Privacy Policy
Last updated: March 1, 2026
This Privacy Policy describes how Nvono Nigeria Limited ("Nvono", "we", "us", or "our") collects, uses, stores, shares, and protects your personal information when you use the Nvono platform ("the Service"). By using the Service, you consent to the practices described in this policy.
This policy should be read together with our Terms of Service. Defined terms not explained here have the same meaning as in our Terms of Service.
1. Information We Collect
1.1 Information You Provide
- Account Information: Name, email address, phone number, password, company name, and Tax Identification Number (TIN) provided during registration.
- Business Information: Company address, city, state, business registration details, and NRS credentials you configure in the dashboard.
- Document Data: All invoice data, credit notes, debit notes, bills, line items, tax calculations, payment records, and related metadata you create or upload through the Service.
- Counterparty Information: Names, TINs, addresses, and other details of your customers and vendors that you include in your documents.
- Payment Information: Billing details and payment card information processed through our payment provider, Flutterwave. We do not store your full card numbers on our servers.
- Communications: Messages you send to us via email, contact forms, or support channels.
- API Keys: Keys you generate for programmatic access to the Service.
1.2 Information Collected Automatically
- Usage Data: Login times, pages visited, features used, documents created, API requests made, and other interactions with the Service.
- Device Information: Browser type and version, operating system, screen resolution, and device type.
- Log Data: IP address, access times, referring URLs, and server logs generated when you use the Service.
- Cookies: We use essential cookies for authentication and session management. We do not use third-party advertising or tracking cookies.
1.3 Information from Third Parties
- NRS: When you submit documents to NRS, we receive validation results, Invoice Reference Numbers (IRNs), QR codes, and status updates from the NRS MBS system.
- NRS Exchange: When counterparties send invoices to you via NRS, we receive the transmitted document data on your behalf.
- Payment Processor: Flutterwave provides us with transaction status, payment confirmations, and subscription status information.
2. How We Use Your Information
We use the information we collect for the following purposes:
2.1 Providing the Service
- Creating and managing your Account and Tenant
- Processing, storing, and managing your documents
- Submitting invoices to NRS on your behalf and retrieving validation results
- Receiving invoices from counterparties via NRS exchange
- Generating tax reports and compliance summaries
- Processing payments and managing your subscription
- Authenticating API requests and enforcing rate limits
2.2 Communication
- Sending account-related notifications (password resets, email verification, subscription changes)
- Responding to your support inquiries and contact form submissions
- Sending service updates, maintenance notices, and security alerts
- Providing information about new features or plan changes (you may opt out of non-essential communications)
2.3 Improvement and Analytics
- Analyzing usage patterns to improve the Service's functionality and user experience
- Identifying and fixing bugs, errors, and performance issues
- Generating aggregate, anonymized statistics about Service usage (no individual user data is shared)
2.4 Security and Compliance
- Detecting, preventing, and responding to fraud, abuse, and security incidents
- Enforcing our Terms of Service and acceptable use policies
- Complying with applicable legal and regulatory obligations
3. How We Share Your Information
We do not sell your personal data to third parties. We share your information only in the following circumstances:
3.1 Nigeria Revenue Service (NRS)
When you submit documents through the Service, we transmit the required invoice data to NRS as part of the e-invoicing compliance process. This includes supplier and buyer information, TINs, document amounts, tax calculations, and other data required by the NRS MBS system.
3.2 Payment Processor
We share billing information with Flutterwave to process your subscription payments. Flutterwave's handling of your payment data is governed by their own privacy policy.
3.3 Service Providers
We may engage trusted third-party service providers to assist with hosting, data storage, email delivery, and other operational functions. These providers are contractually obligated to protect your data and may only use it for the specific services they provide to us.
3.4 Legal Requirements
We may disclose your information when required to do so by law, court order, or governmental authority, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, investigate fraud, or respond to a government request.
3.5 Business Transfers
In the event of a merger, acquisition, or sale of all or a portion of our assets, your personal information may be transferred as part of the transaction. We will notify you of any such change and any choices you may have regarding your information.
4. Data Security
We implement comprehensive security measures to protect your personal information:
- Encryption at Rest: Sensitive credentials, including NRS API keys and secrets, are encrypted using AES-256-GCM before storage in our database.
- Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS/HTTPS.
