Privacy policy

Clause 1

What personal data do we collect and process?

The Company must receive or collect some information to operate, provide, improve, understand, customize, support, and market our services, including when you access our website or use our services.

The Company collects the personal data of all legal persons and natural and artificial entities. Thus, for individuals or companies that interact with our system, we collect and process your personal data. The category of personal data that we collect and process depends on whether you are an individual or a corporate organization. For individuals, we collect the following data:

• Full Name (first and last);
• Phone Number;
• Date of Birth;
• Email Address

For corporate entities, we collect and further process the following personal data:

• Name;
• RC number;
• Business Phone Number;
• Official Email Address;
• Bank Verification Number.

Clause 2

Why and how do we process your personal data?

Consistent with our unqualified respect for the privacy of your personal data with us, your dignity as a human being, and our policy to be transparent with the processing of your data; we seek to explain the purposes of collecting and processing of your data. Our policy is to keep it open so that you have full knowledge of why we collect and process your data. We make clear and accessible these purposes so that before you share your data with us, you appreciate why we process your data, the necessary consequence of us processing your data (for example we may send you advertisements of our services or other offers), and the extent to which we process your data. A transparent data protection framework builds trust and helps to protect your personal data while reassuring you that by interacting with us or our system, the privacy of your data with us is not compromised.

Personal data collected for User Management

The Company, through its website, collects and uses your personal data for the purpose of enabling you, as a user, to have access to and enjoy the services offered by the Company. Your contact details (email address, full name, date of birth, and phone number) may also be used for contacting you for support and quality management purposes.

Personal Data Collected for Account Identification and Credential Reset

The Company, through its website, collects and uses your personal data such as your name, mobile number, date of birth, and email address for the purpose of account identification. With these personal data, our system is able to recognize you through the account you have created with us in order to serve you satisfactorily.

Furthermore, the Company, through its website, collects and uses your personal data such as your name, mobile number, date of birth, and email address for the purpose of resetting your credentials. The Company’s data privacy policy is to ensure that your data with us are adequate, correct, and relevant. To consistently achieve these, the Company uses your personal data for resetting your credentials.

Personal Data Collected for Verification Purposes

The Company, through its website, collects and uses your Bank Verification Number (BVN) for enabling payouts to vendors in order to serve you satisfactorily. This is the only financial information that the Company collects and uses strictly for the purpose of enabling payouts to vendors. Your BVN is not collected and processed for any other purpose other than to enable payout to vendors.

The Company, through its website, collects your RC number if you are not a natural person (business name, partnership, companies, etc.) to verify your business registration. Your RC number is collected and used only to verify your business registration and any other purpose that is consistent with the purpose of verifying your business registration.

Personal Data Collected to Communicate our Services

We collect personal data such as your mobile number and email address to communicate our services and intimate you about our new terms of service, updated privacy policy, general policies, and other important updates.

Personal Data Collected for fulfilment of purposes

The Company collects personal data when any of the purposes cannot be reasonably fulfilled except by processing data.

Clause 3

On what legal ground(s) do we process your personal data?

The Company collects and uses your personal data only because they are relevant and necessary for the purposes explained in clause 2 of this data privacy policy and to serve you better. Consistent with this, there are legitimate reasons for collecting and processing your personal data. The legal grounds upon which the Company collects and uses your personal data are:

• You are aware that the Company will process your data without disproportionally interfering with the interests and freedom of the data subject.
• You have given the Company your consent after having full knowledge of what and how we will use them.
• You have not withdrawn your consent above even though you are aware that you can freely and easily withdraw it.
• You have/ will give the aforementioned consent by accepting this present privacy policy. Accepting this privacy policy is required before entering the website.
• You are aware that you can always withdraw your consent for the collection and use of your personal data consistent with the purposes in clause 2 of this data privacy policy.
• You are aware that you may request that your data be erased and stop further dissemination and processing of your data. The Company has a duty to do any of these after weighing your request against the public interest in the availability of data.
• You are aware that the Company will seek and obtain your freely given consent if any of your personal data is to be used for any purpose not consistent with the purposes mentioned in clause 2 of this data privacy policy.
• You are aware that your data is processed where it is necessary for the performance of any contract to which you are a party.
• You are aware that your consent is made conditional to perform a service only where consent is necessary to perform the service.
• You are aware that your consent is not needed where processing is necessary for the purposes of the legitimate interests pursued by the Company or by a third party, except where such interests are overridden by the interests of your fundamental rights and freedoms which require protection of personal data.
• You are aware that your data are processed where it is necessary for compliance with a legal obligation to which you are subject.
• You are aware that your data are processed when it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company and Data Controller.
• You are aware that an automated-decision making system is integrated into the website.
• You are aware that the Company will collect your data from the Corporate Affairs Commission for the purpose of verifying your business registration as well as the Central Bank of Nigeria (or any other relevant financial regulatory authority) for the purpose of verifying your BVN.

