Privacy & Data Protection

ECOMLIT Privacy Policy

To explain in a transparent, lawful and user-friendly way how ECOMLIT collects, uses, discloses, stores, secures and otherwise processes personal data.

Publication Details

Version: 1.0
Effective Date: [Insert Effective Date]
Review Cycle: Annual or upon material change

Document overview

Topic | Details
Document purpose | To explain in a transparent, lawful and user-friendly way how ECOMLIT collects, uses, discloses, stores, secures and otherwise processes personal data.
Primary audience | Merchants and merchant applicants, merchant administrators and team members, end customers interacting with merchant stores, website visitors, support contacts, partners and other individuals whose data we process.
Business model context | ECOMLIT operates a commerce-enablement platform similar to a hosted merchant platform. It generally onboards and services merchants rather than directly selling most goods to retail customers.
Core legal alignment | Nigeria Data Protection Act 2023, the NDPC General Application and Implementation Directive 2025, Section 37 of the 1999 Constitution, and related Nigerian legal and regulatory obligations applicable to privacy, security, consumer protection, tax, financial crime prevention and dispute management.
Document type | Internal & External.

Quick Guide to This Policy

The bullet points below are included to help users quickly understand the main privacy themes in this Policy. They are provided for convenience only. If there is any conflict between this summary and the operative provisions below, the operative provisions will prevail.

  • We collect personal data that is necessary, relevant and proportionate for a commerce platform: merchant identity and KYB data, account credentials, order and transaction records, support communications, device and usage data, security logs, and preference data.

  • We do not use one single lawful basis for all processing. Depending on context, we rely on consent, contract, legal obligation, legitimate interests, vital interests, and other lawful bases recognised by Nigerian law and Global data protection regulation.

  • Merchants remain responsible for the privacy notices they present to their own customers, but we also owe direct privacy duties where we act as a controller or processor in relation to those data flows.

  • Where we rely on third-party processors, hosting providers, communications vendors, payment providers or other vendors, we implement contractual, technical and organisational measures intended to protect personal data.

  • Data subject rights may include the right to be informed, access, rectification, objection, restriction, portability, erasure, complaint to the NDPC, and protection against certain automated decisions, subject to legal limitations and context.

  • If we suffer a reportable personal data breach, we will manage it in line with applicable Nigerian law and our internal incident response processes, including notice to the NDPC and affected individuals where required.

Important notice

Important Privacy Notice

This Privacy Policy explains how ECOMLIT TECH. LTD ("ECOMLIT", "we", "us" or "our") processes personal data in connection with our website, hosted commerce platform, merchant onboarding, billing, customer support, analytics, security, compliance, and related services. It is deliberately comprehensive. We want merchants, end customers, visitors and regulators to understand not only what data we process, but also why we process it, the legal basis we rely upon, how long we keep it, with whom we share it, and what rights data subjects may exercise.

Because ECOMLIT operates a commerce platform, our role under privacy law changes depending on context. For example, we generally act as a data controller when handling merchant application data, merchant account information, billing records, our own website analytics, support communications, and compliance or security investigations. We may act as a processor or service provider when we host, store or otherwise process merchant customer data strictly on behalf of a merchant and under the merchant's instructions. In limited situations, we may also act as an independent controller for our own legal obligations, fraud prevention, network security, product integrity, and the defence of claims.

This Policy is designed to align primarily with the Nigeria Data Protection Act 2023, the NDPC General Application and Implementation Directive 2025 and related Nigerian privacy, security and governance expectations. It is also written so that it can serve as a practical notice to platform users, not merely as a legal formality.

Reading guide

How to read this Policy

1. Sections 1 to 6 explain the scope of this Policy, ECOMLIT's privacy roles, the categories of people whose data we process, and the categories of personal data we collect.

2. Sections 7 to 14 explain where we get personal data from, our lawful bases, the purposes for which we use data, our controller-versus-processor position, our use of cookies and similar technologies, and any profiling or automated tools that materially affect privacy.

3. Sections 15 to 23 explain whom we share data with, cross-border transfers, retention, security, individual rights, how to exercise those rights, marketing choices, children's privacy, and our approach to third-party links and integrations.

4. Sections 24 to 30 explain our governance controls, breach handling, complaints, policy updates, contact details and supporting annexes with more operational detail.

Section 1

1. Privacy Statement and Purpose

ECOMLIT is committed to handling personal data in a lawful, fair, secure and transparent manner. Privacy is not treated as a one-time legal notice or a box-ticking exercise. It is part of the way we design features, onboard merchants, support customers, manage security, select vendors, respond to legal requests, and maintain trust in the platform.

This Policy has four primary purposes. First, it explains to data subjects what personal data ECOMLIT processes and the circumstances in which that processing occurs. Second, it describes the lawful bases and business reasons for our processing activities. Third, it sets out the choices and rights available to data subjects. Fourth, it documents the privacy safeguards, governance structures and accountability measures we use to support compliance and maintain confidence in our services.

Although this Policy is drafted for external publication, it is intentionally more detailed than a short marketing notice. The platform processes data relating to merchant applicants, merchant administrators, merchant team members, end customers interacting with merchant storefronts, support contacts, website visitors and technical users. A concise policy would leave material questions unanswered. We therefore prefer clarity over minimalism.

Nothing in this Policy is intended to limit any right available under applicable law. Where this Policy uses examples, descriptions or categories, those are intended to help understanding; they do not necessarily represent an exhaustive list of every processing activity ECOMLIT may perform. If we introduce new data uses that materially change the privacy position, we will update this Policy and, where required, give additional notice.

Section 2

2. Scope and Application of this Policy

This Policy applies to personal data processed by or on behalf of ECOMLIT in connection with our website, applications, merchant onboarding workflows, merchant account administration, support channels, communications, marketing, fraud prevention systems, compliance processes, analytics environments, infrastructure operations, and any other product or service that links to or references this Policy.

It applies whether the personal data is collected directly from a data subject, received from a merchant, obtained from a service provider, collected automatically through platform use, or generated internally through risk scoring, support case handling, monitoring, fraud analysis, security reviews or legal compliance activity.

This Policy covers both online and offline interactions. For example, it covers data we receive when someone creates an account, fills a web form, transacts through a merchant store hosted or enabled by ECOMLIT, opens a support ticket, attends a training or webinar, responds to a survey, interacts with us on social media, or communicates with us by email, phone, messaging channel or other support medium.

This Policy does not replace a merchant's own privacy policy to its customers. Merchants using the platform remain responsible for communicating their own privacy practices to their customers and other contacts. However, where ECOMLIT acts as a controller or processor in respect of the same data, our obligations still apply and this Policy explains those obligations.

