Legal
Cookie Policy
Effective date: 1 April 2026 — Last updated: 1 April 2026
This Cookie Policy explains how Atheq LLP(“we”, “us”, or “our”) uses cookies and similar tracking technologies when you visit or use the www.atheqpartners.com platform. It should be read alongside our Privacy Policy and our Terms of Service.
Our use of cookies is governed by the Nigeria Data Protection Act 2023 (NDPA), the Nigeria Data Protection Regulation 2019 (NDPR), and the NITDA Guidelines on Data Protection Implementation (2020). Where cookies process Personal Data, they are handled in accordance with the lawful bases set out in this policy and our Privacy Policy.
1. What Are Cookies?
Cookies are small text files that a website places on your device (computer, tablet, or smartphone) when you visit it. They allow the website to recognise your device on subsequent visits and to remember information about your preferences or session.
Similar technologies include:
- Local storage — a browser-side key-value store with no built-in expiry, used for persisting UI state across browser restarts;
- Session storage — like local storage but cleared when the browser tab is closed;
- IndexedDB — a low-level, structured browser database used for offline capability; and
- Pixel tags / web beacons — invisible 1×1-pixel images embedded in web pages or emails to track opens and clicks.
We use the term “cookies” in this policy to refer collectively to all such technologies unless stated otherwise.
2. Legal Basis for Cookie Use
Under the NDPA 2023 and NDPR 2019, the placement of cookies that process Personal Data requires a lawful basis. We rely on the following bases for different categories of cookie:
| Cookie category | Lawful basis | Consent required? |
|---|---|---|
| Strictly necessary | Contract performance (Art. 2.2(b) NDPR) — essential to deliver the service you requested | No |
| Preference / functional | Legitimate interest (Art. 2.2(e) NDPR) — providing a consistent, personalised experience | No (but you may opt out) |
| Analytics | Legitimate interest (Art. 2.2(e) NDPR) — improving platform performance and identifying errors | No (but you may opt out) |
| Third-party / cross-site tracking | We do not use such cookies — see Section 5 | N/A |
Where we rely on legitimate interest, we have conducted a balancing test and determined that our interests do not override your fundamental rights and freedoms under the NDPA 2023. You may object to processing based on legitimate interest at any time — see Section 7.
3. Cookies We Use
3.1 Strictly Necessary Cookies
These cookies are essential for the platform to function correctly. They cannot be switched off without breaking core services such as authentication, session continuity, and payment processing. They do not store any personally identifiable information beyond what is technically required to operate your session.
| Cookie name | Provider | Purpose | Type | Duration | Attributes |
|---|---|---|---|---|---|
sb-access-token | Supabase / Atheq LLP | Stores your short-lived JWT access token, which authenticates your API requests. Refreshed automatically before expiry. | HTTP cookie | 1 hour (auto-refreshed) | HttpOnly, Secure, SameSite=Lax |
sb-refresh-token | Supabase / Atheq LLP | Stores a long-lived opaque token used to silently obtain new access tokens without requiring you to log in again. | HTTP cookie | 7 days (sliding) | HttpOnly, Secure, SameSite=Lax |
sb-auth-token / sb-*-auth-token* | Supabase / Atheq LLP | Chunks of the serialised auth session stored in local storage for client-side access. Contains the same JWT payload as above. | Local storage | Until logout or token rotation | JavaScript-accessible (no server flag) |
__paystack_* | Paystack | Required by Paystack to fingerprint the browser session, detect fraudulent payment attempts, and maintain payment flow state across redirect steps. | HTTP cookie | Session | Secure, SameSite=None (cross-origin payment pop-up) |
3.2 Preference (Functional) Cookies
These cookies remember choices you make so that the platform can provide a more personalised experience. Blocking them may mean that your preferences are not remembered between visits.
| Cookie name | Provider | Purpose | Type | Duration | Attributes |
|---|---|---|---|---|---|
public-theme | Atheq LLP | Stores your chosen display theme (dark or light) for public-facing pages so your preference persists across browser sessions and return visits. | HTTP cookie | 365 days | Secure, SameSite=Lax, path = / |
You can reset this preference at any time using the theme toggle on the homepage, or by deleting the public-theme cookie from your browser — see Section 7.
