Data Protection Policy
Last updated: 6 March 2026
1. Introduction
Peoplewise Technologies Limited ("Company"), registered in England and Wales with Companies House in the United Kingdom, is committed to protecting the personal data of all individuals who use the Mobiliser platform ("Platform"). This Data Protection Policy outlines the principles, procedures, and responsibilities we maintain to ensure compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Nigeria Data Protection Regulation (NDPR).
2. Data Controller
Peoplewise Technologies Limited is the data controller for personal data processed through the Platform. This means we determine the purposes and means of processing personal data and are responsible for ensuring compliance with applicable data protection legislation.
3. Data Protection Principles
We adhere to the following principles when processing personal data:
- Lawfulness, fairness, and transparency: personal data is processed lawfully, fairly, and in a transparent manner.
- Purpose limitation: personal data is collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
- Data minimisation: personal data collected is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
- Accuracy: personal data is kept accurate and up to date. Users can update their information through their profile settings.
- Storage limitation: personal data is kept in a form that permits identification of data subjects for no longer than is necessary.
- Integrity and confidentiality: personal data is processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing, accidental loss, destruction, or damage.
- Accountability: we are responsible for and able to demonstrate compliance with these principles.
4. Categories of Personal Data
The Platform processes the following categories of personal data:
| Category | Examples | Legal Basis |
|---|---|---|
| Identity data | First name, last name, username, date of birth, gender | Contract performance |
| Contact data | Email address, phone number | Contract performance |
| Authentication data | Hashed passwords, social login identifiers (Google, Facebook, Apple) | Contract performance |
| Location data | Country, state, LGA, ward, polling unit associations | Contract performance, legitimate interests |
| Organisational data | Membership records, roles, leadership assignments | Contract performance |
| Content data | Posts, comments, messages, media uploads, poll votes | Contract performance, consent |
| Financial data | Wallet balances, transaction records | Contract performance, legal obligation |
| Technical data | IP addresses, device tokens, browser type, platform | Legitimate interests |
| Audit data | Administrative actions, login/logout events, permission changes | Legitimate interests, legal obligation |
5. Data Security Measures
We implement the following technical and organisational measures:
5.1 Technical Measures
- Encryption in transit: all data transmitted between clients and servers is encrypted using TLS/SSL.
- Password security: passwords are hashed using industry-standard algorithms and are never stored in plain text.
- Authentication: JWT-based authentication with short-lived access tokens (12 hours for administrators, 7 days for regular users) and refresh tokens.
- Role-based access control: granular permission system with platform admin, movement admin, organisation admin, leader, and member roles ensuring users only access data appropriate to their role.
- Input validation: comprehensive input validation and sanitisation to prevent injection attacks.
- Secure token storage: mobile app stores authentication tokens in platform-specific secure storage (iOS Keychain, Android Keystore).
5.2 Organisational Measures
- Audit logging: all administrative actions are logged with user identity, action type, timestamp, and IP address.
- Access controls: administrative dashboard access is restricted to authorised personnel with appropriate roles.
- Data scope restrictions: administrators can only view and manage data within their assigned organisations or movements.
- Content moderation: mechanisms for reporting and censoring inappropriate content, with audit trails.
6. Data Processing Agreements
We maintain data processing agreements with all third-party processors, including:
- Render: cloud hosting and infrastructure.
- Resend: transactional email delivery.
- Firebase (Google): push notification services and cloud messaging.
- OpenAI: AI-powered content summaries and analytics (anonymised/aggregated data only).
- PostgreSQL/Redis providers: managed database and caching services.
7. Data Subject Rights
We support the exercise of the following rights:
- Right of access (Article 15 UK GDPR): you may request a copy of the personal data we hold about you.
- Right to rectification (Article 16): you may update your personal data through your profile settings or by contacting us.
- Right to erasure (Article 17): you may request deletion of your account and associated personal data, subject to legal retention requirements. Submit a deletion request.
- Right to restriction (Article 18): you may request that we restrict processing of your personal data in certain circumstances.
- Right to data portability (Article 20): you may request your personal data in a structured, commonly used, and machine-readable format.
- Right to object (Article 21): you may object to processing based on legitimate interests.
To exercise any of these rights, please contact us at privacy@watchtowercommand.com. We will respond to your request within one month. To request account deletion specifically, you can visit our account deletion request page.
8. Data Breach Procedures
In the event of a personal data breach, we will:
- Assess the nature, scope, and potential impact of the breach.
- Notify the Information Commissioner's Office (ICO) within 72 hours where the breach is likely to result in a risk to individuals' rights and freedoms.
- Notify the National Information Technology Development Agency (NITDA) as required under NDPR.
- Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
- Document the breach, including its effects and remedial actions taken.
9. International Transfers
The Platform operates across the United Kingdom and Nigeria. Personal data may be transferred between these jurisdictions and to other countries where our service providers operate. We ensure all international transfers are protected by:
- Standard contractual clauses approved by the UK Secretary of State.
- Adequacy decisions where available.
- Appropriate safeguards as required under UK GDPR and NDPR.
10. Data Protection Impact Assessments
We conduct Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in a high risk to individuals, including large-scale processing of location data, profiling for analytics dashboards, and broadcast communications targeting users by geographic criteria.
11. Retention Schedule
| Data Type | Retention Period |
|---|---|
| Active user account data | Duration of account plus 30 days after deletion |
| Authentication tokens | 7–30 days (automatic expiry) |
| Audit logs | Minimum 12 months |
| Financial transaction records | 7 years (legal requirement) |
| Email verification codes | 24 hours (automatic expiry) |
| Password reset tokens | 1 hour (automatic expiry) |
| Push notification device tokens | Until user logs out or deactivates |
12. Training and Awareness
All personnel with access to personal data receive appropriate data protection training. We maintain awareness of data protection obligations and update our practices in line with regulatory guidance from the ICO and NITDA.
13. Complaints
If you are unsatisfied with how we handle your personal data, you have the right to lodge a complaint with:
- Information Commissioner's Office (ICO): ico.org.uk/make-a-complaint
- National Information Technology Development Agency (NITDA): nitda.gov.ng
14. Contact
For data protection enquiries:
Peoplewise Technologies Limited
Registered in England and Wales
Email: privacy@watchtowercommand.com