Privacy Policy

3.1 Identity Data

• Full legal name (as it appears on your government-issued ID);
• Date of birth;
• Gender;
• Profile photograph (where voluntarily provided); and
• Government-issued identification numbers, specifically:
  • Bank Verification Number (BVN)— collected pursuant to CBN Regulatory Framework for BVN Operations and Watch-List for the Nigerian Banking Industry (2014) as amended;
  • National Identification Number (NIN)— collected where required for enhanced KYC verification; and
  • Voter’s card, international passport, or driver’s licence number (for supplementary identity verification where applicable).

3.2 Contact Data

• Email address;
• Mobile phone number;
• Residential address (street, city, state, postal code); and
• Next-of-kin name and contact details (collected at onboarding).

3.3 Financial Data

• Bank account number and bank name;
• Account type;
• Payment card details — we do not store full card numbers ourselves; these are tokenised and stored by Paystack in accordance with PCI-DSS standards;
• Commitment history (dates, amounts, units purchased, unit price at time of purchase);
• Withdrawal request history (dates, amounts, status, settlement records); and
• Total unit holdings, current portfolio value, and accrued returns.

3.4 KYC and Compliance Data

• Source of funds declaration (required under the CBN Anti-Money Laundering/Combating the Financing of Terrorism Regulations 2022);
• Politically Exposed Person (PEP) status screening results;
• Sanctions list screening results (against UN, OFAC, and EU lists);
• Document verification outcomes (pass/fail/flagged); and
• Any adverse media or risk assessment findings generated during customer due diligence (CDD) or enhanced due diligence (EDD) procedures.

3.5 Technical and Usage Data

• Internet Protocol (IP) address, approximate geolocation derived from IP, browser type and version, operating system, and device identifiers;
• Session data including pages visited, time spent on pages, click-through paths, features used, and session duration;
• Cookie identifiers and related preference data (see our Cookie Policy);
• Error logs, crash reports, and application performance data; and
• Referral source (e.g. which page or link brought you to the Platform).

3.6 Communications Data

• Content of messages you send to us via email, support forms, or in-platform chat, including attachments;
• One-Time Password (OTP) issuance and verification event logs (timestamp, device, IP);
• Email open rates and click-through tracking for transactional and marketing emails (where applicable);
• Referral codes issued to you and referrals you have made; and
• Records of consent given or withdrawn, including timestamps.

3.7 Special Categories of Data

We do not intentionally collect or process special categories of personal data as defined under Section 30 of the NDPA (including data concerning health, religion, political opinions, ethnic origin, biometric data, or sexual orientation) unless explicitly required by law and with your express consent. If you inadvertently provide such data to us, we will delete it unless we are legally required to retain it.

3.8 Data We Do Not Collect Directly

We may receive personal data about you from third parties where you have authorised that third party to share it with us, including:

• Identity verification services that cross-check your BVN or NIN with NIBSS (Nigeria Inter-Bank Settlement System) or the National Identity Management Commission (NIMC);
• Paystack, regarding your payment method status and transaction outcomes; and
• Referrers who provide your contact details when inviting you to join the Cooperative, subject to your subsequent consent.

6.1 Payment Processors

We use Paystack Commerce Inc.(a Stripe company, licensed by CBN as a payment solution service provider) to process all card and bank transfer payments on our Platform. When you make a payment, Paystack receives the data necessary to process that payment. Paystack is PCI-DSS Level 1 certified. We have entered into a data processing agreement with Paystack. Please review Paystack’s Privacy Policy at paystack.com/privacy for full details of how they process your data.

6.2 Identity and KYC Verification Providers

We share identity data (name, BVN, NIN, date of birth) with authorised identity verification services, including NIBSS and NIMC-licensed verification partners, for the purpose of conducting statutory KYC checks. These providers process your data on our instructions and are bound by applicable Nigerian data protection and financial services regulations.

6.3 Regulatory and Law Enforcement Authorities

We may be required by law to disclose your personal data to:

• The Central Bank of Nigeria (CBN) under its supervisory and regulatory powers;
• The Nigeria Financial Intelligence Unit (NFIU) pursuant to the Money Laundering (Prevention and Prohibition) Act 2022 and the Terrorism (Prevention and Prohibition) Act 2022;
• The Economic and Financial Crimes Commission (EFCC) and the Independent Corrupt Practices and Other Related Offences Commission (ICPC) under their investigative powers;
• The Federal Inland Revenue Service (FIRS) or relevant State Internal Revenue Service (IRS) for tax compliance purposes;
• The Securities and Exchange Commission (SEC) where applicable;
• The Nigeria Data Protection Commission (NDPC) in the discharge of its regulatory functions under the NDPA 2023; and
• Any Nigerian court, tribunal, or law enforcement agency acting under a valid legal order, subpoena, or court order.

