Privacy Policy | Preneurdemy Ltd

Key Privacy Summary - What You Need to Know

📋We collect data to deliver our services - including identity, contact, performance data, and usage logs.
🔒Some data is sensitive and requires explicit consent - including personal stories, media, and socioeconomic information.
🚫We do not sell your personal data - ever.
⚖You have rights under NDPA, GDPR, and UK GDPR - including access, correction, deletion, objection, and withdrawal of consent.
👶Additional safeguards apply to users under 18. Processing minor data without verifiable guardian consent is prohibited.
🌐Data may be transferred internationally - always with appropriate safeguards and transfer risk assessments in place.
✉Contact us anytime: privacy@preneurdemy.com

This summary is for convenience only. The full policy below is legally binding in its entirety.

Introduction

Preneurdemy Ltd ("Preneurdemy", "we", "us", "our") is a data-driven education and talent development company incorporated in the Federal Republic of Nigeria (CAC RC: 9253638). We operate globally through preneurdemy.com, tech.preneurdemy.com, Vision1000, and all associated digital services.

This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, who we share it with, and what rights you have. It applies to all individuals whose data we process - students, participants, employers, partners, sponsors, mentors, and website visitors.

📋

This policy is issued in compliance with the Nigeria Data Protection Act (NDPA) 2023, NDPR 2019, UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018, and the EU GDPR 2016/679. Where mandatory standards apply in your jurisdiction, they are applied to your data to the minimum extent required by law.

Data Controller and Representatives

2.1 Data Controller

Data Controller	Preneurdemy Ltd
CAC Registration	RC: 9253638
Registered Address	Plot 1907, Ibrahim Nok Street 4th Avenue, Gwarimpa, FCT, Nigeria
Data Protection Contact	privacy@preneurdemy.com
Response Time	Within 30 calendar days (14 days for urgent matters)

2.2 EU/UK Representative

Preneurdemy Ltd does not currently have an establishment in the UK or EU. In accordance with Article 27 EU GDPR and its UK equivalent, Preneurdemy may appoint a representative in the UK and/or EU. If and when appointed, their details will be published at www.preneurdemy.com/privacy.

📌

Until a formal representative is appointed, all UK and EU data protection enquiries should be directed to privacy@preneurdemy.com. We will respond within the applicable statutory timeframes.

Personal Data We Collect

We apply data minimisation - collecting only what is necessary. The table below sets out all categories of personal data, their purpose, and their risk classification.

Category	Data Items	Purpose	Risk
Identity Data	Full name, date of birth, gender (where relevant), nationality, profile photograph	Account management, identity verification	Standard
Contact Data	Email, phone, country, city, postal address	Service delivery, communications	Standard
Educational & Professional	CV, skills assessments, course performance, task submissions, trial evaluation results	Programme delivery, performance scoring, employer matching	Standard
Platform Usage & Technical	IP address, device type, browser, access timestamps, session duration, resource accessed, consent records	Security, fraud prevention, dispute resolution	Standard
Financial Data	Payment references, transaction IDs, billing address. Full card data held by licensed processors only - not stored by Preneurdemy.	Payment processing, financial compliance	Standard
Special Category Data	Personal stories and testimonials; socioeconomic background; video/audio submissions; images for profiles or marketing	Vision1000 delivery; impact reporting; marketing (with explicit consent only)	HIGH - Art. 9(2)(a) explicit consent required
Minor Data	Any data belonging to a person under 18	Programme participation where applicable	HIGH - guardian consent mandatory
Communications Data	Emails, in-platform messages, mentor session notes, support tickets	Service delivery, mentoring, dispute resolution	Standard
Cookies & Tracking	Cookie identifiers, analytics data, preference settings	Platform functionality, performance analytics	Standard - see Section 12

🔴

Red Line - Special Category Data. Personal stories, testimonials, images, and media are only processed and published with explicit, informed, and separately obtained consent - independently for each use case (internal records, public publication, marketing, third-party sharing). No sensitive storytelling or media content is used under any circumstances without this consent.

