Data Privacy Notice

The Privacy Policy (the “Policy”) is designed to enable CardinalStone Trustee Limited (“we,” “our,” “us,” or “the company”) to define its structure and approach to the collection, handling, and processing of data of both internal and external clients.

This Policy ensures transparency regarding how data is collected, the purpose of its use, how it is handled and processed, and the security measures in place. It also explains when and why CardinalStone Trustee Limited collects personal information about its shareholders, clients, investors, employees, and other stakeholders (collectively referred to as “Data Subject” or “You”), how the personal information is used, how it is secured, and the rights of the Data Subjects.

For the purposes of the Nigeria Data Protection Act, 2023 (NDPA 2023), CardinalStone Trustee Limited acts as the “Data Controller”, determining how and why personal data is processed.

Your Trust is Our Priority

When you use our services, you entrust us with your information. We understand this is a significant responsibility and strive to safeguard your information while empowering you with control. This Privacy Policy explains what data we collect, why we collect it, and how you can manage, access, and delete your information.

 

a. LEGAL COMPLIANCE

This Policy is established in compliance with:

  • Section 37 of the Constitution of the Federal Republic of Nigeria (CFRN) 1999 (as amended)
  • The Nigeria Data Protection Act (NDPA), 2023
  • The General Application and Implementation Directive (GAID), 2025
  • All other applicable data privacy legislation

This Policy applies to the personal data of:

  • Customers/Clients
  • Staff
  • Vendors
  • Visitors
  • Any third party interacting with CardinalStone Trustee Limited

b.  DATA PROCESSING PRINCIPLES

We are committed to processing your personal data in accordance with the principles outlined in Section 24 of the Nigeria Data Protection Act (NDPA):

  • Fairness, lawfulness, and transparency: We will always obtain your consent or rely on another lawful basis for processing your data and will be transparent about its use.
  • Specified, explicit, and legitimate purposes: We will collect and process your data only for clearly communicated purposes.
  • Data minimization: We collect only the necessary data for the intended purpose.
  • Accuracy: We ensure that personal data is accurate and updated as necessary.
  • Security: We implement robust security measures to protect data against unauthorized access, disclosure, alteration, or destruction.

Beyond compliance, we demonstrate accountability and uphold the data protection triad of

S/N Purpose of Collection Type of Data Processed Lawful Basis
1 Identification Full name, title, marital status, phone number, email address, contact address, gender, date of birth, identification documents (e.g., driver’s license, international             passport, national identity card, voter’s card), signature, postal address,                 educational records, billing address, and personal information of next of kin and guarantors. Legal             Obligation (Some instances may also involve Public Interest or require Consent as prescribed by the NDPA).
2 Notifications/Contact Contact     details     including name, phone number, email address,         and         mailing address. Legitimate Interest or Consent,      depending on the nature of the communication.
3 Financial Data Bank account details, Bank Verification Number (BVN), biometrics, and payment card details. Consent (Processing may also be based on Legitimate Interest or Legal            Obligation, particularly for fraud
      prevention               and security analytics).
4 Security (Safety and Protection of Lives and Property) Name, phone number, email address, contact address, gender, date of birth, video recordings/still images from CCTV cameras, and passport photograph. Legal             Obligation (Processing may also rely on Legitimate Interest  or  Public Interest for security purposes).
5 Employment Name, phone number, email address, contact address, gender, date of birth, passport photograph, medical records, educational records, and details of referees/guarantors. Contractual Obligation (In certain cases, processing may be based on Consent, Vital Interest, or Legal Obligation).
6 Contractual Agreements Name, phone number, email address, contact address, and gender. Contractual Obligation           (Some instances may involve Legitimate Interest or Public                Interest, particularly for due diligence processes).
7 Transactions Details of payments made or received, as well as records of subscribed products and services. Legal             Obligation (Processing may also be           based           on Legitimate Interest or Public  Interest  for security                      and compliance analytics).
8 Technical Usage Data Internet Protocol (IP) address, login credentials, browser type and version, time zone setting, location data, browser plug-in details, operating system, and platform information. Legitimate Interest (To enhance              system security,             prevent fraud, and improve user experience).
9 Profile Data Username, password, user preferences, feedback, and survey responses. Legitimate Interest or Consent,      depending on user interactions.
10 Usage Data Information on how users interact with our website, products, and services. Legitimate      Interest, particularly for service improvement          and analytics.
11 Marketing and Communications Preferences       related       to marketing                             and communications,     including interactions        with       third parties. Consent (Users retain the right to withdraw consent at any time).

All data processing activities are carried out in accordance with NDPA 2023, ensuring that personal data is handled transparently, securely, and lawfully.

 

ARTICLE 2:

HOW CARDINALSTONE TRUSTEE LIMITED COLLECTS YOUR INFORMATION

In accordance with the Nigeria Data Protection Act (NDPA) 2023, we collect personal data through various channels, including direct interactions, website usage, third-party sources, and security recordings.

 

2.1  Direct Collection from You

We collect personal information that you provide to us when engaging with our services, including:

  • Account Registration and Service Usage – When you create an account, log in, or access our services via our website or mobile application, we collect the information you provide. This includes data from forms you complete, policy transfers, document uploads, and communications sent via email, phone, or postal mail.
  • Inquiries and Correspondence – We collect information whenever you make inquiries or communicate with CardinalStone Trustee Limited, either directly or through authorized representatives.

 

2.2  Website Browsing and Automated Technologies

We automatically collect certain information when you interact with our website or digital platforms:

i. Cookies and Similar Technologies – As you browse our website, we gather data on your browsing patterns and device-related technical information using cookies, server logs, and other tracking technologies. You can manage your cookie preferences on any of our websites.

