This Privacy Policy explains how Kwickswap Technologies Limited (RC-8607983) ("Kwickswap", "we", "us", "our"), the operator of AuthentiqDocs ("the Service"), collects, uses, discloses, and safeguards personal data when you use the Service or interact with our website.
We comply with the Nigeria Data Protection Act, 2023 and the Nigeria Data Protection Regulation, 2019 (NDPR) issued by the Nigeria Data Protection Commission. Where you are located outside Nigeria, we also apply equivalent protections under the laws of your jurisdiction where required.
1. Overview and Our Role
When you sign up for AuthentiqDocs as an organisation administrator, you are our Customer, and we act as a Data Controller in respect of the limited personal data we collect to provide the Service to you (your name, email, billing contact, etc.).
When your organisation uploads documents and records into the Service that contain personal data of your employees, clients, or third parties ("Customer Personal Data"), we act as a Data Processor on your behalf. Your organisation remains the Data Controller for that Customer Personal Data.
2. Personal Data We Collect
2.1 Information you provide directly
- Account information: full name, work email address, hashed password, role within your organisation, and any profile details you choose to provide.
- Workspace information: organisation name, subdomain, custom domain, branding (logo and colours), service categories, and HQ address.
- Billing information: billing contact name, billing email, company registration details, and tax identifiers. Payment card details are processed directly by our payment processor and are never stored on our servers.
- Communications: the contents of emails, support tickets, and onboarding requests you send to us.
2.2 Information collected automatically
- Usage data: log records of actions you take in the Service (uploads, approvals, document views, share-link generations), along with timestamps and the IP address from which the action was taken.
- Device and browser data: browser type, operating system, screen resolution, and referrer URL, for diagnostic and security purposes.
- Cookies: see Section 9 below.
2.3 Customer Personal Data
Customer Personal Data is any personal data contained inside documents, certificates, recipient lists, or other content that your organisation uploads to the Service. We do not control what Customer Personal Data is uploaded - your organisation determines that. Examples might include employee names, certificate-holder names, technician licence numbers, and contact details on records issued to your clients.
3. How We Use Personal Data
We use the personal data we collect for the following purposes:
- To provide the Service: authenticate users, render dashboards, generate QR codes and signed certificates, route approvals, dispatch reminder emails, and operate client document rooms.
- To bill and account: issue invoices, collect payment, and maintain financial records.
- To communicate with you: respond to support requests, send service notices (such as outages, security alerts, and material changes to terms or pricing), and confirm transactions.
- To improve and secure the Service: diagnose bugs, monitor performance, prevent fraud and abuse, and harden security.
- To comply with legal obligations: retain records as required by applicable tax, anti-money-laundering, and other laws, and respond to lawful requests from competent authorities.
We do not sell personal data, and we do not use Customer Personal Data to train machine-learning models for general-purpose use.
4. Legal Basis for Processing
Where the NDPR or equivalent law requires a lawful basis, we rely on:
- Performance of a contract with you (or steps prior to entering into a contract) - for account creation, providing the Service, and billing;
- Legitimate interests - for security monitoring, fraud prevention, product improvement, and limited service communications, balanced against your rights;
- Consent - where you have given clear affirmative consent, such as opting into non-essential marketing communications. You may withdraw consent at any time;
- Legal obligation - for tax, accounting, and other regulatory retention requirements.
5. Sharing and Disclosure
We share personal data only as follows:
5.1 Within your organisation
Other authorised users in your Workspace may see your name, email, role, and the activity you record in the Service, as appropriate for their permission level.
5.2 Sub-processors
We engage carefully vetted third parties to help operate the Service. Current sub-processors include:
- Email delivery: Resend (Resend, Inc.) - sends transactional emails (password resets, expiry reminders, welcome messages, sales notifications).
- Hosting and storage: our primary infrastructure is hosted in Nigeria; encrypted backups may be replicated to a disaster-recovery region operated by a reputable cloud provider.
- Error monitoring and analytics: aggregated, non-personal performance metrics may be collected by a hosted monitoring tool to help us diagnose issues.
We require all sub-processors to commit, by written contract, to confidentiality and security standards at least as protective as those in this Policy. A current list of sub-processors is available on request to privacy@authentiqdocs.com.
5.3 Legal compliance
We may disclose personal data if required by law, court order, or a binding request from a competent authority. Where lawful, we will give you advance notice so you can seek to limit or challenge the disclosure.
5.4 Business transfers
If Kwickswap is involved in a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction. We will notify affected Customers and provide a meaningful opportunity to opt out before any change in how their data is used.
5.5 With your consent
We share personal data with any other party only where you have given explicit consent.
