1. INTRODUCTION

By accessing or visiting our website [greenafrica.com] (the "Website"), our mobile application (both website and mobile applications hereinafter referred to as “Platforms”), and more generally, use any of our services (the "Services", which include the Platforms), you agree on behalf of yourself and any organization that you represent (together, “you”, “your” or “User”) that you have read and understood this Privacy Policy (the “Policy”) and that you consent to the collection, use, and sharing of information as discussed below.

2. PERSONAL INFORMATION WE COLLECT

Green Africa collects and maintains personal information about you from many sources to understand and meet your needs. when you register on the platforms, express an interest in obtaining information about us or our services, participate in activities on the Platforms, or otherwise when you contact us, we collect information across three cardinal points:

a) Personally Identifiable Information (PII) voluntarily provided by you.

b) Information provided by a third-party to verify and/or augment a User’s PII; and

c) Information is automatically provided because the user engaged with our platform (terms of use are contained in our Cookie Policy).

Personal Information we collect includes but is not limited to:

a) Full name, physical residential address, nationality, telephone number and email address.

b) Date of birth, marital status, and gender.

c) Bank account number, credit or debit card details and billing address.

d) Photographic Identification, which includes but is not limited to international passport details and driver’s license.

e) Corporate address, tax identification number, and employer contact information; and

f) Other technical information like user IP address, browser type, and internet service provider.

 

All personal information you provide must be true, complete, and accurate, and you must notify us of any changes to such personal information. Also, we collect information through cookies and similar technologies like many other businesses.

3. PURPOSE OF COLLECTION

Green Africa collects users’ personal information to provide an efficient and secure user experience and may retain such personal data for the period necessary to fulfil the purposes outlined in this Policy unless a longer retention period is required or permitted by law. In accordance with relevant laws, we may collect or process your information on the following legal basis:

• Consent: We may process your information if you have given us specific consent to use your personal information for a specific purpose.

 

• Legitimate Interests: We may process your information when it is necessary to achieve our legitimate business interests.

 

• Performance of a Contract: Where we have entered a contract with you, we may process your personal information to fulfil the terms of our contract.

 

• Legal Obligations: We may disclose your information where we are legally required to do so in order to comply with applicable law, governmental requests, a judicial proceeding, court order, or legal process, such as in response to a court order or a subpoena (including in response to public authorities to meet national security or law enforcement requirements).

 

• Vital Interests: We may disclose your information where we believe it is necessary to investigate, prevent, or act regarding potential violations of our policies, suspected fraud, situations involving potential threats to the safety of any person and illegal activities, or as evidence in litigation in which we are involved.

More specifically, Information gathered on the Platforms from each user may be used to:

a) Fulfil legal and contractual obligations to Users.

b) Develop, operate, support, maintain enhance and provide its services.

c) Process payment transactions.

d) Provide receipts and reports on the user’s account.

e) Resolve disputes arising from using our platforms.

f) Customize measure, and improve the services offered on our platforms.

g) Protect the interests and rights of our platform.

h) Protect the health and safety of our employees and customers.

i) Protect our property.

j) Enforce our agreements on the Platforms.

k) Detect and prevent fraud and other potentially illegal activities.

l) For administrative, operational, and reporting purposes.

m) Promote marketing communication (taking into consideration the option to opt out).

n) Manage and protect the platforms’ information technology and physical infrastructure; and

o) Measure the performance of the Platforms and improve content, technology, and layout.

4. DATA SUBJECT CONSENT

4.1 Generally, we rely on your clear, unequivocal, and comprehensible consent as the legal basis for processing your data. This covers cases where you require us to process your data to perform a contract with you, or access our services, raising a complaint for clearance of faults; whistleblowing; accessing any of our customer care services; or for use in our marketing and advertising services. In any of the foregoing instances, we will seek your consent before sharing your personal data with any third party.

 4.2 With regards to what constitutes data subject’s consent, by the applicable laws and regulations, Green Africa shall ensure that consent is freely given and is obtained following full disclosure of its intended use and without fraud, coercion, or undue influence. Since the performance of a contract with you and the provision of our services to you are conditional to your consent, we shall deem that you have granted us free and express consent to collect and process your data when you fill any of our forms, access or create an account on our platforms, correspond with us by post, phone, email as well as other related medium/platforms.

