Legal Document
NGE Portal Privacy Policy
Last updated: February 24, 2026. This notice explains how Zhift Platforms Limited ("we", "us", "our") processes personal data in NGE Portal and related connector workflows.
1. Scope
This policy applies to personal data processed through NGE Portal web applications, API integrations, onboarding workflows, billing operations, support interactions, and connector pipelines (ERPNext, QuickBooks Online, Sage, and Direct Upload).
2. Data Protection Roles
- For account, platform, security, and billing administration, Zhift Platforms Limited acts as a Data Controller.
- For invoice and connector payloads processed on customer instruction, we primarily act as a Data Processor and the customer remains the controller.
- Where required by law or contract, a separate data processing agreement may define additional controller or processor obligations.
3. Personal Data We Process
Categories may include:
- Identity and contact data (name, email, phone, user role, tenant membership).
- Organization profile data (company name, tax identifier, compliance settings).
- Authentication and security data (login metadata, session records, audit trails).
- Connector data from customer systems, including invoice/customer fields required for compliance workflows.
- Billing and subscription data (plan, status, payment reference, entitlement state).
- Support and operational diagnostics (error traces, run metrics, troubleshooting logs).
4. Purposes and Legal Bases
We process personal data for the following purposes and legal bases:
- Service delivery and contract performance: account setup, connector execution, validation/signing pipeline, event tracking, and operational notifications.
- Legitimate interests: platform security, abuse prevention, reliability monitoring, and product improvement using aggregated telemetry.
- Legal obligation: compliance with tax/e-invoicing obligations, lawful requests, and mandatory records retention.
- Consent: where consent is required for optional communications or non-essential tracking.
5. Data Sharing and Recipients
We may share data with:
- Infrastructure, hosting, and security providers supporting the Service.
- Connector endpoints and external business systems configured by Customer.
- Compliance network providers required for invoice validation/signing/transmission.
- Payment and billing processors for subscription collection and reconciliation.
- Regulators, courts, or law enforcement where legally required.
We do not sell personal data. We contractually require service providers to process data only for authorized purposes and with appropriate safeguards.
6. Cross-Border Transfers
Data may be processed outside Nigeria depending on hosting location and third-party connector infrastructure. Where cross-border transfer applies, we use contractual and technical safeguards consistent with applicable laws, including NDPA transfer rules, GDPR transfer requirements, and UK GDPR safeguards where relevant.
7. Retention and Deletion
- We retain personal data only as long as necessary for contractual service delivery, legal obligations, security investigations, and legitimate business records.
- Connector run logs and event records may be retained for auditability and compliance traceability within defined retention periods.
- On termination or valid deletion requests, we apply deletion or anonymization workflows subject to legal hold and statutory record requirements.
8. Security Measures
- Role-based access control and tenant scoping on all operational APIs.
- Secret storage through encrypted/password fields, with secret values masked in the UI and in logs.
- Transport protections and endpoint controls for connector communications.
- Audit trails for critical account, settings, and sync actions.
- Monitoring and retry controls to reduce integrity and availability risks.
9. Data Subject Rights
Where applicable law grants rights, data subjects may request:
- Access to personal data and details of processing.
- Correction of inaccurate or incomplete data.
- Deletion of data where legal conditions permit.
- Restriction of, or objection to, certain processing activities.
- Data portability where technically and legally applicable.
- Withdrawal of consent where processing relies on consent.
Rights can be exercised by contacting us at the address below. If a request relates to customer-controlled invoice data where we act as processor, we may direct the request to the relevant customer controller.
10. Cookies and Similar Technologies
We use necessary cookies and session tokens to operate login, authentication, security controls, and user session continuity. Optional analytics or marketing cookies are used only where legally permitted and, where required, based on consent.
11. Children and Sensitive Data
- NGE Portal is designed for business users and is not intended for use by children.
- Customers should not upload special category or sensitive personal data unless strictly required and legally justified for their processing purposes.
- If prohibited data is identified, we may restrict processing and request remediation by the Customer.
12. Incident and Breach Response
We maintain incident response procedures. Where a personal data breach is confirmed and reportable, affected customers are notified without undue delay, with details of the known impact, affected categories, and mitigation actions. Customers remain responsible for regulator or data subject notifications where they are the controller.
13. Policy Updates
We may update this policy to reflect legal, regulatory, operational, or platform changes. Updated versions are posted on this page with the new "Last updated" date. Material updates may be additionally communicated via in-app notice or email.
14. Contact
For privacy and data protection requests, contact support@zhiftplatforms.com. You may also contact your applicable data protection authority, including NDPC in Nigeria, where you believe your rights have been infringed.
Regulatory Framework Alignment
This policy is designed to align with, and be interpreted with reference to, applicable requirements such as:
- Nigeria Data Protection Act, 2023 (NDPA).
- Nigeria Data Protection Regulation, 2019 (NDPR) and implementation guidance where applicable.
- EU General Data Protection Regulation (GDPR).
- UK GDPR and UK Data Protection Act 2018.
- Nigeria Cybercrimes (Prohibition, Prevention, etc.) Act and related lawful access obligations.