 

2.3  Collection from Third Parties and Public Sources

We may obtain certain categories of personal data from third-party service providers, business partners, and publicly available sources, including:

  • Technical Data – We receive technical information about your device from analytics providers, advertising networks, and search engine providers.
  • Contact, Financial, and Transaction Data – We collect financial and transactional data from third- party service providers, including payment processors, credit bureaus, and fraud prevention agencies.
  • Financial Crime Prevention and Compliance – To comply with financial regulations, we work with third-party agencies to verify data related to fraud prevention, sanctions screening, Politically Exposed Persons (PEPs), and anti-money laundering (AML) measures.

 

2.4  Security and Monitoring Data

For security, regulatory compliance, and quality assurance, we collect the following:

  • Call Monitoring and Recording – We may record or monitor phone calls with our representatives for regulatory compliance, staff training, quality assurance, security, and dispute resolution purposes.
  • CCTV Surveillance – Our premises are monitored using CCTV cameras to ensure the safety and security of our employees, clients, and visitors.

All data collection processes comply with NDPA 2023, ensuring transparency, accountability, and respect for the rights of data subjects.

 

ARTICLE 3:

DATA SUBJECT RIGHTS

At CardinalStone Trustee Limited, we take your data privacy rights seriously. In accordance with the Nigeria Data Protection Act (NDPA) 2023 (Sections 34, 35, 36 and 37), you have the following rights regarding your personal data:

 

3.1  Right to Access

You have the right to request a copy of the personal data we hold about you. This allows you to understand how your data is being processed.

 

3.2  Right to Rectification

If any personal data we hold about you is incorrect or incomplete, you can request that we correct or update it.

 

3.3  Right to Object

You have the right to object to the processing of your personal data in certain circumstances, including when we rely on legitimate interest as our lawful basis. You may also request that we limit or restrict how your personal data is used.

 

3.4  Right to Data Portability

You can request a copy of your personal data in a structured, commonly used, and machine-readable format, enabling you to transfer it to another service provider.

 

3.5  Right to Erasure (Right to be Forgotten’)

You may request the deletion of your personal data from our systems, subject to legal and regulatory obligations that may require us to retain certain records.

 

3.6  Right to Restrict Processing

Under specific circumstances, you have the right to request that we restrict the processing of your personal data. This means we will continue storing your data but will not process it further without your consent or as permitted by law.

 

3.7  Right to Object to Automated Decision-Making

If we use automated processes to make decisions affecting you, you have the right to challenge such decisions and request human intervention.

 

3.8  Right to Withdraw Consent

Where we process your data based on consent, you have the right to withdraw that consent at any time. You can:

  • Opt-out of interest-based advertising by sending an email to compliance@cardinalstone.comUnsubscribe from marketing emails by clicking the “unsubscribe” link in the emails we send or by contacting us directly.

For more details on your rights and how to submit a complaint, please refer to Part VI of the NDPA or contact our Data Protection Officer (DPO) at the provided contact details.

 

ARTICLE 4:

DATA RETENTION AND SECURITY

4.1  Commitment to Data Protection

CardinalStone Trustee Limited is committed to safeguarding your personal data in full compliance with the Nigeria Data Protection Act (NDPA) 2023. We implement appropriate technical and organizational measures to ensure the security, integrity, confidentiality, availability, and resilience of personal data against unauthorized access, alteration, disclosure, or destruction.

 

4.2  Data Retention Periods

The retention period for personal data is determined by the specific purpose for which it was collected and processed. We adhere to the following principles:

  • Cookie – A small piece of data stored by your web browser when you visit a website. Cookies help websites remember your preferences, login information, and browsing activity.
  • Consent – The freely given, specific, informed, and unambiguous indication of a Data Subject’s wishes by which they, through a statement or clear affirmative action, signify agreement to the processing of their personal data.
  • CardinalStone Trustee Limited (“we,” “our,” or “CardinalStone Trustee”) – The Data Controller responsible for handling your personal data under this Privacy Policy. CardinalStone Trustee Limited is located at: 5 Okotie Rd, Ikoyi, Lagos 106104, Lagos, Nigeria.
  • Country – Refers to Nigeria, the jurisdiction where CardinalStone Trustee Limited operates and is legally registered.
  • Customer – Any individual, organization, or company that uses our services to manage relationships with their consumers, clients, or service users.
  • Data Protection Officer (DPO) – The designated person responsible for advising CardinalStone Trustee Limited and its employees on their obligations under Data Protection Laws, ensuring compliance with applicable privacy regulations.
  • Device – Any internet-connected device (e.g., smartphone, tablet, and computer) used to access our website and services.
  • Internet Protocol (IP) Address – A unique numerical identifier assigned to a device connected to the internet. An IP address can sometimes indicate the general geographic location of the device.
  • Closed-Circuit Television (CCTV) – We deploy CCTV cameras at various locations to ensure safety and security. CCTV footage may include video recordings and still images, retained strictly for security purposes.
  • Personnel – Employees, contractors, and any individuals engaged to perform services on behalf of CardinalStone Trustee Limited.
  • Data – Any characters, symbols, or binary information on which computational operations are performed. This data may be stored, transmitted, or processed electronically.
  • Personal Data – Any information relating to an identified or identifiable natural person (Data Subject). Personal data includes but is not limited to:
    • Name, address, photograph, email, phone number, bank details
    • Medical records, biometric data, social security numbers
    • Online identifiers such as IP address, MAC address, IMEI number, IMSI number, SIM, and other Personal Identifiable Information (PII)
  • Service – The products and services provided by CardinalStone Trustee Limited, as described in our Terms and Conditions.
  • Third-Party Service – Any external service provider that interacts with our platform. This includes advertisers, marketing partners, promotional sponsors, and others offering products or services that may be of interest to you.
  • Data Subject (“You”) – Any individual or entity whose personal data is collected, stored, or processed by CardinalStone Trustee Limited.

