Privacy Policy
1) Scope
This policy explains how we collect, use, disclose, transfer and protect personal data of candidates, client contacts, referees, suppliers, and website visitors under the Nigeria Data Protection Regulation (NDPR) and, where we target or monitor people in the EEA/UK, the GDPR. The NDPR requires a conspicuous privacy policy covering consent, what we collect, purposes, methods (including cookies), third-party access and redress.
2) What we collect
- Identity & contact: name, email, phone, address, role, company.
- Career & placement data: CV/resume, skills, qualifications, work history, compensation expectations, interview notes, references, right-to-work/ID (where lawful/necessary).
- Client & supplier data: business contacts, contracts, billing.
- Technical/usage: IP address, device identifiers, pages viewed, referring URLs, cookie IDs and consent choices (see Cookie Policy). NDPR expects cookie purpose, who’s responsible, and how to withdraw consent.
- Marketing preferences & communications (opt-ins/outs, emails).
3) How we collect it
- Directly from you (forms, uploads, email, calls, interviews).
- From public sources and referees you nominate.
- From clients during an active hiring process.
- Automatically via our website (cookies/SDKs/analytics) with clear notice and consent where required.
4) Lawful bases & purposes
We rely on one or more of: consent, contract, legal obligation, vital interests, public interest/official mandate (NDPR and GDPR). Under GDPR we may also rely on legitimate interests (e.g., service improvement/fraud prevention) but NDPR does not list legitimate interests — in NDPR contexts we use another lawful basis or obtain consent.
Typical purposes:
- Recruitment delivery: sourcing, shortlisting, presenting to clients, interviews, offer support (contract/consent).
- Compliance & verification: right-to-work, references (legal obligation/contract).
- Service security & improvement: diagnostics, anti-fraud (legitimate interests (GDPR); consent/contract (NDPR)).
- Marketing: newsletters, updates (consent; freely given, informed, unbundled, with easy withdrawal).
Automated decisions: We do not make solely automated decisions that produce legal or similarly significant effects without appropriate safeguards and consent where required.
5) Children & special categories
Our services target adults. If processing targets children (<13), we provide child-friendly notices and obtain appropriate consent.
6) Sharing & processors
We share data only as needed and under written, NDPR/GDPR-compliant terms:
- Client employers (evaluation/selection).
- Background/verification providers (where lawful/necessary).
- Cloud/IT vendors (hosting: Zoho Corporation; ATS: Zoho Recruit; analytics: Google Analytics) under contracts addressing instructions, confidentiality, security, sub-processors, and audit rights.
7) International transfers
When transferring data outside Nigeria/EEA/UK we use recognised safeguards: adequacy/White List, Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or explicit consent (documented). We keep a record of destination countries, safeguards, and encryption methods. Nigeria’s White List is coordinated by NITDA/AGF; if a destination is not on the White List, we rely on documented exceptions under NDPR Article 2.12.
8) Retention & deletion
If not set by law/contract, NDPR’s Framework guides retention to:
- 3 years after last active use of a digital platform; or
- 6 years after last contractual transaction;
- earlier deletion on a valid request where no lawful exception applies.
We securely destroy data beyond retention and keep evidence of destruction.
9) Security
We maintain technical and organisational measures (access controls, MFA, encryption in transit/at rest, secure development, logging/monitoring, training, vendor due-diligence, DR/BCP). The Framework references alignment with recognised standards (e.g., ISO/IEC 27001).
10) Your rights
You may request access, rectification, erasure, restriction and portability, and you may withdraw consent at any time (for consent-based processing/marketing). Under GDPR you may also object where we rely on legitimate interests. We provide simple, free ways to object to marketing as NDPR requires. Contact: legal@erecruiterafrica.com.
11) DPIAs, DPO & audits
We conduct DPIAs for high-risk processing (profiling, automated decisions with significant effects, systematic monitoring, sensitive data, innovative tech). A Nigeria-based DPO is required where triggers apply (e.g., >10,000 data subjects annually, regular sensitive data). Controllers processing >2,000 data subjects in the prior 12 months file an annual NDPR audit via a licensed DPCO.
12) Breaches & complaints
We self-report qualifying personal data breaches to NITDA within 72 hours and notify affected individuals where high risk is likely. NITDA’s required content elements for notifications are adopted in our incident plan. You may also complain to NITDA or your local authority.
13) Contact & updates
eRecruiter Africa Ltd • 6th Floor, 103 Allen Avenue, Ikeja, Lagos • legal@erecruiterafrica.com
We may update this policy; the latest version will be posted here with a new effective date.
Annex — Public summary of our processing records
| Processing | Categories | Purpose | Lawful basis | Recipients | Cross-border transfers | Retention |
| --- | --- | --- | --- | --- | --- | --- |
| Candidate sourcing & placement | Identity/contact; CV; interview notes | Recruit, shortlist, present, support offers | Contract / Consent | Client employers; referees; IT vendors | Adequacy / SCCs / BCRs | 3 yrs last activity / 6 yrs post-contract |
| Client management & billing | Contact; contract; invoices | Service delivery, invoicing, compliance | Contract / Legal obligation | Banks, advisers | As needed with safeguards | 6 yrs |
| Site analytics (consent) | IP, device, usage, cookie ID | Improve UX/performance | Consent | Google Analytics | As needed with safeguards | Per Cookie Policy |

