Effective 12 June 2026

Privacy Policy

Effective date: 12 June 2026

This Privacy Policy describes how Richinei Technologies Limited (RC [YOUR_RC_NUMBER]), the operator of Richinei ERP (the "Service"), collects, uses, discloses, and protects information about you. We are committed to handling your data in compliance with the Nigeria Data Protection Act 2023 ("NDPA"), the Nigeria Data Protection Regulation 2019 ("NDPR") where it applies, the EU General Data Protection Regulation ("GDPR") for users in the European Economic Area, the California Consumer Privacy Act ("CCPA") / California Privacy Rights Act ("CPRA") for California residents, and other applicable data-protection laws.

This Policy applies to our website, the Service, and any related applications, APIs, or integrations.

Important note for B2B customers (Tenants). Richinei ERP is a multi-tenant business-management platform. When a business ("Tenant") uses the Service to process information about its own customers, employees, or suppliers, the Tenant is the data controller of that information and we act as a data processor on the Tenant's behalf. The Tenant's relationship with its own data subjects is governed by the Tenant's own privacy policy, not this one. Our Data Processing Agreement (/legal/data-processing-agreement) sets out the rules of that processing arrangement.


1. Who we are and how to contact us

  • Legal entity: Richinei Technologies Limited
  • RC number: [YOUR_RC_NUMBER]
  • Registered address: No 255 Mbiama-Yenagoa Road, Amarata, Yenagoa, Bayelsa State, Nigeria
  • General contact: richineitechnologies@gmail.com
  • Data Protection Officer ("DPO"): richineitechnologies@gmail.com
  • Phone: 08077423899
  • Website: https://richinei.com

You may contact our DPO at any time with privacy enquiries, requests to exercise your rights, or complaints.

2. The information we collect

We collect personal data only to the extent necessary to provide, secure, and improve the Service. The categories below describe what we collect; Section 4 explains why.

2.1 Information you provide to us

  • Account registration data: name, email address, phone number, password (stored hashed), business name, role.
  • Tenant configuration data: business address, logo, tax registration number, currency, locations, cash accounts, fiscal-year start.
  • Payment information: when you subscribe to a paid plan, we collect billing name, billing email, billing address, and the last four digits + brand of your payment card. Full card details are processed directly by our payment processor and are never stored on our servers.
  • Support communications: messages you send us by email, in-app chat, or telephone, including any attachments.
  • User-generated content: notes, attachments, knowledge-base articles, and other content you upload.

2.2 Information about your operations (Tenant content)

When you use the Service, you and your authorised users create and store operational records — sales, purchases, inventory movements, customer records, supplier records, employee records, financial entries, audit logs. We process this content only on your instructions and only to provide the Service.

2.3 Information collected automatically

  • Device and connection data: IP address, user-agent string, browser version, operating system, screen size, time-zone, referrer URL.
  • Usage data: pages viewed, features used, click events, time-on-page, error events.
  • Cookies and similar technologies: see our Cookie Policy at /legal/cookie-policy.

2.4 Information from third parties

  • Payment processor: payment confirmation, refund status, chargeback notices from our designated payment processor.
  • Authentication providers: if you sign in using a third-party identity (e.g. Google), we receive your name, email, and profile picture from that provider.
  • AI provider responses: when you use the in-app AI assistant, your query and the resulting response are processed by our AI provider (Anthropic, OpenAI, or Google, as configured by your Tenant). We log token usage but not the content of conversations (the Tenant may configure its own retention).

2.5 Special categories of data

We do not intentionally collect sensitive personal data (health, racial or ethnic origin, religious beliefs, political opinions, sexual orientation, trade-union membership, genetic or biometric data). If you choose to include such data in user-generated content (e.g. an employee record in HRM), you and your Tenant are responsible for ensuring you have a lawful basis for doing so.

3. Children

The Service is intended for use by businesses and is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact our DPO immediately.

