Data Protection Policy
Legal documentation and compliance framework
Effective Date: January 1, 2026
1. Policy Statement
Evituum ("Evituum", "Company", "we", "our", or "us") is committed to protecting personal information and maintaining the highest standards of privacy, confidentiality, integrity, and security.
This Data Protection Policy establishes the principles, controls, and responsibilities governing the collection, processing, storage, transmission, retention, and disposal of personal data handled through our platforms, applications, services, and supporting infrastructure.
2. Purpose
The purpose of this Policy is to:
- Protect personal information entrusted to Evituum.
- Maintain compliance with applicable data protection laws.
- Reduce risks associated with data breaches.
- Promote responsible handling of personal data.
- Strengthen trust among customers and stakeholders.
- Ensure accountability across all business operations.
3. Scope
This Policy applies to:
- Employees and contractors.
- Consultants and temporary staff.
- Third-party service providers.
- Schools and institutions using our platforms.
- All systems, applications, databases, and infrastructure operated by Evituum.
4. Applicable Regulations
Evituum seeks to comply with applicable data protection and privacy regulations including:
- Nigeria Data Protection Act (NDPA 2023).
- General Data Protection Regulation (GDPR).
- UK GDPR.
- Applicable education-sector privacy regulations.
- Other relevant national and international privacy laws.
5. Data Protection Principles
Personal data shall be processed in accordance with the following principles:
- Lawfulness, fairness, and transparency.
- Purpose limitation.
- Data minimization.
- Accuracy.
- Storage limitation.
- Integrity and confidentiality.
- Accountability.
6. Categories of Protected Data
The Company may process and protect the following categories of information:
- Personal identification information.
- Contact information.
- Educational records.
- Academic performance data.
- Attendance records.
- Employee information.
- Financial and billing records.
- Authentication and access logs.
- Technical and device information.
7. Data Classification
Information processed by Evituum may be classified into categories including:
- Public Information.
- Internal Information.
- Confidential Information.
- Restricted or Sensitive Information.
Appropriate security controls shall be applied based on the classification level.
8. Data Governance and Accountability
Evituum maintains governance structures designed to ensure responsible processing of personal information.
- Defined roles and responsibilities.
- Access control procedures.
- Data handling standards.
- Security review processes.
- Compliance monitoring activities.
9. Security Measures
We implement administrative, technical, and organizational safeguards appropriate to the nature and sensitivity of the information processed.
- TLS/HTTPS encryption.
- Encryption of sensitive information.
- Role-based access controls.
- Authentication and authorization controls.
- Multi-factor authentication where applicable.
- Network security monitoring.
- Audit logging.
- Backup and recovery procedures.
- Vulnerability management.
- Periodic security assessments.
10. Access Control
Access to personal data is granted strictly on a need-to-know basis and in accordance with assigned responsibilities.
Users are prohibited from accessing information beyond the scope of their authorized role.
11. Data Retention and Disposal
Personal information shall be retained only for as long as necessary to fulfill legitimate business, contractual, educational, legal, or regulatory requirements.
When retention periods expire, data may be securely deleted, anonymized, or archived in accordance with applicable laws.
12. Third-Party Processors
Evituum may engage trusted third-party providers for hosting, payments, analytics, communications, monitoring, and support services.
Such providers are required to maintain appropriate security and privacy safeguards and may process data only for authorized purposes.
13. International Data Transfers
Personal information may be transferred to jurisdictions outside the country in which it was originally collected.
Appropriate safeguards shall be implemented where required by law to protect transferred information.
14. Data Subject Rights
Subject to applicable laws, individuals may have rights to:
- Access their information.
- Correct inaccurate information.
- Request deletion.
- Restrict processing.
- Object to processing.
- Withdraw consent.
- Request data portability.
- File complaints with relevant authorities.
15. Employee and Contractor Responsibilities
Personnel handling personal data must:
- Follow approved security procedures.
- Protect confidential information.
- Report suspected security incidents.
- Complete applicable security awareness training.
- Use systems only for authorized purposes.
16. Incident Response and Breach Management
Evituum maintains procedures for detecting, investigating, responding to, and mitigating security incidents.
Where required by law, affected individuals, institutions, customers, and regulators will be notified within applicable statutory timelines.
17. Monitoring and Auditing
We may conduct audits, reviews, assessments, monitoring, and compliance activities to ensure adherence to this Policy and applicable regulations.
18. Policy Violations
Violations of this Policy may result in disciplinary action, suspension of access privileges, termination of agreements, legal action, or regulatory reporting where appropriate.
19. Policy Review and Updates
This Policy may be reviewed and updated periodically to reflect changes in technology, regulations, operational requirements, or security practices.
20. Contact Information
Questions regarding this Data Protection Policy may be directed to:
Email: privacy@evituum.com
Legal: legal@evituum.com
Support: support@evituum.com
Website: https://evituum.com