This Policy should also be read alongside any other notice, terms, merchant agreement, cookie notice, data processing addendum, or feature-specific notice that ECOMLIT may publish. Where a more specific notice applies to a particular service or processing activity, that specific notice will supplement this Policy to the extent of the overlap.

Section 3

3. Legal and Regulatory Framework

This Policy is primarily aligned with the Nigeria Data Protection Act 2023 and the Nigeria Data Protection Commission's General Application and Implementation Directive 2025. It is also informed by Section 37 of the Constitution of the Federal Republic of Nigeria 1999, which protects privacy, and by other Nigerian legal and regulatory requirements relevant to security, consumer protection, financial integrity, taxation, records retention, dispute management and lawful disclosure obligations.

In preparing this Policy, ECOMLIT has particularly taken into account the Nigerian rules and guidance on the principles of personal data protection, lawful bases for processing, transparency to data subjects, cookies and similar tracking technologies, rights of data subjects, breach notification, data processing agreements, cross-border transfers, designation and obligations of data controllers and processors of major importance, and data protection officer requirements.

ECOMLIT operates in the e-commerce and technology environment. Depending on the scale of data processing, the number of data subjects, the sensitivity of the data, the degree of reliance on third-party hosting and cross-border infrastructure, and the significance of its services to the digital economy, ECOMLIT may be subject to registration, audit or other obligations applicable to controllers or processors of major importance. This Policy is drafted to support that level of governance and disclosure even where operational details may evolve over time.

Where ECOMLIT provides services into or from other jurisdictions, or where a data subject is located in a jurisdiction with additional privacy requirements, ECOMLIT may apply supplementary controls, contractual terms or notices to address those requirements. Nothing in this Policy should be read as reducing the standard that applies where a more protective law is mandatory for a specific processing activity.

Section 4

4. Definitions and Interpretation

For ease of reading, a detailed Definitions and Interpretation section is included in Annex 4. In summary, when this Policy refers to 'personal data' it means information that relates to an identified or identifiable natural person. When this Policy refers to 'merchant customer data' it generally means personal data that a merchant collects, stores or uses through ECOMLIT's platform in relation to the merchant's own customers, visitors or contacts. When this Policy refers to 'process' or 'processing', it includes collection, recording, organisation, storage, use, disclosure, transfer, analysis, restriction, deletion and any other handling of personal data.

References to 'controller' mean an entity that determines why and how personal data is processed. References to 'processor' mean an entity that processes personal data on behalf of a controller. In practice, ECOMLIT may perform both roles in different parts of the service. For that reason, this Policy repeatedly distinguishes between merchant account data, platform operations data, and merchant customer data.

In this Policy, examples introduced by wording such as 'including', 'for example', 'such as' or 'may include' are illustrative and are not intended to be limiting. Headings are included for readability only and do not alter the meaning of the substantive text. Where a term is used but not specifically defined, it should be interpreted in line with applicable law, regulatory usage or its ordinary meaning in the privacy and commerce context.

Section 5

5. ECOMLIT's Privacy Roles and Processing Contexts

ECOMLIT's role under data protection law depends on the context in which personal data is processed. This distinction is essential. A single platform can be a controller for some data sets, a processor for others, and an independent controller for specific purposes that arise from legal compliance, platform security or fraud management.

As a controller, ECOMLIT generally determines the purposes and means of processing when dealing with website visitor data, merchant application data, merchant account administrator data, billing data, contract records, marketing preferences, support interactions, product usage analytics relating to our own service, recruitment information, compliance and risk files, vendor records, and security logs maintained to protect our environment.

As a processor or service provider, ECOMLIT may process merchant customer data on behalf of the merchant where we provide hosting, order management, checkout support, customer relationship tools, communications tooling, analytics, support functions, or other platform features used by the merchant to manage its own relationship with end customers. In that context, the merchant ordinarily decides why the data was collected in the first place, what the merchant wants to do with it, and how long the merchant wants to retain it, subject to the platform features and applicable law.

ECOMLIT may also be an independent controller for certain limited processing of merchant customer data where we need to use that data for our own legitimate and lawful purposes, such as maintaining platform security, preventing fraud, detecting abuse, meeting tax or records obligations, complying with lawful requests from regulators or law enforcement, investigating breaches of our terms, or using aggregated and de-identified data to understand service performance. In those cases, our processing is not carried out solely on the merchant's instructions.

Where merchant customer data is processed on behalf of a merchant, ECOMLIT expects the merchant relationship to be supported by appropriate contractual terms, including a data processing addendum or equivalent terms where required. Where the role is unclear in a given scenario, ECOMLIT will analyse the factual context, the purpose of the processing, contractual responsibilities, operational control, and applicable law in order to classify the role appropriately.

Section 6

6. Categories of Data Subjects

ECOMLIT may process personal data relating to a broad range of individuals, depending on how the platform is used. The first category comprises merchant applicants and merchants. This includes sole proprietors, business owners, directors, beneficial owners, authorised signatories, nominated representatives and other persons whose information is submitted as part of account creation, KYB verification, ownership verification, compliance review, contract management or ongoing merchant support.

The second category comprises merchant administrators, employees, contractors and team members who are given access to a merchant account or who otherwise use ECOMLIT's dashboard, tools, support channels, integrations or platform controls. This may include their login details, role permissions, device information, account activity logs and communications with ECOMLIT.

The third category comprises end customers, prospective customers and other contacts who interact with a merchant's storefront, checkout page, invoices, customer communications or support channels supported by ECOMLIT. The exact data involved depends on what the merchant collects and the ECOMLIT features used by the merchant.

The fourth category comprises website visitors and marketing contacts who browse ECOMLIT's public pages, sign up for demos, attend events, subscribe to newsletters, download materials, request contact from sales or support, or interact with us on our public channels.

The fifth category comprises vendors, partners, implementation contacts, integration providers and professional advisers whose personal data is processed as part of procurement, service delivery, technical integration, billing, legal support, audits or other business operations.

The sixth category comprises complainants, regulators, investigators, dispute participants and other third parties whose personal data is processed in connection with legal requests, complaints, fraud reports, governance reviews, dispute resolution or compliance matters.

Section 7

7. Categories of Personal Data We Collect

The categories of personal data processed by ECOMLIT depend on the context, but they generally include identity and profile data, such as names, business names, usernames, display names, titles, date of birth where necessary, photographs on identification documents, and unique identifiers assigned within our systems.

We may collect contact data, such as email addresses, telephone numbers, business addresses, billing addresses, service addresses, social media handles, and other contact channels used for onboarding, account support, billing, security or communications.

