Privacy Policy
Last Updated: July 3, 2026
⚖️ NDPC Compliance Notice: This Privacy Policy complies with the Nigeria Data Protection Act (NDPA) 2023 and the Nigeria Data Protection Commission (NDPC) General Application and Implementation Directive (GAID) 2025.
1. Introduction
The FCC Whistleblower Platform ("we," "us," "our," or "Service") is committed to protecting your privacy and ensuring transparent data handling practices. This Privacy Policy explains how we collect, process, use, and protect your personal data in compliance with the Nigeria Data Protection Act (NDPA) 2023 and NDPC regulations.
By using our Service, you consent to the data practices outlined in this Privacy Policy. If you do not agree with our practices, please do not use this Service.
2. Data We Collect
A. Information You Provide Directly
- Complaint Information: Name, contact information, email, phone number, physical address
- Complaint Details: Description of reported violations, dates, locations, names of individuals involved
- Evidence & Attachments: Images, documents, audio files, PDFs, and other supporting materials you upload
- Sensitive Data (if applicable): Health data, biometric data, etc., when relevant to your complaint
- Communication Data: Messages, inquiries, and correspondence with our team
B. Information Collected Automatically
- Device Information: IP address, browser type, operating system, device identifiers
- Usage Data: Pages visited, time spent on site, links clicked, features accessed
- Location Data: Approximate location (city/region level, not precise coordinates)
- Cookies & Tracking: See Section 7 for details on cookie usage
C. Children's Data
Under NDPA Section 32, our Service is not intended for individuals under 18 years old. Processing a child's data requires explicit consent from a parent or legal guardian. If we become aware that personal data of a child has been collected without such consent, we will delete it immediately.
3. Lawful Basis for Processing (NDPA Section 25)
We process your personal data under the following lawful bases as specified in NDPA Section 25:
a) Consent
You provide explicit, freely given, specific, and informed consent for the purposes stated in this Privacy Policy and our Terms of Service.
b) Legal Obligation
Processing necessary to comply with Nigerian laws, court orders, and regulatory requirements from the NDPC or other government agencies.
c) Vital Interests
Processing necessary to protect the life, physical safety, or vital interests of you or another person.
d) Public Interest
Processing necessary for tasks carried out in the public interest, including investigating federal character violations and promoting institutional accountability.
e) Legitimate Interests
Processing necessary for our legitimate interests in operating the Service, securing against fraud, and improving our platform (subject to your rights and freedoms not being overridden).
4. Your Data Rights (NDPA Sections 34-38)
Under the NDPA, you have the following rights regarding your personal data. To exercise these rights, contact us using the details provided in Section 9.
✓ Right to be Informed
You have the right to transparent information about how we collect, process, and use your personal data.
✓ Right of Access
You can request a copy of all your personal data we hold. We will provide this in a commonly used electronic format within 30 days of a verified request.
✓ Right to Rectification
You can request correction of inaccurate or outdated personal data. We will process this without undue delay.
✓ Right to Erasure (Right to be Forgotten)
You can request deletion of your personal data when:
- The data is no longer necessary for its original purpose
- You withdraw your consent
- You object to processing and no overriding legitimate grounds exist
- The data was processed unlawfully
✓ Right to Withdraw Consent
You can withdraw consent at any time. Withdrawing consent is as easy as giving it - simply use the "Withdraw Consent" link in your account settings or contact us.
✓ Right to Object to Processing
You can object to the processing of your personal data. We must cease processing unless we demonstrate compelling legitimate grounds that override your rights.
✓ Right to Data Portability
Where processing is based on consent or contract and performed by automated means, you have the right to receive your data in a structured, commonly used, machine-readable format, and to transmit that data to another organization.
✓ Right Not to be Subject to Automated Decision-Making
You have the right not to be subject to decisions based solely on automated processing that produces legal or similarly significant effects about you.
✓ Right to Restrict Processing
You can request that we limit the use of your personal data during investigation or rectification processes.
5. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected or as required by law.
- Complaint Data: Retained for the duration of the complaint investigation and 7 years afterward (as required by Nigerian record-keeping laws)
- Correspondence: Retained for 3 years from last contact, or longer if required by law
- Session Cookies: Deleted when you close your browser
- Persistent Cookies: Retained for 12 months (unless you clear them sooner)
- Audit Logs: Retained for 5 years for security and compliance purposes
After the retention period, data is securely deleted or anonymized. You can request early deletion by exercising your Right to Erasure in Section 4.
6. Data Security & Protection
We implement multi-layer security measures to protect your personal data:
- 🔐 Military-Grade Encryption: AES-256-CBC encryption for data at rest and in transit
- 🛡️ HTTPS/TLS: All communications encrypted with Secure Socket Layer (SSL)
- 🔑 Access Control: Role-based access control (RBAC) with strong authentication
- ✓ File Sanitization: All uploaded files undergo malware scanning and EXIF/metadata removal
- 🔍 Security Headers: CSP, X-Frame-Options, HSTS, XSS Protection headers
- 🍪 Secure Cookies: HttpOnly flag, SameSite=Strict CSRF protection
- 📝 Audit Logging: All access and modifications logged for compliance
- 🔐 Private Storage: Uploaded files stored outside web root, not directly web-accessible
8. Breach Notification (NDPA Section 28)
In the event of a personal data breach, we will:
- Notify NDPC: Report to the Nigeria Data Protection Commission within 72 hours of discovering the breach
- Notify You: If the breach poses a high risk to your rights and freedoms, we will notify you immediately with a clear, plain-language explanation of what happened and the steps you should take
- Document Details: Record the nature of the breach, affected data categories, number of individuals affected, likely consequences, and remediation measures
9. Contact Us
If you have questions about this Privacy Policy or wish to exercise any of your data rights, please contact:
FCC Whistleblower Platform
- Email: privacy@whistleblower.fcc.gov.ng
- Address: 3 Maputo Street, Near Abuja Shopping Mall, Zone 3, FCT-Abuja, Nigeria
- Response Time: Within 30 days of verified request
Report Violations
- NDPC: www.ndpc.gov.ng
- NDPC Email: info@ndpc.gov.ng
- NDPC Phone: +234 (0) 916 061 5551
- Privacy Breach Report: services.ndpc.gov.ng/breach
Policy Changes
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by updating the "Last Updated" date at the top of this page and, where required, by sending you an email notification. Your continued use of the Service following such notifications constitutes your acceptance of the updated Privacy Policy.