Privacy Policy
Last updated: March 2026
1. Introduction
Welcome to Nelc Digital ("we", "us", "our"). We are a boutique governance‑first AI advisory and implementation firm serving clients in Nigeria, across Africa, and globally. This privacy policy explains how we collect, use, disclose, and protect your personal data when you visit our website, interact with us, or use our services, in line with the Nigeria Data Protection Act 2023 (NDPA), the EU General Data Protection Regulation (GDPR), and other applicable data protection laws.
By using our website or providing your personal data, you acknowledge that you have read this policy.
2. Who We Are and Contact Details
Nelc Digital operates primarily from Nigeria and provides services to clients in multiple jurisdictions. For most processing activities described in this policy, we act as a data controller (we determine why and how your personal data is processed).
If you have questions about this policy or our data practices, or wish to exercise your rights, you can contact us at:
- Email: lawrence@nelc.digital
- Postal address: 6th Floor, Investment House, Broad Street, Lagos
Where required by law (for example, if we qualify as a "data controller of major importance" under NDPA or are subject to GDPR representative/DPO obligations), we will publish additional contact details here.
3. What Personal Data We Collect
The types of personal data we may collect include:
- Identity Data: name, job title, organization, country.
- Contact Data: email address, phone number, business address.
- Professional Data: role, sector, areas of responsibility, information you share in discovery calls or forms about your organization's AI priorities.
- Technical & Usage Data: IP address, browser type, device identifiers, pages visited, time spent, referral URLs, and similar analytics data collected via cookies or similar technologies.
- Marketing & Communications Data: your preferences for receiving briefings, newsletters, or event invitations.
- Contract & Transaction Data (B2B clients): engagement history, proposals, statements of work, invoices, and related records (which may contain limited personal data such as signatory details).
We do not intentionally collect sensitive personal data (e.g., health data, religious beliefs) via our public website. If a client engagement requires processing such data, it will be governed by specific contracts and impact assessments.
4. How We Collect Personal Data
We collect personal data in three main ways:
- Directly from you: when you fill out forms, subscribe to briefings, register for events, book consultations, contact us by email, or share information during sales and delivery conversations.
- Automatically: through cookies, log files, and similar technologies when you visit our website (e.g., analytics on how you use our site).
- From third parties: professional platforms (e.g., LinkedIn) where you engage with our content; event partners or referrers where you have consented to information sharing; public records and corporate websites for B2B contact enrichment.
Where required by law, we will inform you when we obtain data from third parties and tell you what categories of data we have and from which source.
5. How and Why We Use Your Personal Data
We process personal data only where we have a lawful basis under NDPA, GDPR, or other applicable laws. Our main purposes and legal bases include:
To operate and improve our website
Purposes: security, performance, usage analytics, troubleshooting. Legal bases: legitimate interests (running a secure, effective website); in the EU/UK, consent for non‑essential cookies where required.
To respond to enquiries and deliver services
Purposes: responding to contact requests, scoping engagements, delivering consulting and training services, managing client relationships. Legal bases: performance of a contract or steps prior to entering into a contract; legitimate interests (B2B relationship management).
To send you insights and briefings (marketing)
Purposes: sending AI governance insights, sector briefings, event invitations, and related content. Legal bases: consent where required (e.g., many NDPA/GDPR scenarios), or legitimate interests for B2B marketing where permitted and balanced against your rights. You can opt out at any time.
To meet legal, regulatory, and risk management obligations
Purposes: record‑keeping, responding to lawful requests, enforcing our terms, protecting our rights. Legal bases: legal obligations; legitimate interests (protecting our business and clients).
We will not use your personal data for materially different purposes without informing you and, where required, obtaining fresh consent.
6. Cookies and Similar Technologies
We use cookies and similar technologies to:
- understand how visitors use our website,
- secure and administer the site,
- remember preferences where applicable.
Where required by law (e.g., in the EU/UK), we will present a cookie banner and obtain your consent for non‑essential cookies (such as analytics) before placing them. You can adjust your browser settings to refuse cookies, but some features may not function properly.
7. Sharing Your Personal Data
We do not sell your personal data. We may share it with:
- Service providers / processors: cloud hosting, CRM, analytics, email platforms, scheduling tools, collaboration tools, and other vendors that process personal data on our behalf under written contracts with appropriate safeguards.
- Professional advisors: lawyers, auditors, or consultants where reasonably necessary for our legitimate interests and legal obligations.
- Authorities: regulators, law enforcement, or courts where we are legally required to do so or where necessary to establish, exercise, or defend legal claims.
Where we act as a processor for our clients (e.g., in certain AI or data engagements), we process personal data strictly on their instructions and under the data protection commitments in our contracts.
8. International Transfers
Because we work with clients and service providers in multiple countries, your personal data may be transferred across borders, including to countries that may not have the same level of data protection as your home jurisdiction.
When we transfer personal data internationally, we implement appropriate safeguards, such as:
- standard contractual clauses approved under GDPR,
- NDPA‑compliant transfer mechanisms and contractual protections,
- ensuring recipients are subject to adequate data protection laws or frameworks where available.
You can contact us for more information about the specific safeguards that apply to your data.
9. Data Security
We use technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These may include access controls, encryption where appropriate, secure development and deployment practices, and vendor due diligence.
No system is completely secure; however, we work to ensure that our controls are appropriate to the nature of the data and the risks involved and review them periodically.
10. Data Retention
We retain personal data only for as long as reasonably necessary to fulfil the purposes described in this policy, including for satisfying legal, regulatory, accounting, or reporting requirements.
Retention periods depend on the category of data and context, for example:
- website analytics data retained for a limited period for trend analysis;
- contact and marketing data retained while you remain engaged with our content, or until you opt out;
- client and contract data retained for the duration of the engagement and a subsequent period to comply with legal obligations and to manage any potential disputes.
When data is no longer needed, we will delete or anonymize it in a secure manner.
11. Your Rights
Depending on where you are located and which law applies, you may have some or all of the following rights regarding your personal data:
- Right to access your personal data.
- Right to correct inaccurate or incomplete data.
- Right to request deletion (erasure) of your data, subject to legal/contractual limits.
- Right to restrict or object to certain processing, including direct marketing.
- Right to withdraw consent where processing is based on consent (this will not affect prior processing).
- Right to data portability (to receive certain data in a structured, commonly used format and transmit it to another controller).
- Rights related to automated decision‑making and profiling, where applicable.
To exercise your rights, contact us using the details above. We may need to verify your identity before responding. You also have the right to lodge a complaint with a relevant supervisory authority, such as the Nigeria Data Protection Commission (NDPC) or an EU/UK data protection authority where GDPR/UK GDPR applies.
12. Third‑Party Links
Our website may contain links to third‑party sites, services, or platforms. We are not responsible for the privacy practices or content of those third parties. We encourage you to read their privacy policies before providing any personal data.
13. Children's Privacy
Our services and website are directed at business and professional users and are not intended for children under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can take appropriate action.
14. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices, technologies, or legal requirements. When we do, we will update the "Last updated" date at the top of the policy and, where appropriate, notify you through our website or other channels.
15. How to Contact Us
If you have questions, concerns, or requests regarding this policy or your personal data, please contact us at:
- Email: lawrence@nelc.digital
- Postal address: 6th Floor, Investment House, Broad Street, Lagos