Legal · Privacy

Privacy Policy

Last updated: May 2026 · Governed by the Nigeria Data Protection Act 2023

ESGTrack is operated by Finaccx Ltd ("we", "us", "our") — a Nigerian company providing ESG compliance tracking software for petroleum sector companies. This policy explains what personal data we collect, how we use it, who we share it with, and the rights you have under the Nigeria Data Protection Act 2023 (NDPA) and its implementing regulations.

By using ESGTrack, you agree to the practices described here. If you do not agree, please do not use the platform.


1. Who is the Data Controller?

Finaccx Ltd is the Data Controller for personal data processed through ESGTrack. We are responsible for determining how and why your data is processed.

Finaccx Ltd
Nigeria
DPO contact: privacy@finaccx.com

2. What data we collect

We collect only the data required to operate the ESGTrack workspace:

Account identityFull name, work email address, company affiliation, job role
Authentication dataHashed passwords (never stored in plaintext), MFA factors, session tokens, login timestamps
Company workspace dataESG metric entries, supporting documents, reporting periods, assessment responses, compliance notes
Audit eventsWho created, edited, or approved each data record, with timestamps and IP addresses
Security eventsLogin attempts, MFA verifications, password changes, session activity — used to detect and respond to threats
Usage dataPage views, feature interactions via PostHog — anonymised analytics used to improve the product
Error dataCrash reports and performance traces via Sentry — linked to session context, not sold or used for profiling

We do notcollect payment card data, government-issued IDs, biometrics, or children's data. ESGTrack is intended for professional use by adults at registered companies.


3. Why we process your data (legal basis)

Under NDPA 2023, we rely on the following lawful bases:

Contract performanceProcessing your account data and workspace data to deliver the ESGTrack service you contracted for
Legitimate interestsSecurity monitoring, fraud prevention, product analytics, and service improvement — balanced against your rights
Legal obligationRetaining audit logs and security records as required by applicable Nigerian law
ConsentWhere we ask for your explicit consent (e.g. optional marketing communications) — always revocable

4. Third-party data processors

We share your data only with vetted sub-processors who are contractually bound to process it solely on our instructions, under Data Processing Agreements (DPAs) consistent with the NDPA:

ProcessorDomainPurposeLocationSafeguard
Railwayrailwayapp.comBackend application hostingEUSCCs + DPA
Supabasesupabase.comDatabase, authentication, and file storageEUDPA
Anthropicanthropic.comAI-assisted report drafting (optional feature)EUDPA
Resendresend.comTransactional email deliveryEUDPA
Sentrysentry.ioError monitoring and performance tracingEUDPA
PostHogposthog.comPrivacy-first product analytics (EU cloud)EUDPA
Vercelvercel.comFrontend hosting and edge deliveryEUDPA

We do not sell your personal data to any third party, ever.


5. International data transfers

Our processors are based in the European Union. When your data is transferred outside Nigeria, we ensure adequate safeguards are in place through Standard Contractual Clauses (SCCs) issued by the Nigerian Data Protection Commission (NDPC), or equivalent transfer mechanisms recognised under NDPA 2023 Section 43.


6. Data retention

Account dataRetained for the duration of your active subscription, plus 24 months after termination to support regulatory audit requirements
ESG metric entries and documentsRetained for 7 years from the reporting period end date — aligning with FRC Nigeria and IFRS S1/S2 audit trail obligations
Security and audit logsRetained for 24 months from the event date
Deleted dataSoft-deleted entries are permanently purged after 30 days
BackupsDatabase backups are retained for 30 days on a rolling basis

7. Your rights under the NDPA 2023

As a data subject, you have the following rights, which you can exercise by emailing privacy@finaccx.com:

Right of access (S.34)Obtain a copy of the personal data we hold about you
Right to rectification (S.35)Correct inaccurate or incomplete data
Right to erasure (S.36)Request deletion of your data where there is no overriding legal basis to retain it
Right to data portability (S.37)Receive your data in a structured, machine-readable format
Right to restrict processing (S.38)Request that we limit how we use your data in specific circumstances
Right to object (S.39)Object to processing based on legitimate interests
Right to withdraw consentWhere processing is based on consent, withdraw it at any time without affecting prior processing

We will respond to all verifiable requests within 30 days. There is no charge for exercising your rights unless the request is manifestly unfounded or excessive.


8. Security measures

We apply the following technical and organisational measures to protect your data:

  • All data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • Row-Level Security (RLS) enforced in the database — each company can only access its own data
  • Multi-factor authentication (MFA) available and encouraged for all users
  • JWT-based access control with short-lived tokens (8-hour expiry)
  • Content Security Policy (CSP) and strict security headers on all responses
  • Audit trail for every create, update, and approval action in the workspace
  • Rate limiting on login and authentication endpoints
  • Regular penetration testing and OWASP ZAP scans before each major release

9. Cookies and tracking

ESGTrack uses first-party cookies to maintain your authenticated session. These are strictly necessary for the service to function and do not require consent under NDPA. We do not use third-party advertising cookies or cross-site tracking pixels.

PostHog analytics runs in privacy-first mode — IP addresses are anonymised, no fingerprinting is used, and data is stored on PostHog's EU cloud. You can opt out by contacting us at privacy@finaccx.com.


10. Changes to this policy

We may update this policy to reflect changes in our practices or applicable law. When we make material changes, we will notify active users by email at least 14 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of ESGTrack after the effective date constitutes acceptance.


11. Complaints and the NDPC

If you are unhappy with how we handle your personal data, please first contact our Data Protection Officer at privacy@finaccx.com. We will investigate and respond within 30 days.

If you remain dissatisfied, you have the right to lodge a complaint with the Nigerian Data Protection Commission (NDPC):

Nigerian Data Protection Commission (NDPC)
Website: ndpc.gov.ng
Email: info@ndpc.gov.ng