For further clarifications regarding these definitions or your data rights, please contact our Data Protection Officer (DPO) at: compliance@cardinalstone.com

 

ARTICLE 20:

CONTACT

If you have any questions, comments, or requests regarding your privacy rights or this Privacy Policy, please reach out to us.

20.1 Data Controller

CardinalStone Trustee Limited.

5 Okotie Rd, Ikoyi, Lagos 106104, Lagos, Nigeria. Email: trustees@cardinalstone.com

20.2  Data Protection Officer (DPO)

For data protection inquiries, complaints, or to exercise your data rights, please contact our DPO at:

Email: compliance@cardinalstone.com

We are committed to addressing your concerns promptly and transparently, in compliance with the Nigeria Data Protection Act (NDPA) 2023.

  • Affiliated companies within the CardinalStone Trustee Limited
  • Third-party service providers (e.g., recruitment agencies, background check providers, IT system providers)
  • These transfers may occur within or outside your country of residence and will be conducted in compliance with the Nigeria Data Protection Act (NDPA) 2023.

     

    9.4  Data Retention

     We retain job application data for a maximum period of three years, after which it will be securely deleted or anonymized, unless:

    • Legal or regulatory obligations require a longer retention period
    • You have provided explicit consent for us to retain your data for future opportunities

    9.5  Data Subject Rights and Contact

    You have the right to access, update, or request deletion of your personal data. To exercise these rights or for inquiries regarding your application data, please contact our Data Protection Officer (DPO) at: Email: compliance@cardinalstone.com

    We are committed to transparency, fairness, and compliance with data protection regulations in all recruitment processes.

     

    ARTICLE 10:

    MAINTAINING ACCURATE INFORMATION

    At CardinalStone Trustee Limited, we are committed to maintaining accurate and up-to-date personal data for all users, in compliance with the Nigeria Data Protection Act (NDPA) 2023.

    If your personal information changes during your engagement with us, we encourage you to notify us promptly to ensure the accuracy, reliability, and completeness of our records.

    You can update your personal information by contacting our Data Protection Officer (DPO) at: compliance@cardinalstone.com

    This right to rectification ensures that your personal data remains current and accurate, in alignment with Section 34 of the NDPA 2023.

     

    ARTICLE 11:

    CHILDREN’S PRIVACY

    Our services are generally not intended for children under the age of 13. However, in rare cases where we provide specialized services for children, we implement strict safeguards to ensure their privacy and data security in compliance with the Nigeria Data Protection Act (NDPA) 2023.

     

    11.1  Safeguards for Children’s Data

    When processing children’s data, we adhere to the following strict protections:

    • Strong Data Protection Measures – We implement robust security controls to ensure the confidentiality, integrity, and safety of any child’s personal data we collect.
    • Limited Data Collection – We collect only the minimum information strictly necessary to provide the specialized service for children.
    • Parental Consent Requirement – In all instances involving children, we require verifiable parental or guardian consent before collecting, processing, or using any child’s data.

     

    11.2  Compliance with the NDPA

    We ensure full compliance with Section 31 of the NDPA 2023, which outlines parental consent requirements and protections for children’s personal data.

    For further information regarding children’s data protection, or to seek clarification on parental consent requirements, please contact our Data Protection Officer (DPO) at: compliance@cardinalstone.com

    We remain committed to protecting children’s privacy and ensuring responsible data practices in all cases involving minors.

     

    ARTICLE 12:

    CAVEAT ON WEBSITE LINKS

    Our website may contain links to external websites operated by third parties. These links are provided for your convenience only and do not constitute an endorsement, affiliation, or approval by CardinalStone Trustee Limited of the content, products, or services offered on those external sites.

     

    12.1  Third-Party Website Disclaimer

    CardinalStone Trustee Limited does not control and is not responsible for the privacy practices, security, content, or data handling policies of any third-party websites.

     

    12.2  Reviewing Third-Party Privacy Policies

    Our Privacy Policy applies exclusively to our own platforms. We strongly recommend that you review the privacy policies of any external websites you visit to understand:

    • What personal data they collectHow they process and store dataYour rights concerning their data processing activities

    For any concerns regarding external website links or third-party data sharing, please contact our Data Protection Officer (DPO) at: compliance@cardinalstone.com

    We are committed to ensuring transparency and accountability in our data processing activities.

     

    ARTICLE 13:

    TRANSFER TO THIRD PARTIES AND CROSS-BORDER DATA TRANSFERS

    In fulfilling our mandate efficiently, CardinalStone Trustee Limited may engage the services of third parties within or outside Nigeria. In such cases, we ensure that all data transfers comply with the Nigeria Data Protection Act (NDPA) 2023 and adhere to global best practices for data security and privacy protection.

     

    13.1  Safeguards for Third-Party Data Transfers

    Whenever we transfer personal data to a third party, we take the following steps to ensure the protection of your information:

    • We enter into a Data Processing Agreement (DPA) with the third party, ensuring they implement appropriate security and privacy controls.
    • If the purpose of processing was not originally stated at the time of collection, we will obtain your consent before sharing your data.
    • We assess and confirm that the third party has adequate security measures in place to protect personal data from accidental or unauthorized access, use, disclosure, loss, or destruction.

     

    13.2  Cross-Border Data Transfers

    If personal data needs to be transferred outside the jurisdiction of the NDPA, we will ensure the receiving entity meets core global regulatory standards before proceeding with the transfer. Specifically, data will only be transferred if:

    • The recipient country has adequate data protection laws – The country has an adequacy decision issued by the Nigeria Data Protection Commission (NDPC), confirming that its legal or self-regulatory framework ensures sufficient data protection.
    • Contractual Safeguards Are in Place – Where no adequacy decision exists, we ensure that a contract using NDPC-approved data protection clauses is in place to guarantee adequate protection.
    • Binding Corporate Rules (BCRs) Are Applied – If the transfer is within our corporate group, we will ensure the recipient entity adheres to binding corporate rules (BCRs) approved by the NDPC.