3.3 Analytics Cookies
We use analytics tools to understand how visitors interact with the platform — for example, which pages attract the most traffic, where users encounter errors, and how Core Web Vitals perform across devices. This data is used solely to improve the platform and is not shared with third parties for commercial purposes.
| Tool / Cookie | Provider | Data collected | Personally identifiable? | Duration | Data location |
|---|---|---|---|---|---|
| Vercel Analytics (script injection, no named cookie) | Vercel Inc. (USA) | Page URL, referrer, browser type, device type, country-level geolocation, Core Web Vitals (LCP, FID, CLS). No IP address is stored by default. | No — data is aggregated and anonymised | Aggregated data retained for up to 90 days | Vercel servers, USA. See cross-border transfer disclosure in Section 6. |
| Vercel Speed Insights (script injection) | Vercel Inc. (USA) | Real-user performance metrics per page load. No user identifier is persisted. | No | Session only | Vercel servers, USA |
PostHog (ph_* cookies and local storage) | PostHog Inc. (EU — Frankfurt) | Product analytics: page views, feature usage, session recordings (if enabled), and funnel analysis. IPs are masked before storage. Distinct-ID is pseudonymous and rotates on opt-out. | Pseudonymous distinct-ID only — no name, email, or financial data | ph_* cookies: 1 year; local storage entries cleared on opt-out | PostHog EU Cloud (Frankfurt, Germany) — data does not leave the EU. See cross-border transfer disclosure in Section 6. |
Do Not Track (DNT) and Global Privacy Control (GPC): Where your browser sends a DNT or GPC signal, Vercel Analytics will honour it and exclude your session from analytics collection. We do not override these signals.
3.4 Third-Party Service Cookies
Some third-party services embedded in or called by the platform may set their own cookies. We do not control the behaviour of these third-party cookies. Please review the privacy and cookie policies of each provider:
| Third party | Purpose | Their cookie / privacy policy |
|---|---|---|
| Paystack (Paystack Inc.) | Secure payment processing — debit card, bank transfer, and USSD flows | paystack.com/privacy |
| Vercel (Vercel Inc.) | Edge CDN delivery, DDoS protection, and performance optimisation | vercel.com/legal/privacy-policy |
| Supabase (Supabase Inc.) | Backend-as-a-service (database, authentication, storage) | supabase.com/privacy |
4. Cookies We Do Not Use
Atheq LLP does not use, and has no plans to introduce without explicit notice and (where required) consent:
- Advertising or retargeting cookies — we do not run ad campaigns that track you across third-party websites or serve you personalised advertisements based on your browsing behaviour;
- Social media tracking pixels — we do not embed Facebook Pixel, Twitter/X Pixel, LinkedIn Insight Tag, TikTok Pixel, or similar tools;
- Cross-site behavioural profiling — we do not share your browsing data with data brokers, aggregators, or any third party for commercial profiling; or
- Fingerprinting scripts — we do not use canvas fingerprinting, audio fingerprinting, or any other technique designed to identify your device without setting a cookie.
5. Sensitive Personal Data and Cookies
We do not store sensitive personal data in cookies or browser storage. In particular:
- Your Bank Verification Number (BVN) and National Identification Number (NIN) are collected once during KYC, transmitted over TLS, and stored exclusively in our encrypted server-side database. They are never written to a cookie, local storage, or any client-accessible location.
- Bank account numbers, card numbers, and payment instrument details are handled entirely by Paystack (a CBN-licensed payment service provider) and are never transmitted to or stored on our servers in unencrypted form.
- Authentication tokens stored in
HttpOnlycookies are opaque references — they contain no plaintext personal data and are not readable by JavaScript.
6. Cross-Border Data Transfers
Certain analytics data collected via cookies is processed by Vercel Inc. on servers located in the United States of America. Under the NDPA 2023 (Section 43) and NDPR 2019 (Article 2.12), cross-border transfers of Personal Data are only permitted where an adequate level of data protection is ensured. We rely on the following safeguards:
- Data minimisation: Vercel Analytics does not receive IP addresses or any directly identifying Personal Data. Only aggregated, anonymised metrics are transmitted.
- Standard Contractual Clauses (SCCs): Our agreement with Vercel incorporates appropriate data transfer mechanisms for international transfers consistent with applicable data protection law.
- Nigerian Data Protection Commission (NDPC) guidance: We monitor guidance issued by the NDPC on approved transfer mechanisms and update our safeguards accordingly.