We may collect business and KYB data, such as incorporation details, registration numbers, tax or equivalent business identifiers, industry sector, line of business, store URL, ownership structure, beneficial ownership information, director and signatory details, proof of address, business licences, verification documents, and statements or information relating to the nature of the merchant's business and expected platform usage.

We may collect financial and transaction-related data, such as billing records, subscription plan information, invoices, settlement references, order values, refund records, payment processor responses, masked payment card information where provided by a processor, bank account or payout information, chargeback records, wallet or account balance data, and tax-related information where relevant.

We may collect technical, device and usage data, such as IP addresses, browser type, operating system, device identifiers, log-in records, timestamps, account activity, feature usage, session information, error logs, performance logs, security events, approximate location derived from IP, cookies, pixels, SDK identifiers and other telemetry used to secure and improve the service.

We may collect communications and support data, such as emails, chat transcripts, call records where permitted, attachments, ticket history, merchant-submitted screenshots, complaints, feedback, product survey responses, and any information a user chooses to provide when contacting us.

We may collect compliance, risk and security data, such as sanctions and watchlist screening outcomes, fraud indicators, unusual activity flags, behavioural risk markers, document authenticity review results, adverse media hits, complaints history, and records of legal or regulatory requests.

In certain limited contexts, we may process sensitive personal data or data that requires heightened protection under law. We do not seek to collect such data unless it is relevant and lawful to do so. Examples are addressed in Section 12.

Section 8

8. Sources of Personal Data

ECOMLIT collects personal data directly from data subjects when they create accounts, submit onboarding forms, enter their details at checkout, communicate with support, subscribe to communications, participate in events, or otherwise interact with us. Direct collection often provides the most transparent basis for processing because the individual can see the fields they are completing and the context in which the data is provided.

We also receive personal data from merchants. For example, a merchant may upload customer data to the platform, add team members to a merchant account, submit documents about directors or beneficial owners, or request support that requires the inclusion of customer or order information. Where we receive data from a merchant, the merchant remains responsible for ensuring that it had an appropriate basis to provide the data to us.

We may receive data from third-party service providers and partners, such as payment processors, identity verification services, sanctions screening vendors, analytics providers, cloud hosting providers, messaging and communications vendors, fraud monitoring tools, CRM platforms, support software, or professional advisers. Such information is used only where there is a lawful reason and an operational need to do so.

We may also obtain data from public, regulatory or semi-public sources where appropriate. Examples include company registries, sanctions lists, watchlists, court filings, adverse media, internet sources, corporate websites, professional networking pages, and public enforcement announcements. We may use these sources to verify merchant representations, assess risk, or fulfil legal obligations.

Finally, some personal data is generated internally by ECOMLIT as part of using or securing the service. Examples include unique internal account IDs, session logs, audit trail records, support case numbers, screening results, fraud risk indicators, security incident records, and account status changes.

Section 9

9. Lawful Bases for Processing

ECOMLIT does not assume that all processing rests on a single legal basis. Instead, we evaluate the purpose and context of each processing activity and rely on the lawful basis that best fits that activity under applicable Nigerian law. This approach is important because a subscription billing activity is different from a fraud investigation, which is different from a marketing email, which is different from a merchant's instructions to process customer order data.

We rely on contract where the processing is necessary to take steps at the request of a data subject before entering into a contract, or to perform a contract with that data subject. Examples include creating a merchant account, providing platform access, administering a subscription, responding to a demo request, or providing merchant support necessary for the service.

We rely on legal obligation where we must process personal data in order to comply with a law, regulation, court order, lawful request, tax rule, accounting obligation, data protection duty, anti-fraud or security obligation, or other binding requirement. Examples include keeping certain records, responding to legal requests, preserving evidence, meeting data breach notification obligations, or complying with regulatory directives.

We rely on legitimate interests where the processing is reasonably necessary for the operation, security, improvement or lawful protection of our business or the platform, and where those interests are not overridden by the rights and freedoms of the data subject. Examples may include platform security, service analytics, product integrity, abuse prevention, limited business communications, vendor management, debt recovery, corporate governance, and the defence or establishment of legal claims. Where appropriate, we apply a structured balancing assessment to confirm that reliance on legitimate interests is appropriate.

We rely on consent where the law requires consent or where consent is the most appropriate lawful basis. Examples may include non-essential cookies and similar technologies, certain direct marketing communications, optional features, or situations where the individual should be able to make a free and informed choice without adverse consequences for saying no. Where consent is relied upon, we aim to ensure it is freely given, specific, informed and unambiguous, and that it can be withdrawn.

In limited situations, we may rely on vital interests where processing is necessary to protect someone's life or physical safety, or on public interest where the law clearly authorises or requires processing for a public function or public interest objective. These bases are expected to be less common in the context of a private commerce platform but may arise in specific safety, fraud or legal response scenarios.

Examples of how lawful bases may apply

Lawful basis | Typical platform context | Illustrative examples
Contract | Service delivery and account administration | Merchant sign-up, account provisioning, subscription billing, support tied to the service
Legal obligation | Mandatory compliance and recordkeeping | Tax records, lawful requests, breach notification, dispute and evidence preservation
Legitimate interests | Security and business operations | Fraud prevention, service analytics, vendor management, limited relationship communications
Consent | Optional or consent-driven activity | Non-essential cookies, some promotional messages, optional features
Vital interests / public interest | Exceptional circumstances | Emergency safety scenarios, lawful public-interest processing where applicable

Section 10

10. How We Use Personal Data

ECOMLIT uses personal data to provide, secure, support and improve the platform. For merchant applicants and merchants, this includes evaluating applications, verifying business identity and beneficial ownership, creating and managing accounts, administering subscriptions, enabling features, providing onboarding and support, issuing invoices, managing refunds or credits, communicating about platform changes, and maintaining records of the merchant relationship.

For merchant administrators and team members, we use personal data to authenticate logins, assign roles and permissions, facilitate collaboration within a merchant account, provide usage logs, troubleshoot issues, manage access security, send important notices, and maintain an audit trail of actions taken within the platform.

For end customers interacting with merchant storefronts, we use personal data as needed to host storefront functionality, process orders, provide checkout and order management features, enable communications and notifications, prevent fraud, secure transactions, and provide technical assistance to the merchant. Some of this processing is carried out on behalf of merchants; some may be performed by ECOMLIT in its own right where necessary for security, legal compliance or platform integrity.

For website visitors and prospects, we use data to operate our public website, understand traffic and engagement, improve pages and content, deliver requested materials, schedule demos, respond to enquiries, and, where appropriate, send updates or marketing communications based on the lawful basis relied upon.

We use personal data for security and fraud prevention purposes, including account monitoring, authentication, log analysis, threat detection, unusual behaviour reviews, bot detection, abuse prevention, incident investigation, platform integrity controls and dispute management. This type of processing is essential to protecting both ECOMLIT and its users.