4. How and why we use your data (legal bases)

Under NDPA / NDPR / GDPR, every use of personal data must have a lawful basis. The table below sets out the purposes for which we process your data and the corresponding lawful basis.

| Purpose | Legal basis (NDPA / GDPR) | What we do |
|---|---|---|
| Provide the Service | Performance of contract | Run your account, store your records, process transactions, send receipts |
| Account administration | Performance of contract | Authentication, password resets, sending operational notices |
| Billing and collections | Performance of contract / Legal obligation | Process subscriptions, send invoices, handle refunds |
| Security and fraud prevention | Legitimate interest / Legal obligation | Detect unauthorised access, prevent abuse, maintain audit logs |
| Customer support | Performance of contract / Legitimate interest | Respond to enquiries, troubleshoot issues |
| Product improvement | Legitimate interest | Analyse aggregate usage patterns to improve the Service |
| Compliance with law | Legal obligation | Respond to lawful requests, meet tax / regulatory obligations |
| Marketing communications | Consent | Send newsletters and feature announcements (opt-in; opt-out at any time) |
| Operational notices | Performance of contract / Legitimate interest | Notify you of changes, planned downtime, security incidents |

We do not sell your personal data, and we do not share it with third parties for their direct marketing purposes.

5. Sharing your information

We share personal data only as described below. We require all third parties to whom we disclose personal data to apply appropriate safeguards.

5.1 Subprocessors and service providers

We use carefully selected subprocessors to provide the Service. A current list is maintained at /legal/subprocessors. As of the effective date, our subprocessors include:

  • Railway (cloud infrastructure hosting, United States)
  • Anthropic (AI assistant, United States)
  • OpenAI (alternate AI assistant, United States)
  • Google (alternate AI assistant + Gemini, United States / Ireland)
  • Resend (transactional email, United States)
  • Termii (SMS notifications in Nigeria)
  • GitHub (source code hosting and CI, United States)

We update this list when subprocessors are added or removed and notify Tenants of changes in line with our Data Processing Agreement.

5.2 Within your organisation

Authorised users within your Tenant workspace see data necessary to perform their roles. Permissions and access controls are set by the Tenant's administrators.

5.3 Compliance and legal obligations

We may disclose personal data when required by law, court order, or competent authority — for example, the Federal Inland Revenue Service (FIRS), the Nigeria Data Protection Commission (NDPC), law-enforcement agencies, or regulators. Where lawfully permitted, we will notify you before disclosing your information.

5.4 Business transfers

If we are involved in a merger, acquisition, financing, reorganisation, or sale of assets, your information may be transferred as part of that transaction. We will notify you (by email and a prominent notice in the Service) before your data becomes subject to a different privacy policy.

5.5 With your consent

We share personal data with other third parties only with your explicit consent.

6. International data transfers

Some of our subprocessors are located outside Nigeria, including in the United States and the European Union. When personal data is transferred outside Nigeria, we ensure adequate safeguards as required under Section 41 of the NDPA, which may include:

  • transferring to jurisdictions formally recognised by the NDPC as having adequate protection;
  • using NDPC-approved standard contractual clauses or equivalent contractual safeguards;
  • relying on a derogation permitted under the NDPA where applicable.

For EU/EEA data subjects, we use Standard Contractual Clauses (SCCs) approved by the European Commission for transfers to countries without adequacy decisions, supplemented by technical and organisational measures.

7. How long we keep your data

We retain personal data for as long as necessary to provide the Service and meet our legal obligations. General retention guidance:

| Category | Retention guidance |
|---|---|
| Active account data | For the duration of your subscription |
| Tenant operational records | For the duration of your subscription + 90 days after termination, then permanent deletion or anonymisation unless you request earlier deletion |
| Financial records (invoices, receipts, ledger) | Retained for the period required by the Companies and Allied Matters Act 2020 ("CAMA") and applicable tax law (currently 6 years after the financial year they relate to) |
| Audit logs | Retained for as long as we consider necessary to investigate incidents, typically not less than 12 months |
| Marketing preferences | Until you opt out, plus a reasonable grace period to honour the change |
| Backups | Retained on a rolling basis in accordance with our infrastructure provider's backup policy; older backups are securely overwritten |

After the applicable period, we securely delete or anonymise the data. Records subject to a legal hold are preserved until the hold is released.

8. How we protect your data

We implement appropriate technical and organisational measures to safeguard personal data, including:

  • Encryption in transit — connections to the Service use HTTPS (TLS) as provided by our infrastructure provider, Railway.
  • Encryption at rest for the production database and managed backups, as provided by Railway's managed Postgres.
  • Password hashing using bcrypt; passwords are never stored in plain text.
  • Multi-factor authentication (TOTP) available for every user, enforceable as a workspace-wide policy by Tenant administrators.
  • Role-based access control at the application level, with per-user permission overrides; principle of least privilege.
  • Audit logging of meaningful application actions, including logins, permission changes, and administrative operations.
  • Dependency monitoring through GitHub's security advisory tooling on our source repository.
  • Restricted production access for our staff via our infrastructure provider's team controls.
  • Incident response procedures including breach assessment and notification timelines aligned with the NDPA.

