Privacy Policy

Personal Data:

Any information relating to an identified or identifiable natural person ("Data Subject"). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or factors specific to the individual's physical, physiological, genetic, mental, economic, cultural, or social identity. Personal Data does not include information that has been anonymized or aggregated such that it can no longer be used to identify a specific individual.

Data Subject:

The natural person to whom Personal Data relates, whether the person is a user, customer, visitor, or any individual interacting with our services. This Policy protects the rights of all Data Subjects whose Personal Data we process. (Note: This Policy does not apply to data relating to legal entities or deceased persons, which are not considered "personal data" under NDPR and GDPR.)

Processing:

Any operation or set of operations performed on Personal Data, whether or not by automated means. Processing includes activities such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission or dissemination, alignment or combination, restriction, erasure, or destruction of Personal Data.

Data Controller:

The natural or legal person (alone or jointly with others) that determines the purposes and means of the processing of Personal Data. For this Policy, Cromakod acts as the Data Controller of your Personal Data.

Data Processor:

A natural or legal person or other body that processes Personal Data on behalf of the Data Controller. Data Processors (for example, service providers engaged by Cromakod) handle Personal Data only according to our instructions and are contractually obligated to protect it.

Sensitive Personal Data:

Certain categories of Personal Data that are subject to additional protections under law. This may include information about an individual's health, genetic or biometric data, sex life or sexual orientation, religious or philosophical beliefs, political opinions, trade union membership, or criminal convictions, among others (often referred to as "special categories of data" under GDPR). We generally do not collect Sensitive Personal Data unless it is necessary and we have obtained explicit consent or another lawful basis to do so, in accordance with applicable regulations.

Cookies:

Small text files or similar tracking technologies that are placed on your device when you visit websites. Cookies allow us to recognize your browser or device and collect certain information (see Section 6 below and Appendix A for details on how we use cookies and your choices).

Cromakod (or "the Company"):

Refers to Cromakod Academy Limited, a company registered in Nigeria. In this Policy, "we" or "us" means Cromakod Academy Limited as the organization responsible for Processing your Data.

NDPR:

The Nigeria Data Protection Regulation 2019, which is Nigeria's primary data protection regulation. This Policy is designed to comply with the NDPR (and any applicable successor law, such as the Nigeria Data Protection Act 2023) for data processing within Nigeria.

GDPR:

The European Union's General Data Protection Regulation (EU Regulation 2016/679). Although Cromakod operates under Nigerian jurisdiction, we align our practices with the GDPR and other international data protection standards to protect the Personal Data of individuals globally.

Interpretation:

Unless otherwise defined in this Policy, terms used herein shall have the same meaning as defined by the NDPR, GDPR, or other applicable data protection laws. In case of any conflict between definitions, the definition under the strictest applicable law will apply for the protection of the Data Subject.

Jurisdiction and Applicable Law:

Cromakod is subject to the laws of Nigeria. In practice, this Policy incorporates key principles from international data protection laws to ensure compliance and interoperability. If you are located in a jurisdiction with privacy laws offering additional protections, we will also comply with those requirements to the extent applicable. This Policy is not a substitute for any legal rights you may have under local law; rather, it is intended to transparently inform you how we safeguard your data and comply with our legal obligations globally.

Third-Party Websites:

Please note that our website or services may contain links to external websites or services operated by third parties. This Policy does not cover those third-party sites. We encourage you to review the privacy policies of any external sites or services before providing any Personal Data to them. Cromakod is not responsible for the privacy practices or content of third-party websites. (See also Section 7 on data disclosure and Section 6 on third-party cookies.)

Information You Provide Directly:

This includes data that you give us when you use our services, contact us, or otherwise interact with Cromakod. For example:

• Contact and Identity Data: such as your name, email address, telephone number, postal address, job title, and company or organization name (if you are engaging with us on behalf of an entity).
• Account Credentials: such as usernames, passwords, or other security information for accessing our platforms (if you register an account with us).
• Profile Information: such as preferences, feedback, and any other Personal Data you choose to share with us (for instance, when filling out forms, responding to surveys, or participating in promotions).
• Customer Support and Communications: any information you provide when you contact us for support or with inquiries, including the content of emails or messages, and your contact details for follow-up.

Information Collected Automatically:

When you interact with our websites or online services, we automatically collect certain data about your device and usage through cookies and similar technologies (see Section 6 and Appendix A for details). This data may include:

• Technical Data: such as your IP address, browser type and version, device identifiers (e.g., device ID, MAC address, IMEI), operating system, network provider, and device model.
• Usage Data: such as timestamps of visits, pages or screens viewed, features used, links clicked, content interactions, and the page you visited before navigating to our website. We may also collect crash logs and other diagnostic data to help us improve our services.
• Cookies and Tracking Data: as further described in Section 6, we and third parties use cookies and other tracking technologies to collect information about your browsing actions and patterns. This may include data on how you navigated to and from our site, your preferences (like language settings), and your engagement with our ads or content on third-party sites.

Information from Third Parties:

We may receive Personal Data about you from third-party sources, but only where those third parties have a legal basis to share your information with us. Such data may include:

• Third-Party Services: If you interact with our services through social media platforms or other third-party services (for example, if you log in via a social network account, or use an integration with a third-party tool), we may receive certain information from that service such as your public profile, name, contact information, or friends/contacts list, according to the authorization procedures determined by such third party.
• Service Providers and Business Partners: We might obtain data from partners such as resellers, analytics providers, advertising networks, or payment processors. For instance, our analytics providers may supply us with aggregate demographic or preference information; our advertising partners might provide information on your interactions with our ads on other platforms.
• Publicly Available Sources: We may also collect information from public databases, industry directories, or social network platforms if, for example, we are verifying identity or conducting due diligence as permitted by law.

