name and remember your/their preferences.
Targeting cookies. These cookies record your and your Users’ visit to our Website, the pages you and your Users have visited and the links you and your Users have followed. We will use this information to make our Website and the advertising displayed on it (if any) more relevant to your and your Users’ interests. We may also share this information with third parties for this purpose.
You can find detailed information about the individual cookies we use, the purposes for which we use them and how to manage them on our cookie policy page - https://accentity.tech/cookie-policy.
13. CHILDREN'S PRIVACY
Our Service is not directed to individuals under the age of 18. We do not knowingly collect Personal Data from children. If we become aware that we have collected Personal Data from a child without verification of parental consent, we will take steps to remove that information from our servers.
14. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify Customers of material changes through our Service or by other means. The date at the top of this Privacy Policy indicates when it was last updated.
15. DATA PROTECTION OFFICER AND CONTACT INFORMATION
15.1 Data Protection Officer
We have appointed a Data Protection Officer who can be contacted at:
Email: dpo@accentity.tech
15.2 General Inquiries
For general privacy inquiries or to exercise your rights, please contact us at:
Email: hello@accentity.tech
15.3 Supervisory Authority
You have the right to lodge a complaint with a supervisory authority if you believe our processing of your Personal Data violates applicable law. In Nigeria, the supervisory authority is the Nigeria Data Protection Commission (NDPC). In the UK, the supervisory authority is the Information Commissioner's Office (ICO). In the EU, you may contact the supervisory authority in your country of residence.
16. APPENDICES
Appendix A: Data Processing Terms for Customers
Last Updated: May 24, 2025
1. INTRODUCTION
These Data Processing Terms ("DPT") form part of the main service agreement between Accentity ("Company," "we," "us," or "our") and our customers ("Customer," "you," or "your") and govern the processing of Personal Data by our subprocessors in connection with the provision of our credit intelligence platform services.
This document supplements our Privacy Policy and ensures compliance with applicable data protection laws, including the Nigerian Data Protection Act 2023 ("NDPA") and the European Union General Data Protection Regulation ("GDPR").
2. DEFINITIONS
Terms used in this DPT have the meanings assigned to them in the main service agreement, Privacy Policy, or as defined below:
"Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with a party
"Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including NDPA, GDPR, and other relevant jurisdictional requirements
"Personal Data" has the meaning given in applicable Data Protection Laws
"Subprocessor" means any third party appointed by Company to process Personal Data on behalf of Customer in connection with the services
"Data Subject" means the identified or identifiable natural person to whom Personal Data relates
3. SCOPE AND APPLICATION
3.1 Scope of Processing
These DPT apply to all processing of Personal Data by our subprocessors in connection with:
Credit assessment and scoring services
Fraud detection and risk management
Data storage and hosting
System maintenance and support
Analytics and reporting
Communication services
Payment processing (where applicable)
3.2 Data Controller and Processor Relationship
Customer acts as the Data Controller, Company acts as the Data Processor, and the entities listed in Section 4 act as Subprocessors under these terms.
4. AUTHORISED SUBPROCESSORS
4.1 Cloud Infrastructure and Hosting Subprocessors
| Subprocessor | Service Provided | Data Types Accessed | Location |
| --- | --- | --- | --- |
| Digital Ocean | Cloud hosting, data storage, compute services, backup services, disaster recovery | All Personal Data categories | Ireland, UK, Nigeria |
Processing Activities:
Data storage and hosting
Backup and disaster recovery
Computing resources provisioning
Network infrastructure management
Security monitoring and logging
Security Measures:
Encryption in transit and at rest
Access controls and authentication
Regular security audits and compliance certifications
Network security and monitoring
4.2 Data Source and Verification Subprocessors
| Subprocessor | Service Provided | Data Types Accessed | Location |
| --- | --- | --- | --- |
| SmileID | Identity verification | Identity documents, biometric data | UK, Nigeria |
| Mono | Financial data | Transaction data, account balances | UK, Nigeria |
Processing Activities:
Data collection and aggregation
Identity verification and KYC checks
Credit history compilation
Transaction analysis
Risk assessment data provision
Security Measures:
API security and authentication
Data transmission encryption
Access logging and monitoring
Regular security assessments
Compliance with financial regulations
4.3 Analytics and AI/ML Subprocessors
| Subprocessor | Service Provided | Data Types Accessed | Location |
| --- | --- | --- | --- |
| Microsoft Azure | Machine learning model training | Identity documents, biometric data | Ireland, UK |
Processing Activities:
Model training and validation
Predictive analytics
Model performance monitoring
Security Measures:
