NDPR Nigeria Addendum

NDPR Nigeria Addendum

Reviewed by counsel pre-launch — final review pending. This document was drafted from primary NDPR 2023 source by the CAREER iNTEL team. Formal counsel review is scheduled post-first-revenue (D-16). Material questions can be directed to [email protected].

Effective: 2026-05-20 · Last updated: 2026-05-20

This is an international-customer addendum for Nigeria. CAREER iNTEL is a US-primary service (data stored in the United States); this addendum supplements — and does not replace — our US-primary Privacy Policy and DPA for users covered by the Nigeria Data Protection Act 2023 (NDPR 2023). Where this addendum is silent, the Privacy Policy and DPA govern; where Nigerian law grants a Nigerian data subject a right or protection beyond them, this addendum (and Nigerian law) prevails for that data subject.


1. Scope

The Nigeria Data Protection Act 2023 (the "NDPR Act") applies to the processing of Personal Data of natural persons in Nigeria, regardless of where the processor is located, where the processing relates to:

  • Offering goods or services to data subjects in Nigeria
  • Monitoring the behaviour of data subjects in Nigeria

CAREER iNTEL is therefore subject to the NDPR Act for Nigerian users.

2. Data Controller + Sub-Processor roles

For Nigerian data subjects, CAREER iNTEL is the Data Controller as defined in NDPR Act Section 65. We rely on the sub-processors listed at /legal/sub-processors.

3. Rights of Nigerian Data Subjects (NDPR Act §§30-41)

Nigerian data subjects have the following rights, which we honor:

NDPR RightHow to exerciseResponse SLA
Section 32 — Right to informationThis Privacy Policy + DPA + sub-processors pageContinuous
Section 33 — Right of accessSettings → Data & Privacy → Export< 60 seconds
Section 34 — Right to rectificationSettings → ProfileImmediate
Section 35 — Right to erasureSettings → Data & Privacy → Delete30 days
Section 36 — Right to restrictionEmail [email protected]5 business days
Section 37 — Right to data portabilitySettings → Data & Privacy → Export (JSON + Markdown)< 60 seconds
Section 38 — Right to objectSettings → Data & Privacy → Consent (granular toggles)Immediate
Section 39 — Rights re automated decision-makingEmail [email protected] for review5 business days
Section 41 — Right to complaintLodge with the NDPC at https://ndpc.gov.ngNDPC-determined

4. NDPC Registration

CAREER iNTEL has not yet registered with the Nigeria Data Protection Commission (NDPC). Registration is on the post-launch roadmap. Updates will be published here.

5. Local Data Protection Officer (DPO)

Local DPO appointment status: Deferred.

The NDPR Act §65 may require a local DPO depending on processing volume. We currently rely on the principal DPO ([email protected]) for all jurisdictions. If processing volume triggers the local-DPO requirement, we will appoint and publish the appointment here.

6. Cross-border transfer (NDPR Act Section 41)

Personal data of Nigerian users is processed in:

  • USA (Hetzner, Ashburn, VA) — primary storage, plus US sub-processors (Stripe, OpenRouter, Anthropic, Meta, Sentry, Cloudflare, Unstructured.io)
  • France (Brevo, Mistral via OpenRouter) — sub-processor regions

The NDPR Act §41 permits cross-border transfer where adequate safeguards exist. We rely on:

  • EU-US Data Privacy Framework and the 2021 Standard Contractual Clauses for transfers to / storage in the United States
  • Standard Contractual Clauses (2021) for onward transfers to EU sub-processors
  • Sub-processor agreements that bind each downstream party to NDPR-equivalent protection

7. Lawful basis for processing (NDPR Act §25)

We rely on the following lawful bases:

BasisUse case
Contract performance (§25(b))Account management, Score, Tailor, billing
Legitimate interest (§25(f))Service improvement, abuse detection, usage logs
Consent (§25(a))Waitlist signup, AI-improvement training opt-in, marketing email
Legal obligation (§25(c))Tax reporting, regulatory disclosures

8. Children's data (NDPR Act §36)

CAREER iNTEL does not knowingly process personal data of children under 18 from Nigeria. If we discover such processing, we delete the data within 30 days.

9. Breach notification (NDPR Act §40)

For breaches affecting Nigerian data subjects, we will notify:

  • The affected user(s) within 72 hours
  • The NDPC within 72 hours (or such longer period as the Commission may specify)

10. Special categories (NDPR Act §30)

CAREER iNTEL does not knowingly process sensitive personal data (genetic, biometric, health, religious, political views) as part of its core service. Resume content may incidentally contain such data; we treat all content as sensitive.

11. Cross-references

12. Contact


Reviewed by counsel pre-launch — final review pending.