Introduction

MishTranzact is a technology company committed to building secure, reliable, and privacy-conscious digital platforms that simplify workforce management and billing solutions for SMEs and startups. As a company that processes personal and sensitive data of individuals and businesses, we recognize the importance of protecting the privacy rights of data subjects. This policy articulates our commitment to safeguarding personal data in accordance with the Nigeria Data Protection Act (NDPA) 2023, the NDPR, and other applicable local and international data protection laws.

We view data privacy not merely as a legal obligation but as a foundational principle that underpins customer trust, operational transparency, and ethical innovation.

Purpose of the Policy

The purpose of this policy is to establish clear principles, rules, and procedures governing the collection, use, storage, disclosure, transfer, and disposal of personal data processed by MishTranzact. It outlines how we ensure the confidentiality, integrity, and availability of personal information, and the responsibilities of all employees, contractors, and third-party service providers who may access such data.

This policy ensures that data processing at MishTranzact is fair, lawful, and transparent, and that data subjects can exercise control over their personal information.

Scope and Applicability

  • All employees and contractors of MishTranzact.
  • All systems, applications, products, platforms, and processes owned or controlled by MishTranzact that handle personal data.
  • All data processing activities conducted within Nigeria or related to Nigerian citizens or residents.
  • All third parties or vendors that MishTranzact contracts to process personal data on its behalf.

The term "personal data" refers to any information relating to an identified or identifiable natural person, including but not limited to names, email addresses, biometric data, phone numbers, banking information, employment records, and device identifiers.

Legal Basis for Data Processing

MishTranzact only processes personal data when there is a valid legal basis. These include:

  • The consent of the data subject, which must be freely given, specific, informed, and unambiguous.
  • The necessity of processing for the performance of a contract to which the data subject is a party, such as payroll, workforce analytics, or billing services.
  • Compliance with a legal obligation, such as regulatory reporting to government agencies (e.g., tax authorities).
  • Protection of vital interests, particularly in emergency situations.
  • The legitimate interest of MishTranzact or a third party, provided such interest does not override the rights and freedoms of the data subject.

Consent is always obtained explicitly for sensitive personal data (such as health or biometric information), and data subjects are informed of their right to withdraw consent at any time.

Principles of Data Processing

MishTranzact is committed to processing personal data in accordance with the following principles:

  • Lawfulness, Fairness, and Transparency: All personal data processing must be lawful and transparent to the data subject. Our privacy notices clearly describe the purpose and scope of data collection.
  • Purpose Limitation: We collect personal data only for specific, explicit, and legitimate purposes and do not process it in a manner incompatible with those purposes.
  • Accuracy: Personal data must be accurate and kept up to date. Data subjects have the right to request rectification of inaccurate data.
  • Storage Limitation: Personal data is not retained longer than necessary. MishTranzact implements defined data retention schedules and securely disposes of outdated information.
  • Integrity and Confidentiality: Personal data is processed in a manner that ensures appropriate security, including protection against unauthorized access, disclosure, alteration, or destruction.
  • Accountability: MishTranzact assumes full responsibility for demonstrating compliance with these principles. We document all processing activities and conduct regular audits.

Data Subject Rights

Under the NDPR, individuals have the following rights, which MishTranzact fully respects and enables:

  • Right to be Informed: Data subjects are informed about the collection and use of their data through clear privacy notices.
  • Right of Access: Individuals can request access to their personal data, and we respond within the regulatory timeline.
  • Right to Rectification: Inaccurate or incomplete data will be corrected upon request.
  • Right to Erasure: Also known as the "right to be forgotten," data subjects may request deletion of their data when it is no longer necessary or was unlawfully processed.
  • Right to Object: Individuals can object to data processing based on legitimate interests or direct marketing.
  • Right to Restrict Processing: Individuals may request that we limit the processing of their data under certain conditions.
  • Right to Data Portability: Individuals may request that their data be transferred to another organization in a structured, machine-readable format.
  • Right to Withdraw Consent: Consent can be withdrawn at any time without affecting the lawfulness of prior processing.

Requests related to these rights are handled by the Data Protection Officer (DPO), and responses are provided within the statutory period (typically within 30 days).

