Data Privacy & Compliance

NDPC Compliance Statement

Nigeria Data Protection Act 2023  ·  Last reviewed: 1 June 2026

Compliant — Nigeria Data Protection Act 2023
Section 01

Our Commitment to Data Privacy

Gravio Digital is a digital client acquisition consultancy that operates in a sector where data discretion is not optional — it is the baseline expectation. Our prospective clients are senior legal professionals whose engagements involve commercially sensitive matters, private client information, and high-value business instructions. The data they submit through our intake systems is treated with the same level of professional seriousness that governs their own practice.

This Compliance Statement sets out, with full transparency, how Gravio Digital collects, processes, stores, and protects personal data submitted through the website at graviodigital.com, and how we fulfil our obligations as a data controller under the Nigeria Data Protection Act 2023 ("NDPA") and the regulations, guidelines, and codes of conduct issued by the Nigeria Data Protection Commission ("NDPC") — the primary supervisory authority for data protection in Nigeria.

Our compliance programme is not a formality. It reflects a genuine operational commitment to the proposition that law firms considering engagement with us should be able to do so with complete confidence that their information — and the information of their own clients as it may be referenced in their Application — is handled with the same standard of care they would expect from their own data processors and professional service providers.

This statement is addressed directly to the law firm partners, managing partners, and senior associates who are evaluating Gravio Digital's services. If you have questions about any specific data processing activity not addressed here, our Data Protection Officer is available at support@graviodigital.com and will respond to all compliance enquiries within three business days.


Section 02

Statutory Framework & Regulatory Alignment

2.1 The Nigeria Data Protection Act 2023

The Nigeria Data Protection Act 2023 (the "NDPA") — which received Presidential assent on 14 June 2023 and came into force upon publication in the Federal Government Official Gazette — is the primary federal legislation governing the collection, storage, processing, use, and transfer of personal data in Nigeria. It establishes the rights of natural persons (data subjects) in relation to their personal data, and imposes corresponding obligations on organisations (data controllers and data processors) that handle such data.

Gravio Digital operates as a data controller within the meaning of the NDPA in respect of personal data submitted through the website application form. In that capacity, we determine the purposes for which personal data is collected and the means by which it is processed. Where third-party service providers process data on our behalf — specifically the Web3Forms secure API — they operate as data processors acting under our instruction and subject to appropriate contractual obligations consistent with the NDPA's requirements.

2.2 Pre-Existing Framework and Continuity

The NDPA 2023 supersedes and substantially consolidates the Nigeria Data Protection Regulation 2019 (the "NDPR") issued by the National Information Technology Development Agency ("NITDA"). Gravio Digital was designed and built in conformity with both the NDPR and the NDPA, and our compliance posture reflects the higher and more comprehensive standards of the 2023 Act. References in this statement to "applicable data protection law" or "applicable law" encompass the NDPA 2023 together with all subordinate instruments, guidelines, and codes of conduct issued by the NDPC thereunder.

2.3 The Nigeria Data Protection Commission

The Nigeria Data Protection Commission ("NDPC") is the independent statutory body established under Part VII of the NDPA as the competent supervisory authority for data protection in Nigeria. The NDPC is responsible for registering data controllers of major importance, issuing data protection guidelines and codes of practice, investigating complaints from data subjects, enforcing the NDPA's obligations, and imposing administrative sanctions on non-compliant organisations. Gravio Digital recognises the NDPC's jurisdiction and co-operates fully with its supervisory mandate. Any data subject who wishes to escalate a complaint regarding our data processing activities may do so directly with the NDPC in accordance with the procedures described in Section 10 of this Statement.

2.4 Scope of This Statement

This Compliance Statement covers all personal data collected through the graviodigital.com website — specifically the data submitted via the Application form in the "Founding Client Application" section of the homepage. It does not address the processing of personal data in the context of a live service engagement between Gravio Digital and a client; those processing activities are governed by the data protection provisions of the applicable Service Agreement.


Section 03

The Seven Principles of Data Processing

Section 24 of the NDPA establishes seven fundamental principles governing the lawful processing of personal data by data controllers in Nigeria. Gravio Digital's data handling practices are designed from the ground up to satisfy each of these principles without exception. The following sets out each principle and the specific measures by which Gravio Digital gives it operational effect.

1
Lawfulness, Fairness & Transparency

We collect data only with the applicant's informed consent, which is obtained explicitly through the Application form's consent checkbox. The full scope of our processing is disclosed in this Statement and in our Privacy Policy before any data is submitted.

2
Purpose Limitation

Data submitted through the Application form is collected for one specific purpose: conducting an internal qualification review to determine whether the applicant's firm is a suitable candidate for the Founding Client programme. It is not processed for any secondary purpose without further explicit consent.

