Offers

Privacy Policy | Nigeria Data Protection

🇳🇬 NDPR & NDPA Compliant

Privacy Policy

This policy governs how we collect, use, store, and protect your personal data in line with Nigerian law.

Effective Date 1 January 2025 Last Updated March 2026 Governing Law NDPA 2023 · NDPR 2019 Regulator NDPC (Nigeria Data Protection Commission)
01 — Introduction

Who We Are & What This Policy Covers

[ R&F OLOWOSIBI RESTAURANT] is a company registered under the laws of the Federal Republic of Nigeria. This Privacy Policy explains how we handle personal data belonging to our customers, website visitors, employees, and other individuals whose data we process.

This policy complies with the Nigeria Data Protection Act 2023 (NDPA) and the Nigeria Data Protection Regulation 2019 (NDPR) issued by the National Information Technology Development Agency (NITDA) and enforced by the Nigeria Data Protection Commission (NDPC).

By using our services, you acknowledge that you have read and understood this Privacy Policy and consent to the processing of your personal data as described herein.

02 — Data We Collect

Personal Data We Collect

We may collect the following categories of personal data:

  • Identity Data: Full name, date of birth, gender, national identification number (NIN), BVN (where applicable)
  • Contact Data: Email address, phone number, home or business address
  • Financial Data: Bank account details, payment card information, transaction history
  • Technical Data: IP address, browser type, device identifiers, cookies, log data
  • Usage Data: How you use our website, app, or services
  • Location Data: Approximate or precise geographic location (only with your consent)
  • Communications Data: Messages, inquiries, and feedback you send us
  • Sensitive Personal Data: Health information, biometric data — only collected with explicit consent

We do not collect more data than is necessary for the purposes stated in this policy (data minimisation principle under NDPA s.24).

04 — How We Use Your Data

Purposes of Processing

We use your personal data to:

  • Provide, operate, and improve our products and services
  • Process transactions and send related communications
  • Verify your identity and prevent fraud (AML/KYC compliance)
  • Send administrative notices, updates, and support messages
  • Send marketing communications where you have opted in
  • Comply with applicable Nigerian laws and regulations
  • Analyse usage patterns to improve user experience
  • Respond to inquiries, complaints, and requests

We will not use your data for any purpose incompatible with the original purpose without obtaining fresh consent.

05 — Sharing Your Data

When We Share Your Personal Data

We do not sell your personal data. We may share it only in the following circumstances:

  • Service Providers: Third parties who process data on our behalf (e.g., payment processors, cloud providers) under strict data processing agreements
  • Regulatory Bodies: NDPC, CBN, FIRS, EFCC, or other Nigerian authorities as required by law
  • Legal Proceedings: Courts, law enforcement, or government agencies pursuant to valid legal orders
  • Business Transfers: In the event of a merger, acquisition, or sale of assets (with adequate data protection safeguards)
  • With Your Consent: Any other sharing with your explicit prior consent

Important: Any third party receiving your data is contractually obligated to protect it in line with the NDPA 2023 and NDPR 2019 standards.

06 — Data Retention

How Long We Keep Your Data

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including any legal, accounting, or reporting requirements.

  • Customer transaction records: 7 years (in line with FIRS and CBN requirements)
  • KYC/AML data: 5–7 years after business relationship ends
  • Website logs and cookies: Up to 12 months
  • Marketing consent records: Until withdrawal of consent
  • Complaint records: 3 years from resolution

When data is no longer needed, we securely delete or anonymise it.

07 — Your Rights

Your Rights Under the NDPA 2023

As a data subject in Nigeria, the NDPA 2023 grants you the following rights:

Right to Information

Know what data we hold about you and how it is being used (NDPA s.34).

Right of Access

Request a copy of your personal data we process (NDPA s.35).

Right to Rectification

Correct inaccurate or incomplete personal data we hold (NDPA s.36).

Right to Erasure

Request deletion of your data where there is no legitimate reason to retain it (NDPA s.37).

Right to Object

Object to processing based on legitimate interests or for direct marketing (NDPA s.39).

Right to Portability

Receive your data in a structured, machine-readable format (NDPA s.38).

Withdraw Consent

Withdraw consent at any time without affecting prior lawful processing.

Right to Complain

Lodge a complaint with the NDPC at ndpc.gov.ng or call 09-4605500.

To exercise any of these rights, contact our Data Protection Officer (DPO) using the details below. We will respond within 30 days as required by the NDPA.

08 — Security

How We Protect Your Data

We implement appropriate technical and organisational security measures to protect your personal data against unauthorised access, loss, destruction, or disclosure, in line with NDPA s.43.

  • Encryption of data at rest and in transit (TLS/SSL)
  • Role-based access controls and regular access reviews
  • Secure data centres and cloud infrastructure within or equivalent to Nigeria standards
  • Regular security audits and penetration testing
  • Staff training on data protection obligations
  • Incident response plans for data breaches

Data Breach Notification: In the event of a breach likely to affect your rights, we will notify the NDPC within 72 hours and inform affected data subjects without undue delay, as required under NDPA s.40.

09 — Children

Children's Privacy

Our services are not directed to children under the age of 13. We do not knowingly collect personal data from children without verifiable parental or guardian consent as required under the NDPA 2023.

If you believe a child has provided us with personal data without consent, please contact us immediately and we will take steps to delete such information.

10 — Cross-Border Transfers

Transfer of Data Outside Nigeria

Where we need to transfer your personal data outside Nigeria, we will only do so where adequate data protection safeguards exist as required by NDPA 2023 s.43 and the NDPC's approved transfer mechanisms, including:

  • Countries with an NDPC adequacy determination
  • Standard contractual clauses approved by the NDPC
  • Your explicit informed consent for the specific transfer
  • Binding corporate rules where applicable
11 — Cookies

Cookies & Tracking Technologies

We use cookies and similar technologies on our website to:

  • Essential cookies: Ensure the website functions correctly (no consent required)
  • Analytics cookies: Understand how visitors use our site (requires consent)
  • Marketing cookies: Deliver relevant advertising (requires consent)

You can manage your cookie preferences at any time through our cookie settings banner or your browser settings. Withdrawing consent for non-essential cookies will not affect your ability to use core services.

12 — Changes

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you via email or a prominent notice on our website at least 30 days before the changes take effect.

The "Last Updated" date at the top of this page reflects when the most recent revision was made.

You also have the right to lodge a complaint directly with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng