NDPR / NDPA Compliance Addendum

Back to Legal hub
🔒 Data protection

NDPR / NDPA Compliance Addendum

How we satisfy each substantive obligation under the Nigeria Data Protection Act 2023 and the NDPR 2019 — lawful-basis matrix, subject-rights workflow, breach notification, and DPO contact.

Version 1.0 Effective 1 July 2026

NDPR / NDPA Compliance Addendum

This addendum maps our practice to specific articles of the Nigeria Data Protection Act 2023 ("NDPA") and the Nigeria Data Protection Regulation 2019 ("NDPR"). It complements — not replaces — our Data Protection Policy (v1.3).

Data Controller

Qonstruct-Mart Limited (a Nigerian company; RC pending) is the data controller for all personal data collected through qonstructmart.com and our mobile applications.

Data Protection Officer

Adaeze Okonkwo (DPO) dpo@qonstruct-mart.com Registered with the Nigeria Data Protection Commission (NDPC) under DPO registration NDPC/DPO/QM/2026/0001 (pending finalisation).

Lawful basis — per processing purpose

| Purpose | Lawful basis (NDPA § 25) | Notes | |---|---|---| | Operating your account | Contract (§25(1)(b)) | Required to deliver the service | | KYC (BVN / NIN / face) | Legal obligation (§25(1)(c)) | NFIU / CBN requires it | | Sanctions / PEP screening | Legal obligation (§25(1)(c)) | NFIU | | Marketing emails | Consent (§25(1)(a)) | You can withdraw at any time | | Welcome email sequence | Consent (§25(1)(a)) + legitimate interest | Opt-out one click | | Public professional profile | Consent (§25(1)(a)) | Off by default; opt-in to publish | | Push notifications | Consent (§25(1)(a)) | OS-level prompt | | Fraud detection (device fingerprint, SIM-swap signals) | Legitimate interest (§25(1)(f)) | Cannot be turned off without losing access | | Audit-v2 logging | Legal obligation + legitimate interest | 7-year retention | | FIRS / WHT reporting | Legal obligation | Tax statute | | Mortgage data sharing with lender | Consent + contract | You select the lender; share-button is explicit |

Cross-border transfers (NDPA § 41)

Production data is hosted in Lagos (AWS af-west-1). Transfers to processors outside Nigeria are limited to:

  • Smile Identity (Kenya) — Adequacy comparable to NDPA; under

binding processor agreement.

  • Cloudflare (global edge) — TLS-terminated only; no application

data leaves Nigeria.

  • Paystack (Nigeria-headquartered)
  • Flutterwave (Nigeria-headquartered)
  • Termii (Nigeria-headquartered)

We do not transfer raw PII to any other jurisdiction without your specific consent and a documented transfer mechanism.

Subject rights workflow

Submit any subject-rights request to privacy@qonstruct-mart.com or in-app at /me/privacy. We acknowledge within 5 working days and respond substantively within 30 days (extendable once by 30 days for complex requests, with notice to you).

| Right | NDPA § | Our SLA | |---|---|---| | Access | § 34 | 30 days | | Correction | § 35 | 5 days | | Erasure | § 36 | 30 days (7-year holds preserved) | | Restriction | § 37 | 5 days | | Portability | § 38 | 30 days (JSON + ZIP) | | Objection | § 39 | Immediate for marketing; 5 days for legitimate-interest | | Not to be subject to automated decisions | § 40 | Human review always available for matching, scoring, suspension |

Automated decision-making (NDPA § 40)

We use automation in three places:

  1. AI matching — surfaces candidate matches for projects + jobs.

You can always see the full list and override our ranking.

  1. Anti-fraud scoring — may flag a session for review. You can

request a human review by emailing privacy@qonstruct-mart.com; we respond within 24 hours.

  1. Title Health Score — a public-records-driven indicator for real

estate listings. The underlying data is shown so you can disagree.

No suspension, KYC rejection, or financial decision is made by automation alone. A human in our Trust & Safety team is always the final decision-maker.

Breach notification (NDPA § 43)

In a confirmed breach of personal data affecting your account, we will notify:

  • The NDPC within 72 hours of becoming aware.
  • You within 72 hours of becoming aware, by both email and

in-app banner. The notice will tell you: what happened, what data, what we did about it, and what you should do.

Children's data (NDPA § 31)

The platform is for users 18 and over. We do not knowingly process children's data. If you believe we have, contact the DPO and we will erase it within 7 days.

Complaints

  1. First, contact our DPO — dpo@qonstruct-mart.com.
  2. If unresolved within 30 days, you can complain to the NDPC

directly: ndpc.gov.ng/complaints (Plot 1257, Adetokunbo Ademola Crescent, Wuse II, Abuja).

  1. You retain the right to seek judicial remedy under NDPA § 51.

Annual NDPR audit

As a data controller of major importance (transactions on PII of > 200,000 data subjects), we file an annual NDPR audit with the NDPC through a Data Protection Compliance Organisation (DPCO). The 2026 audit will be filed by KPMG Nigeria DPCO. The summary will be published at /legal/ndpr-audit-2026 when filed.

Questions about this policy? Email legal@qonstruct-mart.com.