We will treat any Personal Data obtained from these sources in accordance with this Policy. Where appropriate, we will inform you of the source of Personal Data we collect indirectly and ensure that any third party has confirmed that they have your consent or another lawful basis to share such Personal Data with us.

Children's Data:

Our services are generally not directed at children under the age of 18. We do not knowingly collect Personal Data from anyone under 18 without verifiable parental consent. If you are a parent or guardian and believe we might have collected Personal Data from your child without proper consent, please contact us (see Section 15), and we will take appropriate steps to investigate and address the issue, including deleting the data if required. (For minors where applicable law requires a higher age threshold or parental authorization – e.g., age 13 in some jurisdictions for certain online services – we will comply with those requirements.)

Providing and Improving Our Services:

We use your Personal Data to deliver our products and services to you, to maintain and improve their functionality, and to personalize your experience. This includes using data to set up and administer accounts, provide customer support, process transactions or orders you request, and analyze usage to enhance performance and quality.

Legal basis: Performance of a contract (where processing is necessary to provide the services you requested) or our legitimate interest in ensuring our services operate effectively and are continuously improved (in such cases, we ensure our legitimate interest is balanced against your rights).

Communications and Responding to Inquiries:

We process contact information and communications content to respond to your questions, requests, or feedback, and to provide you with information you request about our services.

Legal basis: Performance of a contract (if your inquiry is related to a service you use), or consent/legitimate interests (to respond to unsolicited inquiries or general questions). We consider that we have a legitimate interest in responding to you to maintain good customer relations and improve our business, provided such communications are expected and not promotional.

Marketing and Promotional Communications:

With your consent (or as otherwise permitted by applicable law), we use Personal Data (primarily contact details and preferences) to send you marketing communications, such as newsletters, updates, or event invitations, and to deliver targeted advertising about our services or relevant offers. We may tailor these messages based on your interests and interaction with our content.

Legal basis: Consent – we will obtain your opt-in consent where required (for example, for email marketing to individuals in the EU/UK or Nigeria). In some cases, where allowed by law, we may rely on our legitimate interest to send you marketing about similar products or services that you have already signed up for. In all cases, you retain the right to opt out at any time (see Section 12 on your choices). We will not send unsolicited third-party marketing or share your details with third parties for their marketing without your consent.

Analytics and Product Development:

We process data (often in aggregated or pseudonymized form) to understand how our services are used, to measure the effectiveness of our features or marketing campaigns, and to develop new features, products, or services. This may include analyzing site traffic patterns, user behavior, and trends to improve user experience and functionality.

Legal basis: Our legitimate interests in analyzing and improving our products and services. Where required by law (e.g., for placing analytics cookies or using certain profiling technologies), we will obtain your consent before collecting analytics data. We use safeguards (like aggregating data and using privacy-preserving techniques) to minimize any impact on your privacy.

Security and Fraud Prevention:

We may process Personal Data as necessary to protect the security and integrity of our services and users. This includes using data to authenticate users, monitor for suspicious or fraudulent activities, debug and repair errors, and enforce our terms of service or other policies. For example, we may log and analyze IP addresses and user activity to detect potential hacking attempts or misuse of our platforms.

Legal basis: Legitimate interests in safeguarding our business, customers, and systems (we consider security measures to be in everyone's interest, and we proportionately implement them) and compliance with legal obligations (in cases where we are legally required to protect information or inform authorities of unlawful activities).

Compliance with Legal Obligations:

We process Personal Data to comply with laws and regulations that apply to us. This includes maintaining records, responding to lawful requests by public authorities, complying with accounting, tax, and audit obligations, and fulfilling reporting or data disclosure requirements under applicable law (e.g., know-your-customer regulations, data protection reporting duties, etc.).

Legal basis: Compliance with a legal obligation. For example, NDPR and GDPR may require that we disclose certain data to regulators or data subjects upon request, or we may be obligated to retain certain transaction records for statutory periods. Where we must process Personal Data for legal reasons, we may not be able to accommodate requests to erase or restrict data (see Section 11 regarding your rights) if it conflicts with these obligations.

Establishment, Exercise, or Defense of Legal Claims:

If necessary, we may use your Data to protect our rights or the rights of others. This can involve using data in connection with legal claims, debt collection, compliance audits, investigations of potential misconduct, or as evidence in litigation.

Legal basis: Legitimate interests in defending and asserting our legal rights or those of our users, staff, or other stakeholders. In some jurisdictions, this may also fall under legal obligation or public interest bases (for instance, cooperating with law enforcement requests).

Other Purposes (with Notice and Consent):

If we intend to process Personal Data for a purpose that is materially different from the purposes listed above, or that is not otherwise apparent to you, we will provide you with additional notice. Where required, we will obtain your consent for the new processing. We will not use your Data in a way that is incompatible with the purposes for which it was collected without informing you and, if necessary, getting your consent.

Use of Cookies:

Cromakod uses cookies and similar tracking technologies (such as web beacons, pixels, and device identifiers) on our websites and online services to provide a better user experience, for functionality, analytics, and advertising purposes. Cookies are small text files that a website saves on your computer or mobile device when you visit the site. They enable the website to remember your actions and preferences (such as login, language, and other display preferences) over a period of time, so you don't have to re-enter them whenever you come back to the site or browse from one page to another. Cookies also help us understand which pages are popular, whether users are encountering errors, and how we can improve our content and layout.