We use personal data for analytics and product improvement, including service performance analysis, reliability measurement, feature adoption analysis, customer experience improvements, testing and debugging, trend analysis, and service planning. Where possible and appropriate, we use aggregated or de-identified data, but some analytics must necessarily begin with personal data before it can be reduced or transformed.

We use personal data for legal, compliance and governance purposes, including keeping statutory records, handling complaints, responding to regulators or law enforcement, defending or bringing legal claims, ensuring tax and accounting compliance, conducting audits, managing data subject requests, and fulfilling internal governance and assurance obligations.

We may also use personal data for carefully limited marketing and relationship management purposes, such as sending relevant updates, event invitations, educational content, product announcements or renewal reminders. Where consent is required, we will request it. Where legitimate interests are relied upon, we will provide an appropriate opportunity to object or unsubscribe.

Section 11

11. Merchant Store and End-Customer Data: Controller and Processor Position

Because ECOMLIT powers merchant-facing functionality, end-customer personal data is one of the most important and potentially misunderstood categories of data processed through the platform. This section explains the position in more detail.

When a merchant uses ECOMLIT to host a storefront, receive orders, manage customer records, send transactional notifications, analyse store performance or otherwise conduct its commerce operations, ECOMLIT may process personal data relating to the merchant's customers, prospective customers, recipients, subscribers or support contacts. Examples include names, shipping or billing details, order items, email addresses, phone numbers, order histories, customer messages, discount usage, support issues, and device or session data associated with the merchant's storefront.

In many of these scenarios, the merchant is the controller because the merchant decides why it wants to collect customer data, what product or service it is selling, what communications it wants to send, what retention period it intends to apply, and what lawful basis it relies upon for its own customer relationship. ECOMLIT may then act as the processor or service provider, supplying the technical means by which the merchant stores, transmits, views and manages that data.

ECOMLIT may nevertheless act as an independent controller for a limited subset of the same data where the processing is necessary for our own obligations and interests, such as platform security, fraud detection, systems monitoring, legal compliance, abuse prevention, the investigation of merchant breaches, response to lawful requests, service reliability analysis, or the defence of legal claims. Where practicable, we separate these purposes from merchant-instructed processing and limit them to what is necessary.

Merchants remain responsible for presenting an appropriate privacy notice to their customers, obtaining any necessary consents, honouring rights requests that belong to them as controller, and using ECOMLIT only in ways that are lawful and consistent with merchant agreements. If an end customer sends ECOMLIT a request about data that is controlled by a merchant, ECOMLIT may refer the request to the merchant, help the merchant respond, or respond directly where required by law or where ECOMLIT is acting as a controller for that processing context.

Where the law or the contract requires a separate data processing agreement, ECOMLIT expects that arrangement to describe the subject matter and duration of processing, the nature and purpose of processing, the types of personal data, the categories of data subjects, the documented instructions of the merchant, the parties' security obligations, audit or assurance rights where relevant, sub-processor rules, breach cooperation, and deletion or return obligations at the end of the service relationship.

Section 12

12. Sensitive Personal Data and Special Cases

ECOMLIT does not generally require sensitive personal data for ordinary browsing of its public website or for routine low-risk enquiries. However, some services and legal obligations may require processing of data that is sensitive, special, high-risk or otherwise deserving of heightened care.

Examples may include identification documents submitted for merchant verification; photographs embedded in identity documents; personal data that reveals or is capable of implying financial difficulty or fraud risk; accessibility or health-related information voluntarily disclosed in support interactions; sanctions or politically exposed person screening results; and information that becomes part of a dispute, complaint or legal response file.

Where ECOMLIT processes sensitive personal data, we aim to do so only where there is a clear lawful basis, a clear purpose, and proportionate technical and organisational safeguards. We also aim to minimise access to such data, limit retention, and ensure that any vendor or processor handling the data is subject to suitable privacy and security obligations.

ECOMLIT does not intentionally request information relating to race or ethnic origin, religious belief, sexual life or orientation, trade union membership, or similar especially sensitive matters unless one of three things is true: the law requires it, the individual voluntarily provides it in a context where it is relevant, or the information becomes necessary for the establishment, exercise or defence of legal claims or similar exceptional purposes. Even then, we will aim to limit the processing to what is necessary.

Section 13

13. Cookies, SDKs, Pixels and Similar Technologies

ECOMLIT and certain authorised partners may use cookies, software development kits, tags, pixels, local storage, session technologies and similar tools on our websites, dashboards, emails or applications. These technologies support basic functionality, security, authentication, fraud prevention, performance monitoring, analytics, troubleshooting and, where lawful, personalisation or marketing.

Some cookies and similar technologies are strictly necessary for the operation of the website or platform. For example, they may keep you signed in, preserve your session, remember core security choices, support load balancing, or help us detect malicious traffic. Because these are necessary for the service to operate, they may be used without a separate opt-in where law permits.

Other cookies and tracking tools are optional or non-essential. These may support analytics, advertising, referral attribution, personalisation, social plug-ins, A/B testing or similar functions. Where consent is required, ECOMLIT aims to obtain that consent through a clear banner, settings centre or equivalent tool before placing or activating non-essential cookies. Where consent is not given, we aim not to use optional tracking technologies except in a privacy-preserving way that does not require consent under applicable law.

Data collected through cookies and similar technologies may include IP address, browser details, device characteristics, identifiers, session data, pages viewed, time spent, click behaviour, referring URLs, language settings and general location. Some of this information may be personal data, especially where it can be linked to an account or individual.

Users can manage cookie choices through our cookie settings where available, as well as through browser or device controls. However, blocking strictly necessary cookies may impair service functionality. Merchants using ECOMLIT should also ensure that their own storefronts provide legally compliant cookie notices and consent tools where required, especially if they deploy marketing tags or third-party scripts through the platform.

Section 14

14. Automated Decision-Making, Profiling and Fraud Controls

ECOMLIT uses automated tools and rule-based systems to help manage platform integrity, security and service delivery. These tools may support spam detection, login security, fraud screening, abnormal behaviour detection, transaction risk flagging, onboarding workflow routing, suspicious activity review, content abuse controls, and performance optimisation.

Automated tools are helpful because they allow the platform to identify unusual patterns at scale and to act quickly where human-only review would be too slow. However, ECOMLIT recognises that automated outputs can be wrong, incomplete or context-blind if not supported by governance and review.

Where ECOMLIT uses automated tools to produce signals that may materially affect a person, we aim to apply reasonable safeguards such as layered decisioning, human review where appropriate, appeal or escalation pathways, audit trails, sample testing, false-positive review, and clear case documentation. We also aim to avoid making legally significant decisions based solely on automated processing where that would be inappropriate or prohibited under applicable law.

