This Privacy Policy ("Policy") describes how Equa Finance Ltd. ("Equa Finance", "Company", "we", "us", "our") collects, uses, stores, shares, and protects personal information and business data when you use the EQUA Finance cloud-based enterprise resource planning platform (the "Platform"). This Policy applies to all users of the Platform, including account administrators, authorized users, and visitors to our website.
Equa Finance is committed to protecting your privacy and handling your data responsibly and transparently in compliance with the Nigeria Data Protection Act (NDPA) 2023, the Nigeria Data Protection Regulation (NDPR) 2019, and, where applicable, the General Data Protection Regulation (GDPR) and other relevant data protection frameworks.
By accessing or using the Platform, you consent to the collection, use, and processing of your information as described in this Policy. If you do not agree with this Policy, please do not use the Platform.
1. Information We Collect
1.1 Information You Provide Directly
We collect information that you voluntarily provide when you register for, access, and use the Platform:
Account and Organization Information:
- Full name, email address, phone number, and job title of account administrators and authorized users;
- Organization name, business registration number (RC Number), Tax Identification Number (TIN), VAT registration number;
- Organization address, industry sector, and business type;
- Workspace configuration preferences, including currency, fiscal year, and jurisdiction settings;
- Brand assets such as organization logo and color preferences;
- Billing contact information and payment method details.
Financial and Business Data:
- Chart of accounts, journal entries, general ledger transactions, and account balances;
- Invoices, customer records, payment records, credit notes, and accounts receivable data;
- Expense records, vendor information, expense categories, and approval workflow data;
- Tax calculations, tax obligations, tax filings, and audit trail records;
- Tax filing submissions, authority references, and filing status information;
- Audit engagement records, workpapers, queries, findings, and adjustment entries;
- Financial reports including trial balances, profit and loss statements, and balance sheets;
- Imported data from third-party systems (Sage, QuickBooks, SAP, CSV, Excel);
- Fixed asset records, depreciation schedules, and inventory data.
Communication Data:
- Support tickets, feedback, and communications sent to our support team;
- Email notification preferences and subscription settings;
- AI Assistant conversation history and queries.
1.2 Information Collected Automatically
When you access the Platform, we automatically collect certain technical and usage information:
Device and Browser Information:
- IP address, browser type and version, operating system, and device type;
- Screen resolution, language preference, and time zone;
- Device identifiers and hardware model information.
Usage Data:
- Pages visited, features used, and actions taken within the Platform;
- Date and time of access, session duration, and frequency of use;
- Clickstream data, navigation paths, and feature interaction patterns;
- Search queries and filter selections within the Platform;
- Error logs, crash reports, and performance diagnostics.
Cookies and Similar Technologies:
- Session cookies for authentication and maintaining your login state;
- Preference cookies for storing your display settings (e.g., theme, language);
- Security cookies for fraud prevention and account protection;
- Analytics data collected through our analytics systems.
For detailed information about our use of cookies, please see our Cookie Policy.
1.3 Information from Third Parties
We may receive information about you from third-party sources, including:
- Payment processors (e.g., Paystack): Transaction confirmation, payment status, and partial payment card details;
- Tax authorities: Filing acknowledgments, acceptance/rejection notifications, and status updates received through API integrations or webhooks;
- AI service providers (e.g., Groq, Google Gemini, OpenAI, Anthropic): AI-generated responses and analysis results based on queries you submit;
- Data import sources: Financial data imported from accounting systems (Sage, QuickBooks, SAP) at your direction;
- Business registries: Publicly available business registration information for verification purposes.
1.4 Sensitive Information
We do not intentionally collect sensitive personal information such as racial or ethnic origin, political opinions, religious beliefs, health data, or biometric data. If such information is incidentally included in Customer Data (e.g., within uploaded documents), it will be treated with the same level of protection as all other Customer Data.
2. How We Use Your Information
2.1 Providing and Operating the Platform
We use your information to:
- Create, maintain, and secure your account and Organization workspace;
- Process financial transactions, generate reports, and perform calculations;
- Submit tax filings to Nigerian tax authorities on your behalf and track filing statuses;
- Process payments and manage your subscription;
- Deliver email notifications related to your account activities (invoice reminders, expense approvals, filing status updates, deadline alerts);
- Provide AI-powered financial analysis and recommendations;
- Import and process data from third-party systems at your direction;
- Generate and deliver exported documents (PDF, CSV).
