NDPR Compliance Notice

Chipon Alert — Preventive Safety Intelligence Platform

Date: 29 March 2026
Last Updated: 29 March 2026
Effective Date: 1 April 2026

1. Introduction and Scope

This Data Protection Notice ("Notice") sets out how Tanta Innovative Limited ("we," "us," "our," "the Company," or "Data Controller") collects, processes, uses, and protects personal data in connection with the Chipon Alert mobile application (iOS and Android) (the "App").

Chipon Alert is a preventive safety intelligence platform that provides real-time safety information, community-sourced incident alerts, route safety scoring, neighborhood intelligence, and safety heatmaps to help users make informed decisions about their safety and movement within Nigerian cities.

This Notice is issued in accordance with the Nigeria Data Protection Act 2023 (the "Act") and applies to all users of the Chipon Alert App and all personal data processed by the Company in connection with the App. The Act replaced the Nigeria Data Protection Regulation (NDPR) 2019 and establishes the legal framework for personal data protection in Nigeria.

2. Data Controller Identification

Tanta Innovative Limited is the Data Controller for all personal data collected and processed through the Chipon Alert App. The parent company, Jyv Tech LLC, is a joint controller for certain cross-border processing activities and analytics (subject to a Data Processing Agreement with Tanta Innovative Limited).

3. Lawful Basis for Data Processing

The Company processes personal data only where there is a lawful basis under the Nigeria Data Protection Act 2023. The lawful bases applicable to Chipon Alert are:

3.1 Consent

Basis: User's freely given, specific, informed, and unambiguous consent
Processing Activities:

• Location data collection (when app is in active use)
• Push notifications (for proximity-based safety alerts)
• Community incident reporting and verification
• Marketing communications and feature announcements
• Analytics and usage data collection (non-safety critical)

Mechanism: Explicit opt-in during onboarding and in-app permission requests (iOS/Android OS-level location permissions). Users may withdraw consent at any time in Settings > Notification Preferences.

3.2 Contractual Necessity

Basis: Performance of the contract to provide the App
Processing Activities:

• Phone number verification (OTP-based authentication)
• User account creation and maintenance
• Real-time incident data synchronization
• Route optimization and safety scoring
• Push notification delivery
• Incident photo storage (S3)

3.3 Legal Obligation

Basis: Compliance with Nigerian law
Processing Activities:

• Data breach notification to NDPC (within 72 hours)
• Record-keeping for regulatory audit (minimum 3 years)
• KYC/identity verification (if future payment features are introduced)
• Cooperation with law enforcement requests

3.4 Vital Interests

Basis: Protection of the data subject's life or safety
Processing Activities:

• Processing emergency safety alerts without prior consent (critical incidents)
• Location data use to identify users in high-risk zones during active crises
• Emergency contact notification (future phase — with parental consent for minors)

3.5 Public Interest

Basis: Public safety and disaster response in Nigeria
Processing Activities:

• Aggregated, anonymized incident heatmaps for public display
• Real-time alert dissemination for mass casualty events or natural disasters
• Data sharing with emergency response agencies (NEMA, state authorities) — only with explicit legal notice

3.6 Legitimate Interests

Basis: The Company's legitimate interests, balanced against user rights
Processing Activities:

• App security and fraud prevention
• Incident data verification and trust scoring
• Platform analytics (feature usage, bug detection, performance optimization)
• User behavior analysis to improve safety recommendations (aggregated, pseudonymous where possible)

4. Categories of Personal Data Processed

The Company collects and processes the following categories of personal data:

4.1 Identity Data

• Phone number (for OTP-based registration, not stored permanently unless user opts in)
• Full name (optional, user-provided)
• Avatar/profile image (optional, user-uploaded)
• Username (unique identifier, optional user-chosen)

4.2 Contact Data

• Email address (optional, for account recovery and notifications)
• Device contact list (only if user grants explicit permission for emergency contacts — future feature)

4.3 Location Data

• Real-time GPS coordinates (while app is in active use)
• Neighborhood/area tags (user's current city, district)
• Saved locations (home, work, school, frequent destinations)
• Route history (origin and destination for route planning — pseudonymized after 30 days)

4.4 Safety and Incident Data

• Incident reports submitted (date, time, location, category, severity, description, photos)
• Incident reactions (upvotes, verification status, confirmation)
• Historical incident data (aggregate safety scores for areas)