Examples of profiling or automated analysis may include scoring a merchant application for risk triage, identifying a suspicious login, detecting bot activity, assessing likely fraudulent orders, or suppressing repeated abuse of support channels. These processes are used to support decision-making, not to replace careful judgement in every case.

Section 15

15. Who We Share Personal Data With

ECOMLIT does not disclose personal data indiscriminately. We share personal data only where there is a lawful basis, a clear operational need, and an appropriate relationship with the recipient. Recipients may include processors, service providers, merchants, payment providers, regulators, advisers or other parties described in this section.

We may share personal data with hosting, cloud, infrastructure, security, monitoring, communications, analytics, customer support, CRM, document management, verification, screening, fraud prevention, tax, accounting, legal, audit and other operational service providers that help us operate the platform. These providers are expected to receive only the data necessary for their role and to be bound by contractual, security and privacy obligations.

We may share personal data with payment processors, financial service providers, billing tools, payout partners and other commerce-related providers where that is necessary to enable subscriptions, transactions, settlements, fraud checks or financial reconciliation.

We may share personal data with merchants where the merchant is the relevant controller, such as where an end customer interacts with a merchant storefront or where a merchant administrator needs access to account information for operational purposes. Equally, a merchant may disclose data to us where we need it to provide support, security or compliance services.

We may disclose personal data to regulators, law enforcement, courts, tax authorities or other public bodies where required by law, where necessary to respond to lawful requests, or where disclosure is reasonably necessary to protect rights, property, safety, service integrity or the public interest. We review such requests carefully and aim to disclose only what is necessary.

We may share personal data with professional advisers, insurers, acquirers, investors, auditors or transaction counterparties where necessary for legal advice, compliance, financing, corporate reorganisation, merger, acquisition, sale, restructuring, insolvency process, insurance claim, or governance review. Where possible, such disclosures are controlled through confidentiality obligations and limited-access arrangements.

Finally, we may share aggregated, de-identified or anonymised information with third parties for analytics, benchmarking, reporting, research or product purposes, provided the information is no longer personal data or is handled in accordance with applicable law.

Section 16

16. Cross-Border Data Transfers and International Access

ECOMLIT may store, access, transfer or otherwise process personal data outside Nigeria where our infrastructure, support teams, vendors, integration partners, payment providers or group functions operate internationally. This may happen because cloud providers replicate data across regions, because an international vendor provides a service we use, because support or engineering access occurs from another country, or because a merchant or customer is located outside Nigeria.

Where personal data is transferred across borders, ECOMLIT aims to assess the legal basis and transfer mechanism carefully. We may rely on an adequacy determination where available, appropriate contractual safeguards, binding internal rules, certifications, codes of conduct, technical measures, or another recognised legal mechanism permitted under applicable law.

We also take into account the sensitivity of the data, the purposes of the transfer, the role of the foreign recipient, onward-transfer risk, practical enforceability of rights, and the need for supplementary technical and organisational protections such as encryption, role-based access controls, pseudonymisation, data minimisation, transfer logging and vendor due diligence.

Because international data flows are common in modern hosted services, ECOMLIT will not always be able to guarantee that all data remains physically resident in one jurisdiction at all times. What we do commit to is to assess transfer risk, use lawful safeguards, select reputable providers, and communicate clearly about the possibility of international processing.

If a data subject wants more information about the safeguards ECOMLIT uses for a particular transfer, they may contact us using the details in this Policy. We may not always be able to disclose the full text of vendor contracts, but we will provide a meaningful explanation where possible and lawful.

Section 17

17. Data Retention and Deletion

ECOMLIT retains personal data only for as long as it is reasonably necessary for the purposes explained in this Policy, together with any longer period required or justified by law, regulation, contract, security, dispute management, fraud prevention, tax, accounting, audit, backup integrity, or the establishment, exercise or defence of legal claims.

Retention decisions depend on context. For example, merchant account and billing records may need to be kept for longer than web analytics logs. Support records may need to be retained long enough to manage repeat issues, while some session and telemetry data may be kept only for a shorter period unless it becomes relevant to security or fraud investigations.

Where ECOMLIT processes merchant customer data on behalf of a merchant, the retention position may also depend on the merchant's settings, the feature used, applicable law, and operational realities such as backups, archived logs, and deletion queues. Termination of a merchant account does not always result in immediate destruction of all related data because some records must be retained for legal, security or integrity reasons.

When retention periods expire, ECOMLIT aims to delete, anonymise, aggregate or otherwise irreversibly de-identify personal data unless a further lawful basis exists for continued retention. Deletion may occur through staged processes, especially in systems with backups, replication or archive logs. For that reason, residual copies may exist for a limited time before final purge, but access to such copies is restricted.

Annex 3 contains an illustrative retention schedule. It is illustrative because particular products, incidents, legal holds, disputes or regulatory requirements may require deviations in specific cases.

Section 18

18. Information Security and Access Management

ECOMLIT applies technical and organisational security measures designed to protect personal data against unauthorised or unlawful processing, loss, destruction, misuse, damage, or accidental disclosure. Security is an ongoing programme rather than a static control list, and we aim to adapt our measures to the risks presented by our systems and the data we process.

Our security controls may include identity and access management, authentication, encryption in transit and at rest where appropriate, network segmentation, endpoint protection, logging and monitoring, vulnerability management, change control, environment separation, least-privilege access, secure backup practices, vendor diligence, staff training, incident response procedures and access review routines.

Not every user or every employee can see every category of data. We seek to apply role-based access controls and need-to-know restrictions so that access is limited to persons who require it for their work. We also log, sample or otherwise review access in sensitive contexts.

No internet or technology environment can promise absolute security. For that reason, ECOMLIT complements technical controls with governance processes, incident escalation pathways, internal policies, training, vendor contractual controls and periodic review. Users also have an important role to play by choosing strong passwords, using multi-factor authentication where available, protecting devices, limiting unnecessary data exposure and notifying us promptly of suspicious activity.

Section 19

19. Data Subject Rights

Depending on the circumstances and subject to applicable law, data subjects may have a range of rights in relation to personal data. These rights are not always absolute, and the way they apply may depend on whether ECOMLIT is acting as a controller, a processor, or an independent controller for a limited purpose.

Rights may include the right to be informed about processing; the right to access personal data and obtain relevant information about the processing; the right to rectification of inaccurate or incomplete data; the right to object to certain forms of processing; the right to restrict processing in certain circumstances; the right to data portability where the legal conditions are met; the right to erasure or to be forgotten in certain situations; the right to withdraw consent where consent is the lawful basis; the right to complain to the NDPC; and the right not to be subject to certain decisions based solely on automated processing without suitable safeguards.