2.2 Improving and Developing the Platform
We use aggregated and anonymized data to:
- Analyze usage patterns to improve Platform functionality and user experience;
- Identify and fix technical issues, bugs, and performance bottlenecks;
- Develop new features, modules, and services;
- Conduct research and statistical analysis on Platform usage trends;
- Benchmark Platform performance and reliability.
2.3 Security and Fraud Prevention
We use your information to:
- Detect, prevent, and investigate unauthorized access, fraud, and security threats;
- Monitor for suspicious activity and enforce our Acceptable Use Policy;
- Verify user identities and prevent account takeover;
- Maintain audit logs for compliance and security purposes;
- Respond to security incidents and data breaches.
2.4 Communication
We use your contact information to:
- Send transactional emails related to your account (welcome emails, password resets, billing receipts);
- Deliver system notifications (maintenance windows, security alerts, policy changes);
- Provide customer support and respond to your inquiries;
- Send product updates and feature announcements (with opt-out options);
- Conduct customer satisfaction surveys.
2.5 Legal Compliance
We use your information to:
- Comply with applicable laws, regulations, and legal processes;
- Respond to lawful requests from government authorities, regulators, and law enforcement;
- Establish, exercise, or defend legal claims;
- Enforce our Terms of Service and other agreements;
- Comply with financial reporting and anti-money laundering (AML) obligations.
3. Legal Basis for Processing
Under the NDPA 2023 and GDPR (where applicable), we process your personal information based on the following legal grounds:
| Processing Activity | Legal Basis |
|---|---|
| Providing the Platform and services | Performance of contract (your Subscription agreement) |
| Processing payments | Performance of contract; Legal obligation |
| Tax filing submissions | Performance of contract; Legal obligation |
| Security monitoring and fraud prevention | Legitimate interest (security of the Platform and users) |
| Platform improvement and analytics | Legitimate interest (improving services); Consent (for non-essential analytics) |
| Customer support communications | Performance of contract; Legitimate interest |
| Marketing communications | Consent (opt-in); Legitimate interest (existing customers) |
| Legal and regulatory compliance | Legal obligation; Legitimate interest |
| Data retention after termination | Legal obligation; Legitimate interest (dispute resolution) |
4. How We Share Your Information
4.1 We Do Not Sell Your Data
Equa Finance does not sell, rent, lease, or trade your personal information or Customer Data to third parties for their marketing purposes. We will never monetize your financial data.
4.2 Service Providers and Processors
We share your information with trusted third-party service providers who assist us in operating the Platform, subject to strict data processing agreements:
| Category | Purpose | Data Shared |
|---|---|---|
| Cloud Infrastructure (PostgreSQL hosting, file storage) | Data storage and processing | All Customer Data (encrypted) |
| Payment Processor (Paystack) | Subscription billing and payment processing | Billing name, email, payment amount, payment method token |
| Email Delivery Service | Transactional and notification emails | Recipient email, name, email content |
| AI Service Providers (Groq, Gemini, OpenAI, Anthropic) | AI-powered analysis and recommendations | Query content and relevant financial data context (only when you use AI features) |
| Error Monitoring and Logging | Platform stability and debugging | Technical logs, error traces (anonymized where possible) |
4.3 Tax Authorities
When you use the Tax Filing module, your tax filing data is transmitted directly to the relevant Nigerian tax authority (e.g., Federal Inland Revenue Service, State Internal Revenue Services) as directed by you. This transmission is necessary to fulfill your tax filing obligations. The handling of your data by tax authorities is subject to their own privacy policies and applicable Nigerian law.
4.4 Legal and Regulatory Disclosures
We may disclose your information when required or permitted by law, including:
- In response to a court order, subpoena, or other legal process;
- To comply with requests from Nigerian regulatory bodies, including the Nigeria Data Protection Commission (NDPC), Central Bank of Nigeria (CBN), Securities and Exchange Commission (SEC), or the Federal Inland Revenue Service (FIRS);
- To cooperate with law enforcement investigations or national security requests;
- To protect the rights, property, or safety of Equa Finance, our users, or the public;
- To detect, prevent, or address fraud, security issues, or technical problems.
