NDPR / NDPA Compliance Addendum
This addendum maps our practice to specific articles of the Nigeria Data Protection Act 2023 ("NDPA") and the Nigeria Data Protection Regulation 2019 ("NDPR"). It complements — not replaces — our Data Protection Policy (v1.3).
Data Controller
Qonstruct-Mart Limited (a Nigerian company; RC pending) is the data controller for all personal data collected through qonstructmart.com and our mobile applications.
Data Protection Officer
Adaeze Okonkwo (DPO) dpo@qonstruct-mart.com Registered with the Nigeria Data Protection Commission (NDPC) under DPO registration NDPC/DPO/QM/2026/0001 (pending finalisation).
Lawful basis — per processing purpose
| Purpose | Lawful basis (NDPA § 25) | Notes | |---|---|---| | Operating your account | Contract (§25(1)(b)) | Required to deliver the service | | KYC (BVN / NIN / face) | Legal obligation (§25(1)(c)) | NFIU / CBN requires it | | Sanctions / PEP screening | Legal obligation (§25(1)(c)) | NFIU | | Marketing emails | Consent (§25(1)(a)) | You can withdraw at any time | | Welcome email sequence | Consent (§25(1)(a)) + legitimate interest | Opt-out one click | | Public professional profile | Consent (§25(1)(a)) | Off by default; opt-in to publish | | Push notifications | Consent (§25(1)(a)) | OS-level prompt | | Fraud detection (device fingerprint, SIM-swap signals) | Legitimate interest (§25(1)(f)) | Cannot be turned off without losing access | | Audit-v2 logging | Legal obligation + legitimate interest | 7-year retention | | FIRS / WHT reporting | Legal obligation | Tax statute | | Mortgage data sharing with lender | Consent + contract | You select the lender; share-button is explicit |
Cross-border transfers (NDPA § 41)
Production data is hosted in Lagos (AWS af-west-1). Transfers to processors outside Nigeria are limited to:
- Smile Identity (Kenya) — Adequacy comparable to NDPA; under
binding processor agreement.
- Cloudflare (global edge) — TLS-terminated only; no application
data leaves Nigeria.
- Paystack (Nigeria-headquartered)
- Flutterwave (Nigeria-headquartered)
- Termii (Nigeria-headquartered)
We do not transfer raw PII to any other jurisdiction without your specific consent and a documented transfer mechanism.
Subject rights workflow
Submit any subject-rights request to privacy@qonstruct-mart.com or in-app at /me/privacy. We acknowledge within 5 working days and respond substantively within 30 days (extendable once by 30 days for complex requests, with notice to you).
| Right | NDPA § | Our SLA | |---|---|---| | Access | § 34 | 30 days | | Correction | § 35 | 5 days | | Erasure | § 36 | 30 days (7-year holds preserved) | | Restriction | § 37 | 5 days | | Portability | § 38 | 30 days (JSON + ZIP) | | Objection | § 39 | Immediate for marketing; 5 days for legitimate-interest | | Not to be subject to automated decisions | § 40 | Human review always available for matching, scoring, suspension |
Automated decision-making (NDPA § 40)
We use automation in three places:
- AI matching — surfaces candidate matches for projects + jobs.
You can always see the full list and override our ranking.
- Anti-fraud scoring — may flag a session for review. You can
request a human review by emailing privacy@qonstruct-mart.com; we respond within 24 hours.
- Title Health Score — a public-records-driven indicator for real
estate listings. The underlying data is shown so you can disagree.
No suspension, KYC rejection, or financial decision is made by automation alone. A human in our Trust & Safety team is always the final decision-maker.
Breach notification (NDPA § 43)
In a confirmed breach of personal data affecting your account, we will notify:
- The NDPC within 72 hours of becoming aware.
- You within 72 hours of becoming aware, by both email and
in-app banner. The notice will tell you: what happened, what data, what we did about it, and what you should do.
Children's data (NDPA § 31)
The platform is for users 18 and over. We do not knowingly process children's data. If you believe we have, contact the DPO and we will erase it within 7 days.
Complaints
- First, contact our DPO — dpo@qonstruct-mart.com.
- If unresolved within 30 days, you can complain to the NDPC
directly: ndpc.gov.ng/complaints (Plot 1257, Adetokunbo Ademola Crescent, Wuse II, Abuja).
- You retain the right to seek judicial remedy under NDPA § 51.
Annual NDPR audit
As a data controller of major importance (transactions on PII of > 200,000 data subjects), we file an annual NDPR audit with the NDPC through a Data Protection Compliance Organisation (DPCO). The 2026 audit will be filed by KPMG Nigeria DPCO. The summary will be published at /legal/ndpr-audit-2026 when filed.