PLEASE NOTE THAT YOU HAVE THE RIGHT TO WITHDRAW CONSENT AT ANY TIME TO THE PROCESSING OF YOUR PERSONAL DATA BY CONTACTING OUR DATA PROTECTION OFFICER (dpo@greenafrica.com). Please note however that the withdrawal of consent will not affect the lawfulness of the processing before its withdrawal, nor will it affect the processing of your personal information conducted in reliance on lawful processing grounds other than consent.

4.3 Where we need to collect personal data by law, or under the terms of a contract we have with you, or to provide our products and our services and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (including to provide you with our products and services). In such case, we may have to cancel a product or service you have with us, but we will notify you if this is the case at the time.

5. DATA SUBJECT RIGHT

Subject to applicable law, regulations, and/or guidelines, you may have the following rights:

• Consent

To be informed of and to provide consent before the use of your data for purposes other than that for which it was initially collected

• Access

To request a copy of the personal data processed about you, please note that we may, by law, charge a fee for this.

• Correction

To request that we correct your personal data found by you to be incorrect or to have changed.

• Erasure

To ask us to delete your personal data, for example if we no longer have a valid reason to process it.

• Object

To object to how we process your data. This does not mean you can decide or choose how we process your data other than in relation to marketing. If you have any concerns about how we process your personal data, please contact us at [*]. Please note that we may not be able to offer you services if you do not want us to process the personal data which we consider necessary for the provision of that services.

• Portability of data

To request the movement of data from us to a third Party.

6. SHARING INFORMATION WITH THIRD PARTIES

6.1 We may share your information with third-party service providers for the purpose of validating your credentials, securing data storage, marketing, advertising, customer service, and other applicable services, and we require that these third-party providers use personal data only in connection with the services they perform for Green Africa.

 6.2 Third parties to whom Green Africa outsources all or part of personal data processing activities must also comply with this policy. We will validate the privacy policy of any new third party with whom we engage that requires us to provide personal data of users, merchants, employees, and others. Existing third-party service providers will also be subject to validation.

6.3 We may share Users’ non-personally identifiable information with third parties that help us better understand how Users use our Service or help us detect and prevent fraud and other unauthorised or suspicious activity. These third parties may use cookies and other technologies to collect non-personally identifiable information about users and combine it with similar information collected from others. They may use this information to help us better understand our users and to help their other customers better understand the users.

6.4 Green Africa may share User information in the event of a merger, acquisition, debt financing, sale of all or a portion of our assets, or similar transaction, or in the event of insolvency, bankruptcy, or receivership in which User information is transferred to one or more third parties as one of our business assets. Should such an event occur, Green Africa will endeavour to ensure that the acquirer, successor, or assignee (as the case may be) follows this Privacy Policy concerning user information. If user information could be used contrary to this Privacy Policy, users will receive prior notice as well as the opportunity to opt out.

6.5 Green Africa may share User information with law enforcement, government officials, or other third parties in the event of a subpoena, court order, or similar legal procedure, or when Green Africa believes in good faith that the disclosure of User information is necessary or advisable to report suspected illegal activity, or to protect Green Africa’s property or legal rights or the property or rights of others, or otherwise to help protect the safety or security of the Services.

6.6 Except as expressly disclosed in this Privacy Policy, Green Africa will not sell or disclose Users’ information to third parties. Green Africa will not sell, rent, share, or trade PII to third parties (other than the platforms through which Green Africa collected such information) for their promotional purposes.

6.7 We may share personally identifiable information with third parties for the purposes set out in Section 2 of this Policy above and in compliance with the applicable laws and regulations. We may also share non-identifiable information with third parties that help us prevent fraud and analyze website activity.

6.8 When transferring personal data across borders, we ensure the highest level of security and compliance. All data shared with third-party vendors is encrypted using the latest cryptographic technologies to safeguard it against unauthorised access. At no time is personal data shared in plain text. Furthermore, we only collaborate with third-party vendors who demonstrate compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR), the Nigerian Data Protection Regulation (NDPR), and the Nigerian Data Protection Act 2023 (NDPA). These vendors are contractually obligated to adhere to strict data protection standards and implement robust measures to secure the information entrusted to them.

7. RETENTION POLICY

7.1 We will only retain your personal data for as long as reasonably necessary to fulfil the purposes for which we collected it, including the satisfaction of any legal, regulatory, tax, accounting, or reporting requirements. We may retain your personal data for a longer period if required by applicable law, in the event of a complaint or if we believe there is a prospect of litigation in respect to our relationship with you.