Types of Cookies:

We use both session cookies (which are temporary and deleted when you close your browser) and persistent cookies (which remain on your device for a set period or until you delete them). Cookies can also be categorized by their purpose. Broadly, the cookies on our services fall into the following categories: Strictly Necessary Cookies, Functional Cookies, Performance/Analytics Cookies, and Targeting/Advertising Cookies. Each of these categories is explained in detail in Appendix A: Cookie Categories and Examples of this Policy. We also indicate in the Appendix whether a given category is considered "essential" or "non-essential" under relevant laws. Generally, Strictly Necessary Cookies are essential for our site to function and do not require consent to deploy, whereas the other categories (functional, analytics, advertising) are non-essential and will only be used with your consent where required by law.

Third-Party Cookies:

Some cookies on our site are set by Cromakod (these are "first-party cookies"), and others may be set by third-party services that we use. For example, we may partner with third-party analytics providers, such as web traffic analysis services, which set cookies to collect usage information, or with third-party advertising networks that set cookies to deliver personalized ads on our behalf. We do not share Personal Data that directly identifies you with third-party advertisers or social media networks without your consent. However, if you consent to Targeting/Advertising cookies, those third parties may collect information via their cookies (such as your browsing activity or device identifiers), which could be combined with other information they hold about you for profiling or ad targeting purposes. These third-party cookies and tracking technologies are controlled by the third parties, not by Cromakod, and are subject to the third parties privacy policies. We list the categories of third-party cookies in Appendix A, but we do not list specific third-party cookie names in this Policy to keep it generalized; the specific cookies in use may change from time to time. You can manage or block third-party cookies through your browser settings.

Legal Compliance and Consent:

In jurisdictions such as the EU, UK, and others that have cookie consent requirements, Cromakod will not set non-essential cookies (e.g., analytics or advertising cookies) on your device unless and until you have given consent via our cookie banner or settings center. When you first visit our site, you will be presented with a cookie notice that allows you to accept or reject different categories of cookies (except strictly necessary cookies, which you cannot disable as they are essential for the site's operation). You can adjust your preferences at any time through the "Manage Cookies" link on our website or by updating your browser settings. We will record your cookie consent choice and honor it. Note that if you are in a jurisdiction that does not mandate prior consent for cookies (for example, some parts of the US), we may still provide you with controls to opt out of certain cookies as a matter of transparency and choice.

How to Manage or Disable Cookies:

You have the right to control how cookies are used on your devices:

• Cookie Consent Tool: On our website, you can access a cookie management tool (often found in the footer or the initial cookie banner) to review and change your preferences. Through this tool, you can typically see the categories of cookies in use and toggle your consent on or off for each category (except strictly necessary cookies, which are always enabled).
• Browser Settings: Most web browsers allow you to refuse new cookies, delete existing cookies, or be notified before a cookie is set. Please refer to your browser's help section for instructions on how to adjust your cookie settings.

Warning: If you disable cookies (especially strictly necessary ones) via your browser, some features of our site or services may not function properly. For example, you may not be able to log in or use certain interactive features.

Do Not Track:

Some browsers have a "Do Not Track" (DNT) feature that allows you to signal to websites that you do not want to be tracked. Our site currently does not respond to DNT signals in a uniform way, because there is not yet an established standard for how to interpret them. However, we treat DNT signals as an opt-out of targeted advertising cookies where legally required. Additionally, there are industry frameworks (such as the Global Privacy Control (GPC) signal) that allow you to broadcast an opt-out of sale/sharing for targeted advertising under U.S. state laws; to the extent such signals are detected and applicable, we will honor them as required by law.

Other Tracking Technologies:

We may use related technologies such as web beacons (also known as pixel tags or clear GIFs) in our emails or on our site. For example, we might include a pixel in marketing emails to understand if you open them or take any action. This helps us measure the effectiveness of our communications. These technologies often rely on cookies to function, so if you disable cookies, they may be less effective.

Service Providers (Data Processors):

We share Personal Data with third-party service providers that perform services and functions on our behalf to support our interactions with you. These include:

• IT and Hosting Providers: Companies that provide data storage, cloud hosting, infrastructure, and other IT services to ensure our platform runs securely and reliably.
• Analytics Providers: Partners that assist us in analyzing website/app traffic and user behavior (for example, analytics platforms that process data such as IP address or user actions on our behalf).
• Customer Support Tools: Platforms that help us manage customer inquiries, send notifications, or provide live chat services.
• Payment Processors: If you make payments to or through us, we may use secure payment gateways or processors that will process your payment information. They are responsible for safeguarding your financial data and only use it for transaction processing.
• Marketing and Communication Services: Third-party tools that help us send newsletters, surveys, or other messages, or organize events and registrations.

These service providers act under our instructions and are bound by contractual agreements to process Personal Data only for our purposes and in compliance with this Policy and applicable law. We require them to implement appropriate security measures to protect Personal Data and not to use it for their commercial purposes.

Within Cromakod and Affiliates:

If Cromakod Academy Limited has affiliates, subsidiaries, or parent companies (collectively, "affiliates"), we may share Personal Data within our corporate group as needed for business administration, centralized management, or to provide our services to you. Any intra-group data sharing will be consistent with the purposes stated in this Policy (for example, your data might be stored in a centralized customer database accessible by our affiliate that provides IT support). All our entities are required to follow the same data protection rules as outlined in this Policy.

Business Transfers:

If we undergo a business transaction such as a merger, acquisition by another company, reorganization, joint venture, sale of all or part of our assets, or transition of service to another provider, your Data may be transferred as part of that transaction. We will ensure that any party receiving your information as part of such a transaction is bound to respect your Data in a manner consistent with this Policy. If required by law, we will notify you and/or obtain your consent when your Personal Data is transferred in this context.