4.5 Device Data

• Device identifier (IDFA on iOS, AAID on Android)
• Device model and OS version (for app compatibility)
• Device push notification token (for FCM delivery)
• IP address (inferred from API requests)
• User-agent string (browser/app version info)
• Crash and error logs (for stability analysis)

4.6 Preference and Behavioral Data

• Notification settings (categories, quiet hours, radius thresholds)
• Language preference (English, Pidgin, Hausa, future locales)
• Theme preference (light/dark mode)
• Search history (locations searched — retained for 7 days)
• Feature usage patterns (time spent, screens accessed, anonymized)

4.7 Analytics Data

• Session duration and frequency
• Feature interaction heatmaps (which buttons/screens are used)
• App performance metrics (load time, crash rate, data usage)
• Aggregated map interactions (zoom levels, center points — heatmapped, not individual)

4.8 Sensitive Data (Special Category)

Location data is classified as sensitive personal data under the Nigeria Data Protection Act 2023 because:

• It can reveal patterns of movement, habits, and presence/absence from home
• It is particularly vulnerable to misuse (stalking, burglary, persecution)
• It is combined with incident severity data, creating inferences about risk tolerance and vulnerability

Biometric data is NOT collected (face/fingerprint authentication not supported in v1).

5. Purpose of Processing

Each processing activity is mapped to its lawful basis and stated purpose:

5.1 App Core Functionality

5.2 Safety & Verification

5.3 Platform Operations

5.4 Compliance & Legal

5.5 User Experience & Analytics

6. Data Subject Rights Under the Nigeria Data Protection Act 2023

Every individual has the following rights regarding their personal data, which can be exercised by contacting the Data Protection Officer at dpo@chiponalert.com.

6.1 Right of Access

You have the right to:

• Obtain confirmation of whether your personal data is being processed
• Receive a copy of your personal data in a structured, commonly used, machine-readable format
• Know the purposes of processing, categories of data, and recipients

Timeline: 14 days from receipt of request
How to exercise: Email dpo@chiponalert.com with "Data Subject Access Request" in subject line, including your phone number or username.

6.2 Right to Rectification

You have the right to:

• Correct inaccurate or incomplete personal data
• Have the Company update your profile information
• Request correction of location data or incident reports

Timeline: 14 days for correction; subsequent systems updated within 30 days
How to exercise: Email dpo@chiponalert.com with details of the data to be corrected. In-app, you may edit your profile, location history, and incident reports directly.

6.3 Right to Erasure ("Right to Be Forgotten")

You have the right to request deletion of your personal data when:

• The data is no longer necessary for the purpose collected
• You withdraw consent (for consent-based processing)
• You object to processing and there is no overriding legitimate interest
• The data has been unlawfully processed
• Legal obligation requires deletion

Exceptions (data will NOT be deleted if needed for):

• Compliance with legal obligations (e.g., fraud investigation, regulatory records)
• Establishment, exercise, or defense of legal claims
• Active incident verification (safety-critical incidents retained for 180 days minimum)
• Public interest (anonymized incident heatmaps)

Timeline: 14 days; safety-critical data may be retained as outlined above
How to exercise: Email dpo@chiponalert.com with "Data Erasure Request" in subject line.

6.4 Right to Restrict Processing

You have the right to:

• Limit processing of your data while a dispute is resolved
• Have your data "suspended" rather than deleted during verification
• Restrict location tracking while maintaining app functionality (via Settings)

When you can request restriction:

• You contest the accuracy of the data (until verified)
• You believe processing is unlawful but do not want erasure
• You believe your vital interests override the Company's interests
• You have objected to processing pending Company review

Timeline: 14 days
How to exercise: Email dpo@chiponalert.com with "Data Processing Restriction Request."

6.5 Right to Data Portability

You have the right to:

• Receive your personal data in a structured, commonly used, machine-readable format (JSON/CSV)
• Transmit that data to another service provider without hindrance
• Request direct transfer to a third-party (if technically feasible)

Data included: Profile info, location history (anonymized route patterns), incident reports you submitted, notification preferences

Timeline: 14 days
How to exercise: Email dpo@chiponalert.com with "Data Portability Request" in subject line.

