INTRODUCTION
This privacy policy describes the information we collect from you when you use our website. In collecting this information, we are acting as a data controller and, by law, we are required to provide you with information about us, about why and how we use your data, and about the rights you have over your data.
ACCEPTANCE OF THE POLICY
You accept this Privacy Policy by using our website (referred to herein as the “Site”), placing an order for Services (as defined in the Terms of Use) with us or joining our email list. IF YOU DO NOT AGREE TO THE TERMS OF THIS PRIVACY POLICY, PLEASE STOP USING THE SERVICES IMMEDIATELY.
WHO WE ARE
Ercas Integrated Solutions Limited (“Ercas”, “the Company”, “We”, “Us” or “Our”) offers an online payment gateway that makes it easy for merchants to accept electronic payments from Customers. Ercas values the Privacy of Merchants who use our website and all related sites, applications, services and tools (collectively, our “Services”).
The services are primarily intended for and provided to businesses and other organizations (“Merchants”), and not individual consumers. Thus, we generally process personal data at the direction of and on behalf of Merchants. When we do, we do so as a Service Provider or a “data processor” to those Merchants, but we do not control and are not responsible for the privacy practices of those Merchants. If you are a Customer of an Ercas Merchant, you should read that Merchant’s Privacy Policy and direct any privacy policy questions to that Merchant.
This Privacy Policy does not apply to Services that are not owned or controlled by Ercas, including third party websites and services of other Ercas Merchants. This Privacy Policy applies to all forms of systems, operations and processes within the Ercas environment that involve the processing of personal data.
ERCAS INTEGRATED SOLUTIONS LIMITED
We have a qualified Data Protection Officer(s) (DPO) responsible for overseeing the Company’s data protection strategy and implementation to ensure compliance with the NDPA requirements. The DPO is knowledgeable on data privacy and protection principles and is familiar with the provisions of the NDPA.
HOW WE USE YOUR INFORMATION
HOW YOU USE OUR WEBSITE
When you use our website to browse our products and services and view the information we make available, a number of cookies are used by us and by third parties to allow the website to function, to collect useful information about visitors and to help to make your user experience better. Some of the cookies we use are strictly necessary for our website to function, and we do not ask for your consent to place these on your computer. These cookies are shown below.
COOKIE NAME | PURPOSE |
Secure-nextauth-sessiontoken | Used to hold authentication information. It stores a CSRF session token that ensures the user’s authentication session is secure. It is a security measure against Cross-Site Scripting attacks. |
Secure-nextauthcallbackurl | It stores the callback URL that the user will be redirected to after successfully authenticating, whenever a session is accessed by the client. |
next-auh.csrftoken | It stores a Cross-Site Request Forgery (CSRF) token. CSRF tokens are used to protect against CSRF attacks by ensuring that requests made to the server originate from the legitimate application. |
Table 1: Cookies (strictly necessary)
USING YOUR PERSONAL INFORMATION
We use your information in order to provide you with the Service and to comply with our legal requirements and internal guidelines. This means that we will use the information to set up your account, provide you with support regarding the Service, communicate with you for updates, marketing offers or concerns you may have and conduct statistical and analytical research to improve the Service.
DATA CONFIDENTIALITY RIGHTS
Your information is regarded as confidential and will not be divulged to any third party except under legal and/or regulatory conditions. You have the right to request sight of, and copies of, any and all information we keep on you, if such requests are made in compliance with the Freedom of Information Act and other relevant enactments. While ERCAS is responsible for safeguarding the information entrusted to us, your role in fulfilling confidentiality duties includes, but is not limited to, adopting and enforcing appropriate security measures such as non-sharing of passwords and other platform login details, adherence to physical security protocols on our premises, and dealing only with authorized officers of the Agency.
DISCLOSURE OF INFORMATION
We may disclose your personal information to:
• Agencies for the purposes listed above, for example fraud prevention agencies and law enforcement agencies
• Other companies / entities for the purposes listed above, or when we believe it will enhance the services and products we can offer to you, but only where you have not objected to such sharing
We may also disclose your information:
• Where we have a duty or a right to disclose in terms of law or industry codes; or
• Where we believe it is necessary to protect our rights.
DELETING PERSONAL INFORMATION
You may request that we delete your personal information, and we shall attempt to accommodate such requests. However, we may retain and use personal information for such periods of time as required or permitted by law or best business practices.
DATA RETENTION
We will retain your personal data for as long as is required to provide our services to you and comply with our legal and statutory obligations. Even after discontinuance of our services, we may retain certain personal data and transaction data to comply with legal and statutory obligations.
All personal data shall be destroyed by us where possible. For personal data and records obtained, used, and stored by us, we will carry out reviews of the data periodically to verify the accuracy, purpose, validity, and requirements to retain.
The length of storage of personal data shall, among other things, be determined by:
• the contract terms agreed between you and us or the length of time it is needed for the purpose for which it was obtained; or
• whether the transaction or relationship has statutory implication or a required retention period; or
• whether there is an express request for deletion of the personal data by you, provided that such request will only be treated where you are not under any investigation which may require us to retain your personal data, or there is no subsisting contractual arrangement with you that would require the processing of the personal data; and
• whether we have a lawful basis for retaining the data beyond the period for which it is necessary to serve the original purpose.