     

    13.3  Examples of Third-Party Services

    Examples of third-party services that may require domestic or cross-border data transfers include, but are not limited to:

    • Internet connectivity servicesCloud storage and computingData analytics and reportingCybersecurity and data protection servicesSoftware development and technical support

    We remain committed to ensuring the security and integrity of all personal data transfers and complying with NDPA 2023 and global privacy regulations.

    For further inquiries regarding third-party data transfers, please contact our Data Protection Officer (DPO) at: compliance@cardinalstone.com

     

    ARTICLE 14:

    DATA PROTECTION HELP DESK

    At CardinalStone Trustee Limited, we are committed to promptly addressing all data privacy requests, inquiries, and complaints. To ensure compliance with the Nigeria Data Protection Act (NDPA) 2023, we have established a Data Protection Help Desk led by our Data Protection Officer (DPO).

    Our DPO is responsible for ensuring that your data protection rights are upheld and that all privacy- related concerns are handled efficiently.

     

    14.1  How to Contact the Data Protection Officer (DPO)

    For any questions, requests, or complaints regarding data protection and privacy, you may contact our DPO via: compliance@cardinalstone.com

     

    14.2  Services Provided by the Data Protection Help Desk

    Our Data Protection Help Desk is responsible for the following core data privacy services:

    1. Ensuring Compliance with Data Protection Regulations – Assisting with adherence to the NDPA 2023 and other applicable data privacy laws.
    2. Data Protection and Privacy Advisory Services – Providing guidance on privacy best practices and legal compliance.
    3. Capacity Building and Awareness – Offering training and education on data protection and privacy management.
    4. Drafting and Reviewing Data Protection Contracts – Assisting with contractual obligations related to privacy and data security.
    5. Data Breach Remediation and Incident Management – Supporting businesses and individuals in addressing data breaches.
    6. Information Privacy Audits – Conducting privacy compliance assessments to identify risks and areas for improvement.
    7. Data Privacy Breach Impact Assessment – Evaluating and mitigating the impact of privacy violations.
    8. Data Protection Due Diligence Investigations – Performing risk assessments to ensure compliance before engaging with third parties.

    We are committed to ensuring transparency, accountability, and data security in all our operations. For further inquiries, please reach out to our Data Protection Help Desk.

     

    ARTICLE 15:

    DATA DELETION

    You have the right to request the deletion of your personal data at any time. CardinalStone Trustee Limited is committed to ensuring that all personal data is securely deleted when it is no longer required for legal, regulatory, or business purposes.

    We have established secure deletion procedures to ensure that personal data exceeding its retention period or deemed unnecessary for business operations is completely and irreversibly destroyed while maintaining data security and compliance.

     

    15.1  Data Deletion Process

    Our data deletion process follows a structured approach:

    • Identification – We regularly review our data storage systems to identify personal data that has reached the end of its designated retention period or is no longer required for legal or business purposes.
    • Scheduling – Identified data is placed on a scheduled deletion list, considering factors such as legal requirements, data type, and potential risks associated with delayed deletion.
    • Overwriting – To ensure permanent deletion, the data is overwritten with random characters or patterns, rendering it unreadable and irrecoverable.
    • Verification – After overwriting, we verify that the data deletion process has been successfully completed and that the original data is no longer accessible.
    • Audit Trail – We maintain a detailed audit log of all data deletion activities, including:
    • The type of data deleted
    • The date of deletion
    •  The individual responsible for deletion
    • Data Subject Requests for Deletion

    In addition to automated deletion processes, you may also formally request the deletion of your personal data at any time by submitting a Data Subject Access Request (DSAR) Form to our Data Protection Officer (DPO) at: compliance@cardinalstone.com

    We will take reasonable steps to fulfil your deletion request within a commercially reasonable timeframe, subject to any legal or regulatory requirements.

     

    15.3  Exceptions to Data Deletion

    There may be certain situations where we are unable to completely delete your personal data, including when:

    • Legal Retention Obligations Apply – We are required by law to retain your data for a specified period (e.g., financial regulations, audit requirements).
    • Ongoing Legal Disputes or Enforcement of Terms – Your data is needed to resolve legal disputes, enforce our terms of service, or defend against potential claims.
    • Anonymized Data Exists – If your personal data has been anonymized and can no longer be used to identify you, it may be retained for statistical or research purposes.

     

    15.4  Restricted Processing for Non-Deletable Data

    In cases where we cannot delete your data, we will take reasonable steps to restrict processing and limit its use to the minimum necessary extent.

    For further information on our data deletion policies, or to initiate a data deletion request, please contact our DPO.

     

    ARTICLE 16:

    DATA SUBJECT ACCESS REQUEST (DSAR)

    16.1  Right to Access Personal Data

    Under the Nigeria Data Protection Act (NDPA) 2023, you have the right to request access to your personal data held by CardinalStone Trustee Limited. A Data Subject Access Request (DSAR) allows you to obtain a copy of your personal information, which may include: 

    • Your name, contact details, demographics
    • Any other data that can directly or indirectly identify you
    • Records of transactions, communications, or interactions with us

    16.2  How to Submit a DSAR

    You may request access to your data through the following methods:

     

    16.3  Verification Process

    To protect your privacy and ensure that we provide access to the correct data subject, we may request additional verification, such as:

    • Official identification documents (e.g., driver’s license, international passport, National Identity Number (NIN slip)
    • Verification of information associated with your account

       

      16.4  Response Timeline

      We aim to respond to all DSARs within 30 days of confirming your identity. Our response will include:

      • Confirmation that your request has been processed
      • The requested personal data in a clear, concise, and electronic format
      • If access is denied, we will provide a clear explanation for the refusal

         

        16.5  DSAR Fees

        Submitting a DSAR is free of charge. However, a reasonable administrative fee may apply if your request:

        • Is clearly unreasonable or excessive
        • Is submitted too frequently
        • Involves repeated requests for the same information within a short period

         

        16.6  Exceptions to Data Subject Access Rights

        In some cases, CardinalStone Trustee Limited may decline or limit your access request if required or permitted by law, including when:

        • Compliance with a legal obligation prevents disclosure
        • Protecting your vital interests or those of another person requires restriction
        • Public interest considerations or the exercise of official public functions justify withholding the data

        For further assistance or to initiate a DSAR, please contact our DPO at: compliance@cardinalstone.com

        We are committed to ensuring transparency and accountability in handling personal data access requests while complying with NDPA 2023 regulations.