Supabase (our database provider) operates in regions including the EU (Frankfurt). All data at rest is encrypted using AES-256. All data in transit is encrypted using TLS 1.2 or higher.
7. How to Control Cookies
7.1 Browser Settings
Most web browsers allow you to manage cookies through their settings. You can typically view, delete, or block cookies on a per-site or global basis. Note that blocking strictly necessary cookies will prevent you from logging in or making contributions.
| Browser | Path to cookie settings |
|---|---|
| Google Chrome | Settings → Privacy and security → Cookies and other site data |
| Mozilla Firefox | Settings → Privacy & Security → Cookies and Site Data |
| Apple Safari | Preferences → Privacy → Manage Website Data |
| Microsoft Edge | Settings → Cookies and site permissions → Cookies and site data |
| Opera | Settings → Advanced → Privacy & security → Cookies |
7.2 Do Not Track (DNT) and Global Privacy Control (GPC)
You can instruct your browser to send a DNT signal or enable GPC (supported by Firefox and Brave, among others). We honour both signals for analytics purposes. Strictly necessary and preference cookies are not affected by DNT/GPC.
7.3 Theme Preference
You can delete or reset the public-themepreference cookie at any time by using the theme toggle on the homepage or by deleting the cookie via your browser’s developer tools (Application → Storage → Cookies → www.atheqpartners.com).
7.4 Analytics Opt-out
If you prefer not to be counted in Vercel Analytics, you can:
- Enable your browser’s DNT signal or enable GPC (see 7.2); or
- Use a browser extension that blocks analytics scripts (e.g. uBlock Origin, Privacy Badger).
7.5 Your Rights Under the NDPA 2023
To the extent that cookies process your Personal Data, you may exercise the following rights under the NDPA 2023:
- Right to object (Section 35 NDPA) — object to processing based on legitimate interest;
- Right to erasure (Section 34 NDPA) — request deletion of cookie-linked Personal Data (e.g. analytics session IDs); and
- Right to information (Section 29 NDPA) — this Cookie Policy constitutes the required disclosure.
To exercise these rights, contact us at privacy@atheqpartners.com. We will respond within 30 days in accordance with Section 35(3) NDPA.
8. Consent Mechanism
Where a cookie category requires explicit consent (currently none — see Section 2), we will present a clearly labelled consent banner on your first visit that:
- Identifies each cookie category with a plain-language explanation;
- Provides granular opt-in toggles (i.e. you can accept analytics without accepting advertising, etc.);
- Makes it as easy to decline as to accept (no deceptive patterns);
- Records your choice server-side with a timestamp and version reference for audit purposes; and
- Allows you to withdraw consent at any time with the same ease as granting it, via a persistent “Cookie Settings” link.
We do not use pre-ticked boxes, consent bundled with terms acceptance, or any consent mechanism that does not meet the standards of the NDPA 2023 and NDPR 2019.
9. Cookie Retention and Deletion
Cookies are retained only for as long as necessary to fulfil their stated purpose:
- Session cookies are deleted automatically when you close your browser tab or window.
- Persistent cookies (e.g.
sb-refresh-tokenat 7 days,public-themeat 365 days) expire at the duration stated in Section 3 above, unless you delete them earlier. - Local storage entrieshave no built-in expiry; they are cleared on logout or when you clear your browser’s site data.
- Server-side analytics aggregates are retained for up to 90 days and then automatically purged.
10. Changes to This Policy
We may update this Cookie Policy to reflect changes in the cookies we use, applicable law, or guidance from the Nigerian Data Protection Commission (NDPC) or the National Information Technology Development Agency (NITDA). Material changes will be communicated via in-platform notice or email to your registered address at least 14 daysbefore taking effect. The “Last updated” date at the top of this page always shows when the policy was last revised. We encourage you to review this page periodically.
11. Contact Us
If you have questions about our use of cookies or wish to exercise your data subject rights, please contact our Data Protection Officer (DPO):
Atheq LLP — Data Protection Officer
Website: www.atheqpartners.com
Email: privacy@atheqpartners.com
You also have the right to lodge a complaint with the Nigerian Data Protection Commission (NDPC) at www.ndpc.gov.ng if you believe we have not handled your data in accordance with applicable law.