6.6 Right to Object

You have the right to:

• Object to processing based on legitimate interest or public interest
• Opt out of marketing communications and analytics immediately
• Object to automated decision-making (future feature if implemented)

Examples of objection:

• "I do not want my location data used for analytics" → Granted (switch off analytics in Settings)
• "I do not want my incident reports used in public heatmaps" → Granted (reports anonymized or hidden)
• "I do not want push notifications based on my location" → Granted (disable in Notifications settings)

Timeline: 14 days; objection takes effect immediately for non-essential processing
How to exercise: Email dpo@chiponalert.com with "Objection to Processing" in subject line, or adjust Settings in-app.

6.7 Right to Withdraw Consent

You have the right to:

• Withdraw consent at any time, with effect from the moment of withdrawal
• Use the app with reduced functionality after withdrawal (no location-based alerts, no community features)

How to exercise: In-app, go to Settings > Notification Preferences > Withdraw Consent. Or email dpo@chiponalert.com with "Consent Withdrawal" in subject line.

Effect of withdrawal:

• Location services disabled
• Incident reporting disabled (you cannot submit new reports, but past reports remain published unless you request erasure)
• Push notifications paused
• Non-essential analytics stopped

7. How to Exercise Your Rights

7.1 Formal Rights Request Process

Step 1: Submit Request

• Email: dpo@chiponalert.com
• Subject line: Specify the right (e.g., "Data Subject Access Request", "Right to Erasure Request")
• Include: Your registered phone number or username, details of the request, preferred response format

Step 2: DPO Acknowledgment

• You will receive acknowledgment within 2 business days
• DPO will confirm receipt and provide a reference number

Step 3: Investigation & Response

• The DPO will investigate and prepare a substantive response within 14 calendar days
• Extensions: If the request is complex or requires third-party verification, the DPO may request an additional 14-day extension (communicated within the first 14 days)

Step 4: Response Delivery

• Response delivered via email or in-app notification (your choice)
• Includes decision, reasoning, and further steps if applicable

7.2 Timeline and Compliance

7.3 Exemptions & Limitations

The Company may refuse or partially limit a rights request if:

• The request is manifestly unfounded or excessive (e.g., repetitive requests from the same user within 30 days)
• Granting the request would reveal personal data of another individual
• Granting the request would compromise ongoing legal proceedings
• The request conflicts with a legal obligation (e.g., data breach investigation, law enforcement holds)

In such cases, the DPO will explain the refusal and inform you of your right to lodge a complaint with the NDPC.

8. Data Protection Impact Assessment (DPIA)

8.1 DPIA Status

Location data and incident safety information are high-risk personal data under the Nigeria Data Protection Act 2023. The Company has conducted a Data Protection Impact Assessment (DPIA) for:

1. Real-time Location Tracking

   • Risk: Stalking, burglary, political persecution, intimate partner violence
   • Mitigation: Data minimization (location deleted after 24 hours unless persisted by user), encryption in transit, strict access controls, user-initiated tracking (not background)

2. Incident Data & Community Verification

   • Risk: False accusations, harassment of reporters, data misuse by third parties
   • Mitigation: Reporter anonymity (optional), verification requirements before publication, moderation, abuse reporting, incident photo encryption (S3)

3. Cross-border Data Transfer (to Jyv Tech LLC parent)

   • Risk: Different data protection standards in USA
   • Mitigation: Data Processing Agreement with Jyv Tech LLC, limited transfer (analytics only), no raw location or incident reports transferred without explicit user consent

8.2 DPIA Documentation

A full DPIA document has been prepared and is available upon request to the NDPC or data subjects. Key findings:

• Overall Risk Level: Medium (with strong procedural safeguards)
• Data Minimization: Implemented (location retained 24 hours default, user can extend)
• User Control: High (users can disable location, opt out of analytics, anonymize reports)
• Transparency: High (this Notice provides full disclosure)
• Accountability: High (DPO, audit trails, breach protocol)

Users may request a copy of the DPIA by emailing dpo@chiponalert.com.

9. Consent Management

9.1 How Consent Is Obtained

Primary Consent Flows:

1. Onboarding (First Launch)

   • Users are presented with a plain-language consent request before account creation
   • Request specifies: Location access, push notifications, analytics, incident reporting
   • Users must explicitly accept to proceed (no pre-ticked boxes)
   • Consent is recorded with timestamp and consent version number

2. OS-Level Permissions

   • iOS: Users see Apple's location permission dialog ("Always," "While Using," "Never")
   • Android: Users see Android's location & notification permission dialogs
   • App respects OS-level choice; users can revoke permission in device Settings

3. In-App Preference Settings

   • Users can granularly control: Notifications, analytics, location persistence, report anonymity
   • Changes are immediate and logged

9.2 Consent Recording & Proof

Consent Record Structure:

{
  user_id: <anonymized>,
  consent_type: "location_tracking|push_notifications|analytics|incident_reporting",
  consent_status: "given|withdrawn",
  timestamp: <ISO 8601>,
  version: "2026-03-29",
  method: "in-app_dialog|os_permission",
  ip_address: <hashed>,
  device_id: <hashed>
}

Storage: PostgreSQL with encryption at rest (AES-256); retention: lifetime of account + 3 years post-deletion

Audit Trail: All consent changes are logged and cannot be modified retroactively.