         

        ARTICLE 17:

        REMEDIATION

        At CardinalStone Trustee Limited, we are committed to addressing and resolving any concerns regarding your data privacy and protection. If you have any complaints, inquiries, or requests related to your personal data, we encourage you to report them through our Data Protection Officer (DPO).

        For contact details, please refer to Article 20.

         

        17.1 Complaint Resolution Process

        • Our DPO will promptly investigate and respond to your concern within 7 business days.
        • If your request requires additional clarification or supporting documents, we will notify you accordingly.
        • In cases where a more complex issue requires additional time, we will keep you informed and take all necessary steps to ensure your rights and interests are protected throughout the process.

        We are dedicated to ensuring transparency, accountability, and compliance with the Nigeria Data Protection Act (NDPA) 2023 in handling data privacy concerns.

        For further assistance, please contact our DPO at: compliance@cardinalstone.com

         

        ARTICLE 18:

        ALTERATION OF PRIVACY POLICY

        CardinalStone Trustee Limited (as the Data Controller) reserves the right to update, modify, or amend this Privacy Policy periodically. These updates may be necessary to:

        • Enhance      data      privacy      rights      for      our      users      in      line      with      best      practices.
        • Align     with     evolving    public     interest    considerations     and     regulatory     requirements.
        • Comply with lawful directives issued by the Federal Government of Nigeria or relevant regulatory authorities.

         

        18.1  Compliance with Legal Frameworks

        Any revisions to this Privacy Policy will be made in strict compliance with: 

        • The Nigeria Data Protection Act (NDPA) 2023
        • The 1999 Constitution of the Federal Republic of Nigeria
        • Other applicable national and international data protection regulations

         

        18.2  Notification of Changes

        Where necessary, we will notify users of significant changes to this Privacy Policy through appropriate channels, including:

        • Email notifications
        • Website announcements
        • Other official communication methods

        By continuing to use our services after any updates, you acknowledge and agree to the revised Privacy Policy.

        For any inquiries or concerns regarding policy updates, please contact our Data Protection Officer (DPO) at: compliance@cardinalstone.com

         

        ARTICLE 19:

        DEFINITIONS AND KEY TERMS

        To ensure clarity and consistency throughout this Privacy Policy, we provide definitions for key terms frequently used:

         

        19.1 Key Terms and Their Definitions

        • Cookie – A small piece of data stored by your web browser when you visit a website. Cookies help websites remember your preferences, login information, and browsing activity.
        • Consent – The freely given, specific, informed, and unambiguous indication of a Data Subject’s wishes by which they, through a statement or clear affirmative action, signify agreement to the processing of their personal data.
        • CardinalStone Trustee Limited (“we,” “our,” or “CardinalStone Trustee”) – The Data Controller responsible for handling your personal data under this Privacy Policy. CardinalStone Trustee Limited is located at: 5 Okotie Rd, Ikoyi, Lagos 106104, Lagos, Nigeria.
        • Country – Refers to Nigeria, the jurisdiction where CardinalStone Trustee Limited operates and is legally registered.
        • Customer – Any individual, organization, or company that uses our services to manage relationships with their consumers, clients, or service users.
        • Data Protection Officer (DPO) – The designated person responsible for advising CardinalStone Trustee Limited and its employees on their obligations under Data Protection Laws, ensuring compliance with applicable privacy regulations.
        • Device – Any internet-connected device (e.g., smartphone, tablet, and computer) used to access our website and services.
        • Internet Protocol (IP) Address – A unique numerical identifier assigned to a device connected to the internet. An IP address can sometimes indicate the general geographic location of the device.
        • Closed-Circuit Television (CCTV) – We deploy CCTV cameras at various locations to ensure safety and security. CCTV footage may include video recordings and still images, retained strictly for security purposes.
        • Personnel – Employees, contractors, and any individuals engaged to perform services on behalf of CardinalStone Trustee Limited.
        • Data – Any characters, symbols, or binary information on which computational operations are performed. This data may be stored, transmitted, or processed electronically.
        • Personal Data – Any information relating to an identified or identifiable natural person (Data Subject). Personal data includes but is not limited to:
          • Name, address, photograph, email, phone number, bank details
          • Medical records, biometric data, social security numbers
          • Online identifiers such as IP address, MAC address, IMEI number, IMSI number, SIM, and other Personal Identifiable Information (PII)
        • Service – The products and services provided by CardinalStone Trustee Limited, as described in our Terms and Conditions.
        • Third-Party Service – Any external service provider that interacts with our platform. This includes advertisers, marketing partners, promotional sponsors, and others offering products or services that may be of interest to you.
        • Data Subject (“You”) – Any individual or entity whose personal data is collected, stored, or processed by CardinalStone Trustee Limited.

        For further clarifications regarding these definitions or your data rights, please contact our Data Protection Officer (DPO) at: compliance@cardinalstone.com

         

        ARTICLE 20:

        CONTACT

        If you have any questions, comments, or requests regarding your privacy rights or this Privacy Policy, please reach out to us.

