Privacy Policy

LEEMA INVESTMENT LIMITED

(Identity Verification Service Provider - Nigeria)

Effective Date: 1 January 2024

Last Updated: 1 January 2026

1. Policy Statement

Leema Investment Limited ("LeemaID", "the Company", "we", "us", or "our") operates as an Identity Verification Service Provider (IVSP) within the Nigerian digital identity ecosystem. In the course of delivering identity authentication, verification, and related compliance services, we process personal data and, in certain instances, sensitive personal data.

We are firmly committed to safeguarding personal data in full compliance with the Nigeria Data Protection Act (NDPA 2023), all applicable regulations and guidelines issued by the National Identity Management Commission (NIMC), relevant subsidiary data protection regulations and sectoral compliance frameworks, and internationally recognized data protection principles, including standards reflected in the EU General Data Protection Regulation (GDPR). Our information security architecture is designed in alignment with globally accepted standards, including ISO/IEC 27001.

We acknowledge that identity data, including National Identification Number (NIN) information and biometric attributes, constitutes highly sensitive personal data. Accordingly, we apply enhanced technical, organizational, and governance controls to ensure its confidentiality, integrity, and availability.

2. Role Within the Identity Ecosystem

Depending on the nature of a particular engagement, Leema Investment Limited may act as a Data Controller, a Data Processor, or an authorized verification partner/service integrator.

Where we determine the purpose and means of processing personal data, we act as a Data Controller. Where we process personal data strictly on behalf of a client and in accordance with documented instructions, we act as a Data Processor. Where services require access to identity validation infrastructure, we function as an authorized verification partner or service integrator, interfacing with NIMC-approved APIs or identity verification frameworks.

We do not own, control, or replicate the National Identity Database (NIDB). All NIN records remain under the custody, control, and regulatory authority of NIMC.

3. Scope of the Policy

This Policy applies to all personal data processed by Leema Investment Limited in connection with identity verification services. It binds all employees, directors, contractors, consultants, vendors, subprocessors, and technology partners who process personal data on our behalf. It also applies to all platforms, digital applications, APIs, databases, and systems deployed or managed by the Company.

4. Legal Basis for Processing

We process personal data strictly on lawful grounds recognized under the NDPA 2023. These include explicit consent of the data subject, performance of a contractual obligation, compliance with a legal obligation, legitimate interests pursued by the Company (subject to a documented balancing test), and public interest or statutory authorization where applicable. Where NIN-based verification services are involved, processing is strictly limited to purposes authorized under applicable NIMC integration agreements and governed by valid user consent protocols and regulatory approvals.

5. Purpose of Processing

Personal data is collected and processed solely for legitimate, specific, and transparent purposes. These include identity verification and authentication, Know Your Customer (KYC) and Anti-Money Laundering (AML) compliance, lawful voter or membership verification activities, fraud detection and risk mitigation, regulatory compliance, and client-authorized identity confirmation. Where marketing or promotional communication is undertaken, it is based on separate and explicit consent. We do not process identity data for unrelated profiling, behavioral surveillance, or any unauthorized secondary use inconsistent with the original purpose of collection.

6. Categories of Personal Data Processed

Depending on the nature of the service provided, we may process basic identity data such as full name, date of birth, gender, address, and contact details. We may process government-issued identity data including National Identification Number (NIN), Voter Identification Number (VIN), or other official identification details where lawfully required. Where enhanced verification is necessary, we may process biometric or sensitive data such as facial images for facial matching, fingerprint confirmation where applicable, and liveness detection indicators. In addition, technical and security-related data such as IP addresses, device identifiers, system logs, and timestamped authentication records may be processed to ensure platform security and audit integrity.

7. NIN and NIMC-Specific Compliance

Where services involve NIN verification, Leema Investment Limited operates strictly within the regulatory framework established by NIMC. Access to NIN validation services is conducted exclusively through authorized and approved integration channels or licensed partners. We do not store full NIN records beyond what is legally permissible and operationally necessary. Where identity verification responses are displayed or transmitted, NIN details may be masked, such as displaying only the last four digits, in accordance with data minimization principles. We do not replicate, download, or maintain local copies of the National Identity Database. Biometric data, where processed for authentication purposes, is used strictly for verification and is not retained longer than necessary under applicable law or regulatory guidance. All API interactions and NIN-related transactions are logged in a secure and auditable manner to ensure regulatory traceability and compliance oversight.

