Data Protection & NDPR/NDPC Compliance
This page describes how Excella Digital Limited ("Excella Digital") complies with Nigeria's data protection framework — the Nigeria Data Protection Regulation (NDPR 2019), the Nigeria Data Protection Act 2023 (NDPA), and the directives of the Nigeria Data Protection Commission (NDPC) — in operating the Urgent2k platform.
Effective date: 1 February 2026 | Last updated: 5 February 2026
1. Our Commitment
Excella Digital is committed to protecting the personal data of every Urgent2k user — beneficiaries, donors, and visitors — in accordance with the highest standards prescribed by Nigerian law. We treat data protection not as a compliance checkbox but as a core product principle.
2. Regulatory Framework
The Nigeria Data Protection Regulation, issued by NITDA in January 2019, established baseline requirements for how organisations collect, store, process, and share personal data of Nigerian residents. Urgent2k was designed with NDPR principles from day one.
The Nigeria Data Protection Act 2023, enacted by the National Assembly, supersedes and strengthens the NDPR. It establishes the NDPC as the independent regulatory body and introduces enforceable rights for data subjects and obligations for data controllers and processors.
The Nigeria Data Protection Commission is the supervisory authority responsible for monitoring and enforcing compliance with the NDPA. Excella Digital cooperates fully with any NDPC inquiry or audit.
3. Data Protection Principles We Follow
We process data only on a lawful basis (consent, contractual necessity, legitimate interest, or legal obligation). We are transparent about what we collect and why.
Data is collected for specific, explicit purposes — identity verification, eligibility enforcement, payout execution, fraud prevention, and customer support. We do not repurpose data for unrelated activities.
We collect only the minimum data necessary to operate the service. We do not request information that is not directly relevant to verifying identity, processing a disbursement, or preventing fraud.
We verify data against authorised national databases (NIMC for NIN) and provide users the ability to correct inaccurate information.
Personal data is retained only for as long as necessary to fulfil its purpose or to comply with legal retention requirements. Inactive accounts are anonymised after a defined period.
We implement robust technical and organisational measures — encryption, access controls, audit logs — to protect data against unauthorised access, loss, or destruction.
4. Your Rights as a Data Subject
Under the NDPA 2023, you have the following rights:
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — correct inaccurate or incomplete personal data.
- Right to erasure — request deletion of your data where there is no compelling legal reason for continued processing.
- Right to restriction — request that we limit processing in certain circumstances (e.g., while a dispute is being resolved).
- Right to data portability — receive your data in a structured, commonly used, machine-readable format.
- Right to object — object to processing based on legitimate interest or for direct marketing (we do not engage in direct marketing based on personal data).
- Right to withdraw consent — withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
- Right not to be subject to automated decision-making — request human review of any decision made solely by automated processing that significantly affects you.
To exercise any right, email our Data Protection Officer at dpo@excelladigital.com. We will respond within fourteen (14) days.
5. Data Processing Activities
| Activity | Data involved | Legal basis | Retention |
|---|---|---|---|
| Account registration | Name, email, phone, password hash | Consent / Contract | Duration of account + 90 days |
| NIN verification | NIN, name, DOB, phone | Contract / Legal obligation | Hashed permanently; raw deleted after verification |
| Disbursement | Bank/wallet details, amount, timestamp | Contract | 6 years (financial regulations) |
| Donation processing | Payment method, amount, timestamp | Consent / Contract | 6 years (financial regulations) |
| Fraud prevention | Device fingerprint, IP, behavioural signals | Legitimate interest | Indefinite (for platform protection) |
| Analytics | Aggregated, anonymised usage data | Legitimate interest | Indefinite (non-personal) |
6. Technical & Organisational Measures
TLS 1.2+ for all data in transit. AES-256 for data at rest. NIN stored as salted one-way hashes.
Role-based access with MFA enforced for all staff. Principle of least privilege across all systems.
All data access is logged with user identity, timestamp, and action. Anomalies trigger automated alerts.
Documented incident response plan with notification to NDPC and affected users within 72 hours of a confirmed breach.
All third-party processors sign Data Processing Agreements (DPAs) that meet NDPA requirements.
All employees with access to personal data complete mandatory data protection training annually.
7. Third-Party Data Processors
We engage the following categories of processors, each bound by a DPA:
- Payment processor — Flutterwave (payment initiation and settlement).
- Identity verification — authorised NIN verification API providers.
- Cloud infrastructure — hosting and database services with data centres that meet international security standards.
- Communication — email and SMS delivery providers for transactional notifications.
No processor has access to more data than strictly necessary for their specific function.
8. Cross-Border Data Transfers
Personal data is primarily stored and processed within Nigeria. Where infrastructure necessitates transfer to servers outside Nigeria, we ensure:
- The receiving country provides adequate data protection, or
- Appropriate safeguards are in place (contractual clauses, DPAs), and
- The transfer is lawful under Section 43 of the NDPA 2023.
We do not transfer data to jurisdictions that fail to meet NDPC adequacy standards without explicit user consent.
9. Data Protection Impact Assessment (DPIA)
We conduct Data Protection Impact Assessments before introducing new features or processing activities that may pose a high risk to data subjects. DPIAs are documented internally and available for review by the NDPC upon request.
10. Data Protection Officer (DPO)
Excella Digital has appointed a Data Protection Officer responsible for:
- Monitoring compliance with the NDPA, NDPR, and internal data protection policies.
- Serving as the point of contact for data subjects exercising their rights.
- Liaising with the NDPC on audits, complaints, and breach notifications.
- Conducting internal training and awareness programmes.
Contact the DPO at dpo@excelladigital.com.
11. Complaints
If you believe your data protection rights have been violated, you may:
- Contact our DPO at dpo@excelladigital.com — we will investigate and respond within 14 days.
- If unsatisfied, lodge a formal complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng.
12. Updates to This Notice
This data protection notice may be updated from time to time to reflect changes in law, technology, or our business practices. Material changes will be communicated via in-app notification or email. The "Last updated" date at the top of this page will always reflect the most recent revision.