9.3 Consent Withdrawal

How Users Withdraw Consent:

1. In-App: Settings > Notification Preferences > Withdraw Consent (one-tap)
2. Email: dpo@chiponalert.com with "Consent Withdrawal" in subject line
3. NDPC Portal: File a complaint requesting withdrawal (once available)

Immediate Effect:

• Location services disabled
• Push notifications paused
• Analytics disabled
• App remains usable in "safe mode" (public heatmaps, non-location features only)

Retroactive: Withdrawal does NOT require deletion of already-processed data; past consented use is lawful. But prospective processing stops.

10. Children's Data

10.1 Age Restrictions

Chipon Alert is not intended for children under 13 years of age.

• Minimum age for service: 13 years
• Full rights without parental consent: 18 years and above
• Parental consent required: 13–17 years

10.2 Parental Consent for Minors (13–17 years)

Verification Process:

• User indicates age during signup
• If user is 13–17, app requests parental email
• Parent receives email with consent link and verification code
• Parent must click link and enter verification code to authorize use
• Parental consent is recorded and retained for 3 years

Parental Rights: Parents of minor users have the same data subject rights:

• Right of access (receive copy of child's data)
• Right to rectification (correct child's profile)
• Right to erasure (delete child's account and data)
• Right to withdraw consent (suspend child's account)

Contact: Email dpo@chiponalert.com with minor's phone number and your full name (parental consent holder).

10.3 Data Processing for Minors

Special Safeguards:

• Location data for minors is encrypted in transit and at rest
• Incident reports from minors cannot include photos or identifying language (auto-redacted)
• Minors are not identified in public incident heatmaps; only aggregated as "13–17 age band"
• No marketing or behavioral targeting of minors
• Push notifications for minors use safe/verified sources only

11. Data Breach Notification

11.1 What Constitutes a Breach

A personal data breach is any accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data.

Examples:

• Unauthorized access to user location data due to security vulnerability
• Loss of encrypted incident photos due to S3 misconfiguration
• Accidental data export to third party
• Ransomware attack on server
• Insider theft of user phone numbers

11.2 Notification Obligations

To NDPC:

• Timeline: 72 hours from discovery of breach
• Method: Online portal or registered mail to NDPC headquarters
• Content: Breach description, data affected, estimated users, measures taken, contact details

To Affected Data Subjects:

• Timeline: As soon as practically possible after NDPC notification (typically same day to 2 business days)
• Method: In-app push notification, SMS to registered phone, or email
• Content: Plain-language explanation of breach, data types affected, recommended actions (e.g., reset password, monitor account), DPO contact, NDPC complaint link

11.3 Breach Response Steps

11.4 User Actions in Event of Breach

If you receive a breach notification:

1. Change your password (if you had one; Chipon uses OTP so passwords N/A)
2. Review your account activity in Settings > Account Activity
3. Report suspicious access to dpo@chiponalert.com immediately
4. Monitor for phishing attempts — Chipon will never ask for OTP via email/SMS unsolicited
5. File a complaint with NDPC if you believe your rights were violated (see Section 13)

12. Annual Audit & Compliance Filing with NDPC

12.1 Audit Frequency

The Company conducts the following audits:

12.2 NDPC Filing

Annual Report to NDPC:

• Submission deadline: 31 March each year
• Content: Processing summary, breach incidents (if any), audit findings, DPIA updates, consent metrics, user rights requests
• Retention: Submitted reports retained indefinitely; available to NDPC inspectors

First Filing: March 2027 (covering processing from launch date through 31 December 2026)

12.3 Inspection & Monitoring

The NDPC may:

• Request audit reports and consent records at any time
• Conduct unannounced inspections of Company premises and systems
• Issue compliance orders if violations are found
• Fine the Company up to ₦50 million for serious breaches (per Nigeria Data Protection Act 2023)