Where ECOMLIT processes data on behalf of a merchant, a rights request may need to be handled by the merchant as the relevant controller. In such cases, ECOMLIT may redirect the request, inform the merchant, assist the merchant to respond, or respond directly where we have our own independent obligations or where the law requires us to do so.

Some rights may be limited where disclosure would adversely affect the rights of another person, undermine legal privilege, interfere with a fraud or security investigation, compromise trade secrets, conflict with a legal obligation, or otherwise fall within a lawful restriction or exemption. Where ECOMLIT cannot fully comply with a request, we will aim to explain the reason to the extent lawful and appropriate.

Section 20

20. How We Handle Rights Requests

A data subject who wishes to exercise a privacy right should contact ECOMLIT using the details provided in this Policy or by any rights request process made available on our website or platform. To protect privacy and security, ECOMLIT may need to verify the identity of the requester before acting on the request. Verification steps are designed to be proportionate to the sensitivity of the request and the data involved.

When a request relates to data controlled by a merchant, ECOMLIT may ask the requester to contact the merchant directly or may forward the request to the merchant, depending on the context. Where ECOMLIT assists a merchant to fulfil a request, it will do so in line with the merchant relationship, applicable law and any data processing obligations between the parties.

ECOMLIT aims to respond to rights requests within the time required by law or, where no fixed period applies, within a reasonable time having regard to complexity, volume, identity verification and any need to consult merchants, vendors or legal advisers. If a request is especially complex or repetitive, ECOMLIT may require more time or may apply lawful limits or charges where permitted.

To help us process a request efficiently, the requester should specify the right they are seeking to exercise, the context in which their data was collected, the email address or phone number associated with the account or interaction, and any information that will help locate the relevant data. We may ask follow-up questions if the request is too broad or unclear.

Section 21

21. Marketing Communications and Preference Management

ECOMLIT may send service communications and, where lawful, marketing or relationship communications. Service communications are not the same as promotional marketing. Examples of service communications include account notices, login alerts, platform changes, billing reminders, security notifications, support responses, product outage updates and legal notices. These messages are generally necessary for the service relationship and users may not be able to opt out of all of them while maintaining an account.

Promotional communications may include newsletters, feature announcements, educational materials, event invitations, campaign messages, product updates, or commercial offers. Where consent is required for these communications, we will request it. Where we rely on legitimate interests, we aim to ensure that the communications are relevant, proportionate and accompanied by an easy way to object or unsubscribe.

Users can generally manage marketing preferences through the unsubscribe link in an email, by adjusting account preferences where available, or by contacting us. Opt-out requests may not apply immediately in all systems, but we aim to honour them promptly. Even after someone opts out of marketing, ECOMLIT may still retain limited information needed to respect that preference and avoid sending further marketing in error.

Section 22

22. Children's Privacy and Age-Sensitive Processing

ECOMLIT's platform is designed primarily for merchants, business users and general commerce audiences. It is not built as a children's service and ECOMLIT does not intentionally target children as its primary user base. However, because merchants may operate stores that sell to a broad population, children's personal data may in some circumstances be processed through merchant storefronts or support interactions.

Where ECOMLIT becomes aware that personal data relates to a child or another vulnerable individual, we aim to apply heightened care that is appropriate to the context and the law. This may include minimisation, additional review, limitation of marketing, enhanced security controls, or coordination with the relevant merchant where the merchant is the primary controller.

Merchants remain responsible for ensuring that their own data collection and customer experience are lawful, age-appropriate and supported by any required permissions or consents. If a parent, guardian or other authorised person believes that a child has provided personal data to ECOMLIT or through an ECOMLIT-supported storefront in a manner that raises legal or safety concerns, they should contact us promptly.

Section 23

23. Third-Party Services, Links and Merchant Integrations

ECOMLIT may interoperate with or provide links to third-party sites, applications, plug-ins, payment providers, logistics systems, social tools, messaging providers, analytics tools, app partners and other integrations. Those services may have their own privacy notices, security practices and terms, and ECOMLIT does not control all aspects of how they process personal data.

When a merchant activates a third-party integration or directs ECOMLIT to exchange data with another service, the merchant should review that service's privacy and security position carefully. We may provide information about integrations and may impose platform requirements, but the merchant is still responsible for understanding what data will flow to or from the third party and whether that use is lawful in the merchant's own customer context.

ECOMLIT may suspend, limit or remove integrations where necessary for security, legal, technical or policy reasons. Where a third-party service fails, changes its terms, discontinues support, or processes data in a way that creates unacceptable risk, ECOMLIT may take steps to protect the platform and its users, which may include limiting data exchange or disabling the connection.

Section 24

24. Data Governance, Accountability and Privacy by Design

ECOMLIT aims to manage privacy as an accountability programme, not merely as an external notice. This means that we seek to embed privacy consideration into product design, vendor selection, systems change, project governance, onboarding, risk review, incident handling and contractual arrangements.

Our governance measures may include designation of a privacy lead or data protection officer where required, maintenance of records of processing activities, review of lawful bases, data minimisation controls, privacy input into new features and integrations, contractual privacy clauses, vendor due diligence, staff training, access reviews, retention controls, template notices, complaints handling, and periodic assurance or audit activity.

Where a project or processing activity presents a heightened privacy risk, ECOMLIT may conduct a data privacy impact assessment or similar review before launch or as soon as reasonably possible. We may also review whether the processing can be redesigned to reduce personal data collection, shorten retention, improve security or give individuals clearer choices.

Section 25

25. Personal Data Breach Management

ECOMLIT maintains incident response and breach management procedures intended to identify, contain, investigate, document and remediate personal data breaches and security incidents. A personal data breach may include accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to personal data transmitted, stored or otherwise processed.

When ECOMLIT becomes aware of a suspected breach, we aim to assess its nature, scope, likely cause, categories of affected data, number of potentially affected individuals, system impact, likelihood of harm, and any immediate containment steps that are required. Where third parties are involved, we may coordinate with vendors, merchants, forensic specialists, legal advisers or regulators as appropriate.

If the breach is reportable under applicable law, ECOMLIT will notify the NDPC and, where required, affected data subjects within the timeframe and in the manner required by law. Not every security event results in a reportable breach, but all significant incidents are expected to be documented and assessed.

Even where a breach has not yet been fully resolved, ECOMLIT may provide interim notices where the law requires prompt notification or where immediate action is needed to protect individuals from misuse of their data. We also expect processors and service providers who process data on our behalf to notify us without undue delay when they become aware of a relevant breach affecting our data or services.