Legal Obligations and Safety:

We may disclose Personal Data to third parties (such as courts, law enforcement or government agencies, regulators, or external advisors) if we determine that such disclosure is necessary to:

• Comply with any applicable law, regulation, legal process, or governmental request. For example, we may be required to respond to a court order or a subpoena, or to report data to the Nigeria Data Protection Commission (NDPC) or other regulatory bodies.
• Enforce our terms of service or other agreements, or to investigate potential violations thereof.
• Protect the rights, property, or safety of Cromakod, our users, employees, or the public. This includes exchanging information with other companies and organizations for fraud prevention, spam/malware detection, or other security concerns.

When feasible and lawful, we will notify you if we must disclose your data in response to legal process. However, in urgent or sensitive cases (e.g., responding to a lawful request in a criminal investigation or to prevent imminent harm), we may not be able to provide notice.

With Your Consent:

We will share your Personal Data with others outside of the above circumstances only when we have your explicit consent to do so. For instance, if you opt-in to a feature that involves sharing data with a third-party partner (not acting as our service provider), we will disclose your Personal Data in that context. You have the right to withdraw such consent at any time (see Section 12).

No Unmentioned Third-Party Use:

We do not grant third parties any independent right to use or disclose your Personal Data for their own purposes, except as set out above. Wherever Personal Data is shared with a third party, we take steps to ensure it will be processed in a manner consistent with this Policy and under an appropriate duty of confidentiality.

International considerations for third parties:

If any third-party recipients are located outside of Nigeria or your home jurisdiction, we will implement appropriate measures to ensure that your Personal Data remains protected (see Section 8 below regarding international data transfers).

Transfers out of Nigeria:

For Personal Data originating from Nigeria, the NDPR (and NDPA 2023) imposes conditions on international transfers. We will only transfer such data to a third country if one of the following applies:

• The destination country has been officially deemed by Nigerian authorities to have an adequate level of protection for Personal Data.
• The receiving party is bound by standard contractual clauses, binding corporate rules, codes of conduct, or certification mechanisms that ensure an adequate level of data protection. In practice, this means we may rely on GDPR-approved Standard Contractual Clauses (SCCs) or other approved agreements to contractually require that your data receive a level of protection comparable to that under Nigerian law.
• The transfer is otherwise allowed by law, for example:
  • You have explicitly consented to the proposed transfer after being informed of any potential risks.
  • The transfer is necessary for the performance of a contract between you and us (or for pre-contractual steps at your request), or for the conclusion or performance of a contract in your interest between us and a third party (for instance, if we need to route data through an international service provider to deliver a service you requested).
  • The transfer is necessary for the establishment, exercise, or defense of legal claims.
  • The transfer is necessary to protect vital interests of you or others (e.g., in an emergency).
  • The transfer is part of our compliance with an international agreement or for important reasons of public interest (rare scenarios).

In all cases, we document the basis for transfer and ensure that appropriate safeguards are applied.

Transfers from the EU/UK or Other Countries:

Similarly, if we transfer Personal Data from the European Economic Area (EEA), the United Kingdom, or other regions with data transfer restrictions, we will ensure such transfers comply with the GDPR/UK GDPR and local laws. This typically means:

• Transferring data only to countries that have been deemed adequate by the European Commission or UK authorities, or
• Implementing Standard Contractual Clauses or other lawful transfer mechanisms (such as binding corporate rules, or relying on exceptions where appropriate) to safeguard the data.

We also perform, where required, a transfer impact assessment to evaluate if additional security measures are needed to handle any unique risks of transferring to certain countries.

Your Acknowledgment:

By using our services or submitting your Personal Data to us, you understand that your Personal Data may be transferred internationally as described above. Regardless of where your data is transferred, stored, or processed, we will take steps to ensure that your data is treated securely and in accordance with this Policy and applicable laws.

Access Controls:

We limit access to Personal Data to employees, contractors, and agents who have a "need-to-know" that data for their role. Those with access are subject to strict confidentiality obligations. We use authentication and authorization mechanisms to ensure only authorized personnel can access systems storing Personal Data.

Encryption and Pseudonymization:

Where appropriate, we use encryption to protect sensitive Personal Data, both in transit (e.g., SSL/TLS encryption for data transmitted between your device and our websites) and at rest. For certain data, we may employ hashing, pseudonymization, or anonymization techniques to reduce the risk to individuals in case of a data incident.

Network and Application Security:

We protect our IT infrastructure with firewalls, intrusion detection systems, and anti-malware tools to guard against external threats. Our websites and applications are developed following security best practices (for example, protection against SQL injection, XSS, and other vulnerabilities) and we regularly update our software and systems to address security patches. We also conduct periodic vulnerability assessments and penetration testing through internal or third-party experts.

Monitoring and Logging:

We monitor our systems for potential vulnerabilities and attacks. Access to Personal Data and key actions are logged where feasible, and logs are reviewed for anomalies. This helps us detect and respond to suspicious activities.

Training and Policies:

We ensure that our staff are trained in data protection and information security practices. Cromakod has internal policies and incident response plans that guide our personnel on how to handle Personal Data and how to report and respond to security incidents or potential data breaches.

Vendor Due Diligence:

When we engage third-party service providers (Section 7), we evaluate their security practices. We require that our Data Processors implement adequate security measures to protect Personal Data, and we include appropriate data protection and security requirements in our contracts with them.

Duration of Use:

We keep Personal Data for the period during which we have an ongoing relationship with you (e.g., for as long as you maintain an account with us or use our services). For example, if you are a registered user, we will keep your account information while your account is active or as needed to provide you with services.

