Privacy Policy
Last updated: 24 June 2026
1. Who We Are
Brela Technologies & Media Limited (‘Brela’, ‘we’, ‘our’, ‘us’) is a digital agency registered in Nigeria under the Companies and Allied Matters Act (RC: [Insert RC number]). Our registered address is 21 Bekwere Nwosu Street, D/Line, Port Harcourt, Rivers State, Nigeria.
We operate the website at brela.agency and provide web design, digital marketing, software development, training, and related digital services.
For the purposes of the Nigeria Data Protection Act 2023 (‘NDPA’), Brela Technologies & Media Limited is a Data Controller.
Data protection contact: [email protected]
2. The Law That Governs This Policy
This policy is written to comply with:
- The Nigeria Data Protection Act 2023 (NDPA) — the primary Nigerian data protection legislation
- The General Application and Implementation Directive 2025 (GAID) — effective September 19, 2025, which provides detailed compliance requirements under the NDPA
- The Nigeria Data Protection Commission (NDPC) — the regulatory authority enforcing the NDPA
Where our website is accessed by users in the European Economic Area (EEA) or the United Kingdom, we also comply with the General Data Protection Regulation (GDPR) and UK GDPR respectively, to the extent applicable.
Note for international visitors: Nigeria’s NDPA 2023 has extraterritorial scope. Organisations outside Nigeria that process the personal data of Nigerian residents are subject to the NDPA.
3. What Personal Data We Collect
3.1 Data you provide directly
- Contact and enquiry data — name, email address, phone number, business name, and project description when you submit our contact form, email us, or message us on WhatsApp
- Client onboarding data — business registration details, bank account information (for payment processing), and project-specific information provided during a client engagement
- Training and course data — name, email, payment details, and assessment responses when you purchase or enrol in a Brela training programme
- Communications data — emails, WhatsApp messages, and records of video calls relevant to a project or enquiry
3.2 Data collected automatically
- Website usage data — pages visited, time spent, referring URL, browser type, device type, and IP address, collected via Google Analytics 4
- Cookie data — see Section 8 (Cookie Policy) for full details
3.3 Data we do NOT collect
- We do not collect payment card numbers directly — all card payments are processed by Paystack or Wise, which are PCI-DSS compliant
- We do not collect sensitive personal data (health information, biometric data, political opinions, religious beliefs) unless specifically required for a project and with explicit written consent
4. How We Use Your Personal Data
4.1 Purposes of processing
- Responding to enquiries and providing requested services (legal basis: contract performance or legitimate interest)
- Managing client projects and delivering contracted work (legal basis: contract performance)
- Sending invoices, proposals, and service-related communications (legal basis: contract performance)
- Improving our website using aggregated analytics data (legal basis: legitimate interest)
- Sending marketing communications where you have opted in (legal basis: consent)
- Complying with Nigerian legal and regulatory obligations including FIRS tax requirements (legal basis: legal obligation)
4.2 We do not
- Sell your personal data to any third party
- Use your data for automated decision-making that produces legal or similarly significant effects without human review
- Use your data for purposes incompatible with those stated above without seeking fresh consent
5. Legal Basis for Processing (NDPA)
Under the NDPA 2023, we process personal data on the following legal bases:
- Consent (Section 25 NDPA) — where you have freely given, specific, informed, and unambiguous consent (e.g., marketing email opt-in)
- Contract (Section 25 NDPA) — processing necessary for a contract with you or to take pre-contractual steps at your request
- Legal obligation (Section 25 NDPA) — processing required to comply with Nigerian law, including tax and company law
- Legitimate interest (Section 25 NDPA) — processing necessary for our legitimate business interests, balanced against your rights, where those interests are not overridden by your interests or rights (e.g., website analytics, fraud prevention)
6. Who We Share Your Data With
We share personal data only where necessary and with appropriate safeguards in place:
- Service providers acting as Data Processors — Google LLC (Google Analytics, Google Workspace), Paystack Holdings Limited, Wise Payments Limited, Notion Labs Inc., and project management tools used in client delivery. All processors are subject to data processing agreements.
- Professional advisors — lawyers, accountants, and auditors where legally necessary, under confidentiality obligations
- Regulatory authorities — the NDPC, FIRS, CAC, or other Nigerian regulators where legally required
- Business transfer — in the event of a merger, acquisition, or sale of assets, personal data may be transferred, subject to equivalent data protection obligations
We do not transfer personal data outside Nigeria or the EEA/UK without ensuring appropriate safeguards exist, including Standard Contractual Clauses where required.
7. How Long We Retain Your Data
- Enquiry data (no project initiated): 12 months from last contact
- Active client data: Duration of contract plus 6 months
- Completed project data: 5 years from project completion (contractual and NDPA compliance)
- Financial records and invoices: 6 years (FIRS requirement)
- Marketing consent records: Until consent is withdrawn, then 2 years for audit purposes
- Website analytics data: 26 months (Google Analytics default retention)
Data is securely deleted or anonymised at the end of the applicable retention period.
8. Your Rights Under the NDPA 2023
The NDPA grants Nigerian data subjects the following rights. To exercise any right, email [email protected]. We will respond within 30 days (extendable to 60 days for complex requests with notice to you).
- Right to information (Section 34 NDPA) — to know how your data is processed, as set out in this policy
- Right of access (Section 35 NDPA) — to obtain a copy of your personal data we hold
- Right to rectification (Section 36 NDPA) — to correct inaccurate or incomplete personal data
- Right to erasure (Section 37 NDPA) — to request deletion of your data, subject to legal retention obligations
- Right to restriction (Section 38 NDPA) — to restrict processing while a dispute is resolved
- Right to data portability (Section 39 NDPA) — to receive your data in a structured, machine-readable format
- Right to object (Section 40 NDPA) — to object to processing based on legitimate interest
- Right to withdraw consent — at any time where consent is the legal basis, without affecting prior processing
If you are dissatisfied with our response, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng.
9. Cookie Policy Summary
Our website uses cookies. For full details, see our Cookie Policy at brela.agency/cookie-policy. In summary:
- Strictly necessary cookies — required for the website to function (cannot be disabled)
- Analytics cookies — Google Analytics 4, measuring website usage. Can be declined via our cookie consent tool
- We do not use advertising, tracking, or third-party marketing cookies
10. Data Security
We implement appropriate technical and organisational measures to protect personal data, including:
- SSL/TLS encryption on all data transmitted to and from our website
- Access controls — personal data is accessible only to team members who need it for their role
- Regular security monitoring and malware scanning of our website infrastructure
- Secure storage of client files and credentials
In the event of a personal data breach that risks harm to data subjects, we will notify the NDPC within 72 hours in accordance with Section 41 of the NDPA, and affected individuals without undue delay where required.
11. Data Transfers Outside Nigeria
Some of our service providers are based outside Nigeria (including Google in the United States and Wise in the United Kingdom). We ensure appropriate safeguards exist for such transfers, including standard contractual clauses or adequacy decisions where available. Details of transfer mechanisms are available on request.
12. Children’s Data
Our website and services are not directed at persons under 18 years of age. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, please contact [email protected] and we will delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in law, our data practices, or our services. We will notify you of material changes by updating the ‘Last updated’ date at the top of this page and, where appropriate, by email to active clients. Continued use of our website after changes constitutes acceptance of the updated policy.
14. Contact
Data protection enquiries: [email protected]
General enquiries: [email protected]
Postal address: Brela Technologies & Media Limited, 21 Bekwere Nwosu Street, D/Line, Port Harcourt, Rivers State, Nigeria.
Nigeria Data Protection Commission: ndpc.gov.ng