Introduction

MishTranzact Technologies Limited (“MishTranzact”, “we”, “our”, or “us”) is committed to protecting the privacy of its users, clients, employees, and stakeholders. This Privacy Policy explains how we collect, use, share, protect, and store your personal data in accordance with the Nigeria Data Protection Regulation (NDPR) 2019, and other applicable Nigerian laws.

By using our platform, mobile apps, products, or services, you consent to the practices described in this policy.

Scope of This Policy

This Privacy Policy applies to:

  • All users of MishTranzact services (including web and mobile applications)
  • All clients (including SMEs and startups).
  • Employees, contractors, vendors, and third-party partners
  • Visitors to our website or offices.

This policy governs all processing of personal data by MishTranzact whether automated or manual.

Legal Basis of Processing Personal Data

Under the NDPR, we collect and process personal data based on at least one of the following legal grounds:

  • Consent: Where you have explicitly agreed to our processing activities.
  • Performance of a Contract: To fulfill our obligations under service agreements with you or your organization.
  • Legal Obligation: To comply with regulatory requirements, such as AML/CFT laws.
  • Legitimate Interest: For internal operations like analytics, fraud detection, product improvement, etc.

What Personal Data We Collect

MishTranzact collects the following categories of personal data:

  • For Business Clients (SMEs/Startups)
    • Business name and registration details (CAC certificate)
    • Corporate bank account details.
    • Authorized contact person’s full name, email, phone number.
    • Tax Identification Number (TIN).
    • Employer identification documents
  • For Employees Managed via Our Platform
    • Full name, date of birth, gender
    • National Identification Number (NIN), BVN.
    • Contact address, email, phone number
    • Bank account details
    • Employment history and payroll records
    • RSA Pin & tax IDs
    • Next of kin information
  • For Platform Visitors or Prospects
    • Email addresses, name, IP address, and browser/device type (collected via cookies)

Purpose of Data Collection

We collect and process personal data for the following purposes:

  • To provide and manage workforce and billing services.
  • Account creation and access control
  • Identity verification (KYC/AML compliance)
  • Regulatory reporting (FIRS, PENCOM)
  • Marketing and communication (with explicit consent)
  • Internal audits, risk assessment, fraud detection

Data Subject Rights

Under the NDPR, individuals have the following rights, which MishTranzact fully respects and enables:

  • Right to be Informed: Data subjects are informed about the collection and use of their data through clear privacy notices.
  • Right of Access: Individuals can request access to their personal data, and we respond within the regulatory timeline.
  • Right to Rectification: Inaccurate or incomplete data will be corrected upon request.
  • Right to Erasure: Also known as the "right to be forgotten," data subjects may request deletion of their data when it is no longer necessary or was unlawfully processed.
  • Right to Object: Individuals can object to data processing based on legitimate interests or direct marketing.
  • Right to Restrict Processing: Individuals may request that we limit the processing of their data under certain conditions.
  • Right to Data Portability: Individuals may request that their data be transferred to another organization in a structured, machine-readable format.
  • Right to Withdraw Consent: Consent can be withdrawn at any time without affecting the lawfulness of prior processing.

Requests related to these rights are handled by the Data Protection Officer (DPO), and responses are provided within the statutory period (typically within 30 days).

Retention of Personal Data

We retain your personal data for as long as necessary to:

  • Fulfill the purpose it was collected for
  • Comply with legal and regulatory obligations
  • Resolve disputes and enforce agreements

General retention periods:

  • Employee data: Minimum of 5 years post-employment (in line with NDPR and tax regulations)
  • Payroll and financial records: 7 years
  • Marketing and analytics data: 2 years, unless consent is withdrawn earlier

Once data is no longer required, it will be securely deleted or anonymized.

Data Sharing and Disclosure

We may share personal data with:

  • Regulators (e.g., FIRS, PENCOM) as required by law
  • Banks and payment processors for payroll disbursement
  • Auditors and consultants under strict confidentiality
  • Technology partners or third-party service providers (e.g., cloud providers, KYC platforms) who process data on our behalf

All third parties are required to sign Data Processing Agreements (DPAs) and comply with NDPR standards. We do not sell your personal data to any third party.

International Data Transfer

Where personal data is transferred outside Nigeria (e.g., cloud hosting in another country), MishTranzact ensures:

  • The receiving country has adequate data protection laws as recognized by NITDA, or
  • We use Standard Contractual Clauses (SCCs) approved by NITDA, or
  • We obtain explicit consent from the data subject before the transfer.

Such transfers will be limited, secure, and legally justified under NDPR guidelines.

Cookies and Tracking Technologies

We use cookies and similar technologies to:

  • Enhance user experience
  • Track session activity for security
  • Gather anonymized usage statistics

Users are informed via cookie banners and can manage preferences or disable cookies through their browser settings.

Children’s Privacy

MishTranzact does not collect personal data from children under 18 years. If you are a parent or guardian and believe your child has provided us with personal information, please contact our Data Protection Officer, and we will delete the data promptly.

Breach Notification

In the event of a data breach that poses a risk to your rights or freedoms, MishTranzact will:

  • Notify affected individuals and NITDA within 72 hours
  • Provide details of the breach, including affected data, likely consequences, and mitigation steps taken

A full incident response plan is in place to handle such events.

Role of the Data Protection Officer (DPO)

MishTranzact has appointed a Data Protection Officer responsible for:

  • Overseeing NDPR compliance
  • Handling data subject requests
  • Conducting Data Protection Impact Assessments (DPIAs)
  • Training staff and managing risks

DPO Contact:
Email: info@mishtranzact.com
Phone: +2349129518955