3
Data Minimisation

The Application form requests only the data that is strictly necessary to conduct the qualification review: name, email address, WhatsApp number, firm name, and matter value range. No sensitive personal data — including health information, religious affiliation, or political opinions — is collected at any point in the intake process.

4
Accuracy

Applicants are requested to confirm the accuracy of their submitted information via the consent declaration on the Application form. Where an applicant notifies us that their information is inaccurate or has changed, we will rectify or update the relevant records within five business days of receiving a valid correction request.

5
Storage Limitation

Personal data is retained only for as long as is necessary to fulfil the purpose for which it was collected. Applications from prospective clients who do not advance to a service engagement are deleted within 60 days of the last substantive interaction. Full retention periods are set out in Section 8 of this Statement.

6
Integrity & Confidentiality

All personal data is transmitted via TLS-encrypted channels and processed through the Web3Forms secure API, which routes form submissions without storing them on our web server. Access to submitted application data is restricted to the Agency's principal strategist only, with no third-party sharing absent explicit consent.

7
Accountability

Gravio Digital takes full and unconditional responsibility for demonstrating compliance with the NDPA in respect of all personal data processed through this website. We maintain this Compliance Statement as a public record of our processing activities, and we have designated a Data Protection Officer to oversee ongoing compliance. See Section 9 for DPO contact details.


Section 04

Personal Data We Collect

4.1 Data Submitted via the Application Form

The primary mechanism through which Gravio Digital collects personal data is the Founding Client Application form on the homepage. When a prospective client completes and submits this form, the following categories of personal data are collected:

  • Full name — the applicant's legal name as a practising lawyer or firm representative, used to identify and address the applicant during the qualification review;
  • Email address — used exclusively for internal record-keeping and, where applicable, for formal written correspondence that is expressly requested by the applicant;
  • Phone number (WhatsApp) — used by the Agency's principal strategist to contact qualified applicants directly for the Strategy Call. This is the Agency's primary communication channel with prospective clients;
  • Firm name — the trading name or registered name of the applicant's law practice, used to contextualise the qualification review against the Agency's current eligibility criteria; and
  • Matter value range — a non-specific, category-level indication of the applicant's typical matter value, selected from a dropdown. This is the sole piece of data relating to the applicant's commercial practice and is used only to assess threshold qualification.

No documentation, case files, engagement letters, client lists, or other materials relating to the applicant's legal practice are requested or collected at the Application stage.

4.2 Automatically Collected Technical Data

In addition to the data actively submitted through the Application form, the website may automatically collect certain technical data in connection with your use of the Site, including your Internet Protocol (IP) address, browser type and version, operating system, referring URL, pages visited, and the date and time of your visit. This technical data is collected through standard web server logs and any analytics tools deployed on the Site, and is used solely for the purposes of monitoring site performance, diagnosing technical issues, and understanding general usage patterns at an aggregate level. This technical data is not linked to the identity of individual applicants and is not used for any profiling, targeting, or decision-making activity.

4.3 Data Collected Through WhatsApp Communication

Where communication between the Agency and a prospective client takes place via WhatsApp — whether to arrange the Strategy Call or to exchange preliminary information — the content of those communications may be retained by the Agency's principal strategist on the personal device on which the Agency's WhatsApp Business account is operated. WhatsApp communications are subject to WhatsApp's own end-to-end encryption protocols. The Agency does not use third-party WhatsApp management platforms or CRM systems to store, process, or analyse WhatsApp message content without the explicit consent of the prospective client.

4.4 Consent & Voluntary Submission

The submission of the Application form is entirely voluntary. No prospective client is required or obligated to submit an Application as a condition of visiting, browsing, or obtaining information from the Site. The Application form includes an explicit, freely given consent declaration that the applicant must actively check before submission. Pre-ticked boxes, implied consent, or bundled consent are not used at any point in the Application process.


Section 05

Legal Bases for Processing

The NDPA requires that all processing of personal data rest on one of the lawful bases specified under the Act. Gravio Digital processes personal data submitted through this Site on the following lawful bases, as applicable to each specific processing activity:

5.1 Consent (Primary Basis — Application Data)

The processing of personal data submitted through the Application form rests on the explicit, freely given, specific, and informed consent of the data subject, as provided through the active opt-in consent checkbox on the form. The consent declaration reads: "I confirm the information above is accurate. I understand that my engagement is subject to a signed service agreement, and that my information is handled in strict confidence." This consent is granular — it covers the qualification review process only — and does not constitute blanket consent to any other form of processing. You may withdraw your consent at any time by contacting us at support@graviodigital.com, and your data will be deleted within 5 business days of a verified withdrawal request.