Section 26

26. Complaints, Escalation and Contacting the NDPC

ECOMLIT encourages data subjects to contact us first if they have a privacy concern, rights request, complaint or question about how their personal data has been handled. We take such concerns seriously and aim to investigate them fairly, document them appropriately and respond within a reasonable time.

A complaint may relate to inaccurate data, excessive collection, lack of notice, unwanted marketing, a request that has not been handled properly, an alleged security issue, cross-border processing concerns, merchant-customer data issues, or any other privacy matter connected to the platform or our website.

If a data subject remains dissatisfied after engaging with ECOMLIT, or where the data subject prefers to do so, they may lodge a complaint with the Nigeria Data Protection Commission through the channels made available by the NDPC. The right to complain to the NDPC exists in addition to other rights and remedies that may be available under law.

Nothing in this Policy limits the right of a data subject to seek legal redress or to engage another competent supervisory or judicial authority where applicable.

Section 27

27. Changes to this Policy

ECOMLIT may update this Policy from time to time to reflect changes in law, regulation, technology, our business model, our products, our vendors, our data uses, our risk environment or our organisational structure. A revised version may also be published where we improve clarity, update contact details, add processing contexts, or address new rights or obligations.

When we make changes, we will update the effective date at the front of the document and, where required by law or where the changes are material, we may provide additional notice through the website, platform, email, dashboard messaging or another suitable channel. We encourage users and merchants to review the Policy periodically.

Section 28

28. Contact Details

For privacy questions, rights requests, complaints or other data protection enquiries, you may contact ECOMLIT using the contact details below.

General Support Email: [Insert Support Email]

Privacy or DPO Email: [Insert Privacy Email]

Support URL: [Insert URL]

Telephone or Messaging Contact: [Insert Contact]

NDPC Contact Point for Complaints: Individuals may also contact the Nigeria Data Protection Commission through its published official channels.

Nigeria Data Protection Commission

Tel: +2349160615551

Email: info@ndpc.gov.ng

Website: www.ndpc.gov.ng

Annex 1

Annex 1. Data Categories and Purpose Matrix

This Annex summarises the main categories of personal data processed by ECOMLIT, the relevant data subjects, the principal purposes for which the data is used, and the typical privacy role performed by ECOMLIT in that context. It is a practical summary only; the main body of the Policy prevails where more detail is required.

| Data category | Typical data subjects | Illustrative contents | Primary purposes | ECOMLIT role |
| --- | --- | --- | --- | --- |
| Identity and profile data | Merchants, owners, admins, team members, support contacts | Name, title, username, business identity, date of birth where necessary, ID image references | Account creation, KYB, user administration, security, support | Controller / sometimes processor |
| Contact data | Merchants, team members, end customers, prospects | Email, phone, billing address, service address, messaging handles | Service communications, order fulfilment, support, billing, marketing, legal notices | Controller / sometimes processor |
| Business and KYB data | Merchants, directors, UBOs, signatories | Registration details, ownership structure, licences, proof of address, verification documents | Onboarding, due diligence, risk assessment, compliance, contract management | Controller |
| Order and customer data | End customers, recipients, merchant contacts | Order items, shipping details, invoices, returns, communications, customer notes | Storefront hosting, checkout, order management, customer service, fraud checks | Processor / limited independent controller |
| Payment and subscription data | Merchants, payers, finance contacts | Plan, invoice, tax details, masked card or token, payout references, refund records | Billing, settlement, fraud control, reconciliation, financial records | Controller |
| Technical and usage data | Visitors, merchants, admins, customers | IP address, browser, device, session, clicks, logs, error reports | Security, authentication, service performance, analytics, abuse prevention | Controller / sometimes processor |
| Communications data | Anyone who contacts us or is contacted through merchant features | Emails, chats, calls, attachments, surveys, complaints, tickets | Support, dispute handling, service continuity, quality assurance | Controller / sometimes processor |
| Compliance and risk data | Merchants, owners, customers where relevant | Screening outcomes, fraud signals, adverse media, complaints, legal hold data | Legal compliance, sanctions, fraud prevention, safety, platform integrity | Controller |
| Marketing and preference data | Website visitors, leads, merchants | Newsletter preferences, consent records, event attendance, campaign engagement | Relationship management, product updates, campaigns, preference suppression | Controller |

Annex 2

Annex 2. Data Subject Rights Matrix

This Annex is intended to make the rights section easier to apply in practice. It does not create rights beyond those provided by law, and it does not remove any exceptions, restrictions or role distinctions described in the main Policy.

| Right | What it usually means | Important limits / notes | How ECOMLIT will usually handle it |
| --- | --- | --- | --- |
| Be informed | Receive clear notice about how data is used | May be satisfied through layered notices or context-specific disclosures | Publish and update notices; provide point-of-collection information where relevant |
| Access | Ask for a copy or meaningful summary of personal data | Subject to identity verification, legal restrictions and rights of others | Verify identity; search systems; coordinate with merchants where needed |
| Rectification | Correct inaccurate or incomplete data | Evidence may be required; some historical records may need annotation rather than deletion | Update active records; preserve audit trail where appropriate |
| Object | Object to certain processing, especially marketing or legitimate-interest processing | May not apply where compelling lawful grounds or legal obligations exist | Review objection; stop or justify relevant processing as required |
| Restriction | Limit use of data in certain circumstances | Often temporary while accuracy, objection or legality is being considered | Flag or freeze relevant processing where practical |
| Portability | Receive certain data in a usable format or ask that it be transferred | Usually applies where lawful basis and technical feasibility conditions are met | Provide export or structured response where applicable |
| Erasure | Request deletion where grounds exist | Not absolute; may be limited by law, disputes, security or evidence needs | Delete, anonymise, suppress or explain retention grounds |
| Withdraw consent | Stop consent-based processing | Does not affect earlier processing that was lawful before withdrawal | Update preferences and stop relevant consent-based activity |
| Human review / automated decision safeguards | Seek review where solely automated decisions are restricted | Context-specific; not every automated tool triggers this right | Assess the context and provide review or explanation where required |
| Complain | Raise a concern with ECOMLIT or NDPC | May require detail so the issue can be investigated fairly | Investigate, respond and document outcome |

Annex 3

Annex 3. Illustrative Retention Schedule

The retention periods below are examples and should be read together with Section 17. A different period may apply where law, audit, disputes, legal hold, fraud review, merchant settings or technical architecture require it.