        20.1 Data Controller

        CardinalStone Trustee Limited.

        5 Okotie Rd, Ikoyi, Lagos 106104, Lagos, Nigeria. Email: trustees@cardinalstone.com

        20.2  Data Protection Officer (DPO)

        For data protection inquiries, complaints, or to exercise your data rights, please contact our DPO at:

        Email: compliance@cardinalstone.com

        We are committed to addressing your concerns promptly and transparently, in compliance with the Nigeria Data Protection Act (NDPA) 2023.

        Our commitment to data protection aligns with the 1999 Constitution of the Federal Republic of Nigeria and other relevant international data protection frameworks.

        The table below provides general guidelines for data retention timelines. However, specific retention periods may vary depending on legal, contractual, or operational requirements:

        S/N Type of Data Retention Timeline Justification
        1 Customer/Client Records Retained for the duration of service usage. Upon termination, data is securely deleted or anonymized, unless required by law to be retained for up to 10 years. To fulfil contractual obligations, provide ongoing services, and comply with legal            or            regulatory requirements.
        2 Notifications                         and Communications Retained as long as necessary to fulfil service needs or legal obligations. To maintain communication records for reference, legal compliance, and  customer support.
        3 Employment Records Retained for the duration of employment    plus     any    legally mandated retention period. To comply with labour laws, regulatory obligations, and contractual commitments.
        4 Contract Records Retained for the duration of the contract and beyond, as required by law (typically up to 10 years). To           fulfil           contractual obligations,                     dispute resolution,    and    regulatory compliance.
        5 Transaction/Usage/Profile Data Retained as long as necessary for service delivery and legal obligations, unless required for national security or regulatory purposes. To           fulfil           contractual obligations, Legitimate/Public      Interest, national security, and service continuity.
        6 Technical Data Retained for a period necessary to ensure      cybersecurity,      fraud prevention,          and          service improvement. To           enhance           system performance, protect against cyber threats, and analyse usage patterns.
        7 Security Data (CCTV, Access Logs, etc.) Retained for security monitoring purposes and deleted within the legally stipulated period unless required for an ongoing investigation. To ensure workplace and customer security, fraud prevention, and compliance with law enforcement requirements.

         

        4.3  Secure Data Deletion

        Once personal data is no longer required, or the legal retention period has expired, CardinalStone Trustee Limited will:

        By implementing strict data retention policies, we ensure that personal information is handled with the highest level of security and compliance.

         

        ARTICLE 5:

        MANDATORY DATA COLLECTION

        In compliance with the Nigeria Data Protection Act (NDPA) 2023, certain categories of personal data are mandatory for us to fulfil our contractual, legal, or regulatory obligations. Without this information, we may be unable to provide you with the services or meet statutory requirements.

        If you require further clarification regarding our data processing practices, please contact our designated Data Protection Officer (DPO) at:

        Email: compliance@cardinalstone.com

        Phone: +234 (1) 631 2225 | +234 (1) 710 0433

        We are committed to ensuring transparency, accountability, and compliance in all our data collection and processing activities.

         

        ARTICLE 6:

        TRANSFER OF DATA TO THIRD PARTIES

        6.1  Third-Party Services Offered Through Our Platform

        CardinalStone Trustee Limited may collaborate with third-party service providers who offer essential or value-added services through our platform. These third parties process personal data in accordance with their own lawful bases as prescribed under the Nigeria Data Protection Act (NDPA) 2023.

        Personal data shared with third-party service providers may include contact information, transaction details, or other necessary identifiers, depending on the nature of the service being provided. We

        ensure that all third parties handling your personal data comply with applicable data protection regulations and maintain appropriate security measures.

         

        6.2  Your Right to Control Your Data

        You have the right to control how your data is shared with third parties, particularly for services that require your explicit consent. Where applicable:

        For more information on how we manage third-party data transfers, or to exercise your rights, please contact our Data Protection Officer (DPO) at compliance@cardinalstone.com

        We remain committed to ensuring transparency, security, and compliance in all third-party data transfers in line with the NDPA 2023.

         

        ARTICLE 7:

        TECHNICAL INFORMATION AND COOKIES

        7.1  Website Data Collection and Cookies

        When you visit our website, certain technical information is automatically collected. This includes your IP address, browser type, operating system, device information, and browsing behaviour. This data helps us analyse user interactions, enhance website functionality, and improve your overall experience.

         

        7.2  Cookies and Your Preferences

        Cookies are small text files stored on your device (computer, tablet, or mobile phone) when you visit a website. These files allow us to:

        You have full control over your cookie settings and can manage, disable, or delete cookies through your browser settings.

        However, please note that restricting certain cookies may impact website functionality.

         

        7.3  Our Commitment to Privacy

        We respect your privacy rights under the Nigeria Data Protection Act (NDPA) 2023 and ensure that all automated interactions comply with strict data protection measures. Our use of cookies and tracking technologies adheres to security best practices, preventing unauthorized access or misuse.

        For more information about our cookie policy or to update your preferences, please visit our Privacy Settings section or contact our Data Protection Officer (DPO) at compliance@cardinalstone.com

         

        ARTICLE 8:

        PERSONAL DATA SECURITY AND INTEGRITY

        8.1  Data Security and Regulatory Compliance

        CardinalStone Trustee Limited is committed to safeguarding your personal data through the implementation of advanced security technologies and robust protocols. We employ a multi-layered security approach to mitigate risks such as cyberattacks, unauthorized access, data breaches, data loss, and corruption.