- Authentication: We use JWT (JSON Web Token) authentication with short-lived access tokens and refresh token rotation to protect your sessions.
- Password Security: User passwords are hashed using Argon2, a state-of-the-art password hashing algorithm. We never store passwords in plain text.
- Multi-Tenant Isolation: Each organization's data is logically isolated from other tenants. Users can only access data belonging to their own Tenant.
- Rate Limiting: API and authentication endpoints are rate-limited to prevent brute-force attacks.
- Access Controls: Role-based access control (RBAC) ensures that team members can only perform actions appropriate to their role (admin, member, viewer).
- Infrastructure Security: Our infrastructure is hosted on managed cloud services with automatic security patches, firewalls, and encrypted database connections.
- Email Verification: We require email verification (OTP) for new account registrations to prevent unauthorized account creation.
While we take reasonable measures to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we are committed to promptly addressing any security incidents that may occur.
5. Data Retention
5.1 Active Accounts. We retain your personal information and Content for as long as your Account is active and as needed to provide the Service.
5.2 Tax Records. Invoice data and related tax records are retained for a minimum of six (6) years from the date of creation, in accordance with Nigerian tax law and the requirements of the NRS. This applies even if you close your Account.
5.3 Account Closure. When you close your Account, we will delete your personal profile information within 30 days. Document data subject to legal retention requirements will be retained for the mandatory period and then securely deleted.
5.4 Backup Retention. Backup copies of your data may persist in our backup systems for up to 90 days after deletion from our primary systems.
5.5 Anonymized Data. We may indefinitely retain anonymized, aggregated data that cannot be used to identify you, for analytical and statistical purposes.
6. Cookies and Tracking
6.1 Essential Cookies. We use essential cookies for authentication and session management. These cookies are necessary for the Service to function and cannot be disabled.
6.2 No Advertising Cookies. We do not use third-party advertising cookies or tracking pixels. We do not participate in ad networks or cross-site tracking.
6.3 Local Storage. We may use browser local storage to persist user preferences and session state for a better user experience.
7. Your Rights
Subject to applicable law, you have the following rights regarding your personal information:
- Right of Access: You may request a copy of the personal information we hold about you.
- Right to Rectification: You may update or correct inaccurate personal information through your Account settings or by contacting us.
- Right to Deletion: You may request deletion of your personal information, subject to legal retention requirements (such as tax record retention periods).
- Right to Data Portability: You may export your documents and data in standard formats (CSV, JSON, PDF) at any time through the Service or via our API.
- Right to Restrict Processing: You may request that we restrict the processing of your personal information in certain circumstances.
- Right to Object: You may object to the processing of your personal information for certain purposes, such as non-essential communications.
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, contact us at privacy@nvono.ng. We will respond to your request within 30 days.
8. International Data Transfers
Your data is primarily stored on servers located in Nigeria and may also be processed on cloud infrastructure in other regions. When your data is transferred outside of Nigeria, we ensure that appropriate safeguards are in place to protect your information, including contractual obligations on our service providers to maintain data security and confidentiality standards equivalent to those described in this policy.
9. Children's Privacy
The Service is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information promptly.
10. Third-Party Links
The Service may contain links to third-party websites or services (such as Flutterwave for payments). We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party service you interact with through our platform.
11. Data Breach Notification
In the event of a data breach that compromises your personal information, we will: (a) notify affected users via email within 72 hours of becoming aware of the breach; (b) provide details about the nature of the breach and the data affected; (c) describe the measures we are taking to address the breach and mitigate its effects; and (d) report the breach to relevant authorities as required by Nigerian law, including the Nigeria Data Protection Commission (NDPC).
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes at least 30 days in advance via email or in-app notification. The "Last updated" date at the top of this page indicates when the policy was last revised. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated policy.
13. Regulatory Compliance
This Privacy Policy is designed to comply with the Nigeria Data Protection Act (NDPA) 2023 and the Nigeria Data Protection Regulation (NDPR) 2019 as applicable. We are committed to upholding the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality in our processing of personal data.
If you believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC).
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Data Protection Officer: privacy@nvono.ng
- General Support: support@nvono.ng
- Address: Nvono Nigeria Limited, Lagos, Nigeria
We will respond to all privacy-related inquiries within 30 days.