Purpose Fulfillment:

We retain data as needed to achieve the purposes for which it was collected. For instance, if you provided your email to receive a newsletter, we will retain that email until you unsubscribe or the newsletter program ends. If we collected data for improving our services, we may keep that data (possibly in aggregated form) for the time necessary to complete the analysis.

Consent and Opt-Out:

For data processed based on your consent, we may delete the data sooner if you withdraw consent. For example, if you consented to marketing emails and later opt out, we will remove you from our marketing list promptly (but may keep a record of your opt-out request indefinitely to ensure we respect your no-contact preference).

Legal Obligations:

We may need to retain certain data to comply with legal and regulatory obligations. For example, financial and transaction records may be kept for several years to satisfy tax or accounting laws. Likewise, under NDPR/NDPA and other laws, we might need to retain records of consent, privacy requests, and how we responded, to demonstrate compliance.

Disputes and Enforcement:

If we are involved in a dispute with you or have to enforce our agreements, we will retain relevant data for the duration of the dispute and for a period allowed or required by law after its resolution, in case we need to respond to legal claims or regulatory inquiries. This is aligned with our legitimate interest in establishing or defending legal claims.

Right to Be Informed:

You have the right to be provided with clear, transparent information about how your Personal Data is processed. This Policy is one of the ways we fulfill this right. We aim to be transparent about our data practices at the time of data collection and whenever there are significant changes.

Right of Access:

You have the right to access the Personal Data we hold about you and to obtain a copy of that data, as well as information about how we process it. This is sometimes called a "Data Subject Access Request." Upon verification of your identity, we will provide you with the relevant data and details, such as the purposes of processing, the categories of data, the recipients (or categories of recipients) to whom the data has been disclosed, and the envisaged retention period.

Right to Rectification:

If any of your Personal Data we hold is inaccurate or incomplete, you have the right to request that we correct or update it. We encourage you to keep your information up-to-date and will make rectifications promptly as required by law.

Right to Erasure:

Also known as the "Right to be Forgotten," this allows you to request that we delete your Personal Data in certain circumstances. This right is not absolute, but we will erase your data upon request if:

• the data is no longer necessary for the purposes it was collected;
• you withdraw consent (if the processing was based on consent) and no other legal basis exists;
• you object to processing (see below) and we have no overriding legitimate grounds to continue;
• the data was processed unlawfully; or
• erasure is required to comply with a legal obligation.

Please note we might refuse the erasure request if an exemption applies, for example, if retaining the data is necessary for exercising the right of freedom of expression, compliance with a legal obligation, or the establishment or defense of legal claims.

Right to Restrict Processing:

You have the right to request that we limit the processing of your Personal Data under certain conditions. For example, you can ask for restriction if you contest the accuracy of the data (for a period allowing us to verify it), or if the processing is unlawful but you oppose erasure and prefer restriction, or if we no longer need the data but you need us to keep it for legal claims, or if you have objected to processing (pending verification of overriding grounds). When processing is restricted, such data will be marked and, apart from storage, only processed for certain things like legal claims or with your consent.

Right to Object:

You have the right to object to certain types of processing of your Personal Data at any time, on grounds relating to your particular situation.

Direct Marketing: You can always object to processing of your Personal Data for direct marketing purposes, and if you do, we will stop processing your data for that purpose immediately.

Legitimate Interests: If we are processing your data on the basis of our legitimate interests (or those of a third party), you also have the right to object to that processing. In such a case, we will cease processing unless we have compelling legitimate grounds that override your interests, rights, and freedoms, or unless we need to continue processing for the establishment, exercise, or defense of legal claims. (We have noted in Section 5 which purposes rely on legitimate interests.)

Right to Withdraw Consent:

Where we rely on your consent to process Personal Data (for example, for sending marketing emails or for using certain cookies), you have the right to withdraw that consent at any time. Withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal. Once you withdraw consent, we will stop the specific processing that was based on consent. (If you withdraw consent for cookies, see instructions in Section 6; if for marketing emails, see Section 12 below.)

Right to Data Portability:

For Personal Data that you have provided to us and is processed by automated means under the legal basis of consent or contract, you have the right to request a copy in a structured, commonly used, machine-readable format (for example, CSV or JSON). You also have the right to ask that we transmit this data directly to another data controller, where technically feasible. This right facilitates moving your data to other service providers, if desired.

Rights related to Automated Decision-Making:

If we make a decision about you that is solely based on automated processing (e.g., algorithms) which produces legal effects or similarly significant effects, you have the right not to be subject to such a decision, except in certain permitted cases. In practice, Cromakod does not carry out purely automated decisions with legal or significant effects without human involvement. If we ever do, you will be informed and given the right to contest the decision, express your point of view, and require human intervention. Examples of automated decisions could include credit scoring or algorithmic hiring, which we currently do not perform.

Right to Lodge a Complaint:

If you believe that we have infringed your data protection rights or are processing your Personal Data unlawfully, you have the right to lodge a complaint with a supervisory authority.

• Nigeria: You can file a complaint with the Nigeria Data Protection Commission (NDPC) or its authorized agency (formerly NITDA under NDPR).
• European Union: You may contact the data protection authority in the EU member state of your residence, place of work, or where the issue arose.
• United Kingdom: You can reach out to the UK Information Commissioner's Office (ICO).
• Other Regions: If you reside in another country with a data protection regulator, you can contact that regulator. We would appreciate the chance to address your concerns directly before you approach a regulator, so we encourage you to contact us first, but you are entitled to contact the authority at any time.

