Contents
1. Scope of this policy
This policy explains how FinovaMax handles personal data we collect through:
- This marketing website (finovamax.com) — pages you visit, forms you submit, demo requests, newsletter signups, and consultation enquiries.
- Direct interactions with our team — email, sales calls, demos, contracts, and onboarding conversations.
If you are a customer of a microfinance bank that uses FinovaMax and you have questions about your personal data, please contact your bank's Data Protection Officer first. They are the right party to handle requests about your account.
2. Who we are
FinovaMax is a core banking software platform operated by Apex Grid Technologies Limited, a company incorporated in Nigeria. For the personal data we collect through this website and direct business interactions, Apex Grid Technologies Limited is the data controller.
We are registered with the Nigeria Data Protection Commission (NDPC) and process personal data in accordance with the Nigeria Data Protection Regulation (NDPR) 2019, the Nigeria Data Protection Act (NDPA) 2023, and applicable sector regulations issued by the Central Bank of Nigeria.
3. Personal data we collect
We only collect what we need. The categories below cover everything:
| Category | Examples | When we collect it |
|---|---|---|
| Identity & contact | Name, business email, phone, job title, organisation name | When you submit a form on this site or contact us directly |
| Professional context | Type of financial institution, regulatory licence type, approximate AUM, region | Demo requests and consultation enquiries |
| Communications | Emails you send us, meeting notes, contract correspondence | Throughout the sales cycle and ongoing customer relationship |
| Technical & usage | IP address, browser type, pages viewed, time on page, referrer | Automatically as you browse this website |
| Cookies & analytics | Session cookies, optional analytics cookies (only with your consent) | See the Cookies section below |
We do not collect special-category data (race, religion, health, biometrics, political views) through this website. Any such data processed through the FinovaMax platform on behalf of a financial institution is covered by that institution's privacy notice and the processing agreement we hold with them, not this policy.
4. How we use your data
We use personal data collected through this website to:
- Respond to your demo, consultation, and API access requests.
- Send the product information, proposals, and contracts you have asked for.
- Manage our customer relationship if you become a FinovaMax client.
- Send security and service announcements when we are obliged to (e.g. a planned outage that affects your environment).
- Improve the website by understanding which pages visitors find useful (aggregated, anonymous analytics — with your consent).
- Comply with our regulatory obligations under Nigerian law (record-keeping, AML/CFT documentation, tax-invoice retention).
We do not sell your personal data and we do not share it with third parties for their own marketing purposes.
5. Legal basis for processing
Under NDPA §25, we must have a clear legal basis for each kind of processing. The bases we rely on are:
- Performance of a contract — or steps taken at your request before entering one (NDPA §25(c)). Covers responding to demo requests, sending proposals, and onboarding new customers.
- Legitimate interest (NDPA §25(f)) — covers basic website analytics, fraud prevention, and our communications with people who have asked to hear from us. We balance our interest against your privacy rights and stop when you object.
- Consent (NDPA §25(a)) — covers optional analytics cookies, marketing emails (where applicable), and any other processing where we explicitly ask you to opt in. You can withdraw consent at any time.
- Legal obligation (NDPA §25(b)) — covers record-keeping required by CBN, NFIU, FIRS, and other Nigerian regulators.
7. International transfers
Some of the processors we use to deliver this website and our internal operations may be located outside Nigeria. Where personal data is transferred outside Nigeria, we ensure one of the lawful bases set out in NDPA §41 applies:
- The destination jurisdiction has been recognised as providing an equivalent level of data protection (for example, countries subject to the European Union General Data Protection Regulation).
- The transfer is governed by NDPC-approved standard contractual clauses with the recipient.
- You have given explicit consent to the transfer after being informed of the possible risks.
- One of the specific exceptions in NDPA §41(b)–(d) applies.
For customer data processed on behalf of a financial institution, the institution's data processing agreement with us governs the permitted regions.
8. How long we keep data
We keep personal data only as long as we need it:
- Form submissions and enquiries that don't lead to a contract — up to 24 months, then deleted.
- Customer records (active contract) — for the duration of the contract.
- Customer records (after contract end) — 7 years, to satisfy CBN and FIRS retention requirements.
- Website analytics — 14 months in aggregated form, then deleted.
- Marketing email opt-ins — until you withdraw consent.
- Legal-hold data — for as long as the relevant proceeding requires.
When the retention period ends, we delete or fully anonymise the data. Backup copies are overwritten on our normal backup rotation.
9. Your rights
Under NDPR §3.1 and NDPA §34, you have the following rights regarding your personal data:
- Right of access — ask for a copy of the personal data we hold about you.
- Right to rectification — ask us to correct inaccurate or incomplete data.
- Right to erasure — ask us to delete data we no longer need (subject to legal-retention exceptions).
- Right to restrict processing — ask us to pause processing while you contest accuracy or our legal basis.
- Right to object — refuse legitimate-interest processing for direct marketing or analytics.
- Right to data portability — receive your data in a structured machine-readable format.
- Right to withdraw consent — at any time, where processing is based on consent.
- Right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng.
To exercise any of these rights, write to [email protected]. We respond to verified requests within thirty (30) calendar days as required by NDPR §3.1(7). We may ask you to verify your identity before releasing personal data.
11. How we secure your data
We apply industry-standard security controls to personal data we hold, including:
- Encryption in transit and at rest.
- Role-based access control with least-privilege principles.
- Multi-factor authentication for accounts with administrative access.
- A documented incident-response process designed to meet the NDPA §40 notification window for personal-data breaches.
No system is ever fully secure. If a breach affects your personal data we will notify you and the NDPC within the statutory window.
12. Children's data
This website is not directed at children under 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data about a child, please write to [email protected] and we will delete it.
Where the FinovaMax platform is used by a financial institution to onboard a minor as a customer (for example, a children's savings account), the institution's own privacy notice governs that processing — not this policy.
13. Changes to this policy
We may update this policy from time to time. The "Effective" date at the top of this page tells you when the current version took effect. Material changes will be announced via the website's homepage and, where we have your contact details, by email at least 14 days before they take effect.
14. How to contact us
Privacy enquiries
[email protected]
We respond to verified requests within thirty (30) calendar days, as required
by NDPR §3.1(7).