Where permitted by law, we will notify you before disclosing your data in response to such a request. If we are prohibited from notifying you, we will record the request and disclose only the minimum data necessary.

6.4 Technology and Cloud Service Providers

We engage the following categories of third-party service providers who process personal data on our behalf under data processing agreements:

• Cloud hosting and database(Supabase / AWS) — for storing member data and application infrastructure;
• Email and notification delivery— for sending transactional emails and OTPs;
• Application performance monitoring— for detecting errors and platform performance issues (data is anonymised or pseudonymised where possible); and
• Web hosting and content delivery(Vercel) — for serving the Platform globally.

All third-party processors are required by contract to: (a) process personal data only on our documented instructions; (b) implement appropriate technical and organisational security measures; (c) not engage sub-processors without our prior written consent; and (d) assist us in complying with our obligations under the NDPA 2023.

6.5 Professional Advisers

We may share your data with our lawyers, auditors, accountants, and insurers on a need-to-know basis, subject to professional confidentiality obligations.

6.6 Business Transfers

In the event of a merger, acquisition, restructuring, or dissolution of Atheq LLP or Orglobal Tech Network Ltd., personal data held by us may be transferred to a successor entity. We will notify affected members in advance and ensure equivalent privacy protections are in place before any transfer occurs.

6.7 Cross-Border Data Transfers

Some of our technology providers (including cloud infrastructure and email service providers) may be located outside Nigeria. Where we transfer your personal data to a country that the NDPC has not determined provides adequate data protection, we will ensure that appropriate safeguards are in place, which may include:

• Standard contractual clauses approved by the NDPC;
• The recipient’s adherence to binding corporate rules; or
• Your explicit consent to the transfer, following disclosure of the risks.

You may obtain a copy of the safeguards applicable to any specific cross-border transfer by contacting our DPO.

8.1 Technical Measures

• Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher (HTTPS enforced);
• Encryption at rest: Sensitive data fields (BVN, bank account numbers, NIN) are encrypted at rest using AES-256 encryption;
• Database security: Row-level security (RLS) policies are enforced at the database layer, ensuring that members can only access their own data;
• Authentication: OTP-based two-step verification is required for account access and all sensitive actions (including withdrawal requests and profile changes);
• Access controls: Role-based access control (RBAC) limits internal staff access to personal data on a strict need-to-know basis; and
• Infrastructure security: Our cloud infrastructure is hosted in ISO 27001-certified data centres with physical access controls, redundancy, and regular security patching.

8.2 Organisational Measures

• A designated Data Protection Officer (DPO) who oversees compliance with this policy and applicable data protection law;
• Staff data protection training conducted at least annually and upon onboarding;
• Data processing agreements with all third-party processors;
• A documented data breach response procedure (see Section 8.3); and
• Regular privacy impact assessments (PIAs) for new processing activities involving sensitive data.

8.3 Data Breach Response

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify the Nigeria Data Protection Commission (NDPC) within 72 hours of becoming aware of the breach, in accordance with Section 40 of the NDPA 2023;
• Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms, providing information about the nature of the breach, the data affected, the likely consequences, and the measures taken or proposed to address the breach; and
• Maintain an internal register of all data breaches, including those not required to be notified, detailing the facts, effects, and remedial actions taken.

No method of electronic transmission or storage is completely secure. While we take all commercially reasonable steps to protect your data, we cannot guarantee absolute security. You are responsible for keeping your account credentials (email, OTP) confidential and for promptly notifying us if you suspect unauthorised access to your account.

9.1 How to Submit a Request

To exercise any of the above rights, please send a written request to our Data Protection Officer at privacy@atheqpartners.com. Your request should include:

• Your full name and registered email address;
• A clear description of the right you wish to exercise; and
• Sufficient information for us to verify your identity (we may request a copy of a government-issued ID).

We will respond to your request within 30 days of receipt. In complex or high-volume cases, we may extend this period by a further 60 days, in which case we will notify you within the initial 30-day period. There is no charge for making a request unless the request is manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee or decline the request.

9.2 Complaints to the NDPC

If you are not satisfied with our response to your request or believe we are processing your personal data in a manner that violates applicable Nigerian data protection law, you have the right to lodge a complaint with the:

We would, however, appreciate the opportunity to address your concerns before you approach the NDPC, so we encourage you to contact us first.