Exercising Your Rights:

You may contact us at any time to exercise the above rights (see Section 15 for contact details). To protect your privacy, we will verify your identity (for example, by requiring you to provide information to confirm it's you) before fulfilling your request. In general, there is no fee to exercise your rights; however, if a request is manifestly unfounded or excessive (e.g., repetitive), we may charge a reasonable fee or refuse to act on it (as permitted by law). We will respond to legitimate requests as soon as possible, and in any event within the timeframe required by law (NDPR specifies a timely response; GDPR generally requires within one month, extendable by two more months if necessary with notice).

Please note that some rights may be limited if fulfilling them would adversely affect the rights and freedoms of others. For example, if a request for access would reveal Personal Data about another person, we might need to redact certain information. Additionally, certain Personal Data may be exempt from such requests under local law (such as data involved in ongoing investigations, or data held for legal compliance).

Cromakod will make every effort to accommodate your rights request. If we cannot fulfill your request, we will provide you with an explanation, subject to any legal restrictions.

Marketing Communications:

If you have subscribed to our marketing emails or newsletters, you can opt out at any time. Every marketing email from us includes an "Unsubscribe" link at the bottom – clicking that link will allow you to stop receiving that particular type of communication. You can also request to opt out by contacting us directly via email or through your account settings (if applicable). Once you opt out, we will remove you from the mailing list without undue delay, and no longer send you promotional emails. Please note that even if you opt out of marketing messages, we may still send you transactional or service-related communications (e.g., important account notices, customer service responses, security alerts) as these are not promotional in nature.

Tailored Advertising:

As explained in Section 6, we may use cookies and third-party advertising networks to show you relevant ads. If you prefer not to receive targeted advertising based on your browsing behavior or interests, you can adjust your cookie settings to disable Targeting/Advertising cookies (see Appendix A for more on these cookies). Additionally, many advertising partners are members of industry groups that provide simple ways to opt out of interest-based ads. For example, users can visit the Network Advertising Initiative (NAI) opt-out page or the Digital Advertising Alliance (DAA) opt-out page (or the Your Online Choices site in the EU) to opt out of interest-based advertising from participating companies. Keep in mind that opting out of targeted ads does not mean you will see no ads, only that the ads will not be personalized using cookies or data from the participating networks. If our site or app is linked with any mobile advertising, you can also use your device settings (like "Limit Ad Tracking" on iOS or "Opt out of Ads Personalization" on Android) to control targeted advertising on mobile apps.

Cookies Consent Management:

Upon your first visit to our site, you had the opportunity to manage your cookie preferences (as described in Section 6). If you want to change your decision later, you can do so at any time by using the "Manage Cookies" link or similar mechanism provided on our website. Through that interface, you can withdraw consent for categories of cookies by toggling them off. We ensure that withdrawing consent for cookies is as easy as giving consent. In addition, as mentioned, you can manage cookies through browser settings. Note that essential cookies cannot typically be opted out of through our consent tool because they are necessary for service functionality; however, you can still block them via your browser if you choose (with potential impact on site performance).

Do Not Sell or Share (for California and similar laws):

While Cromakod does not sell Personal Data for money, some transfers (such as using advertising cookies) may be considered a "sale" or "sharing" under certain U.S. state laws (like the California Consumer Privacy Act, CCPA, as amended by CPRA). If you are a resident of a jurisdiction with such laws and we engage in practices deemed a sale or share, you have the right to opt out. We will honor Global Privacy Control (GPC) signals as a valid opt-out of sale/sharing request in covered jurisdictions. If you have enabled a GPC signal (via your browser or extension), our website will treat it accordingly, to the extent required by law. You may also contact us to manually exercise a "do not sell or share" request. Since our policy is not to sell data, any such request will be acknowledged and we will ensure that your data is not used in a manner that constitutes a sale or improper sharing under applicable law.

Consent Withdrawal:

For any processing that is based on your consent, you have the freedom to change your mind and withdraw consent. The methods for doing so vary by context:

• For cookies, use the cookie management methods described above.
• For marketing emails, use the unsubscribe link or contact us.
• For any other consent-based activities (for instance, if you consented to a testimonial or survey participation), contact us at our email in Section 15 to communicate your withdrawal. We will then cease the processing in question. Please be specific in your request so we can identify the consent you wish to withdraw.

Keep in mind that withdrawing consent will not affect processing that has already occurred, but we will stop future processing. In some cases, there may be a slight delay in updating systems to reflect withdrawn consent, but we will strive to implement changes promptly.

Account Settings:

If you maintain an account on a Cromakod service, there may be settings within your account profile that allow you to directly review, correct, or delete certain Personal Data associated with your account. We encourage you to use these tools where available. For example, you might be able to update your contact information, change notification preferences, or delete saved content. For anything you cannot self-service, you can reach out to us.

Non-Discrimination:

We will not discriminate against anyone who exercises their privacy rights or choices. For example, if you opt out of marketing or certain data uses, we will not deny you services or provide a lower quality of service, except as allowed by law (note that some features that rely on data may not function if you opt out – e.g., personalization features won't work without certain data, and that is a consequence of your choice, not a discriminatory action by us).

Assistance:

If you have any trouble managing your preferences or if you have questions about how to opt out of a particular data use, please contact our Data Protection Officer or Privacy Team for assistance (see Section 15). We are here to help you feel comfortable with how your data is used.

Breach Response Measures:

In the event of a suspected or confirmed data breach, we will:

• Immediately Investigate: Our security team will activate incident response procedures to contain the breach, secure our systems, and investigate the scope, cause, and impact of the incident. We will work diligently to identify what data was affected, which individuals may be impacted, and the steps needed to remediate the situation.
• Mitigation: We will take appropriate measures to mitigate any potential harm to individuals. This might include isolating affected systems, changing access credentials, restoring data from clean backups, patching vulnerabilities, and cooperating with law enforcement if a crime is suspected. Our goal is to prevent any further unauthorized access or data loss as soon as possible after discovery of the breach.