How We Collect Personal Data

Source	How and What
Direct Submission	Registration forms, applications, CV uploads, programme responses, and assessments.
Platform Usage	Automatically collected technical and usage data when you interact with the platform.
Assessments & Programmes	Performance data generated through task submissions, mentor sessions, AI analysis, and employer evaluations.
Consent-Based Submissions	Stories, images, audio, and video submitted voluntarily for specific, consented purposes under Vision1000 or similar initiatives.
Third-Party Integrations	Limited data from payment processors (transaction references only) and analytics tools (aggregated data).
Cookies & Tracking	Non-essential cookies placed only with your prior consent. See Section 12.

Lawful Basis for Processing

We must have a valid lawful basis before processing personal data. We rely on the following bases:

Lawful Basis	When We Rely On It	Examples
Contractual Necessity Art. 6(1)(b) GDPR; NDPA s.25(b)	Processing necessary to perform our contract with you or take pre-contractual steps.	Delivering training; managing your account; facilitating employer trials; processing payments.
Consent Art. 6(1)(a) GDPR; NDPA s.25(a)	Freely given, specific, informed, and unambiguous consent - separately obtained for each purpose.	Marketing communications; public profiles; stories, images, video; non-essential cookies.
Legitimate Interests Art. 6(1)(f) GDPR; NDPA s.25(f)	Processing necessary for our legitimate interests, provided those interests are not overridden by the rights and freedoms of users. We conduct a Legitimate Interest Assessment (LIA) for each activity, ensuring processing is proportionate and balanced.	Security and fraud prevention; platform monitoring; usage logs for dispute resolution.
Legal Obligation Art. 6(1)(c) GDPR; NDPA s.25(c)	Processing required to comply with a legal obligation applicable to Preneurdemy.	Financial record-keeping; regulatory disclosures; tax compliance.
Explicit Consent - Special Category Art. 9(2)(a) GDPR	Exclusive basis for processing special category data (stories, images, socioeconomic data). Consent is granular, separately recorded, and freely withdrawable.	Vision1000 personal stories; participant photographs and videos; testimonials used publicly.

✉

Marketing Communications. Sent only where we have obtained your prior consent, or where permitted under applicable law (for example, soft opt-in under UK PECR for existing customers). You may withdraw marketing consent at any time by emailing privacy@preneurdemy.com or clicking "Unsubscribe" in any marketing email.

Purposes of Processing

We process personal data only for defined purposes and do not repurpose data without fresh consent or a new lawful basis.

#	Purpose	Lawful Basis
1	Deliver training programmes and platform services	Contractual necessity
2	Assess performance and readiness for employer matching	Contractual necessity
3	Facilitate employer trials and hiring pipeline	Contractual necessity
4	Manage Vision1000 sponsorship programme	Contractual necessity + Explicit consent (special category)
5	Process payments and manage billing	Contractual necessity + Legal obligation
6	Provide mentorship and career development services	Contractual necessity
7	Send marketing and programme update communications	Consent
8	Improve platform functionality and user experience	Legitimate interests
9	Ensure platform security and prevent fraud	Legitimate interests
10	Maintain evidence records for dispute and chargeback resolution	Legitimate interests + Legal obligation
11	Comply with legal and regulatory obligations	Legal obligation
12	Conduct anonymised impact reporting for funders and partners	Legitimate interests (anonymised data only)

Data Sharing

🚫

We do not sell, rent, or trade personal data to third parties for commercial gain - under any circumstances.