| Record type | Illustrative retention period | Reason / rationale | Deletion approach |
| --- | --- | --- | --- |
| Merchant application and KYB files | Five years after rejection, closure or last material activity, unless law requires longer | Contract management, fraud prevention, regulatory defence, limitation periods, audit needs | Secure deletion or archive purge after expiry of legal and operational need |
| Merchant account core profile | Life of account plus up to five years after closure | Service continuity, legal claims, tax and accounting, abuse prevention | Staged deletion with backup expiry |
| Subscription invoices and finance records | Five years or longer where required | Tax, accounting, audit, financial reporting, disputes | Financial archive controls |
| Support tickets and complaint files | Five years after closure, or longer if escalated or litigated | Quality assurance, repeat issue management, dispute evidence | Deletion or restricted archive |
| Security logs and authentication records | Twelve to twenty-four months, or longer for incidents | Security investigations, access reviews, abuse prevention | Rolling log deletion; incident-related records may be carved out |
| Session analytics and performance logs | Three to thirteen months depending on category | Performance, service reliability, aggregate analytics | Automated purge or aggregation |
| Merchant customer data stored for merchant features | According to merchant settings, product design and legal obligations; may continue for limited backup periods | Processor role, merchant instructions, integrity and legal needs | Merchant-triggered deletion plus delayed backend purge |
| Marketing lists and consent records | Until unsubscribe or objection, plus suppression record for a reasonable period | Preference management, proof of consent or opt-out | Suppression-only retention where needed |
| Fraud, sanctions and risk investigation files | As long as necessary for prevention, legal defence, and regulatory cooperation | High-risk events may require longer retention | Restricted access archive with periodic review |
| Recruitment and vendor contact records | Varies by relationship; often one to five years after end of process or engagement | Business administration, audit, legal defence | Delete or archive per relationship type |

Annex 4. Definitions and Interpretation

The following definitions are provided to support consistent interpretation of this Policy. They are drafted for ECOMLIT's platform context and should be read together with any definition provided by applicable law.

Account means any merchant account, administrator account, team member profile, support profile or other platform access relationship maintained by ECOMLIT.

Applicable Law means any law, regulation, directive, guideline, court order, supervisory requirement or binding obligation relevant to the processing of personal data by ECOMLIT or its processors.

Controller means a person or organisation that determines the purposes and means of processing personal data.

Processor means a person or organisation that processes personal data on behalf of a controller.

Data Subject means an identified or identifiable natural person to whom personal data relates.

Merchant means a business, business owner, organisation or similar user that applies to or uses the ECOMLIT platform to conduct commerce activities.

Merchant Customer Data means personal data relating to a merchant's customers, prospects, recipients or other contacts, processed through ECOMLIT's platform on behalf of the merchant or in the limited circumstances described in this Policy.

Personal Data means any information relating to an identified or identifiable individual, whether direct or indirect.

Process / Processing means any operation performed on personal data, including collection, storage, use, disclosure, analysis, transfer, restriction, deletion or destruction.

Sensitive Personal Data means personal data that is particularly sensitive under law or context and therefore requires heightened protection or a more specific lawful basis.

Sub-processor means a processor engaged by ECOMLIT where ECOMLIT is itself processing data on behalf of a merchant or another controller.

Supervisory Authority / NDPC means the Nigeria Data Protection Commission or any other competent authority with jurisdiction over the relevant processing.

Storefront means a merchant-facing or customer-facing store, site, checkout page, customer portal or commerce interface built or enabled through ECOMLIT.

User means any individual who uses ECOMLIT's website, platform or services in any capacity.

Website Visitor means a person who browses ECOMLIT's public website or landing pages without necessarily becoming a merchant.

Annex 5. Merchant Privacy Responsibilities When Using ECOMLIT

This Annex is included because ECOMLIT operates a merchant platform. Strong platform privacy practices do not remove the merchant's own obligations. The merchant is often the controller for customer-facing collection and use of personal data through the merchant's store, campaigns, communications and support interactions.

Merchants using ECOMLIT should, at a minimum, do the following: maintain a clear privacy notice that accurately describes the merchant's own practices; collect only data that is necessary for the merchant's legitimate business purposes; ensure a lawful basis exists for each material processing activity; configure platform features in a privacy-aware manner; limit internal access to customer data; keep credentials secure; use customer data only for legitimate customer relationship purposes; and respond to customer rights requests promptly and fairly.

Merchants should also make careful decisions before enabling third-party integrations, marketing tags, pixels, external analytics scripts, messaging tools or export routines. Those tools may significantly expand the number of parties who receive customer data and may create additional transparency, consent and security obligations. A merchant should not assume that an integration is compliant simply because it is technically available.

Where a merchant uses ECOMLIT to collect customer data for direct marketing, behavioural analytics, advertising audiences, international order fulfilment, loyalty programmes, or other higher-risk uses, the merchant should assess whether additional notices, consents, contracts, retention controls or impact assessments are needed. Merchants remain accountable for their own business practices even where ECOMLIT provides the underlying technology.

Recommended merchant privacy controls

1. Publish and maintain an accurate merchant-facing privacy policy and cookie notice where required.

2. Collect only the customer, order and analytics data genuinely needed for the merchant's service.

3. Review and document the lawful basis for customer communications, advertising and analytics.

4. Use role-based access for staff and remove access when personnel no longer need it.

5. Enable security features such as multi-factor authentication where available.

6. Review integrations, apps, tracking tags and exports before activation and periodically thereafter.

7. Create an internal procedure for handling access, rectification, deletion and objection requests.

8. Promptly notify ECOMLIT where a suspected privacy or security incident may affect platform data.

These merchant responsibilities are included for transparency and user education. They do not replace the merchant agreement, data processing addendum or any applicable law, all of which may impose more specific duties.

Annex 6. Practical Guide to Raising a Privacy Concern

If you believe ECOMLIT has handled your personal data improperly, it helps to include enough detail for the issue to be understood and investigated. A clear complaint or request will usually contain the name and contact details of the requester, the relationship to ECOMLIT or the merchant store concerned, the date or period of the relevant interaction, the type of data involved, the action requested, and any supporting documents or screenshots.

For example, a rights request might specify that the requester wants access to all personal data linked to a particular email address used at a merchant storefront between specific dates. A complaint might explain that a person continued to receive promotional emails after opting out, or that inaccurate order information remains visible in an account despite a request for correction. The more specific the request, the easier it is to locate and assess the relevant data.

ECOMLIT may ask for additional information or proof of identity before acting on a request. This is not intended to create friction; it is intended to prevent improper disclosure of personal data to the wrong person. Where a request relates mainly to a merchant-controlled data set, ECOMLIT may redirect the requester to the merchant or coordinate the response with the merchant as appropriate.

If the matter is not resolved internally, a complainant may contact the Nigeria Data Protection Commission through the channels published on the NDPC website. We encourage complainants to keep a copy of the original request, any follow-up correspondence, and the response received, as those records can help the NDPC or another competent body understand the issue more quickly.