Privacy Policy

Use of our web and mobile platform at ngoasaservice.com;

Registration and account management for NGO, company, or individual users;

Verification submissions, outreach reports, CSR activity records, and any other data submitted through Platform features;

Communications with us by email, contact forms, or any other channel.

For all users: email address, hashed password, account type (NGO or Company), and registration timestamp.

For NGO accounts: foundation/organisation name, contact person name, phone number, contact address, and optionally a custom profile slug (URL).

For Company accounts: company name, industry, contact person name, phone number, website URL, and contact address.

Legal section: CAC registration number, year of incorporation, about / mission statement, board member names and contact details, uploaded legal documents (CAC certificate, constitution, board resolutions).

Financial section: funding sources, income and expense summaries, uploaded financial documents (audited accounts, bank statements).

Impact section: description of past interventions, uploaded evidence documents and images.

Digital section: website URL, social media handles and links.

Report content including title, intervention type, location, dates, number of beneficiaries, cost breakdowns, beneficiary testimonies (names, contacts, and statements), uploaded photos, and Cloudflare Stream video content.

When a company submits a report access request: company name, industry, purpose, optional message, and timestamps. This data is shared with the relevant NGO to enable an informed consent decision.

Activity titles, descriptions, partner NGO references, start and end dates, budget amounts, disbursement records (amount, date, description), and activity status.

IP address, browser type and version, device type, pages visited, timestamps, and referring URLs — collected automatically when you use the Platform.

Account provision and authentication: to create and manage your account, authenticate your identity, and maintain account security.

Verification processing: to review submitted documents, assess verification status, and generate Readiness Scores for NGO profiles.

Public profile display: to display summary NGO information, Readiness Scores, and outreach data on public-facing profile pages accessible to all visitors without an account.

Report access facilitation: to enable companies to submit access requests and to share company profile information with NGOs so they can make an informed consent decision.

CSR activity management: to enable companies to create, track, and report on CSR activities linked to NGO partners.

Communications: to send transactional emails (account verification, password resets, request notifications, verification status updates). We do not send marketing emails without your explicit consent.

Platform improvement: to analyse usage patterns, troubleshoot issues, and improve the Platform's functionality and user experience.

Legal and compliance: to comply with applicable Nigerian law, respond to lawful requests from regulatory or law enforcement authorities, and enforce our Terms of Service.

Contract performance: processing necessary to provide the Services you have registered for — including account management, verification review, and platform features.

Legitimate interests: processing for Platform security, fraud prevention, abuse detection, and service improvement, where such interests are not overridden by your rights.

Consent: where we rely on consent (e.g. for marketing communications or optional features), you may withdraw that consent at any time without affecting the lawfulness of prior processing.

Legal obligation: processing required to comply with applicable Nigerian law or a lawful order of a competent authority.

Public profile data: Summary NGO information, Readiness Scores, beneficiary statistics, published outreach report summaries, and section verification statuses are publicly visible to anyone accessing the Platform, including non-registered visitors. You control what you submit to each section.

Report access (company-granted): When an NGO grants a company's access request, full NGO documentation, financial records, board contacts, and outreach report details become accessible to that specific company's account. NGOs remain in full control of whether to grant or decline each request.

Company profile sharing: When a company submits an access request, the requesting company's profile data is shared with the target NGO to enable an informed consent decision.

Service providers: We share data with third-party service providers who process data on our behalf solely to provide the Platform. These include Firebase (Google LLC) for authentication, database, and hosting, and Cloudflare for file storage and video streaming. All service providers are bound by data processing agreements.

Legal requirements: We may disclose your data if required to do so by law, court order, or a lawful request from a government or regulatory authority in Nigeria.

Business transfers: In the event of a merger, acquisition, or sale of all or a substantial part of our assets, user data may be transferred to the acquiring entity, subject to equivalent privacy protections.

Active accounts: All account data, verification records, outreach reports, and CSR activity data are retained for the duration of your account.

Deleted accounts: Upon account deletion, we will delete or anonymise your personal data within 90 days, except where retention is required by law or legitimate business necessity (e.g. financial records for tax compliance, data subject to an active legal dispute).

Published outreach reports: If an NGO has published outreach reports that are linked to CSR activity records held by a company user, we may retain anonymised impact data following NGO account deletion to maintain the integrity of the company's records.

Legal and compliance records: Certain records may be retained for up to 7 years as required by Nigerian financial, tax, and corporate law.

Encryption of data in transit using TLS/HTTPS for all Platform communications.

Secure credential storage — passwords are hashed using industry-standard algorithms via Firebase Authentication and are never stored in plain text.

Role-based access controls — NGO data is accessible only to the relevant account holder and to companies with explicitly granted access.

Firestore security rules enforcing that users can only access data they are authorised to view.

Cloudflare R2 and Stream presigned URL mechanisms ensuring uploaded documents and videos are not publicly accessible without authorisation.

Right of access: You may request a copy of the personal data we hold about you.

Right to rectification: You may request that we correct inaccurate or incomplete personal data about you.

Right to erasure (“right to be forgotten”): You may request that we delete your personal data in certain circumstances, including where it is no longer necessary for the purpose it was collected.

Right to restrict processing: You may request that we restrict the processing of your data in certain circumstances.

Right to data portability: Where processing is based on consent or contract and is carried out by automated means, you may request a copy of your data in a structured, machine-readable format.

Right to object: You may object to processing based on legitimate interests or for direct marketing purposes.

Right to withdraw consent: Where processing is based on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

Strictly necessary cookies: Required for authentication and session management (including Firebase Authentication session tokens). These cannot be disabled without preventing core Platform functionality.

Functional cookies: Used to remember your preferences (such as filter settings) during a session.

Analytics cookies: We may use anonymous analytics tools to understand how users interact with the Platform. Where used, no personally identifiable information is collected through analytics cookies without your consent.

Google Firebase (Google LLC): Authentication, real-time database (Firestore), and cloud infrastructure. Governed by Google's Privacy Policy and Data Processing Terms. Data may be processed in the United States and other jurisdictions where Google operates.

Cloudflare, Inc.: File storage (Cloudflare R2) for uploaded documents and images, and video streaming (Cloudflare Stream) for uploaded video content. Governed by Cloudflare's Privacy Policy.