Notification to Authorities:

If the breach is likely to result in a risk to the rights and freedoms of data subjects, Cromakod will notify the appropriate Data Protection Authority within the timeframe required by law. Under the NDPR (as reinforced by the Nigeria Data Protection Act 2023) and GDPR, this is typically within 72 hours of becoming aware of the breach, unless a delay is justified (for example, if the breach is unlikely to pose any risk, notification might not be required). In Nigeria, the relevant authority is the Nigeria Data Protection Commission (NDPC). In the EU, it would be the supervisory authority in the member state of our establishment or the affected users. Our breach report to authorities will include information required by law, such as the nature of the breach, categories and approximate number of affected individuals and records, likely consequences, and measures taken or proposed to address the breach.

Notification to Data Subjects:

If a data breach is likely to result in a high risk to your rights and freedoms (for example, risk of fraud, financial loss, identity theft, or significant confidentiality breach), we will also inform you, the affected Data Subject(s), without undue delay. We will do so as soon as feasible after determining that such risk exists, and in a manner that is clear and communicates the nature of the breach and any recommended steps for you to protect yourself. For instance, we might advise you to reset your password and monitor your accounts for suspicious activity, if relevant. We may contact you through the email address on file, via our website, or by other direct communication channels that we have established with you. If direct communication would involve disproportionate effort (e.g., if we don't have contact info for all affected individuals), we may use public communication (such as a notice on our website) to reach affected users efficiently, as permitted by law.

Exceptions:

In certain cases, we might not notify individuals if:

• we have implemented subsequent measures that ensure the high risk to your rights is no longer likely to materialize (for example, if we quickly secure the data such that any stolen data is rendered unusable via encryption), or
• notification would require disproportionate effort (as noted, we would then use alternative means to inform everyone, like public announcements), or
• it would hinder a law enforcement investigation (in which case, notification may be delayed upon request of authorities). We will adhere to guidance from relevant authorities in these scenarios.

Documentation:

We will document all data breaches, regardless of severity, including the facts relating to the breach, its effects, and the remedial actions taken. This documentation may be requested by regulators to verify our compliance with breach notification duties.

User Responsibilities:

We also encourage you to remain vigilant for any suspicious activity. If you suspect that your Personal Data has been compromised in connection with Cromakod, please notify us immediately (see Section 15 for how to contact us). Prompt notification can help us take measures to investigate and mitigate any potential breach.

Commitment:

Our goal is to be fully transparent in the unfortunate event of a data breach and to protect our users' interests in any such scenario. We treat data breaches with utmost seriousness as part of our commitment to data security and privacy.

Strictly Necessary Cookies (Essential Cookies):

Purpose: These cookies are essential for the operation of our website and for you to be able to use its features. They enable basic functions like page navigation, access to secure areas (e.g. login, account management), and form submissions. Without these cookies, services you have asked for (such as adding items to a shopping cart, or e-billing) cannot be provided properly. Strictly Necessary Cookies do not collect information about you that will be used for marketing or remember where you have been on the internet.

Consent: Because these cookies are strictly necessary for the website to function, they do not require your consent under EU/UK law. You cannot disable them through our cookies preference center (though you may be able to via your browser, at the risk of some site functions breaking).

Examples:

• Cookies that keep you logged in during your session, and remember your login details when moving between pages (so you don't have to re-enter them).
• Session identifiers and security tokens, e.g. a cookie named SESSIONID or XSRF-TOKEN, which maintain state and protect against malicious cross-site requests.
• Preferences essential for service functionality, such as your language or region selection that is necessary to display content in the correct language (if the site defaults to a language based on a cookie).
• Load balancing cookies that distribute network traffic across different servers to ensure the website remains available. (These cookies are typically transient and only used for network management.)

Functional Cookies (Preference Cookies):

Purpose: These cookies allow our website to remember the choices you make and provide enhanced, more personalized features. They are not strictly necessary, but they enhance your user experience. For example, functional cookies might remember your preferences (such as your username, region, or language if not strictly required, preferred layout, or other customizations) so that you don't have to set them every time you visit. They may also be used to provide services you have asked for, such as playing videos or remembering if you've already completed a survey.

Consent: In jurisdictions with cookie laws, these cookies are considered non-essential, meaning we will ask for your consent before setting them on your device. If you choose to disable or not allow these cookies, some functionalities of the site may become unavailable, and your preferences may not be saved for future visits.

Examples:

• A cookie that remembers your preferred language or currency beyond the current session, so that on your next visit, the site appears in your chosen language by default. (e.g., a language cookie named lang_pref=en)
• Cookies that store layout settings or personalization, such as your preferred theme (light vs dark mode), text size, or other interface customizations.
• If our site has a chat support widget or similar feature, a cookie might remember your user name or previous chat history, so you have continuity between sessions.
• Cookies that remember whether you've dismissed a particular pop-up or message, e.g., a cookie that knows you've already seen and closed a one-time announcement, so it doesn't show again.

Performance and Analytics Cookies:

Purpose: These cookies collect information about how visitors use our website, in order to measure and improve performance. They help us understand which pages are popular, how visitors navigate through the site, and if they encounter errors. The information collected is usually aggregated and anonymous – it does not directly identify you as an individual. For instance, these cookies might track how much time you spend on different pages, conversion rates, or any error messages you receive. We use this data to make our content and user experience better (for example, by detecting broken links or slow pages).