         

        8.2  Meeting Legal Requirements

        We fully comply with our legal obligations under the Nigeria Data Protection Act (NDPA) 2023 by implementing the following measures:

         

        8.3  Measures to Ensure Data Integrity and Confidentiality

        We have established adequate controls to protect the integrity and confidentiality of personal data, both in digital and physical formats. The following principles apply:

         

        8.4  Data Breach Notification

        In compliance with the NDPA 2023, CardinalStone Trustee Limited is required to report any data breach that poses a high risk to the rights and freedoms of data subjects to the Nigerian Data Protection Commission (NDPC) within 72 hours of becoming aware of the incident. This ensures immediate action to mitigate risks and implement corrective measures.

        For further details on data breach notification requirements, please refer to Sections 28, 39, and 40 of the NDPA.

        For any security concerns or inquiries, please contact our Data Protection Officer (DPO) at compliance@cardinalstone.com

         

        ARTICLE 9:

        JOB APPLICANTS

        9.1  Application Information

        When applying for a position at CardinalStone Trustee Limited, you will be required to provide certain personal and professional details necessary for us to assess your application. These include:

        Providing this information is essential for us to process your application in line with our recruitment policies and legal obligations.

         

        9.2  Data Usage for Recruitment

        The information you submit will be used to evaluate your suitability for the applied role and facilitate the recruitment process. Specifically, we process your data to:

         

        9.3  Optional Communications and Data Sharing

        With your explicit consent, we may use your information to:

        Additionally, we may share your application data with:

         

        9.4  Data Retention

         We retain job application data for a maximum period of three years, after which it will be securely deleted or anonymized, unless:

        9.5  Data Subject Rights and Contact

        You have the right to access, update, or request deletion of your personal data. To exercise these rights or for inquiries regarding your application data, please contact our Data Protection Officer (DPO) at: Email: compliance@cardinalstone.com

        We are committed to transparency, fairness, and compliance with data protection regulations in all recruitment processes.

         

        ARTICLE 10:

        MAINTAINING ACCURATE INFORMATION

        At CardinalStone Trustee Limited, we are committed to maintaining accurate and up-to-date personal data for all users, in compliance with the Nigeria Data Protection Act (NDPA) 2023.

        If your personal information changes during your engagement with us, we encourage you to notify us promptly to ensure the accuracy, reliability, and completeness of our records.

        You can update your personal information by contacting our Data Protection Officer (DPO) at: compliance@cardinalstone.com

        This right to rectification ensures that your personal data remains current and accurate, in alignment with Section 34 of the NDPA 2023.

         

        ARTICLE 11:

        CHILDREN’S PRIVACY

        Our services are generally not intended for children under the age of 13. However, in rare cases where we provide specialized services for children, we implement strict safeguards to ensure their privacy and data security in compliance with the Nigeria Data Protection Act (NDPA) 2023.

         

        11.1  Safeguards for Children’s Data

        When processing children’s data, we adhere to the following strict protections:

         

        11.2  Compliance with the NDPA

        We ensure full compliance with Section 31 of the NDPA 2023, which outlines parental consent requirements and protections for children’s personal data.

        For further information regarding children’s data protection, or to seek clarification on parental consent requirements, please contact our Data Protection Officer (DPO) at: compliance@cardinalstone.com

        We remain committed to protecting children’s privacy and ensuring responsible data practices in all cases involving minors.

         

        ARTICLE 12:

        CAVEAT ON WEBSITE LINKS

        Our website may contain links to external websites operated by third parties. These links are provided for your convenience only and do not constitute an endorsement, affiliation, or approval by CardinalStone Trustee Limited of the content, products, or services offered on those external sites.

         

        12.1  Third-Party Website Disclaimer

        CardinalStone Trustee Limited does not control and is not responsible for the privacy practices, security, content, or data handling policies of any third-party websites.

         

        12.2  Reviewing Third-Party Privacy Policies

        Our Privacy Policy applies exclusively to our own platforms. We strongly recommend that you review the privacy policies of any external websites you visit to understand:

        For any concerns regarding external website links or third-party data sharing, please contact our Data Protection Officer (DPO) at: compliance@cardinalstone.com

        We are committed to ensuring transparency and accountability in our data processing activities.

         

        ARTICLE 13:

        TRANSFER TO THIRD PARTIES AND CROSS-BORDER DATA TRANSFERS

        In fulfilling our mandate efficiently, CardinalStone Trustee Limited may engage the services of third parties within or outside Nigeria. In such cases, we ensure that all data transfers comply with the Nigeria Data Protection Act (NDPA) 2023 and adhere to global best practices for data security and privacy protection.

         

        13.1  Safeguards for Third-Party Data Transfers

        Whenever we transfer personal data to a third party, we take the following steps to ensure the protection of your information:

         

        13.2  Cross-Border Data Transfers

        If personal data needs to be transferred outside the jurisdiction of the NDPA, we will ensure the receiving entity meets core global regulatory standards before proceeding with the transfer. Specifically, data will only be transferred if:

         

        13.3  Examples of Third-Party Services

        Examples of third-party services that may require domestic or cross-border data transfers include, but are not limited to:

        We remain committed to ensuring the security and integrity of all personal data transfers and complying with NDPA 2023 and global privacy regulations.

        For further inquiries regarding third-party data transfers, please contact our Data Protection Officer (DPO) at: compliance@cardinalstone.com

         

        ARTICLE 14:

        DATA PROTECTION HELP DESK

        At CardinalStone Trustee Limited, we are committed to promptly addressing all data privacy requests, inquiries, and complaints. To ensure compliance with the Nigeria Data Protection Act (NDPA) 2023, we have established a Data Protection Help Desk led by our Data Protection Officer (DPO).

        Our DPO is responsible for ensuring that your data protection rights are upheld and that all privacy- related concerns are handled efficiently.