SECURITY
We have implemented technical, physical and administrative safeguards designed to protect personal information against loss and against unauthorized access, use, and disclosure. Passwords are stored on our server in encrypted form. We have personal information retention processes designed to retain personal information as necessary for the purposes stated above or to otherwise meet legal requirements. Unless this Privacy Policy states otherwise, our employees are required to keep the information set out here confidential.
WHEN YOU SUBMIT AN ENQUIRY VIA OUR WEBSITE
When you submit an enquiry via our website, we ask you for your name, contact telephone number and email address.
We use this information to respond to your query, including providing you with any requested information about our products and services. We may also email you after your enquiry in order to follow up on your interest and ensure that we have answered your questions to your satisfaction. We will do this based on our legitimate interest in providing accurate information prior to a sale.
Your enquiry is stored and processed. Your enquiry information is not shared with a third party except when absolutely required for the resolution of issues. It is used to respond to your enquiries in order to serve you better.
We do not use the information you provide to make any automated decisions that might affect you.
We keep enquiry emails for one year, after which they are securely archived and kept for seven years, when we delete them. CRM records are kept for three years after the last contact with you.
TRANSFER OF PERSONAL DATA
As part of our service provision, we may rely on third-party servers and databases colocated with hosting providers resident in foreign jurisdictions, which constitutes the transfer of your personal data to computers or servers in foreign countries. We take steps designed to ensure that the data we collect under this Privacy Policy is processed and protected according to the provisions of this Policy and applicable law wherever the data is located.
Where personal data is to be transferred to a country outside Nigeria, Ercas shall put adequate measures in place to ensure the security of such Personal Information. Any transfer of Personal Information out of Nigeria will be in accordance with the provisions of relevant data protection regulations. In particular, Ercas shall, among other things, use contractual terms to ensure protection of the data or ensure the country has adequate data protection laws (i.e. listed in the National Information Technology Development Agency’s (“NITDA”) White List of Countries, or the General Data Protection Regulation’s (“GDPR”) Adequacy List).
Should you wish to transfer personal data to a country deemed to have inadequate data protection laws, Ercas will take all necessary steps to ensure that informed consent is obtained from you, and you are aware of the risks entailed with such transfer. In any instance, Ercas will ensure Personal Information is transmitted in a safe and secure manner. Details of the protection given when your Personal Information is transferred abroad, and details of the basis of such transfers shall be provided to you upon request.
WHEN YOU ARE FUNDING YOUR WALLET FROM THE USE OF OUR WEBSITE
When you fund wallets from the use of our websites via card, we ask you for card information.
We will use your information to process your funding request and fund the wallet from the processing of your transactions. We will also send you a notification via text and we may use your telephone number to contact you regarding your wallet funding.
We require this information in order to process your payment, deliver your products or services and fulfil our contract with you.
Your information is not stored on our website.
We do not use the information you provide to make any automated decisions that might affect you.
OTHER TYPES OF TRANSACTIONS VIA OUR WEBSITE
No other transactions, apart from checkout on the payment gateway, merchant management and API requests, take place on the website.
YOUR RIGHTS AS A DATA SUBJECT
By law, you can ask us what information we hold about you, and you can ask us to correct it if it is inaccurate. If we have asked for your consent to process your personal data, you may withdraw that consent at any time.
If we are processing your personal data for reasons of consent or to fulfil a contract, you can ask us to give you a copy of the information in a machine-readable format so that you can transfer it to another provider.
If we are processing your personal data for reasons of consent or legitimate interest, you can request that your data be erased.
You have the right to ask us to stop using your information for a period of time if you believe we are not doing so lawfully.
Finally, in some circumstances you can ask us not to reach decisions affecting you using automated processing or profiling.
To submit a request regarding your personal data by email, post or telephone, please use the contact information provided below in the “Your Right To Complain” section of this policy.
YOUR RIGHT TO COMPLAIN
If you have a complaint about our use of your information, we would prefer you to contact us directly in the first instance so that we can address your complaint. Kindly contact us via the information below:
• Phone: +2348132515543
• Email: support@ercas.com.ng
• Address: House 5, Plot 265, S.E. Asebe Street, Dantata Estate, Opposite Emadeb Energy Filling Station, Beside Ga247-Kingfem Plaza, Mabushi, Abuja.
However, you can also contact the Data Protection Commission via their website at https://ndpc.gov.ng/ or write to them at:
Nigerian Data Protection Commission (NDPC)
Address: 12 Clement Isong Street, Asokoro, Abuja, Nigeria.
DATA PROTECTION AUDIT
We conduct an annual data protection audit through a licensed Data Protection Compliance Organization (DPCO) to verify Ercas’ compliance with the provisions of the NDPA and other applicable data protection laws. The audit report will be certified and filed by the DPCO to the NDPC.
GOVERNING LAW
This Privacy Policy is made pursuant to the Nigeria Data Protection Act (2023) and other relevant Nigerian laws, regulations or international conventions applicable to Nigeria. Where any provision of this Policy is deemed inconsistent with a law, regulation or convention, such provision shall be subject to the overriding law, regulation or convention.
UPDATES TO THIS PRIVACY POLICY
We regularly review and, if appropriate, update this privacy policy as our services and use of personal data evolve. If we want to make use of your personal data in a way that we have not previously identified, we will contact you to provide information about this and, if necessary, to ask for your consent.
We will update the version number and date of this document each time it is changed. This policy was last reviewed on 28th May