8. Consent Management

Where consent forms the legal basis for processing, it is obtained in a manner that is explicit, informed, specific, and freely given. Consent is documented and time-stamped to provide evidentiary assurance. Data subjects may withdraw consent at any time, and withdrawal mechanisms are designed to be straightforward and accessible. Separate consent is obtained for optional marketing communications. In cases involving minors, parental or lawful guardian consent is obtained in accordance with applicable legal requirements.

9. Data Minimization and Purpose Limitation

We adhere strictly to the principles of data minimization and purpose limitation. Only the minimum data necessary for the defined verification purpose is collected and processed. We do not collect excessive attributes, retain raw biometric templates unnecessarily, or store identity data beyond regulatory or contractual requirements.

10. Data Security Measures

Leema Investment Limited implements robust technical and organizational safeguards to protect personal data. These include encryption of data both in transit and at rest, role-based access control mechanisms, multi-factor authentication for privileged system access, secure API gateways, periodic vulnerability assessments, penetration testing, and continuous security monitoring through appropriate incident detection systems. Secure cryptographic key management practices, data tokenization, masking protocols, and periodic independent security audits further strengthen our security posture. Our systems are engineered in accordance with Privacy by Design and Security by Default principles.

11. Data Retention

Personal data is retained only for as long as necessary to fulfill the purpose for which it was collected, meet regulatory audit requirements, or comply with contractual obligations. Retention schedules are formally documented and subject to periodic review. When data is no longer required, it is securely deleted, anonymized, or irreversibly destroyed using approved disposal methods.

12. Data Sharing and International Transfers

Personal data is shared only with authorized clients under binding Data Processing Agreements, with regulatory authorities where legally required, or with approved subprocessors operating under strict contractual and security controls. Where cross-border transfers are necessary, they are conducted only where adequate safeguards exist, including recognized adequacy decisions, standard contractual clauses, or regulatory approvals as required under the NDPA 2023.

13. Data Subject Rights

In accordance with the NDPA 2023, data subjects have the right to request access to their personal data, request rectification of inaccurate information, seek erasure where legally permissible, restrict or object to processing in certain circumstances, request data portability where applicable, and withdraw consent where processing is consent-based. All such requests are handled promptly and within statutory timelines.

14. Data Breach Management

In the event of a personal data breach, Leema Investment Limited activates its formal Incident Response Plan. The Company undertakes immediate containment and mitigation measures, conducts impact assessments, and notifies the Nigeria Data Protection Commission (NDPC) where required by law. Affected data subjects are notified where the breach presents a high risk to their rights and freedoms. All incidents are documented together with remedial actions taken.

15. Employee Confidentiality and Training

All employees and contractors are bound by confidentiality obligations. Mandatory and periodic data protection training is provided to ensure awareness of legal responsibilities and security best practices. Access to personal data is restricted in accordance with the principle of least privilege, and background screening is conducted for personnel occupying sensitive roles.

16. Governance Structure

Leema Investment Limited maintains a formal data protection governance framework, including the appointment of a designated Data Protection Officer (DPO), the establishment of internal oversight mechanisms, periodic Data Protection Impact Assessments (DPIAs) for high-risk processing activities, documented Records of Processing Activities (RoPA), and routine compliance audits.

17. Automated Decision-Making

Where identity verification services involve automated matching or scoring mechanisms, appropriate safeguards are implemented. Human oversight mechanisms exist to review automated decisions where necessary. Algorithms are periodically tested to assess fairness, accuracy, and absence of discriminatory bias.

18. Children's Data

We do not knowingly process children's personal data without lawful authorization and verifiable parental or guardian consent in accordance with applicable legislation.

19. Accountability and Record Keeping

We maintain comprehensive records of processing activities, executed Data Processing Agreements, vendor risk assessments, audit trails for identity verification queries, and NIMC integration logs. These records support regulatory compliance, audit readiness, and internal governance oversight.

20. Contact Information

Data Protection Officer (DPO)

Leema Investment Limited

Email: [email protected]

Phone: 08160476945

Address: Suite 11, Shalom Plaza, Plot 1088, Joseph Gomwalk Way, Gudu District, Abuja, FCT.

Data subjects may also lodge complaints with the Nigeria Data Protection Commission (NDPC) where they believe their data protection rights have been infringed.

21. Policy Review

This Policy is reviewed at least annually and may be updated in response to regulatory changes, updates in NIMC compliance requirements, system deployments, material risk events, or operational restructuring. Any amendments shall take effect upon publication of the updated version.