4.5 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred to the acquiring entity. We will provide notice of such transfer and any changes to this Policy via email and/or a prominent notice on the Platform.
4.6 With Your Consent
We may share your information with third parties when you have given your explicit consent to such sharing. You may withdraw your consent at any time by contacting us at dpo@equafinance.com.
5. Data Storage and Security
5.1 Data Location
Your Customer Data is stored on secure servers located in data centers that comply with international security standards. We primarily process data within Nigeria and the West African region. Where data is transferred outside these jurisdictions (e.g., for cloud infrastructure or AI processing), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs), adequacy decisions, or other approved transfer mechanisms.
5.2 Security Measures
We implement comprehensive technical and organizational security measures to protect your data, including:
Technical Measures:
- Encryption in Transit: All data transmitted between your browser/client and our servers is encrypted using TLS 1.2 or higher;
- Encryption at Rest: Customer Data stored in our databases and file systems is encrypted using AES-256 encryption;
- Credential Encryption: Sensitive credentials (API keys, integration tokens) are encrypted using HMAC-verified encryption with integrity checks;
- Access Controls: Role-based access control (RBAC) with granular permissions ensuring users can only access data within their Organization and authorization scope;
- Multi-Tenant Isolation: Complete data isolation between Organizations — no cross-tenant data access is possible;
- Authentication: JWT-based API authentication and session-based authentication for web access, with support for multi-factor authentication;
- Database Security: PostgreSQL database with encrypted connections, parameterized queries to prevent SQL injection, and regular security patches;
- Web Application Security: CSRF protection, XSS prevention, Content Security Policy headers, and OWASP Top 10 vulnerability mitigation;
- Automated Backups: Regular encrypted backups with tested restoration procedures;
- Webhook Security: HMAC SHA-256 signature verification for all incoming webhooks.
Organizational Measures:
- Regular security assessments and penetration testing;
- Employee background checks and security training;
- Incident response plan with defined escalation procedures;
- Access logging and monitoring with anomaly detection;
- Vendor security assessments for third-party service providers;
- Code review and security testing as part of the software development lifecycle.
5.3 Data Breach Response
In the event of a data breach affecting your personal information, we will:
- Notify the Nigeria Data Protection Commission (NDPC) within seventy-two (72) hours of becoming aware of the breach, as required by the NDPA;
- Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms;
- Document the breach, its effects, and the remedial actions taken;
- Implement measures to mitigate the impact of the breach and prevent recurrence.
6. Data Retention
6.1 Retention Periods
We retain your information for the following periods:
| Data Category | Retention Period | Justification |
|---|---|---|
| Account registration data | Duration of account + 30 days post-termination | Contract performance; Data export period |
| Financial records and transactions | Duration of account + 7 years post-termination | Legal obligation (Companies and Allied Matters Act; tax laws) |
| Tax filing records | Duration of account + 7 years post-termination | Legal obligation (Federal Inland Revenue Service Act) |
| Audit trail and activity logs | Duration of account + 7 years post-termination | Legal obligation; Legitimate interest (compliance, dispute resolution) |
| Payment and billing records | Duration of account + 7 years post-termination | Legal obligation; Contract performance |
| Support tickets and communications | Duration of account + 3 years post-termination | Legitimate interest (service improvement, dispute resolution) |
| Security and access logs | 12 months (rolling) | Legitimate interest (security, fraud prevention) |
| AI Assistant conversation history | Duration of account + 30 days post-termination | Contract performance |
| Cookie and analytics data | As specified in Cookie Policy | Consent; Legitimate interest |
| Marketing preferences | Duration of account + 30 days post-termination | Consent |
6.2 Deletion Process
Upon expiration of the applicable retention period, data is permanently deleted from our active systems within ninety (90) days. Data may persist in encrypted backup archives for up to an additional one hundred eighty (180) days before being permanently purged. We use secure deletion methods that render data unrecoverable.
7. Your Rights
7.1 Rights Under the NDPA 2023
Under the Nigeria Data Protection Act 2023, you have the following rights regarding your personal information:
- Right of Access: You have the right to request a copy of the personal information we hold about you and details of how we process it.