We may share personal data in the following circumstances, always subject to appropriate contractual and technical safeguards:

Recipient	Data Shared	Safeguard
Employers (platform)	Performance profiles (score, task history, skills). PII is masked until hire is confirmed and paid.	Platform pipeline only. DPA required. PII masking enforced technically.
Partner organisations (NGOs/SMEs)	Task outputs against partner briefs. No PII unless separately consented.	Partner DPA required. Platform rules contractually enforced.
Payment processors	Transaction reference and billing address only. No full card data transmitted to Preneurdemy.	PCI-DSS compliant processors. Processor DPA in place.
Cloud infrastructure providers	Encrypted platform data (at rest and in transit).	DPAs in place. SOC 2/ISO 27001 certified providers required.
Analytics tools	Anonymised or pseudonymised usage data only.	No PII transmitted. Analytics provider DPA in place.
Legal and regulatory bodies	Data required to comply with a lawful request, court order, or regulatory obligation.	Limited to minimum required. Legal review conducted where time permits.
Mentors and instructors	Student progress, task submissions, session notes - limited to what is necessary for their role.	Role-based access controls. Mentor NDA/agreement in place.
Debt recovery agents	Identity and outstanding payment data only, where default has persisted beyond 30 days.	Processor DPA in place. NDPA-compliant transfer terms enforced.

7.1 Data Processing Agreements

All third parties processing personal data on our behalf must sign a DPA requiring them to: process data only on our documented instructions; implement appropriate security measures; not engage sub-processors without prior authorisation; assist us in meeting data subject obligations; and delete or return data on termination.

International Data Transfers

Personal data may be transferred between Nigeria, the UK, EU, and the US in the course of service delivery. We conduct transfer risk assessments where required to ensure that personal data remains adequately protected in the destination jurisdiction before any transfer takes place.

Safeguard	How We Apply It
Standard Contractual Clauses (SCCs)	Where data is transferred from the UK or EU without an adequacy decision, we use the UK IDTA or EU SCCs to provide equivalent protection.
Adequacy Decisions	Where the European Commission or UK Secretary of State has issued an adequacy decision for the destination country, we rely on that mechanism.
Transfer Risk Assessments (TRAs)	In accordance with Schrems II and UK GDPR guidance, we assess whether data will be effectively protected in the destination jurisdiction before transfer.
Secure Infrastructure	All cloud infrastructure is hosted by SOC 2 Type II / ISO 27001 certified providers with contractual data processing commitments.
NDPA Cross-Border Requirements	For transfers originating in Nigeria, we comply with NDPA 2023 cross-border obligations, ensuring the destination country provides adequate protection or that appropriate safeguards are in place.

✉

You may request information about the specific safeguards in place for any international transfer of your data by emailing privacy@preneurdemy.com.

Data Retention

Retention periods are determined based on legal obligations, contractual necessity, dispute resolution requirements, and legitimate business interests. We do not retain data indefinitely without justification - that is a red line.

Data Category	Retention Period	Basis
Active programme participant data	Programme + 5 years	Contractual; dispute resolution; performance records
Consent records (all categories)	7 years from consent/withdrawal	Legal obligation; audit; chargeback defence
Access logs and usage records	7 years from creation	Legitimate interests (dispute resolution, fraud prevention)
Financial and payment records	7 years from transaction	Legal obligation (tax and financial compliance)
Special category data (stories, images, media)	Duration of consent + 1 year	Consent-based; deleted on withdrawal unless legal obligation applies
Marketing data	Until consent withdrawn	Consent; deletion within 30 days of opt-out
Inactive account data	3 years from last login, then deleted/anonymised	Legitimate interests; legal obligation
Minor data	As per applicable category; reviewed at age 18	Legal obligation; minor's right to request deletion on majority
Dispute and legal proceedings data	Duration of dispute + 7 years	Legal obligation; legitimate interests

On expiry of the retention period, personal data is securely deleted or irreversibly anonymised. Anonymised data may be retained indefinitely for research, analytics, or impact reporting.

Your Data Protection Rights

You have significant rights over your personal data under the NDPA 2023, UK GDPR, and EU GDPR. Certain rights are subject to limitations under applicable law - we will notify you where this applies.

📂 Right of Access

Request a copy of all personal data we hold about you and information on how it is processed.

Subject: DATA ACCESS REQUEST

✍ Right to Rectification

Request correction of inaccurate or incomplete personal data.

