About This Policy
Click Limited ("Click") is committed to protecting personal data. This Privacy Policy explains what data we collect, the legal basis on which we collect and process it, how we use it, and what rights you have over it. It applies to all users of Click's products and to visitors to our website.
Click operates as a data processor for the personal data of students, staff, and other individuals held by subscribing institutions, which act as data controllers. For data generated directly through use of our platform — such as account and usage data — Click acts as a data controller in its own right.
This policy is governed by the Nigeria Data Protection Act 2023 (NDPA 2023) and the General Application and Implementation Directive 2025. Click is registered with the Nigeria Data Protection Commission (NDPC).
What Data We Collect & Why
We collect only what is necessary to deliver our services. We do not collect data for advertising purposes and we do not sell personal data to any third party under any circumstances.
| Category | Data Collected | Purpose | Legal Basis |
|---|---|---|---|
| Account data | Name, email, role, institution name | Account creation, authentication, communication | Contractual obligation |
| Usage data | Login times, actions taken, features used, IP address | Security, audit trails, platform improvement | Legitimate interests |
| Institutional data | Student records, staff payroll, fee records, assessment results | Delivery of contracted services on behalf of the institution | Contractual obligation; legal obligation |
| Support data | Messages, support tickets, correspondence | Customer support and service improvement | Legitimate interests |
| Device & technical data | Browser type, device type, operating system | Platform compatibility and troubleshooting | Legitimate interests |
| Marketing data | Email address, communication preferences | Product updates, newsletters, service communications | Consent |
Legal Basis for Processing
The NDPA 2023 and the General Application and Implementation Directive 2025 require every processing activity to have a lawful basis. Click relies on the following legal bases depending on the category of data and purpose of processing.
Contractual Obligation
The primary basis for processing institutional data. When a subscribing institution enters into a service agreement with Click, processing the personal data of their students, staff, and administrators is necessary to fulfil that contract.
Legal Obligation
Click is subject to Nigerian law and regulatory requirements. In certain circumstances, we are required by law to retain or process personal data — for example, to maintain records for regulatory audit purposes or to respond to lawful government requests.
Legitimate Interests
Click processes certain data where it has a legitimate business interest that is not overridden by individual rights — including platform security, fraud detection, and improving reliability. Where we rely on this, the processing is proportionate and individual rights are protected.
Where Click processes data on behalf of a subscribing institution (as data processor), the institution's own legal basis for collecting that data from its students or staff governs the underlying collection. Click processes such data only on the institution's instructions and in accordance with the applicable data processing agreement.
Who We Share Data With
Click does not sell, rent, or trade personal data with third parties under any circumstances. We may share data only in the following limited and defined circumstances.
Your Rights Under the NDPA 2023
Individuals whose personal data Click processes have the following rights under the Nigeria Data Protection Act 2023. You may exercise these rights at no cost. We will respond to valid requests within 30 days, or communicate with you if additional time is required.
You have the right to be told how your personal data is collected and used. This Privacy Policy serves that purpose.
You may request a copy of the personal data Click holds about you.
You may request correction of personal data that is inaccurate, incomplete, or out of date.
You may request deletion of your personal data where there is no legal justification for its continued processing, subject to our regulatory retention obligations.
You may request your personal data in a structured, commonly used, machine-readable format where technically feasible.
You may object to processing carried out on the basis of legitimate interests. Click will cease such processing unless it can demonstrate compelling legitimate grounds that override your rights.
Where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
You have the right not to be subject to a decision based solely on automated processing that produces a legal or similarly significant effect on you. Click does not currently make such decisions.
If you are not satisfied with how Click has handled your personal data or responded to your request, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC).
Requests relating to institutional data should be submitted to your institution's administrator in the first instance. For direct requests to Click, contact privacy@getclickapps.com.
Data Retention
Click retains personal data only for as long as necessary for the purpose for which it was collected, or as required by applicable law. Following the applicable retention period, data is securely and irreversibly deleted from Click's systems and all sub-processor systems.
| Data Category | Retention Period | Basis |
|---|---|---|
| Institutional data (student, staff, financial, assessment records) | Duration of subscription + 90 days for export | Contractual; then securely deleted |
| Usage logs and audit data | 12 months | Security and compliance |
| Support correspondence | 24 months | Legitimate interests |
| Marketing consent records | Until consent is withdrawn + 6 months | Legal obligation to demonstrate consent |
International Data Transfers
Click's infrastructure may involve sub-processors located outside Nigeria. Where personal data is transferred internationally, Click takes steps to ensure it is handled securely and in compliance with the NDPA 2023. These measures include:
Verifying that the destination country offers an adequate level of data protection, or implementing appropriate safeguards including the use of Standard Contractual Clauses (SCCs) and verifying that our infrastructure providers maintain data processing agreements compliant with international adequacy standards.
Click maintains a Sub-processor Directory detailing the specific cloud infrastructure, transactional email, and security providers used. We verify that each provider utilizes Standard Contractual Clauses (SCCs) to ensure your data receives the same level of protection as it does under Nigerian law. You may request our full Compliance Disclosure by emailing privacy@getclickapps.com.
Data Protection Officer
Click has designated a Data Protection Officer (DPO) responsible for overseeing compliance with the NDPA 2023, the General Application and Implementation Directive 2025, and Click's internal data protection policies. The DPO is the first point of contact for all privacy and data protection matters.
Data Protection Officer — Click Limited
📧 Email: privacy@getclickapps.com
⏱ Response: Within 30 days of receipt, or sooner for urgent matters
🏛️ Regulator: Nigeria Data Protection Commission (NDPC)
Data Security
Effective date: 1 January 2026 · Version 1.1
Click processes institutional data as a data processor on behalf of subscribing institutions, which act as data controllers. This section describes our technical and organisational measures to protect that data.
Click's infrastructure is designed to meet enterprise-grade security requirements, with 99.9% uptime SLA, Automated Daily Snapshots with Off-site Redundancy, and Strict SSH-Key Authentication and Kernel-level isolation via KVM virtualisation. Your data is never used for any purpose beyond delivering contracted services.
Technical Measures
| Measure | Detail |
|---|---|
| Encryption in transit | All data transmitted between users and Click's platform is encrypted using TLS 1.3 (with fallback to 1.2 for legacy compatibility only). |
| Encryption at rest | Institutional data stored on Click's servers is encrypted using AES-256. |
| Access controls & isolation | Strict SSH-Key Authentication and Kernel-level isolation via KVM virtualisation ensure your data environment remains private. |
| Data resiliency | Automated Daily Snapshots with Off-site Redundancy to prevent data loss. |
| Vulnerability management | Click conducts regular security assessments and patches known vulnerabilities promptly. |
Organisational Measures
Data Breach Notification
In the event of a confirmed data breach that is likely to result in risk to the rights of affected individuals, Click will notify the affected institution within 72 hours of becoming aware of the breach. Notification will include the nature of the breach, the data likely affected, the likely consequences, and the measures taken or proposed to address it.
Sub-Processors
Click uses a limited set of third-party sub-processors to deliver its services — including cloud infrastructure providers, transactional email services, and error monitoring tools. All sub-processors are bound by data processing agreements that impose equivalent data protection obligations. You may request our full Sub-processor Directory by emailing privacy@getclickapps.com.
Compliance
Click operates in compliance with the Nigeria Data Protection Act 2023 (NDPA) and associated regulations, and is registered with the Nigeria Data Protection Commission (NDPC). We monitor regulatory developments and update our practices accordingly. Click conducts Data Protection Impact Assessments (DPIA) for all major platform updates to ensure privacy is maintained as we grow.