You may exercise your right to withdraw your consent by contacting the Data Controller at: support@chillsbay.com

Clause 4

How long do we keep your personal data?

Chiilsbay Staff Member (Internal User)

As long as you are a staff member of the Company, your user account remains active and your personal data is therefore retained as if you were a normal customer. However, you can, at any time, ask the Company to terminate your account if you no longer wish to use the service. In this case, your user account, all associated data, and all results will be permanently deleted.

Chillsbay Customer (External User)

The Company only keeps your data for the time necessary to fulfill the purposes in clause 2 so long as you still have an account with the Company. The Company stops keeping and using your data the moment you request that your personal data be erased, and indicate that you no longer wish to use the service or that your personal data are no longer needed to achieve the purpose(s) for which the data were collected initially.

When you indicate that you no longer wish to use the service and/ or that your personal data should be erased, your user account as well as all associated data and results will be deleted permanently from the website.

In addition, unused external user accounts are deleted after a period of inactivity of two (2) years.

Clause 5

How do we protect and safeguard your personal data?

In order to protect your personal data, the Company has put in place a number of technical and organisational measures. Technical measures include appropriate actions to address online security, risk of data loss, alteration of data or unauthorised access, maintenance of confidentiality, and integrity of data, taking into consideration the risk presented by the processing and the nature of the personal data being processed.

There’s a database backup that runs at intervals to ensure that your data is not lost, corrupted, or unnecessarily interfered with.

Where there is a likely risk to your personal data, the Company conducts a preliminary impact assessment to identify the risks and integrate into its system technical measures that guarantee the security of your personal data.

Organisational measures include restricting access to personal data solely to authorised persons with a legitimate need to know for the purpose of the processing operations.

Privacy by design is the policy that underpins the Company’s security architecture such that the Company has integrated data protection safeguards in the entire architecture of information systems and other technology used to process your data. Thus, we conduct an impact assessment at regular intervals as reasonably, and commercially required to determine the likely risks to your rights as a user.

The security of your personal data is important to us but remember that no method of transmission over the Internet, or method of electronic storage, is 100% secure. While we strive to use the best available means to protect your personal data, we cannot guarantee its absolute security.

Clause 6

Who has access to your personal data and to whom is it disclosed?

Access to your personal data is provided to the Company staff responsible for carrying out the processing operations for the purposes in clause 2 and to authorised staff according to the “need-to-know” principle. Such staff abide by statutory, and when required, additional confidentiality agreements.

The Company also grants access to your personal data such as your BVN and RC Number to third parties such as the Corporate Affairs Commission (for the purpose of verifying your registration), the Central Bank of Nigeria (or any other relevant financial regulatory authority), and third-party contractors (as may be necessary) through a backend integration.

As a result, the staff and/ or independent contractor managing the Company’s website as well as the above-mentioned regulatory authorities have access to your personal data.

The Company will share your personal data with third parties for direct marketing. In other words, the Company will use your personal data to contact you with newsletters, SMS, and emails for marketing or promotional purposes. The Company may also use your email address to contact you with information or updates regarding developments in the Company that may likely affect you.

The information we collect will not be given to any third party, except to the extent and for the purpose stated in this data privacy policy or as we may be required to do so by law.

The Company acts in line with the principle of minimality such that access to your personal data granted to third parties is proportionate to the quantum of personal data needed to achieve specific purposes.

Clause 7

What are your rights and how can you exercise them?