Subject: DATA CORRECTION REQUEST

🗑 Right to Erasure

Request deletion of your personal data where there is no overriding legal basis for retention.

Subject: DATA DELETION REQUEST

⏸ Right to Restriction

Request that we restrict processing of your data in certain circumstances (for example, while accuracy is contested).

Subject: RESTRICT PROCESSING REQUEST

📤 Right to Portability

Receive your data in a structured, machine-readable format for transfer to another controller (where processing is based on consent or contract).

Subject: DATA PORTABILITY REQUEST

🛑 Right to Object

Object to processing based on legitimate interests, including profiling. You have an absolute right to object to processing for direct marketing at any time.

Subject: OBJECT TO PROCESSING

↩ Right to Withdraw Consent

Withdraw consent at any time. Withdrawal does not affect lawfulness of prior processing. Withdrawal of special category consent triggers deletion.

Subject: WITHDRAW CONSENT

🤖 Rights re: Automated Decisions

Not to be subject to a decision based solely on automated processing with significant effects. Request human review of any automated output. See Section 13.

Subject: AUTOMATED DECISION QUERY

⚖

Right to Object & Right to Complain. You also have the right to object to processing based on legitimate interests and the unconditional right to lodge a complaint with a relevant supervisory authority at any time - without prejudice to any other legal remedy. See Section 18 for authority contacts. All rights requests: privacy@preneurdemy.com

Protection of Minors

👶

Red Line. No personal data belonging to a person under 18 is processed without verifiable parental or guardian consent. This is non-negotiable and applies to all data categories without exception.

11.1 Consent Requirements

Verified parental or guardian consent is required before any account is created, data collected, or service delivered to a minor.
Consent must come from a person with legal parental responsibility - not from the minor themselves.
The guardian's identity, relationship to the minor, and specific processing purposes are documented electronically.

11.2 Additional Safeguards

Minor data is held in a separately flagged account category with restricted access controls.
No story, image, audio, or video involving a minor is published publicly or used in marketing without explicit documented guardian consent.
Minor profiles are not visible to employers until the individual reaches 18 and confirms their own consent.
On reaching 18, individuals are contacted to review, confirm, or withdraw consent for all existing processing.

11.3 Unverified Minor Discovery

If Preneurdemy discovers that minor data has been collected without verifiable parental consent: we immediately suspend the account; delete all data where permissible; notify the parent or guardian where possible; and review the verification mechanism.

Cookies and Tracking Technologies

🍪

Cookie Compliance. We use cookies and similar technologies to deliver and improve our services. Where required by applicable law - including UK PECR and the EU ePrivacy Directive - we obtain your consent before placing any non-essential cookies. You can manage preferences through our cookie banner at any time. Refusing non-essential cookies will not prevent access to core platform features.

Cookie Type	Purpose	Consent Required?
Strictly Necessary	Essential to platform functionality - login sessions, security tokens, access control.	No - core functionality
Performance / Analytics	Measure how users interact with the platform. Data is anonymised or pseudonymised.	Yes - via cookie banner
Functionality	Remember your preferences, language settings, and accessibility choices.	Yes (where consent-based)
Marketing / Targeting	Not currently deployed. If introduced, requires a separate explicit opt-in - soft opt-in does not apply to tracking cookies.	Yes - explicit opt-in only

Automated Decision-Making and AI

13.1 Our Use of AI

Automated systems are used to: score task submissions against structured rubrics; flag students as "Trial Ready" based on performance thresholds; match student profiles to employer discovery feeds; and provide AI-assisted study guidance.

👤

Human Oversight Commitment. We do not make decisions based solely on automated processing that produce legal or similarly significant effects without meaningful human oversight. Where AI-assisted analysis generates outputs that materially affect a student's profile, visibility to employers, or access to opportunities, a human review stage is built into the process. Automated outputs are inputs to - not substitutes for - human judgment.

13.2 Your Rights re: Automated Decisions

Request that any automated decision be reviewed by a human reviewer.
Express your point of view and contest the automated output.
Request an explanation of the logic involved in the automated process.

