Privacy Policy

Last Updated: July 3, 2026

⚖️ NDPC Compliance Notice: This Privacy Policy complies with the Nigeria Data Protection Act (NDPA) 2023 and the Nigeria Data Protection Commission (NDPC) General Application and Implementation Directive (GAID) 2025.

1. Introduction

The FCC Whistleblower Platform ("we," "us," "our," or "Service") is committed to protecting your privacy and ensuring transparent data handling practices. This Privacy Policy explains how we collect, process, use, and protect your personal data in compliance with the Nigeria Data Protection Act (NDPA) 2023 and NDPC regulations.

By using our Service, you consent to the data practices outlined in this Privacy Policy. If you do not agree with our practices, please do not use this Service.

2. Data We Collect

A. Information You Provide Directly

  • Complaint Information: Name, contact information, email, phone number, physical address
  • Complaint Details: Description of reported violations, dates, locations, names of individuals involved
  • Evidence & Attachments: Images, documents, audio files, PDFs, and other supporting materials you upload
  • Sensitive Data (if applicable): When relevant to your complaint (health data, biometric data, etc.)
  • Communication Data: Messages, inquiries, and correspondence with our team

B. Information Collected Automatically

  • Device Information: IP address, browser type, operating system, device identifiers
  • Usage Data: Pages visited, time spent on site, links clicked, features accessed
  • Location Data: Approximate location (city/region level, not precise coordinates)
  • Cookies & Tracking: See Section 7 for details on cookie usage

C. Children's Data

Under NDPA Section 32, our Service is not intended for individuals under 18 years old. Processing a child's data requires explicit consent from a parent or legal guardian. If we become aware that personal data of a child has been collected without such consent, we will delete it immediately.

3. Lawful Basis for Processing (NDPA Section 25)

We process your personal data under the following lawful bases as specified in NDPA Section 25:

a) Consent

You provide explicit, freely given, specific, and informed consent for the purposes stated in this Privacy Policy and our Terms of Service.

b) Legal Obligation

Processing necessary to comply with Nigerian laws, court orders, and regulatory requirements from the NDPC or other government agencies.

c) Vital Interests

Processing necessary to protect the life, physical safety, or vital interests of you or another person.

d) Public Interest

Processing necessary for tasks carried out in the public interest, including investigating federal character violations and promoting institutional accountability.

e) Legitimate Interests

Processing necessary for our legitimate interests in operating the Service, securing against fraud, and improving our platform (subject to your rights and freedoms not being overridden).

4. Your Data Rights (NDPA Sections 34-38)

Under the NDPA, you have the following rights regarding your personal data. To exercise these rights, contact us at the details provided in Section 9.

✓ Right to be Informed

You have the right to transparent information about how we collect, process, and use your personal data.

✓ Right of Access

You can request a copy of all your personal data we hold. We will provide this in a commonly used electronic format within 30 days of verified request.

✓ Right to Rectification

You can request correction of inaccurate or outdated personal data. We will process this without undue delay.

✓ Right to Erasure (Right to be Forgotten)

You can request deletion of your personal data when:

  • The data is no longer necessary for its original purpose
  • You withdraw your consent
  • You object to processing and no overriding legitimate grounds exist
  • The data was processed unlawfully

✓ Right to Withdraw Consent

You can withdraw consent at any time. Withdrawing consent is as easy as giving it - simply use the "Withdraw Consent" link in your account settings or contact us.

✓ Right to Object to Processing

You can object to the processing of your personal data. We must cease processing unless we demonstrate compelling legitimate grounds that override your rights.

✓ Right to Data Portability

Where processing is based on consent or contract and performed by automated means, you have the right to receive your data in a structured, commonly used, machine-readable format, and to transmit that data to another organization.

✓ Right Not to be Subject to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing that produces legal or similarly significant effects about you.

✓ Right to Restrict Processing

You can request that we limit the use of your personal data during investigation or rectification processes.

5. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected or as required by law.

  • Complaint Data: Retained for the duration of the complaint investigation and 7 years afterward (as required by Nigerian record-keeping laws)
  • Correspondence: Retained for 3 years from last contact, or longer if required by law
  • Session Cookies: Deleted when you close your browser
  • Persistent Cookies: Retained for 12 months (unless you clear them sooner)
  • Audit Logs: Retained for 5 years for security and compliance purposes

After the retention period, data is securely deleted or anonymized. You can request early deletion by exercising your Right to Erasure in Section 4.

6. Data Security & Protection

We implement multi-layer security measures to protect your personal data:

  • 🔐 Military-Grade Encryption: AES-256-CBC encryption for data at rest and in transit
  • 🛡️ HTTPS/TLS: All communications encrypted with Secure Socket Layer (SSL)
  • 🔑 Access Control: Role-based access control (RBAC) with strong authentication
  • ✓ File Sanitization: All uploaded files undergo malware scanning, EXIF/metadata removal
  • 🔍 Security Headers: CSP, X-Frame-Options, HSTS, XSS Protection headers
  • 🍪 Secure Cookies: HttpOnly flag, SameSite=Strict CSRF protection
  • 📝 Audit Logging: All access and modifications logged for compliance
  • 🔐 Private Storage: Uploaded files stored outside web root, not directly web-accessible

7. Cookies & Tracking (NDPC GAID 2025)

Per NDPC GAID 2025 requirements: All cookies require active, explicit consent. Pre-checked boxes or implied consent by continued browsing do not satisfy this requirement.

Cookie Categories

🔒 Essential Cookies (No Consent Required)

These cookies are necessary for basic website functionality (session management, CSRF protection, authentication). These are placed automatically for security.

📊 Analytics Cookies (Consent Required)

Help us understand how users interact with our Service. Only placed when you explicitly consent through the cookie banner.

🎯 Preference Cookies (Consent Required)

Remember your preferences and settings. Only placed when you explicitly consent.

⚠️ Marketing Cookies (Consent Required)

Currently not used on this Service. If implemented in future, explicit consent will be required.

Your Cookie Preferences

You can manage your cookie preferences at any time by:

Note: If you disable essential cookies, some features of the Service may not function properly.

8. Breach Notification (NDPA Section 28)

In the event of a personal data breach, we will:

  • Notify NDPC: Report to the Nigeria Data Protection Commission within 72 hours of discovering the breach
  • Notify You: If the breach poses a high risk to your rights and freedoms, we will notify you immediately with clear, Plain language explanation of what happened and steps you should take
  • Document Details: Record the nature of the breach, affected data categories, number of individuals affected, likely consequences, and remediation measures

9. Contact Us

If you have questions about this Privacy Policy or wish to exercise any of your data rights, please contact:

FCC Whistleblower Platform

  • Email: privacy@whistleblower.fcc.gov.ng
  • Address: 3 Maputo Street, Near Abuja Shopping Mall, Zone 3, FCT-Abuja, Nigeria
  • Response Time: Within 30 days of verified request

Report Violations

Policy Changes

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by updating the "Last Updated" date at the top of this page and, where required, by sending you an email notification. Your continued use of the Service following such notifications constitutes your acceptance of the updated Privacy Policy.