Data anonymisation and pseudonymisation
Secure model training environments
Access controls for analytical systems
Audit trails for model development
Data minimisation practices
4.4 Communication and Support Subprocessors
| Subprocessor | Service Provided | Data Types Accessed | Location |
| --- | --- | --- | --- |
| Google Workspace | Email communications | Email addresses, communication logs | Ireland, UK |
| Twilio | SMS notifications & WhatsApp communication | Phone numbers, message logs | UK |
| Twilio SendGrid | Email communications | Email addresses, communication logs | UK |
| Granola | Customer meetings | Meeting recordings, participant data | US |
Processing Activities:
Communication delivery
Notification services
Meeting facilitation
Communication logging
Security Measures:
Encrypted communication channels
Access controls for support systems
Data retention policies
Secure storage of communications
Authentication for system access
4.5 Payment and Financial Subprocessors
| Subprocessor | Service Provided | Data Types Accessed | Location |
| --- | --- | --- | --- |
| Paystack | Payment processing | Payment details, transaction data | Nigeria |
Processing Activities:
Payment transaction processing
Financial reporting
Compliance monitoring
Account reconciliation
Security Measures:
PCI DSS compliance
Tokenisation of payment data
Fraud monitoring systems
Secure transaction processing
Regular financial audits
4.6 Security and Monitoring Subprocessors
| Subprocessor | Service Provided | Data Types Accessed | Location |
| --- | --- | --- | --- |
| Wazuh + AWS | Security monitoring, threat detection | System logs, access logs | USA, South Africa |
| Prometheus + AWS | Data backup and recovery | All Personal Data categories | Germany, USA, South Africa |
| Restic + AWS | System performance monitoring | Usage metrics, performance data | USA, South Africa |
Processing Activities:
Security event monitoring
Threat detection and response
System performance monitoring
Data backup and recovery
Incident response
Security Measures:
Real-time security monitoring
Encrypted backup storage
Access controls and authentication
Incident response procedures
Regular security assessments
5. SUBPROCESSOR OBLIGATIONS
5.1 General Obligations
Each Subprocessor must:
Process Personal Data only in accordance with documented instructions from Company
Ensure that persons authorised to process Personal Data are bound by confidentiality obligations
Implement appropriate technical and organisational measures to ensure security of Personal Data
Not engage additional subprocessors without prior written authorisation
Assist Company in responding to Data Subject requests
Assist Company in ensuring compliance with Data Protection Laws
Delete or return Personal Data upon termination of services
Make available all information necessary to demonstrate compliance
5.2 Security Requirements
All Subprocessors must implement and maintain:
Encryption of Personal Data in transit and at rest
Pseudonymisation where appropriate
Ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems
Ability to restore availability and access to Personal Data in a timely manner in the event of an incident
Regular testing, assessing, and evaluating effectiveness of technical and organisational measures
5.3 Data Transfer Requirements
For international data transfers, Subprocessors must:
Implement appropriate safeguards as required by Data Protection Laws
Provide adequate protection for Personal Data transferred outside Nigeria or the EEA
Comply with Standard Contractual Clauses or other approved transfer mechanisms
Notify Company of any legal requirements that may affect data protection
6. SUBPROCESSOR MANAGEMENT
6.1 Due Diligence
Before engaging any Subprocessor, Company conducts:
Security and privacy assessments
Legal and compliance reviews
Financial stability evaluations
References and reputation checks
Technical capability assessments
6.2 Contractual Requirements
All Subprocessors are bound by written agreements that include:
Data protection obligations equivalent to those in these DPT
Limitation of processing to specific purposes
Confidentiality and security requirements
Data Subject rights facilitation
Breach notification obligations
Audit rights and compliance monitoring
Data return or destruction requirements
6.3 Monitoring and Oversight
Company maintains ongoing oversight through:
Regular security and compliance audits
Performance monitoring and reporting
Incident response coordination
Contract compliance reviews
Risk assessments and mitigation
7. DATA SUBJECT RIGHTS
7.1 Rights Facilitation
Company will coordinate with Subprocessors to facilitate Data Subject rights including:
Right of access to Personal Data
Right to rectification of inaccurate data
Right to erasure (right to be forgotten)
Right to restrict processing
Right to data portability
Right to object to processing
Rights related to automated decision-making
7.2 Response Timeframes
Subprocessors must respond to Company's requests for Data Subject rights facilitation within:
48 hours for initial acknowledgment
5 business days for provision of requested information or action
Urgent cases (e.g., data protection incidents): immediate response required
8. SECURITY INCIDENT MANAGEMENT
8.1 Incident Notification
Subprocessors must notify Company of any Personal Data breach without undue delay and in any case within 24 hours of becoming aware of the breach.