13. Complaints Process

13.1 Internal Complaint (First-Tier)

Submit to: dpo@chiponalert.com
Timeline: Acknowledge within 2 business days, investigate within 14 days

Include in complaint:

• Your name and contact details
• Description of the data protection issue
• Date(s) of the incident
• Desired resolution
• Any supporting evidence

DPO will:

1. Investigate the complaint
2. Determine if a violation occurred
3. Propose corrective action if applicable
4. Issue written response with findings and next steps
5. Implement remedy if complaint is upheld

13.2 NDPC Complaint (Second-Tier)

If you are not satisfied with the Company's response, or if the Company does not respond within 14 days, you may lodge a formal complaint with the Nigeria Data Protection Commission.

Contact Details:

• Address: Nigeria Data Protection Commission (NDPC), Abuja, Nigeria
• Website: www.ndpc.gov.ng (once operational)
• Email: complaints@ndpc.gov.ng
• Portal: Online complaint filing portal at NDPC website

Complaint Requirements:

• Full name and contact details
• Clear description of the violation
• Company name and contact details (Tanta Innovative Limited, dpo@chiponalert.com)
• Supporting documents (emails, screenshots, previous DPO responses)
• Specific relief sought

NDPC Timeline:

• Complaint registration: Immediate
• Investigation: 30 days (extendable to 60 days)
• Decision: Written notice with reasons
• Appeal: Available to both parties

NDPC Remedies:

• Cease unlawful processing
• Correct or delete data
• Pay compensation to affected data subject (up to ₦1 million for non-material harm, unlimited for material harm)
• Fine Company up to ₦50 million

13.3 Remedies & Escalation

Statute of Limitations: No set limit in Nigeria Data Protection Act 2023; claims may be pursued indefinitely but damages may diminish over time.

14. Contact Information

14.1 Data Protection Officer

Name: Mr. Tan (Acting Data Protection Officer) Title: Data Protection Officer Email: dpo@chiponalert.com
Availability: Monday–Friday, 09:00–17:00 WAT
Response Time: Acknowledgment within 2 business days; substantive response within 14 days

14.2 Company Support

General Support: support@chiponalert.com
Support Hours: Monday–Friday, 08:00–20:00 WAT; Saturday 09:00–15:00 WAT
App In-App Chat: Available within app under Help > Support

14.3 Regulatory Contact

Nigeria Data Protection Commission (NDPC)

• Website: www.ndpc.gov.ng
• Email: info@ndpc.gov.ng
• Complaints Email: complaints@ndpc.gov.ng
• Headquarters: Abuja, Nigeria
• Hotline: +234 (0) 916 061 5551

14.4 Parent Company Contact

Jyv Tech LLC (Data Processor)

• Email: legal@jyvtech.com
• Role: Cloud infrastructure, analytics backend (joint controller for cross-border processing)
• DPA: Data Processing Agreement in place

15. Changes to This Notice

This Notice may be updated from time to time to reflect changes in:

• Our data practices
• Applicable law (Nigeria Data Protection Act 2023 updates)
• New features in the Chipon Alert App
• Regulatory guidance from NDPC

Changes will be:

• Posted in-app with a "Privacy Update" banner
• Emailed to users (if email on file)
• Published at www.chiponalert.com/privacy

Effective date of changes: Minimum 14 days after notice, unless legally required sooner.

Continued use of Chipon Alert after changes take effect constitutes acceptance of the updated Notice.

16. Definitions

17. Acknowledgment & Acceptance

By downloading, installing, and using Chipon Alert, you acknowledge that:

1. You have read and understood this Data Protection Notice
2. You consent to the processing of your personal data as described herein
3. You understand your rights under the Nigeria Data Protection Act 2023
4. You are aware of the DPO contact and complaint procedures
5. You accept the Terms of Service (available in-app)

If you do not agree with any part of this Notice, you should not use the Chipon Alert App.

Document Version: 1.0
Effective Date: 1 April 2026
Last Reviewed: 29 March 2026
Next Review: 29 March 2027

This notice is provided in English in compliance with the Nigeria Data Protection Act 2023. Translations into other Nigerian languages (Pidgin English, Hausa, Yoruba, Igbo) will be made available within 30 days of launch.

For questions or concerns, contact the Data Protection Officer at dpo@chiponalert.com or file a complaint with the NDPC at complaints@ndpc.gov.ng.