Consent: These are non-essential cookies. We will request your consent before deploying analytics cookies in jurisdictions that require it (EU/UK, etc.). In some other jurisdictions, we might deploy them by default but still provide you an option to disable them. If you opt out of these cookies, your visits will not be included in our aggregated statistics (which is okay – it won’t affect your experience, but it helps us less in improving our services).

Examples:

• Web Analytics Cookies: e.g., cookies set by analytics platforms (like Google Analytics, Adobe Analytics, or others) that may carry identifiers like _ga, _gid, etc. These cookies might log the pages you visit, how long you stay, how you arrived at our site (referral source), and whether you are a new or returning visitor. The data is aggregated for statistical analysis. (We configure such tools in compliance with privacy guidelines, e.g., IP anonymization where applicable.)
• Performance Tracking Cookies: e.g., a cookie that tracks load times or errors – such as a cookie or local storage item that logs if a page or feature failed to load properly, so we can detect and fix performance issues.
• Testing and Optimization Cookies: Sometimes we run "A/B tests” or multi-variant tests to decide which site layout or content works better. Cookies like ABTestGroup might remember which version of the site you saw, to ensure consistency during your visit and to measure results (e.g., which version led users to engage more).
• Video / Media Performance: If our website includes videos or rich media from third parties (like YouTube or Vimeo), those providers might set analytics cookies to measure performance of the video playback (e.g., whether you watched the video and for how long). We count these under performance cookies as well.

(Note: We do not tie analytics cookies data to your identity. It’s used in aggregate form. Some analytics providers might use their cookies for their purposes as well; we ensure any such usage is disclosed and consented to.)

Targeting and Advertising Cookies:

Purpose: These cookies are used to deliver advertising that is more relevant to you and your interests. They may be set by us or by our advertising partners (third parties) with whom we contract to help us with marketing. Targeting cookies remember that you’ve visited our site or interacted with our content, and they may track your browsing habits across multiple websites or online services. This information is used to build a profile of your interests and to show you relevant ads on other websites (known as interest-based advertising). They also help us measure the effectiveness of advertising campaigns – for example, by limiting the number of times you see the same ad and by detecting if you have taken an action (like signing up or purchasing) after seeing an ad.

Consent: These are non-essential cookies, and opt-in consent is required in most jurisdictions before we use them. If you disable these cookies, you will still see advertisements online, but they may be less relevant to you because they won’t be tailored based on your interest profile derived from these cookies. Additionally, disabling targeting cookies means we will not know when you have visited our site via an advertisement, and we may not be able to as effectively gauge the success of our advertising efforts.

Examples:

• Ad Network Cookies: Cookies set by advertising networks we participate in, such as Google Ads/DoubleClick (e.g., cookies named IDE or _gads), Facebook (e.g., fr cookie for Facebook Pixel), or other ad tech platforms. These cookies can track your browser across sites and show you ads based on that tracking. For instance, if you visited our product page, you might later see an ad for our product on another site – this is enabled by targeting cookies and similar technologies.
• Retargeting Cookies: If we partner with third parties to show ads on their platforms (like social media or other websites), a cookie may be placed when you visit our site so that the third-party can recognize you and display our advertisement later. For example, a cookie may note that you visited a certain section of our site, and then we can ask a platform to show ads to "people who visited that section" – without identifying you by name.
• Cross-site Tracking Cookies: These might include technologies like pixels or tags that our advertising partners use to understand your actions on our site so they can optimize ad delivery. For example, a pixel might record that you registered on our site, so that we don't continue to show you an ad inviting you to register. Instead, you might see a different follow-up ad.
• Analytics for Ads: Some of the analytics cookies may also be used for advertising analytics. For instance, we may use an analytics cookie to know how many people who clicked on our ad eventually signed up. While those cookies might be categorized primarily under analytics, the information they provide could be used to refine targeting for future ads. We list them here to be transparent about all ad-related tracking.

Other Tracking Technologies:

(if applicable) In addition to cookies, we may utilize local storage or other web storage mechanisms, as well as web beacons/pixels as described in Section

These are used in conjunction with the above cookie categories. For example, an email pixel would fall under the Targeting/Advertising category if it’s used to see if you engaged with a marketing email, or under Performance if used to track email open rates just for our internal metrics. Similarly, local storage might be used to remember preferences (Functional) or to cache content for performance. Though not "cookies” in a technical sense, they operate similarly from a user perspective, and the choices you have for cookies often apply to these as well (for instance, browser settings that clear cookies might also clear local storage).

Managing Cookies by Category:

As explained in Section 6 and Section 12, you have the option to accept or reject different categories of cookies (except Strictly Necessary) through our cookie consent banner or settings. You can review your choices at any time by accessing the cookie settings tool on our site. The tool typically lists categories like the ones above and shows which are active or inactive based on your consent. You can modify your selection at any time. If you have any difficulties or require more information about specific cookies and their functions, please contact us (see Section 15).

Compliance Note:

We adhere to regional cookie regulations by categorizing cookies as above. In the EU/UK, as noted, we do not set non-essential cookies without consent, and we provide full transparency about each category’s purpose. In the US, while there is no federal cookie law, we respect user preferences and industry best practices (like honoring opt-outs for targeted advertising as described). This appendix is intended to give you clarity on how cookies interact with privacy standards across jurisdictions.

Updates to Cookie Appendix:

The cookies and categories we use may change over time as our website and services evolve, or as third-party services change. We will update this Appendix as needed to reflect such changes. An updated Appendix will be indicated by a revised "Last Updated” date at the top of the Policy. Major changes in cookie practices might also be communicated via our site’s cookie banner until you review or adjust your settings.