         

        14.1  How to Contact the Data Protection Officer (DPO)

        For any questions, requests, or complaints regarding data protection and privacy, you may contact our DPO via: compliance@cardinalstone.com

         

        14.2  Services Provided by the Data Protection Help Desk

        Our Data Protection Help Desk is responsible for the following core data privacy services:

        1. Ensuring Compliance with Data Protection Regulations – Assisting with adherence to the NDPA 2023 and other applicable data privacy laws.
        2. Data Protection and Privacy Advisory Services – Providing guidance on privacy best practices and legal compliance.
        3. Capacity Building and Awareness – Offering training and education on data protection and privacy management.
        4. Drafting and Reviewing Data Protection Contracts – Assisting with contractual obligations related to privacy and data security.
        5. Data Breach Remediation and Incident Management – Supporting businesses and individuals in addressing data breaches.
        6. Information Privacy Audits – Conducting privacy compliance assessments to identify risks and areas for improvement.
        7. Data Privacy Breach Impact Assessment – Evaluating and mitigating the impact of privacy violations.
        8. Data Protection Due Diligence Investigations – Performing risk assessments to ensure compliance before engaging with third parties.

        We are committed to ensuring transparency, accountability, and data security in all our operations. For further inquiries, please reach out to our Data Protection Help Desk.

         

        ARTICLE 15:

        DATA DELETION

        You have the right to request the deletion of your personal data at any time. CardinalStone Trustee Limited is committed to ensuring that all personal data is securely deleted when it is no longer required for legal, regulatory, or business purposes.

        We have established secure deletion procedures to ensure that personal data exceeding its retention period or deemed unnecessary for business operations is completely and irreversibly destroyed while maintaining data security and compliance.

         

        15.1  Data Deletion Process

        Our data deletion process follows a structured approach:

        In addition to automated deletion processes, you may also formally request the deletion of your personal data at any time by submitting a Data Subject Access Request (DSAR) Form to our Data Protection Officer (DPO) at: compliance@cardinalstone.com

        We will take reasonable steps to fulfil your deletion request within a commercially reasonable timeframe, subject to any legal or regulatory requirements.

         

        15.3  Exceptions to Data Deletion

        There may be certain situations where we are unable to completely delete your personal data, including when:

         

        15.4  Restricted Processing for Non-Deletable Data

        In cases where we cannot delete your data, we will take reasonable steps to restrict processing and limit its use to the minimum necessary extent.

        For further information on our data deletion policies, or to initiate a data deletion request, please contact our DPO.

         

        ARTICLE 16:

        DATA SUBJECT ACCESS REQUEST (DSAR)

        16.1  Right to Access Personal Data

        Under the Nigeria Data Protection Act (NDPA) 2023, you have the right to request access to your personal data held by CardinalStone Trustee Limited. A Data Subject Access Request (DSAR) allows you to obtain a copy of your personal information, which may include: 

        16.2  How to Submit a DSAR

        You may request access to your data through the following methods:

         

        16.3  Verification Process

        To protect your privacy and ensure that we provide access to the correct data subject, we may request additional verification, such as:

         

        16.4  Response Timeline

        We aim to respond to all DSARs within 30 days of confirming your identity. Our response will include:

         

        16.5  DSAR Fees

        Submitting a DSAR is free of charge. However, a reasonable administrative fee may apply if your request:

         

        16.6  Exceptions to Data Subject Access Rights

        In some cases, CardinalStone Trustee Limited may decline or limit your access request if required or permitted by law, including when:

        For further assistance or to initiate a DSAR, please contact our DPO at: compliance@cardinalstone.com

        We are committed to ensuring transparency and accountability in handling personal data access requests while complying with NDPA 2023 regulations.

         

        ARTICLE 17:

        REMEDIATION

        At CardinalStone Trustee Limited, we are committed to addressing and resolving any concerns regarding your data privacy and protection. If you have any complaints, inquiries, or requests related to your personal data, we encourage you to report them through our Data Protection Officer (DPO).

        For contact details, please refer to Article 20.

         

        17.1 Complaint Resolution Process

        We are dedicated to ensuring transparency, accountability, and compliance with the Nigeria Data Protection Act (NDPA) 2023 in handling data privacy concerns.

        For further assistance, please contact our DPO at: compliance@cardinalstone.com

         

        ARTICLE 18:

        ALTERATION OF PRIVACY POLICY

        CardinalStone Trustee Limited (as the Data Controller) reserves the right to update, modify, or amend this Privacy Policy periodically. These updates may be necessary to:

         

        18.1  Compliance with Legal Frameworks

        Any revisions to this Privacy Policy will be made in strict compliance with: 

         

        18.2  Notification of Changes

        Where necessary, we will notify users of significant changes to this Privacy Policy through appropriate channels, including:

        By continuing to use our services after any updates, you acknowledge and agree to the revised Privacy Policy.

        For any inquiries or concerns regarding policy updates, please contact our Data Protection Officer (DPO) at: compliance@cardinalstone.com

         

        ARTICLE 19:

        DEFINITIONS AND KEY TERMS

        To ensure clarity and consistency throughout this Privacy Policy, we provide definitions for key terms frequently used:

         

        19.1 Key Terms and Their Definitions

        For further clarifications regarding these definitions or your data rights, please contact our Data Protection Officer (DPO) at: compliance@cardinalstone.com

         

        ARTICLE 20:

        CONTACT

        If you have any questions, comments, or requests regarding your privacy rights or this Privacy Policy, please reach out to us.

        20.1 Data Controller

        CardinalStone Trustee Limited.

        5 Okotie Rd, Ikoyi, Lagos 106104, Lagos, Nigeria. Email: trustees@cardinalstone.com

        20.2  Data Protection Officer (DPO)

        For data protection inquiries, complaints, or to exercise your data rights, please contact our DPO at:

        Email: compliance@cardinalstone.com

        We are committed to addressing your concerns promptly and transparently, in compliance with the Nigeria Data Protection Act (NDPA) 2023.

        Scroll to Top