Ignitech Academy ("Ignitech", "we", "us", or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains what personal data we collect when you use ignitechacademy.org and our learning platform (the "Service"), why we collect it, who we share it with, and the rights you have under the Nigeria Data Protection Act, 2023 (the "NDPA") and its General Application and Implementation Directive, 2025 (the "GAID").
Plain-language summary: We collect what we need to run your account, deliver courses, and process payments. We use Supabase to store your account data and Paystack to handle payments — we never see or store your full card details. We do not sell your data. You can access, correct, export, or delete your data at any time, and you can complain to the Nigeria Data Protection Commission if you're unhappy with how we handle it.
1Who we are (the data controller)
For the purposes of the NDPA, Ignitech Academy is the data controller of the personal data described in this policy — meaning we determine why and how your data is processed. Our service providers, such as our hosting and payment partners, act as data processors on our behalf (and, in the case of payments, as independent controllers of certain data).
- Entity: Ignitech Academy
- Registered office: Osogbo, Osun State, Nigeria
- Email: privacy@ignitechacademy.com
- Data Protection contact: dpo@ignitechacademy.com
If we process the personal data of more than 200 data subjects within any six-month period, we may qualify as a Data Controller of Major Importance (DCMI) under the GAID and will register with, and file Compliance Audit Returns to, the Nigeria Data Protection Commission (NDPC) as required.
2Scope and the law that applies
This policy applies to personal data we process about visitors, registered learners, instructors, and people who contact us. Because we are based in Nigeria and offer our Service to data subjects in Nigeria, the NDPA and the GAID apply to our processing. The NDPA also applies to data controllers and processors outside Nigeria who process the personal data of data subjects in Nigeria, so this policy reflects that framework throughout.
We process your personal data in line with the NDPA's core principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity, confidentiality and accountability.
3Personal data we collect
3.1 Data you give us directly
- Account data — your full name, email address, and a hashed password when you register. Authentication is managed through Supabase Auth.
- Profile data — optional details you choose to add, such as a profile photo, biography, country/city, and your learning goals.
- Enrollment & learning data — the courses you enroll in, lessons completed, quiz attempts and scores, progress, and certificates earned.
- Payment data — when you buy a paid course, you enter your card or bank details directly into Paystack's hosted, PCI-DSS-compliant checkout. We receive a transaction reference, the amount, status, the last four digits and card type, and your billing email — we never receive or store your full card number, CVV, or PIN.
- Communications — messages, support requests, and feedback you send us by email, contact form, or the in-app help assistant.
3.2 Data we collect automatically
- Usage data — pages and courses viewed, features used, and actions taken on the Service.
- Device and log data — IP address, approximate location derived from it, browser and device type, operating system, referring pages, and timestamps.
- Cookies and similar technologies — described in our Cookie Policy.
3.3 Sensitive personal data
We do not seek to collect sensitive personal data (such as data revealing health, religion, ethnic origin, or biometric data) in the ordinary course of providing the Service. Please do not submit such data to us unless we specifically request it with a clear lawful basis.
4How we use your personal data
We use your personal data to:
- Create, authenticate, and manage your account;
- Deliver the courses you enroll in and track your progress;
- Issue and verify certificates of completion;
- Process payments, issue receipts, and handle refunds;
- Provide customer support and respond to your enquiries;
- Send service messages (e.g. account, security, and transaction notices);
- Send newsletters, course recommendations, and offers where you have consented, which you can withdraw at any time;
- Understand and improve how the Service is used, and develop new features;
- Protect the Service, detect and prevent fraud and abuse, and keep it secure;
- Comply with our legal and regulatory obligations.
5Lawful basis for processing
Under Section 25 of the NDPA, we rely on one or more of the following lawful bases for each processing activity:
- Contract — to create your account, deliver courses, process payments, and issue certificates (performance of our agreement with you).
- Consent — for marketing emails and non-essential cookies. You may withdraw consent at any time without affecting processing carried out before withdrawal.
- Legitimate interests — to secure and improve the Service, prevent fraud, and understand usage, provided these interests are not overridden by your rights. We carry out a balancing assessment where we rely on this basis.
- Legal obligation — to comply with tax, accounting, and data-protection laws, and to respond to lawful requests from authorities.
6Payments and Paystack
We use Paystack Payments Limited ("Paystack") to process payments for paid courses. When you pay, you are taken to Paystack's secure, hosted checkout, and your card or bank details are submitted directly to Paystack — not to Ignitech. This "hosted gateway" model means card data does not pass through or rest on our servers, which materially reduces our security exposure.
- Paystack is licensed by the Central Bank of Nigeria as a Payment Solution Service Provider and is registered with the Nigeria Data Protection Commission.
- Paystack maintains PCI-DSS Level 1 (v4.0), ISO/IEC 27001:2022, and ISO/IEC 27701:2019 certifications.
- Paystack acts as an independent data controller of the payment data you provide to it. Its handling of that data is governed by its own privacy policy, available at paystack.com/privacy.
- We receive only limited transaction confirmation data (reference, amount, status, card type, last four digits, billing email) so we can fulfil your order and keep accounting records.
Please do not send your full card number, CVV, or bank password to us by email, chat, or any form. We will never ask you for them.
