NDPR Nigeria Addendum
NDPR Nigeria Addendum
Reviewed by counsel pre-launch — final review pending. This document was drafted from primary NDPR 2023 source by the CAREER iNTEL team. Formal counsel review is scheduled post-first-revenue (D-16). Material questions can be directed to [email protected].
Effective: 2026-05-20 · Last updated: 2026-05-20
This is an international-customer addendum for Nigeria. CAREER iNTEL is a US-primary service (data stored in the United States); this addendum supplements — and does not replace — our US-primary Privacy Policy and DPA for users covered by the Nigeria Data Protection Act 2023 (NDPR 2023). Where this addendum is silent, the Privacy Policy and DPA govern; where Nigerian law grants a Nigerian data subject a right or protection beyond them, this addendum (and Nigerian law) prevails for that data subject.
1. Scope
The Nigeria Data Protection Act 2023 (the "NDPR Act") applies to the processing of Personal Data of natural persons in Nigeria, regardless of where the processor is located, where the processing relates to:
- Offering goods or services to data subjects in Nigeria
- Monitoring the behaviour of data subjects in Nigeria
CAREER iNTEL is therefore subject to the NDPR Act for Nigerian users.
2. Data Controller + Sub-Processor roles
For Nigerian data subjects, CAREER iNTEL is the Data Controller as defined in NDPR Act Section 65. We rely on the sub-processors listed at /legal/sub-processors.
3. Rights of Nigerian Data Subjects (NDPR Act §§30-41)
Nigerian data subjects have the following rights, which we honor:
| NDPR Right | How to exercise | Response SLA |
|---|---|---|
| Section 32 — Right to information | This Privacy Policy + DPA + sub-processors page | Continuous |
| Section 33 — Right of access | Settings → Data & Privacy → Export | < 60 seconds |
| Section 34 — Right to rectification | Settings → Profile | Immediate |
| Section 35 — Right to erasure | Settings → Data & Privacy → Delete | 30 days |
| Section 36 — Right to restriction | Email [email protected] | 5 business days |
| Section 37 — Right to data portability | Settings → Data & Privacy → Export (JSON + Markdown) | < 60 seconds |
| Section 38 — Right to object | Settings → Data & Privacy → Consent (granular toggles) | Immediate |
| Section 39 — Rights re automated decision-making | Email [email protected] for review | 5 business days |
| Section 41 — Right to complaint | Lodge with the NDPC at https://ndpc.gov.ng | NDPC-determined |
4. NDPC Registration
CAREER iNTEL has not yet registered with the Nigeria Data Protection Commission (NDPC). Registration is on the post-launch roadmap. Updates will be published here.
5. Local Data Protection Officer (DPO)
Local DPO appointment status: Deferred.
The NDPR Act §65 may require a local DPO depending on processing volume. We currently rely on the principal DPO ([email protected]) for all jurisdictions. If processing volume triggers the local-DPO requirement, we will appoint and publish the appointment here.
6. Cross-border transfer (NDPR Act Section 41)
Personal data of Nigerian users is processed in:
- USA (Hetzner, Ashburn, VA) — primary storage, plus US sub-processors (Stripe, OpenRouter, Anthropic, Meta, Sentry, Cloudflare, Unstructured.io)
- France (Brevo, Mistral via OpenRouter) — sub-processor regions
The NDPR Act §41 permits cross-border transfer where adequate safeguards exist. We rely on:
- EU-US Data Privacy Framework and the 2021 Standard Contractual Clauses for transfers to / storage in the United States
- Standard Contractual Clauses (2021) for onward transfers to EU sub-processors
- Sub-processor agreements that bind each downstream party to NDPR-equivalent protection
7. Lawful basis for processing (NDPR Act §25)
We rely on the following lawful bases:
| Basis | Use case |
|---|---|
| Contract performance (§25(b)) | Account management, Score, Tailor, billing |
| Legitimate interest (§25(f)) | Service improvement, abuse detection, usage logs |
| Consent (§25(a)) | Waitlist signup, AI-improvement training opt-in, marketing email |
| Legal obligation (§25(c)) | Tax reporting, regulatory disclosures |
8. Children's data (NDPR Act §36)
CAREER iNTEL does not knowingly process personal data of children under 18 from Nigeria. If we discover such processing, we delete the data within 30 days.
9. Breach notification (NDPR Act §40)
For breaches affecting Nigerian data subjects, we will notify:
- The affected user(s) within 72 hours
- The NDPC within 72 hours (or such longer period as the Commission may specify)
10. Special categories (NDPR Act §30)
CAREER iNTEL does not knowingly process sensitive personal data (genetic, biometric, health, religious, political views) as part of its core service. Resume content may incidentally contain such data; we treat all content as sensitive.
11. Cross-references
- Privacy Policy
- DPA — Section 14 NDPR-specific clauses
- Sub-processors — sub-processor list
12. Contact
- DPO (principal): [email protected]
- NDPC complaints: https://ndpc.gov.ng
Reviewed by counsel pre-launch — final review pending.