You have specific rights as a ‘data subject’ under the Nigerian Data Protection Act. The following are your specific rights:

• The right to access your personal data.
• The right to request and obtain your stored data in an electronic form without constraint and at no cost provided that where providing the stored data would impose unreasonable cost on the Company, the Company may require you to bear all the costs.
• To rectify them by sending a request to the Data Controller at support@chillsbay.com, in case your personal data are inaccurate or incomplete.
• Where applicable, you have the right to erase your personal data by sending a request for this purpose to the Data Controller at support@chillsby.com. This is subject to the legal duty of the Company to erase your data only after weighing your request against the public interest in the availability of the data requested to be erased.
• To restrict the processing of your personal data for a particular duration or permanently by sending a request for this purpose to the Data Controller at support@chillsbay.com.
• To object to the processing of your personal data knowing that your account may likely be deleted upon the grant of this request by the Company.
• A right of data portability which means that you can share your data among different Data Controllers and the Company will not, through its act or omission, stop or frustrate you from being able to do so.
• The right to lodge complaints on the handling of your data to the Company via support@chillsbay.com
• The right to lodge complaints on the handling of your data to the Commission.
• The right to be notified by the Company in a clear, concise language of any data security breach within seventy-two (72) hours of the breach.
• Other rights that may not be specified in this Clause but which have been incorporated in other clauses in this Data Privacy Policy.

You can exercise your rights by contacting the Data Controller, or, in case of conflict, the Commission.

This Privacy Policy will remain in effect except with respect to any changes in its provisions in the future, which will be in effect immediately after being posted on the website and accepted by the user. In case of any changes to this Privacy Policy, we will notify you by placing a prominent acceptation message on the website immediately after the login. You will be requested to read and accept the new Privacy Policy.

Clause 8

Our policy on the use of cookies

To make the Company’s websites work properly, we sometimes place small data files called cookies on your device. Thus, our website uses cookies to afford you a better browsing experience.

8.1. What are cookies?

A cookie is a small text file that a website stores on your computer or mobile device when you visit the site. Cookies can be first-party or persistent. First-party cookies are cookies set by the website you are interacting with which only that website can read. Persistent cookies are cookies that are retained on your devices even after exiting a browser for the purpose of tracking your activities online.

Every time you visit the Company’s website, you will be prompted to accept or refuse cookies. The purpose is to enable the website to remember your preferences (such as username) for a certain period of time. This helps the website to remember you and save you from the stress of re-entering your details whenever you come on the website.

8.2. How do we use cookies?

We use cookies to operate and provide our services, including to provide our services that are web-based, improve your experiences, understand how our services are being used, and customize them. The Company’s website mostly use “first-party cookies”. These are cookies set and controlled by the Company, not by any external organisation. However, to view some of our pages, you will have to accept cookies from external organisations.

8.2. Purposes of Using Cookies

The Company uses first-party cookie to:

• store visitor preferences;
• make our website operational;
• gather analytics data (about user-behaviour); and
• Visitor preferences.

These are set by us and only we can read them.

8.3. How can you manage cookies?

You can manage cookies on our website in the following manner:

• Removing cookies from your device;
• You can delete all cookies that are already on your device by clearing the browsing history of your browser. This will remove all cookies from all websites you have visited. Be aware though that you may also lose some saved information (e.g. saved login details, site preferences);
• Managing site-specific cookies;
• You can set most modern browsers to prevent any cookies being placed on your device, but you may then have to manually adjust some preferences every time you visit the Company’s website. Also, some services and functionalities may not work properly at all;
• Blocking cookies

Clause 9

Assignment, change of control, and transfer

In the event that we are involved in a merger, acquisition, restructuring, bankruptcy, or sale of all or some of our assets, we will share your information with the successor entities or new owners in connection with the transaction in accordance with applicable data protection laws.

Clause 10

Updates to our policy

We are likely to amend our data privacy policy from time to time to guarantee the security of your data, protect your interest and freedom, and comply with any legal directive. We will provide you a notice of the amendments as appropriate. Please do review our policy from time to time.

Clause 11

Contact information

11.1. The Data Controller

If you would like to exercise your rights under the Nigerian Data Protection Act; or if you have comments, questions, or concerns; or if you would like to submit a complaint regarding the collection and use of your personal data, please feel free to contact the Data Controller via support@chillsbay.com.

11.2. The Commission

You have the right to lodge a complaint about any breach or possible breach of your rights to data privacy by the processing of your personal data by the Company within the confines of the law to the Commission.

The Commission acts as an independent supervisory authority. The Commission makes sure that all data controllers and processors in Nigeria and bodies respect people’s right to privacy when processing their personal data.