7.2 To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data; the potential risk of harm from unauthorised use or disclosure of your personal data; the purposes for which we process your personal data and whether we can achieve those purposes through other means; and the applicable legal, regulatory, tax, accounting, or other requirements.

8. HOW WE PROTECT YOUR INFORMATION

8.1 Access to personal data is restricted to authorised personnel only, based on their roles and responsibilities within the organisation. Role-Based Access Controls (RBAC) are implemented to ensure data security, and access is periodically reviewed and adjusted as needed.

8.2 We utilise advanced monitoring tools to identify and respond to potential data breaches in real time. A formal Incident Response Plan (IRP) is in place to ensure that any security incidents are managed promptly, minimising risks to personal data.

8.3 We conduct regular security assessments, including vulnerability testing and penetration testing, to identify potential risks and continuously enhance the security of our systems and data. These audits are performed by qualified experts and follow industry standards.

9. GOVERNING PRINCIPLES

Green Africa will comply with the principles outlined below to collect, store, and use a user’s personal information.

a) Data shall be collected and processed with a specific, legitimate, and lawful purpose, which shall be consented to by the user before collection and processing;

b) Data may be further processed for archiving, scientific research, historical research, and statistical purposes for public interest without obtaining the consent of the user;

c) Data collection and processing shall be adequate, accurate, and with consideration for the dignity of the human;;

d) Data shall only be stored for the period which is needed and as required by any written law; and

e) Data shall be secured against all foreseeable hazards and breaches such as theft, cyberattack, viral attack, dissemination, manipulations of any kind, damage by rain, fire, or exposure to other natural elements.

10. REPORTING PERSONAL DATA BREACH

10.1 Green Africa is required to comply with the Nigeria Data Protection Regulation 2019 (“NDPR”) and other relevant regulations regarding reporting requirements to data breaches and report any personal data breach. Green Africa has a duty to report to NITDA within 72 hours of becoming aware of a breach and to notify the user within 7 working days, except as otherwise directed by NITDA.

10.2 Green Africa has placed procedures around its platforms to deal with any suspected personal data breach and will notify a user or NITDA (where legally required to do so). Any suspected breach of personal data of a user will be remedied within one (1) month from the date of the report of the breach.

10.3 All evidence relating to a personal data breach should be preserved to enable Green Africa to maintain a record of such breaches, as required by the data protection laws, and to preclude future recurrence.

10.4 Green Africa will not be responsible for any personal data breach that occurs because of:

a) An event that is beyond its control.

b) An act or threats of terrorism.

c) An act of God (such as, but not limited to, pandemics, fires, explosions, earthquakes, drought, tidal waves, and floods).

d) War, hostilities (whether war is declared or not), invasion, the act of foreign enemies, mobilisation, requisition, or embargo.

e) Rebellion, revolution, insurrection, or military or usurped power, or civil war, which compromises the data protection measures on Green Africa’s platform.

f) The transfer of a user’s personal data to a third party on his/her instructions and the use of a user’s data by a third party designated by a user.e of a user’s data by a third party designated by a user.

11. POLICY UPDATES

This Policy may be updated from time to time, and we shall notify you of any changes thereon via a notice on our website. It is also important that the personal data we hold about you is accurate and current. In view of this, we encourage you to always update your personal data and keep us informed if there are changes to your personal data during your relationship with us.

12. DATA PROTECTION OFFICER

12.1 To ensure that any concerns you may have regarding the protection of your personal data are addressed sufficiently and timeously, we have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this Policy.

12.2 Without prejudice to any other provisions of this Policy, if you have any questions about this Policy or our privacy practices, including any requests to exercise your legal rights that have been specified in this Policy, please contact the DPO at [dpo@greenafrica.com]:

12.3 Without prejudice to your right to make a complaint at any time to the NITDA, the supervisory authority for data protection issues (www.nitda.gov.ng) for any alleged breach of your data privacy rights, we would appreciate it if you contacted us in the first instance through the DPO if you have any concerns regarding the protection of your data or this Policy.

13. GOVERNING LAW

This Policy is made pursuant to the provisions of the NDPR and any other relevant Nigerian laws, regulations, or international conventions applicable to Nigeria.

CONSENT CLAUSE

In accordance with the provisions of the Nigerian Data Protection Regulations that consent must be a freely given as specific, informed and unambiguous indication of a Data Subject's agreement to the processing of his/her Personal Data, I hereby confirm that I have read the foregoing policy and with a clear understanding of its implications as regards my privacy rights consent to the processing of my personal data by Green Africa.