Privacy Policy

Effective Date: February 1, 2025 · Last Updated: February 1, 2025

This Privacy Policy describes how Coopie Technologies Limited collects, uses, stores, and protects your personal data. We are committed to safeguarding your privacy in compliance with the Nigeria Data Protection Act (NDPA) 2023 and the Nigeria Data Protection Regulation (NDPR) 2019.

1. Introduction

Coopie Technologies Limited (“Coopie”, “we”, “us”, or “our”) operates the Coopie platform, a multi-tenant cooperative management software-as-a-service (SaaS) application. We are the data controller for personal data collected through the Platform for platform-level operations, and we act as a data processor on behalf of Cooperatives for cooperative-level member data.

This Privacy Policy applies to all Users, Members, Administrators, and visitors who interact with our Platform, website, and related services. It explains what personal data we collect, how we use it, who we share it with, and your rights regarding your data.

By using the Platform, you acknowledge that you have read and understood this Privacy Policy. For information about the terms governing your use of the Platform, please see our Terms of Service.

2. Regulatory Framework

Our data processing activities are governed by the following Nigerian regulations and international best practices:

  • Nigeria Data Protection Regulation (NDPR) 2019: Issued by the National Information Technology Development Agency (NITDA), establishing requirements for the processing of personal data.
  • Nigeria Data Protection Act (NDPA) 2023: The comprehensive data protection legislation that establishes the Nigeria Data Protection Commission (NDPC) and provides a legal framework for data protection in Nigeria.
  • Central Bank of Nigeria (CBN) Guidelines: Applicable guidelines on data handling for financial technology platforms and cooperative financial activities.
  • Cybercrimes (Prohibition, Prevention, etc.) Act 2015: Provisions on cybersecurity, data protection, and electronic transactions.

Coopie acts as a data processor when processing personal data on behalf of Cooperatives (e.g., member records, contribution data, loan records), and as a data controller for platform-level data (e.g., account registration, authentication, analytics, and support interactions).

3. Personal Data Collected

We collect and process the following categories of personal data:

Identity Information

Full name, date of birth, gender, marital status, and profile photograph.

Contact Information

Email address, phone number, residential address, state of residence, and Local Government Area (LGA).

Financial Information

Bank account details, Bank Verification Number (BVN), salary information, contribution records, loan records and repayment history, dividend records, and transaction history.

KYC Information

Bank Verification Number (BVN), National Identification Number (NIN), and any other identity documents required for verification.

Authentication Data

Password hash (encrypted; we never store plain-text passwords), session tokens, and security settings.

Technical Data

IP address, user agent string, device type, operating system, browser type and version, and platform interaction data.

Activity Data

Login and logout timestamps, actions performed on the Platform, request paths, and timing information.

Communication Data

Support tickets, notification preferences, and correspondence with our team.

Membership Data

Cooperative memberships, assigned roles (MEMBER, EXECUTIVE, ADMIN, SUPER_ADMIN), membership status, employer information, and guarantor relationships.

4. How Data is Collected

We collect personal data through the following means:

Directly from You

  • Account registration and profile creation.
  • Cooperative membership applications.
  • Loan applications, guarantor forms, and contribution pledges.
  • Support tickets and contact form submissions.
  • Profile updates and preference settings.

Automatically

  • Cookies and similar technologies placed on your device.
  • IP address and user agent logging on each request.
  • Session tracking for authentication and security monitoring.
  • Platform usage analytics.

From Third Parties

  • Payment processors (e.g., Paystack) — transaction confirmations and payment status.
  • Banks — account verification and confirmation data.
  • Employers — payroll deduction confirmations (where applicable).
  • Identity verification providers — BVN/NIN verification results.

6. Purpose of Data Processing

We process your personal data for the following purposes:

  • Account Management: Creating, authenticating, and maintaining your user account and profile.
  • Cooperative Membership: Processing membership applications, managing role assignments, and facilitating cooperative operations.
  • Contribution Processing: Recording, tracking, and reporting on member contributions across multiple contribution types.
  • Loan Management: Processing loan applications, managing guarantor relationships, tracking disbursements, and recording repayments.
  • Dividend Administration: Computing, recording, and tracking dividend distributions.
  • KYC & Identity Verification: Verifying your identity through BVN, NIN, and bank account verification to comply with regulatory requirements.
  • Fraud Prevention & Security: Detecting and preventing unauthorized access, fraud, money laundering, and other security threats.
  • Notifications: Sending transactional, administrative, and security-related communications.
  • Customer Support: Responding to inquiries, resolving issues, and managing support tickets.
  • Analytics & Improvement: Analysing platform usage to improve our services, features, and user experience.
  • Legal & Regulatory Compliance: Meeting our obligations under Nigerian law, responding to regulatory inquiries, and maintaining records as required.