We continually work to improve our security posture. No system is perfectly secure. You play a critical role too: keep your password confidential, enable 2FA, review your audit log periodically, and notify us immediately of any suspected unauthorised access at richineitechnologies@gmail.com.

9. Data breaches

In the event of a personal data breach, we will:

  • begin our internal assessment as soon as we become aware;
  • notify the Nigeria Data Protection Commission within 72 hours of becoming aware, where required by Section 40 of the NDPA;
  • notify affected Tenants without undue delay so they can in turn notify their data subjects where required;
  • notify affected EEA data subjects in line with Article 34 GDPR where the breach is likely to result in a high risk to their rights and freedoms;
  • take reasonable steps to contain the breach, mitigate harm, and prevent recurrence.

10. Your rights

Under the NDPA, GDPR, CCPA/CPRA, and other applicable laws, you have the following rights regarding your personal data:

  • Right of access — request a copy of the personal data we hold about you.
  • Right of rectification — request that we correct inaccurate or incomplete data.
  • Right of erasure ("right to be forgotten") — request that we delete your personal data, subject to legal retention requirements.
  • Right to restrict processing — request that we temporarily pause processing.
  • Right to data portability — receive a machine-readable copy of your data and transmit it to another controller.
  • Right to object — object to processing based on legitimate interest or for direct marketing.
  • Right to withdraw consent — where processing is based on consent, withdraw it at any time.
  • Right not to be subject to automated decisions that produce legal or similarly significant effects.
  • Right to lodge a complaint with the Nigeria Data Protection Commission (https://ndpc.gov.ng) or the supervisory authority in your jurisdiction.

For Tenant operational data (records about your customers, employees, etc.), please direct rights requests to the Tenant — they are the controller. We will assist the Tenant in responding.

How to exercise your rights

Email our DPO at richineitechnologies@gmail.com with your request. We respond within 30 days of receiving a verifiable request. We may ask you to verify your identity to prevent unauthorised access. Exercising your rights is free of charge unless your request is manifestly unfounded or excessive.

California residents (CCPA / CPRA)

In addition to the above, California residents have:

  • the right to know what categories of personal information we collect, the sources, the purposes, and the categories of third parties with whom we share it;
  • the right to delete personal information we hold about them;
  • the right to correct inaccurate personal information;
  • the right to opt out of the sale or sharing of personal information (note: we do not sell or share personal information in the sense defined by the CCPA);
  • the right to limit use of sensitive personal information;
  • the right not to be discriminated against for exercising any of these rights.

11. Cookies and tracking

See our separate Cookie Policy at /legal/cookie-policy. We use only cookies and storage entries that are either strictly necessary to operate the Service or set in direct response to a setting you change in the app. We do not currently use third-party analytics or advertising cookies.

12. Marketing communications

We send marketing emails only with your consent. Every marketing email includes an unsubscribe link. We honour opt-outs promptly. Operational notices (security alerts, billing, service changes) are sent as part of providing the Service and cannot be opted out of while you remain a Tenant or user.

13. Third-party links

The Service may link to third-party websites or services. Their privacy practices are governed by their own policies — we are not responsible for those policies or practices.

14. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will:

  • post the updated Policy on the Service;
  • update the "Effective date" at the top;
  • notify users by email or in-app banner at least 30 days before the change takes effect, except where a shorter period is required by law or where the change is favourable to data subjects.

Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.

15. Governing law and jurisdiction

This Privacy Policy is governed by the laws of the Federal Republic of Nigeria. Any dispute arising out of or in connection with it is subject to the exclusive jurisdiction of the courts of Lagos State, Nigeria, without prejudice to your statutory rights to lodge a complaint with a supervisory authority in your country of residence.

16. Contact and complaints

For any privacy enquiry, rights request, or complaint:

Richinei Technologies Limited
Attn: Data Protection Officer
No 255 Mbiama-Yenagoa Road, Amarata, Yenagoa, Bayelsa State, Nigeria
Email: richineitechnologies@gmail.com
Phone: 08077423899

If you are not satisfied with our response, you may lodge a complaint with the Nigeria Data Protection Commission:

  • Web: https://ndpc.gov.ng
  • Email: info@ndpc.gov.ng

Or with the supervisory authority in your jurisdiction.


This Policy was last updated on 12 June 2026.