6. International Data Transfers
Your data is primarily hosted in Nigeria. Where backups, sub-processor services, or operational tooling require transfer of personal data outside Nigeria, we ensure such transfers are protected by appropriate safeguards in line with the NDPR's data-transfer provisions, including:
- Transfers to jurisdictions recognised by the Nigeria Data Protection Commission as providing an adequate level of protection;
- Written contractual commitments from the receiving party to standards substantially equivalent to the NDPR;
- Your explicit consent where required.
7. Data Retention
We retain personal data only for as long as needed to fulfil the purposes for which it was collected, including any retention required to comply with legal, accounting, or reporting obligations.
- Account data is retained for the lifetime of your subscription and for ninety (90) days after termination, after which it is permanently deleted (subject to the backup-retention timeline below and any longer legal retention obligation).
- Customer Personal Data uploaded to your Workspace is retained for as long as you choose to keep it in the Service. On termination, you have ninety (90) days to export it, after which it is permanently deleted from production systems within thirty (30) days and from encrypted backups within ninety (90) days.
- Billing records are retained for six (6) years to satisfy Nigerian tax and accounting requirements.
- Audit logs are retained for the lifetime of the corresponding document for accountability and compliance purposes.
8. Your Rights
Subject to applicable law, you have the right to:
- Access - request a copy of the personal data we hold about you;
- Correct - ask us to fix inaccurate or incomplete data;
- Delete - ask us to delete your data, subject to legal retention obligations;
- Restrict or object - to certain types of processing, including direct marketing;
- Portability - receive a copy of data you provided to us in a structured, commonly used, machine-readable format;
- Withdraw consent - where processing relies on your consent, withdraw it at any time (without affecting the lawfulness of processing already carried out);
- Lodge a complaint - with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng, or with the data protection authority in your jurisdiction.
To exercise any of these rights, contact us at privacy@authentiqdocs.com. We will respond within thirty (30) days, or sooner where required by law.
If you are a person whose data is held inside a Workspace by one of our Customers (for example, a certificate holder), please direct your request to that Customer in the first instance, as they are the Data Controller for that data. We will support our Customer in responding within a reasonable time.
9. Cookies and Similar Technologies
We use a small set of cookies and equivalent technologies:
- Strictly necessary - session cookies that keep you signed in, CSRF tokens that protect form submissions, and the cookie that records your active Workspace. These cannot be turned off without breaking the Service.
- Functional - small client-side state such as the open/closed state of the mobile menu. These are not personal-data tracking cookies.
- Analytics - aggregated and anonymised page-view metrics where enabled, never tied to your identity or used for advertising.
We do not use third-party advertising cookies, cross-site tracking pixels, or social-media share-trackers. You can control cookies via your browser settings; blocking strictly-necessary cookies will prevent the Service from working.
10. Security Measures
We employ industry-standard administrative, technical, and physical safeguards, including:
- Encryption in transit - all traffic between you and the Service is protected by TLS 1.2 or higher;
- Encryption at rest - Customer Data is encrypted at the storage layer using AES-256 or equivalent;
- Per-tenant cryptographic signing keys - each Workspace is issued a unique signing key, stored in isolation from every other Workspace, used to sign documents so tampering is detectable;
- Authentication controls - bcrypt password hashing, session timeouts, brute-force rate limiting on login and password-reset endpoints, and optional single sign-on on Professional and Enterprise plans;
- Audit logging - every upload, approval, signature, share, and view is recorded immutably with timestamp, actor, and IP address;
- Daily encrypted backups - taken nightly and retained for thirty (30) days, with periodic restore-drills;
- Least-privilege access - employee access to production systems is granted only on a need-to-know basis and logged.
No system is 100% secure, and we cannot guarantee absolute security. If we become aware of a security breach that affects your personal data, we will notify you and the relevant authorities without undue delay and in any case within seventy-two (72) hours of becoming aware, in line with NDPR breach-notification requirements.
11. Children's Privacy
The Service is intended for business use only and not directed at children under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided personal data through the Service, contact us at privacy@authentiqdocs.com and we will take steps to delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time. The "Effective date" at the top of this page indicates when the latest version takes effect. For material changes, we will give you at least thirty (30) days' notice by email or in-app notification before the changes take effect, and where required by law we will seek your renewed consent.
13. Contact Us
If you have questions about this Privacy Policy or how we handle personal data, write to our Data Protection contact:
Kwickswap Technologies Limited
Attn: Data Protection Officer
RC-8607983
Lagos, Nigeria
Email: privacy@authentiqdocs.com
Questions? Email legal@authentiqdocs.com or write to us at the address in the footer below.