- Right to Rectification: You have the right to request correction of inaccurate or incomplete personal information.
- Right to Erasure (Right to be Forgotten): You have the right to request deletion of your personal information, subject to legal retention requirements.
- Right to Restrict Processing: You have the right to request that we limit how we process your personal information in certain circumstances.
- Right to Data Portability: You have the right to receive your personal information in a structured, commonly used, and machine-readable format, and to transmit that information to another controller.
- Right to Object: You have the right to object to the processing of your personal information based on legitimate interests or for direct marketing purposes.
- Right to Withdraw Consent: Where processing is based on consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
- Right Not to be Subject to Automated Decision-Making: You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you.
- Right to Lodge a Complaint: You have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) if you believe your rights have been violated.
7.2 Additional Rights Under GDPR (Where Applicable)
If you are located in the European Economic Area (EEA) or the United Kingdom, you have additional rights under the GDPR, including the right to lodge a complaint with your local supervisory authority.
7.3 Exercising Your Rights
To exercise any of your rights, please contact our Data Protection Officer at:
- Email: dpo@equafinance.com
- Subject line: "Data Subject Rights Request"
We will respond to your request within thirty (30) days, or within the timeframe required by applicable law. We may ask you to verify your identity before processing your request. Where requests are manifestly unfounded, repetitive, or excessive, we may charge a reasonable fee or refuse to act on the request.
7.4 Data Export
The Platform provides built-in data export functionality. You can export your financial data in CSV, PDF, and JSON formats at any time during your active Subscription through the Platform's reporting and export features.
8. International Data Transfers
8.1 Cross-Border Transfers
Your data may be transferred to and processed in countries outside Nigeria for the purposes described in this Policy. Such transfers occur when using cloud infrastructure services, AI processing providers, and other third-party service providers located outside Nigeria.
8.2 Safeguards for International Transfers
When transferring data internationally, we ensure appropriate safeguards are in place, including:
- Data Processing Agreements incorporating Standard Contractual Clauses (SCCs) approved by the European Commission;
- Adequacy determinations by the NDPC or relevant data protection authorities;
- Binding Corporate Rules (BCRs) where applicable;
- Specific consent for the transfer where other mechanisms are not available;
- Technical measures such as encryption to protect data during transfer and storage.
8.3 AI Service Provider Transfers
When you use the AI Assistant feature, your queries and relevant data context may be processed by AI service providers located outside Nigeria (including providers in the United States). Data sent to AI providers is transmitted securely (TLS encrypted), is used solely for generating responses to your specific queries, and is subject to the AI provider's data processing agreements with Equa Finance. You can disable AI features at any time through your Organization settings.
9. Children's Privacy
The Platform is designed for business use and is not intended for children under the age of eighteen (18). We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to promptly delete such information. If you believe a child has provided us with personal information, please contact us at dpo@equafinance.com.
10. Third-Party Links and Services
The Platform may contain links to third-party websites, services, or applications that are not operated by Equa Finance. This Privacy Policy does not apply to third-party services, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party services you access through the Platform.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last Updated" date at the top of this Policy;
- Provide notice via email to the address associated with your account;
- Display a prominent notice on the Platform;
- Where required by law, obtain your consent before implementing material changes to how we process your personal information.
We encourage you to review this Policy periodically. Your continued use of the Platform after the effective date of any changes constitutes acceptance of the revised Policy.
12. Data Protection Officer
Equa Finance has appointed a Data Protection Officer (DPO) responsible for overseeing our data protection practices. You may contact our DPO at:
Data Protection Officer
Equa Finance Ltd.
Email: dpo@equafinance.com
Lagos, Nigeria
13. Supervisory Authority
If you believe that your data protection rights have been violated, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC):
Nigeria Data Protection Commission
Website: https://ndpc.gov.ng
Abuja, Nigeria
If you are located in the EEA or UK, you may also lodge a complaint with your local data protection supervisory authority.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
Equa Finance Ltd.
Email: privacy@equafinance.com
Data Protection Officer: dpo@equafinance.com
General Support: support@equafinance.com
Lagos, Nigeria
Questions about this document? Contact legal@equafinance.com. We typically respond within 2 business days.