8.2 Incident Information
Breach notifications must include:
Description of the nature of the breach
Categories and approximate number of Data Subjects affected
Categories and approximate number of Personal Data records affected
Description of likely consequences of the breach
Measures taken or proposed to address the breach
8.3 Incident Response
Upon notification of a breach, Subprocessors must:
Take immediate steps to contain and mitigate the breach
Preserve evidence for investigation
Cooperate with Company's incident response activities
Implement additional security measures as directed
Provide regular updates on remediation progress
9. AUDITS AND COMPLIANCE
9.1 Audit Rights
Company retains the right to:
Conduct audits of Subprocessor data processing activities
Review security controls and compliance measures
Access relevant documentation and records
Interview key personnel involved in data processing
Require third-party audit reports (e.g., SOC 2, ISO 27001)
9.2 Compliance Monitoring
Subprocessors must:
Maintain records of processing activities
Provide regular compliance reports
Allow access for monitoring and auditing purposes
Implement corrective actions within agreed timeframes
Maintain evidence of compliance with contractual obligations
10. DATA PROTECTION IMPACT ASSESSMENTS
10.1 DPIA Support
Where required, Subprocessors must assist Company in conducting Data Protection Impact Assessments by:
Providing information about processing activities
Identifying and assessing privacy risks
Recommending mitigation measures
Cooperating with supervisory authority consultations
10.2 High-Risk Processing
For processing likely to result in high risk to Data Subjects, Subprocessors must:
Implement additional safeguards
Conduct regular risk assessments
Monitor processing activities more closely
Report any identified risks to Company
11. CHANGES TO SUBPROCESSORS
11.1 New Subprocessors
Company will:
Provide at least 30 days' notice of new Subprocessor engagement
Conduct due diligence on proposed Subprocessors
Ensure new Subprocessors agree to equivalent data protection obligations
Allow Customers to object to new Subprocessors
11.2 Subprocessor Changes
For changes to existing Subprocessors, Company will:
Assess impact on data protection
Update contractual arrangements as necessary
Notify Customers of material changes
Maintain continuity of protection standards
12. LIABILITY AND INDEMNIFICATION
12.1 Subprocessor Liability
Subprocessors are liable for:
Compliance with their specific obligations under data processing agreements
Security of Personal Data while in their possession
Proper implementation of technical and organisational measures
Timely notification of security incidents
12.2 Chain of Liability
Company remains liable to Customers for Subprocessor performance and will:
Ensure Subprocessors meet all relevant obligations
Coordinate remediation of any non-compliance
Maintain appropriate insurance coverage
Indemnify Customers for Subprocessor-related breaches where appropriate
13. TERMINATION AND DATA RETURN
13.1 Service Termination
Upon termination of Subprocessor services:
All Personal Data must be returned or securely destroyed
Copies and backups must be deleted unless retention is required by law
Certificate of destruction must be provided where requested
Access to Company systems must be immediately revoked
13.2 Data Return Procedures
Subprocessors must:
Return data in agreed formats within 30 days
Provide confirmation of complete data transfer
Maintain data integrity during return process
Securely destroy remaining copies after successful transfer
14. CONTACT INFORMATION
For Subprocessor-related inquiries:
Data Protection Officer
Email: hello@accentity.tech
Subprocessor Management
Email: hello@accentity.tech
15. UPDATES AND AMENDMENTS
This document will be reviewed and updated:
Annually or as required by regulatory changes
When new Subprocessors are engaged
Following significant changes to processing activities
In response to audit findings or security incidents
Customers will be notified of material changes with appropriate notice periods as specified in the main service agreement.
Document Version: 1.0
Next Review Date: May 25, 2026