7Data processors and sharing
We do not sell your personal data. We share it only as set out below, and we put appropriate data-processing agreements in place with our processors as required by Section 29 of the NDPA.
| Recipient | Role | What they process | Where |
|---|---|---|---|
| Supabase, Inc. | Processor — hosting, database, authentication, storage | Account, profile, enrollment, and learning data; auth credentials (passwords stored hashed) | AWS region we select (see §8) |
| Paystack Payments Ltd. | Independent controller — payment processing | Card/bank details (entered directly with Paystack), transaction data | Nigeria / Paystack infrastructure |
| Email & analytics providers | Processors — transactional/marketing email and usage analytics | Email address, usage and device data | As stated in their terms |
We may also disclose personal data: to professional advisers (e.g. lawyers, auditors) under confidentiality; to authorities where required by law or valid legal process; and in connection with a merger, acquisition, or asset sale, in which case the recipient will be bound by terms consistent with this policy.
Supabase, Inc. is a US-incorporated company that hosts projects on Amazon Web Services (AWS) in the region selected at project creation. It maintains a SOC 2 programme and a Data Processing Addendum, encrypts data at rest using AES-256, and engages its own sub-processors (including AWS). See supabase.com/legal/dpa.
8International data transfers
Some of our processors, including Supabase and AWS, may store or process your personal data outside Nigeria. Part VIII of the NDPA permits such transfers only where the destination provides an adequate level of protection comparable to the NDPA, or where an appropriate safeguard applies — such as binding corporate rules, standard contractual clauses, a relevant certification, or your explicit consent — or another condition in Section 43 of the NDPA is met.
Where we transfer your data internationally, we rely on the data-processing agreements and standard contractual clauses offered by our processors (for example, the Supabase Data Processing Addendum and the AWS DPA), and we document the basis and safeguards for each transfer as the GAID requires. You may contact us for more information about the safeguards in place for a specific transfer.
9Cookies and similar technologies
We use cookies and similar technologies to keep you signed in, remember your preferences, and understand how the Service is used. In line with Article 19 of the GAID, we obtain your opt-in consent before setting non-essential cookies. You can manage your choices at any time. Full details are in our Cookie Policy.
10How we protect your data
We apply technical and organisational measures appropriate to the risk, including:
- Encryption of data in transit (HTTPS/TLS) and at rest within our hosting infrastructure;
- Passwords stored only as salted hashes — never in plain text;
- Role-based access controls, so staff access data only on a need-to-know basis;
- Use of certified providers (Paystack: PCI-DSS, ISO 27001/27701; Supabase: SOC 2, AES-256 at rest);
- Logging, monitoring, and regular review of our security practices.
No method of transmission or storage is completely secure, so while we work hard to protect your data, we cannot guarantee absolute security.
11Data breach notification
We maintain a breach response procedure and a breach register. In line with Section 40 of the NDPA and Article 33 of the GAID, where a personal data breach occurs we will notify the Nigeria Data Protection Commission without undue delay and, where feasible, within 72 hours of becoming aware of it. Where a breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly, without undue delay, in clear language, with practical steps you can take.
12How long we keep your data
We keep personal data only as long as necessary for the purposes set out in this policy:
- Account & learning data — for as long as your account is active, and for a reasonable period afterwards to support certificate verification and dispute resolution;
- Transaction records — for the period required by applicable tax and accounting law;
- Marketing data — until you unsubscribe or withdraw consent;
- Support communications — for as long as needed to resolve your matter and meet our legal obligations.
When data is no longer needed, we securely delete or anonymise it.
13Your rights under the NDPA
Subject to the conditions and exemptions in the NDPA, you have the right to:
- Be informed about how your data is processed (this policy);
- Access the personal data we hold about you;
- Rectify inaccurate or incomplete data;
- Erase your data ("right to be forgotten") where a legal ground applies;
- Restrict or object to certain processing, including direct marketing;
- Withdraw consent at any time where we rely on consent;
- Data portability — receive your data in a structured, commonly used, machine-readable format and, where feasible, have it transmitted to another controller;
- Not be subject to a decision based solely on automated processing that significantly affects you, without safeguards.
To exercise any of these rights, email privacy@ignitechacademy.com. We will respond within the timeframe required by the NDPA (generally within 30 days) and may ask you to verify your identity first. Exercising your rights is free, though we may charge a reasonable fee or decline manifestly unfounded or excessive requests, as permitted by law.
14Children's privacy
The Service is intended for users aged 18 and above. Where a learner is between 13 and 17, the NDPA requires the consent of a parent or legal guardian before we process their personal data, and we may ask for verification of that consent. We do not knowingly process the data of children under 13. If you believe a child has provided us with personal data without the required consent, contact us and we will take appropriate steps to delete it.
15Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices or the law. When we make material changes, we will update the "Last updated" date and version above and, where appropriate, notify you by email or through the Service. Your continued use after the changes take effect means you accept the updated policy.
16Contact us & complaints
For any privacy question or to exercise your rights:
- Privacy team: privacy@ignitechacademy.com
- Data Protection contact: dpo@ignitechacademy.com
- General: hello@ignitechacademy.com
- Address: Osogbo, Osun State, Nigeria
You have the right to lodge a complaint with the supervisory authority:
- Nigeria Data Protection Commission (NDPC) — ndpc.gov.ng
This document references the Nigeria Data Protection Act, 2023 and the GAID, 2025 and reflects the practices of a Nigerian education platform using Paystack and Supabase. It is provided for transparency and is not legal advice. Before publishing, have it reviewed by a qualified Nigerian data-protection lawyer or a licensed Data Protection Compliance Organisation (DPCO), and complete any required NDPC registration and Compliance Audit Returns.