Data Collection and Use

MishTranzact collects personal data through various channels including:

  • Online registration on our platforms
  • Onboarding of businesses and their employees
  • Contact forms and customer support interactions
  • Integration with financial institutions and third-party services

We use this data for:

  • Provision of payroll and billing services
  • Communication with customers and users
  • Compliance with legal and tax requirements
  • System monitoring and performance improvement
  • Fraud prevention and identity verification

We do not sell, lease, or trade personal data to third parties.

Data Security and Protection Measures

MishTranzact implements technical and organizational measures to ensure the confidentiality, integrity, and availability of personal data. These include:

  • Encryption of data at rest and in transit using industry-standard protocols.
  • Access controls to ensure that only authorized personnel can access sensitive information.
  • Two-factor authentication for internal and customer-facing systems.
  • Firewall and intrusion detection systems to protect our infrastructure.
  • Regular penetration testing and vulnerability assessments by cybersecurity professionals.
  • Automated monitoring of unusual activity, login attempts, or unauthorized access.

Employees are required to sign non-disclosure agreements (NDAs) and undergo periodic security training. In the event of a data breach, our Data Breach Response Plan is activated immediately to contain the breach, assess impact, notify regulators and affected data subjects (if applicable), and document remediation steps.

Data Transfers

MishTranzact may transfer data outside Nigeria when:

  • The data subject has given explicit consent.
  • The transfer is necessary for the performance of a contract or legal obligation.
  • The receiving country has adequate data protection laws or the recipient entity has appropriate safeguards (e.g., Standard Contractual Clauses).

All cross-border data transfers are evaluated by the DPO and must adhere to the requirements of the NDPA and NDPR.

Third-Party Processors

Before engaging any third party that will process personal data on our behalf (such as cloud service providers or payroll partners), MishTranzact conducts a Vendor Data Protection Risk Assessment.

Such third parties:

  • Are contractually bound to uphold our data protection standards.
  • Process data only on our documented instructions.
  • Provide proof of their data security and compliance capabilities.
  • Submit to audits or reviews upon request.

If a vendor fails to meet these obligations, their contract is terminated and data is withdrawn.

Data Retention and Disposal

MishTranzact retains personal data only as long as necessary to fulfill the purposes for which it was collected or as required by law. Once data is no longer needed, it is securely deleted or anonymized. Retention periods include:

  • Payroll and billing records: Minimum 5 years (in line with tax and labor regulations).
  • User account data: Retained as long as the user remains active plus 12 months.
  • Inactive data: Reviewed annually and deleted in line with data minimization obligations.

Secure deletion methods include data wiping, encryption key destruction, and, where applicable, physical destruction of storage media.

Governance and Responsibilities

The Data Protection Officer (DPO) oversees the enforcement, monitoring, and updating of this policy. The DPO reports directly to the executive team and has authority to:

  • Conduct Data Protection Impact Assessments (DPIAs).
  • Investigate complaints and handle requests from data subjects.
  • Ensure training and awareness across departments.
  • Interface with the Nigeria Data Protection Commission (NDPC).

All departments are required to designate a Privacy Champion to liaise with the DPO on compliance initiatives.

Staff Training and Awareness

All employees and contractors undergo mandatory data protection training during onboarding and annually thereafter. This training covers:

  • Principles of data privacy
  • How to handle and secure data
  • Recognizing and reporting breaches
  • Role-based data protection responsibilities

Employees who handle sensitive or large volumes of data receive additional in-depth training.

Breach Notification and Response

MishTranzact has a documented Data Breach Response Plan. If a data breach occurs:

  • The DPO must be notified within 2 hours of detection.
  • An initial investigation is conducted to assess scope and risk.
  • If the breach is likely to result in harm to data subjects, the NDPC and affected individuals will be notified within 72 hours, as required by law.
  • A root cause analysis is conducted and corrective measures are taken.

All breaches are logged and reviewed quarterly to improve organizational resilience.

Policy Review and Updates

This Data Protection Policy is reviewed at least once every 12 months, or earlier if there are regulatory changes, audit findings, or operational shifts. All updates are approved by the executive team and communicated to staff and stakeholders.

Conclusion

MishTranzact is deeply committed to ensuring that all personal data entrusted to us is handled with the highest standards of privacy, care, and compliance. Through this policy, we reaffirm our responsibility to uphold the rights of data subjects and foster a data protection culture within and beyond our organization.