Email privacy@preneurdemy.com - Subject: AUTOMATED DECISION QUERY - [Name] - [Reference].

Data Security

Measure	Description
Encryption	All data at rest encrypted using AES-256 or equivalent. All data in transit encrypted using TLS 1.2 or higher.
Access Controls	Role-based access controls (RBAC) restrict data to authorised personnel on a need-to-know basis. Access rights reviewed quarterly.
Consent Record Logging	All consent events logged with timestamp, IP address, and user ID in a tamper-resistant consent record system.
Secure Cloud Infrastructure	All data hosted on SOC 2 Type II and/or ISO 27001 certified cloud infrastructure.
Security Audits	Regular internal security reviews and, where appropriate, external penetration testing.
Incident Response	Documented Data Breach Response Plan with escalation paths, notification timelines, and remediation procedures. See Section 15.
Staff Training	All staff with data access receive data protection training on joining and annually thereafter.

⚠

No information security system is 100% secure. We recommend using strong, unique passwords for your Preneurdemy account and not sharing your credentials with others.

🔒

System Logs & Evidence Records. We maintain system logs, access records, and consent records for security, compliance, fraud prevention, and dispute resolution purposes. These records are retained in accordance with applicable data protection laws for a minimum of 7 years and may constitute valid evidence in any dispute, chargeback, regulatory proceeding, or legal action - directly aligned with our Terms of Service and Refund & Cancellation Policy.

Data Breach Response

🚨

Data Breach Commitment. In the event of a personal data breach, we will assess the risk and notify relevant supervisory authorities and affected individuals where required by law - including within 72 hours of becoming aware of the breach under GDPR and UK GDPR - where the breach is likely to result in a risk to your rights and freedoms. This obligation applies whether the breach originated within Preneurdemy's systems or a third-party processor's systems.

15.1 What We Will Do

Notify the relevant supervisory authority (NDPC, ICO, or applicable EU DPA) without undue delay and within 72 hours where feasible.
Notify affected individuals in plain language - what happened, what data was affected, likely consequences, and measures being taken - where the breach poses a high risk to their rights.
Provide a reasoned explanation to the supervisory authority where notification within 72 hours is not feasible.

15.2 Internal Response

Immediate containment to stop the breach from escalating.
Assessment of nature, scope, and severity within 24 hours.
Notification decision - evaluating regulatory and individual notification requirements.
Documentation in our breach register, regardless of whether external notification is required.

If you believe your data has been compromised: email privacy@preneurdemy.com - Subject: DATA BREACH REPORT.

Storytelling, Media and Vision1000

🔴

Highest Risk Area. The collection and publication of personal stories, testimonials, images, and media - particularly through Vision1000 involving participants from underserved communities - is the highest data protection risk area in our business. The requirements in this section are non-negotiable.

16.1 What Constitutes Storytelling Data

Written narratives or testimonials; photographs, videos, or audio recordings in which a participant is identifiable; socioeconomic background information; family or community details; and any content that could reveal special category data - individually or in combination.

16.2 Legal Separation of Consent

⚖

Personal stories, testimonials, images, and media are processed only with explicit, informed, and separately obtained consent. Consent for each distinct use - internal records, public publication, marketing, third-party sharing, funder reports, social media - is obtained independently and can be withdrawn at any time without affecting other consents. This consent is legally separate from any general programme agreement or Terms of Service acceptance.

16.3 Right to Withdraw and Remove

Content removed from digital platforms within 5 business days of withdrawal.
Printed or third-party published materials withdrawn at next available opportunity (individual notified of any delay).
Withdrawal does not affect the lawfulness of use prior to withdrawal.

16.4 Story & Media Release Agreement

Every participant whose story or media is used in public communications, marketing, or funder reporting must sign a Story & Media Release Agreement as a separate document. A template is available from privacy@preneurdemy.com.

Consent Architecture

Consent must be freely given, specific, informed, unambiguous, and separately obtained for each purpose.