7. Data Sharing & Disclosure

We may share your personal data with the following categories of recipients:

  • Cooperative Administrators: Administrators of your Cooperative(s) can access your member profile, contribution records, loan records, and other data within the scope of their Cooperative. Access is strictly limited to data within their own Cooperative.
  • Other Members: Limited information may be visible to other Members of your Cooperative, such as your name in guarantor requests, or directory information based on the Cooperative’s privacy settings.
  • Payment Processors: Paystack and other integrated payment providers receive necessary transaction data to process payments.
  • Identity Verification Providers: Third-party providers that verify BVN, NIN, and bank account information.
  • Email & SMS Providers: Service providers that deliver notifications and communications on our behalf.
  • Regulatory Authorities: The Central Bank of Nigeria (CBN), National Information Technology Development Agency (NITDA), Nigeria Data Protection Commission (NDPC), law enforcement agencies, and other regulators where required by law or regulation.
  • Professional Advisors: Lawyers, auditors, and consultants who are bound by professional confidentiality obligations.

We do not sell your personal data to third parties. We will never sell, rent, or trade your personal information for marketing purposes.

8. Multi-Tenant Data Isolation

The Platform operates on a multi-tenant architecture with strict data isolation measures:

  • Logical Segregation: All data is logically segregated by Cooperative using unique cooperative identifiers. Database queries are scoped to ensure that data from one Cooperative cannot be accessed through another Cooperative’s context.
  • Admin Access Controls: Cooperative Administrators can only access data belonging to their own Cooperative. They cannot view or manage members, contributions, loans, or any other data of other Cooperatives.
  • Cross-Cooperative Isolation: If you are a Member of multiple Cooperatives, your data in each Cooperative is maintained independently. Administrators of one Cooperative cannot see your data or activity in another Cooperative.
  • SUPER_ADMIN Access: Platform-level SUPER_ADMIN accounts are used exclusively for platform support, maintenance, and compliance purposes. SUPER_ADMIN access is strictly controlled, logged, and auditable.

9. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our retention periods are as follows:

  • Active Accounts: Data is retained for the duration of your membership and active use of the Platform.
  • Financial Records: Contribution, loan, dividend, and transaction records are retained for a minimum of six (6) years after the end of the relevant financial year, as required by Nigerian tax and financial regulations.
  • Activity Logs: Login records, audit trails, and activity logs are retained for five (5) years for security and compliance purposes.
  • Session Data: Authentication tokens and session data are retained for thirty (30) days after session revocation or expiration.
  • Contact Form Submissions: Support inquiries and contact form data are retained for two (2) years after resolution.
  • Invitations: Membership invitations are retained for ninety (90) days after expiration.
  • Soft-Deleted Records: Records that have been soft-deleted (deactivated but not permanently removed) are retained as required for legal compliance, financial audit, and regulatory purposes.

Upon expiration of the retention period, data is securely deleted or anonymised unless continued retention is required by law.

10. Data Subject Rights

Under the NDPA 2023 and NDPR 2019, you have the following rights regarding your personal data:

  • Right of Access: You may request a copy of the personal data we hold about you. The Platform provides a data export feature for self-service access.
  • Right to Rectification: You may update or correct inaccurate personal data through your profile settings or by contacting support.
  • Right to Erasure: You may request deletion of your personal data, subject to legal retention requirements. Financial records required for regulatory compliance cannot be erased until the applicable retention period has expired.
  • Right to Restriction: You may request that we restrict the processing of your personal data in certain circumstances, such as while we verify the accuracy of contested data.
  • Right to Data Portability: You may request your personal data in a structured, commonly used, and machine-readable format for transfer to another service provider.
  • Right to Object: You may object to processing of your personal data based on legitimate interests, or for direct marketing purposes.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact our Data Protection Officer at dpo@coopie.ng or submit a request through the in-app support ticketing system. We will respond to your request within thirty (30) days.

11. Cookies & Tracking

The Platform uses the following cookies, all of which are strictly necessary for the operation of the service:

Cookie               Type              Duration  Purpose
-------------------  ----------------  --------  ---------------------------
scoop-token          httpOnly, Secure  30 days   Authentication JWT token
scoop-last-activity  JS-accessible     30 days   Session activity monitoring
scoop-coop           JS-accessible     30 days   Active cooperative context

All cookies used by the Platform are strictly necessary for providing the service and do not require separate consent under the NDPA. We do not use advertising, analytics, or third-party tracking cookies. You may manage cookie settings through your browser, though disabling cookies may affect the functionality of the Platform.

12. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or alteration:

Technical Measures

  • TLS encryption for all data in transit.
  • Bcrypt hashing for password storage (passwords are never stored in plain text).
  • httpOnly, Secure cookie flags for authentication tokens.
  • JWT-based authentication with single active session enforcement.
  • Role-Based Access Control (RBAC) for all platform features.

Organisational Measures

  • Access to personal data is restricted to authorised personnel on a need-to-know basis.
  • Regular security reviews and vulnerability assessments.
  • Incident response procedures for timely detection and management of data breaches.

Monitoring

  • Activity logging of all API requests for security auditing.
  • Session monitoring to detect and respond to suspicious activity.
  • Automated alerts for unusual access patterns.

13. International Data Transfers

Your personal data is primarily processed and stored in data centres located in secure cloud infrastructure. Where data is transferred outside of Nigeria, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the Nigeria Data Protection Commission.
  • Adequacy decisions where the receiving country has been determined to provide an adequate level of data protection.
  • Binding corporate rules or other approved transfer mechanisms.

We comply with data localisation requirements under Nigerian law and ensure that any cross-border transfer of personal data meets the requirements of the NDPA 2023.

14. Children’s Privacy

The Platform is not intended for use by individuals under the age of eighteen (18) years. We do not knowingly collect personal data from children.

If we become aware that we have inadvertently collected personal data from a child under 18, we will take immediate steps to delete such data. If you are a parent or guardian and believe that your child has provided personal data to us, please contact our Data Protection Officer at dpo@coopie.ng so that we can take appropriate action.

16. Data Breach Notification

In the event of a personal data breach, we will:

  • Notify NITDA/NDPC: Report the breach to the Nigeria Data Protection Commission (or NITDA, as applicable) within seventy-two (72) hours of becoming aware of the breach, as required by the NDPA 2023.
  • Notify Affected Users: Inform affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
  • Breach Notification Contents: Our notification will include the nature of the breach, the categories and approximate number of affected individuals, the likely consequences, and the measures taken or proposed to address the breach.
  • Remedial Measures: We will take immediate steps to contain the breach, mitigate any potential harm, and implement measures to prevent recurrence.

We maintain a data breach register documenting all breaches, their effects, and the remedial actions taken.

17. Automated Decision-Making

The Platform may use automated processes to assist with certain decisions, including:

  • Loan Eligibility Scoring: Automated calculations based on contribution history, membership duration, existing loan obligations, and cooperative-specific rules may be used to determine initial loan eligibility. These calculations are based on transparent criteria defined by each Cooperative.
  • Risk Assessment: Automated indicators may flag potential issues such as irregular payment patterns or policy violations for administrative review.

No solely automated decision with significant legal or similarly significant effects will be made without human review. You have the right to:

  • Request information about the logic involved in any automated decision-making process.
  • Request human review of any automated decision that significantly affects you.
  • Contest any automated decision and express your point of view.

18. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:

  • Update the “Last Updated” date at the top of this Policy.
  • Notify you via email and/or in-app notification.
  • Where required by law, seek your consent to the changes before they take effect.

Your continued use of the Platform after the effective date of the updated Policy constitutes your acknowledgement of the changes. We encourage you to review this Policy periodically.

19. Data Protection Officer

We have appointed a Data Protection Officer (DPO) to oversee our data protection practices and ensure compliance with applicable regulations:

  • Title: Data Protection Officer
  • Email: dpo@coopie.ng

The DPO operates independently and reports directly to senior management. The DPO’s responsibilities include monitoring compliance with the NDPA and NDPR, advising on data protection impact assessments, cooperating with the Nigeria Data Protection Commission, and acting as a point of contact for data subjects.

If you are unsatisfied with our response to a data protection concern, you may escalate the matter to the Nigeria Data Protection Commission (NDPC) or NITDA.

20. Contact & Complaints

If you have questions, concerns, or complaints about this Privacy Policy or our data protection practices, please contact us:

  • General Inquiries: hello@coopie.ng
  • Data Protection Officer: dpo@coopie.ng
  • Support: In-app ticketing system (accessible from your dashboard)
  • Address: Coopie Technologies Limited, Lagos, Nigeria

Complaint Process

  1. Submit your complaint to our Data Protection Officer at dpo@coopie.ng.
  2. We will acknowledge receipt within five (5) business days.
  3. We will investigate and respond to your complaint within thirty (30) days.
  4. If you are not satisfied with our response, you may escalate to the Nigeria Data Protection Commission (NDPC).

Regulatory Authority

You have the right to lodge a complaint with the supervisory authority:

  • Nigeria Data Protection Commission (NDPC)
  • Website: ndpc.gov.ng
  • National Information Technology Development Agency (NITDA)
  • Website: nitda.gov.ng

We encourage you to contact us first to resolve any concerns before escalating to a regulatory authority.