Consent Type	When Obtained	Record Kept
General Platform Consent	At account creation and first platform login.	Timestamped checkbox record with IP and user ID.
Marketing Consent	At registration - separate opt-in checkbox, not pre-ticked. Renewed after 12 months of inactivity.	Timestamped consent record; withdrawal timestamp on opt-out.
Special Category / Storytelling	Separately, before any story, image, or media is collected - via a dedicated consent form for the specific use case.	Signed/electronically verified form retained for duration of use + 7 years.
Cookie Consent	Via cookie banner on first site visit - granular by cookie category.	Consent management platform log with category, timestamp, and session ID.
Minor Consent (Guardian)	From parent or guardian before any data is collected - via a dedicated guardian consent form.	Guardian identity, relationship, and consent scope recorded and retained for 7 years.
Digital Content Cooling-Off Waiver	At checkout for digital content purchases where the consumer requests immediate access.	Timestamped checkout record with explicit waiver confirmation.

↩

Withdrawal of Consent. You may withdraw any consent at any time without detriment by emailing privacy@preneurdemy.com or using the relevant in-platform toggle. Withdrawal of consent for a specific purpose does not affect consent for other purposes and does not affect the lawfulness of processing before withdrawal. Some services may become unavailable where they depend on consent-based processing.

Complaints and Regulatory Escalation

Step 1 - Internal Complaint

✉

Email: privacy@preneurdemy.com
Subject: PRIVACY COMPLAINT - [Your Name] - [Reference]
Response: Acknowledgement within 3 business days; written response within 30 calendar days.

Step 2 - Supervisory Authority

You have the right to lodge a complaint with a supervisory authority at any time - independently and without prior internal escalation.

Jurisdiction	Authority	Contact
Nigeria (all users)	Nigeria Data Protection Commission (NDPC)	www.ndpc.gov.ng
United Kingdom	Information Commissioner's Office (ICO)	www.ico.org.uk \| 0303 123 1113
European Union	Relevant EU Member State Data Protection Authority	www.edpb.europa.eu
South Africa	Information Regulator	www.inforegulator.org.za
Other jurisdictions	Relevant national data protection authority	Contact us: privacy@preneurdemy.com

Policy Updates

Changes published at www.preneurdemy.com/privacy with a revised version number and effective date.
Material changes notified by email or platform notice at least 14 days before taking effect.
Where a change affects consent-based processing, fresh consent will be obtained before processing under the new basis.
Continued use after the effective date constitutes acceptance for non-consent-based activities.

Contact

Data Controller	Preneurdemy Ltd - RC: 9253638
Registered Address	Plot 1907, Ibrahim Nok Street 4th Avenue, Gwarimpa, FCT, Nigeria
Data Protection Contact	privacy@preneurdemy.com
Access Requests	privacy@preneurdemy.com - Subject: DATA ACCESS REQUEST
Correction Requests	privacy@preneurdemy.com - Subject: DATA CORRECTION REQUEST
Deletion Requests	privacy@preneurdemy.com - Subject: DATA DELETION REQUEST
Object to Processing	privacy@preneurdemy.com - Subject: OBJECT TO PROCESSING
Consent Withdrawal	privacy@preneurdemy.com - Subject: WITHDRAW CONSENT
Privacy Complaints	privacy@preneurdemy.com - Subject: PRIVACY COMPLAINT - [Name] - [Reference]
Data Breach Reports	privacy@preneurdemy.com - Subject: DATA BREACH REPORT
Story / Media Consent	privacy@preneurdemy.com - Subject: STORYTELLING CONSENT ENQUIRY
Website / Legal Hub	www.preneurdemy.com/legal
NDPC (Nigeria)	www.ndpc.gov.ng
ICO (United Kingdom)	www.ico.org.uk
EDPB (European Union)	www.edpb.europa.eu

Questions about your data?

Our data protection team responds to all requests within 30 calendar days.

Contact Privacy Team →