5.2 Legitimate Interests (Technical Data)

The processing of automatically collected technical data — including server logs and aggregated analytics — is conducted on the basis of Gravio Digital's legitimate interests in maintaining the security, performance, and integrity of the Site, and in understanding how the Site is used at a general level. This processing does not involve the collection of personal data in a form that identifies individual visitors, and the interest of the Agency in conducting it is proportionate and does not override any fundamental rights or freedoms of the data subject.

5.3 Pre-Contractual Steps (Qualification Process)

To the extent that the qualification review process constitutes the taking of steps at the request of the data subject prior to entering into a potential service engagement, the processing of Application data may also rest on the lawful basis of pre-contractual necessity. It is necessary for the Agency to process the submitted data in order to conduct the assessment the applicant has requested by choosing to submit an Application.

5.4 No Automated Decision-Making

Gravio Digital does not subject any applicant to automated decision-making — including algorithmic profiling — that produces legal or similarly significant effects. The qualification review is conducted manually by the Agency's principal strategist, who exercises personal judgment in assessing each Application against the Agency's criteria. No Application is declined, advanced, or categorised by automated means without human review and oversight.


Section 06

Technical & Organisational Security Measures

The protection of personal data submitted by legal professionals requires a security architecture that is technically robust, organisationally disciplined, and proportionate to the sensitivity of the information being handled. The following measures are deployed across all stages of the data lifecycle — from collection through processing to deletion.

  • TLS 1.2/1.3 Encryption in Transit. All data submitted through the Application form is transmitted over HTTPS using Transport Layer Security (TLS) protocol versions 1.2 and 1.3. This ensures that data in transit between the applicant's browser and the receiving server is encrypted end-to-end and cannot be intercepted, read, or tampered with by any third party during transmission. The site's SSL/TLS certificate is maintained current and valid at all times, and HTTP connections are automatically redirected to HTTPS.
  • Secure API Routing via Web3Forms. Application form submissions are processed through the Web3Forms API — a privacy-focused, zero-database form processing service. Web3Forms routes submitted form data securely to the Agency's designated email inbox without storing, logging, or retaining form submissions on any Web3Forms server. Form submissions are not cached, warehoused, or accessible by Web3Forms staff. The access key authenticating the API connection is stored as a non-public configuration variable and is not exposed in client-side code in a manner that would allow unauthorised parties to submit fraudulent data or to intercept legitimate submissions.
  • Strict Access Controls — Single Authorised User. Access to submitted Application data — which arrives in the Agency's designated email inbox — is restricted exclusively to the Agency's principal strategist, who is the sole designated data controller representative with access to Application submissions. No subcontractors, offshore personnel, junior staff, or third-party agents have access to incoming Application data at any stage. This single-point access model is a direct operational consequence of the Agency's one-client-at-a-time engagement model and is not a policy aspiration but a structural reality of how the Agency operates.
  • No Third-Party Sharing or Data Brokering. Personal data submitted through the Application form is never sold, licensed, rented, or shared with any third party for commercial, marketing, or analytical purposes. The only third-party entity that touches Application data in the course of normal processing is the Web3Forms API service, whose role is strictly limited to routing form submissions to the Agency's inbox and which does not retain the data thereafter. No data analytics, advertising, or lead generation platforms are connected to the Application form or to the email account into which submissions are routed.
  • Prompt Breach Notification Protocol. In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of affected data subjects, Gravio Digital will notify the NDPC within 72 hours of becoming aware of the breach, in accordance with the requirements of the NDPA. Where the breach is likely to result in a high risk to the rights and freedoms of the data subject, the affected individual will also be notified directly without undue delay. The Agency maintains a documented breach response procedure that designates the Data Protection Officer as the primary incident response contact.
  • Secure Deletion Upon Retention Expiry. When Application data reaches the end of its applicable retention period — as set out in Section 8 — it is permanently and securely deleted from all email accounts, any local backup media, and any documentation in which it appears. Deletion is conducted by the Agency's principal strategist and logged in the Agency's internal data deletion register. No archived or "soft-deleted" copies are maintained after the deletion date.

Section 07

Your Rights as a Data Subject

Under the Nigeria Data Protection Act 2023, every individual whose personal data is processed by a data controller is vested with a suite of enforceable rights in relation to that data. Gravio Digital fully recognises and is committed to honouring these rights without obstruction, delay, or fee. The following sets out each right and how it applies to Application data processed by the Agency.

Right to Be Informed

You have the right to be told, at the point of data collection, exactly how your data will be used, who will process it, on what legal basis, and for how long it will be retained. This Compliance Statement and our Privacy Policy satisfy that obligation in full.

Right of Access

You may request a copy of all personal data we hold about you, together with confirmation of the purposes for which it is being processed. We will fulfil all valid access requests within 30 days at no charge.

Right to Rectification

If any personal data we hold about you is inaccurate, incomplete, or out of date, you have the right to have it corrected. We will update any records within 5 business days of a verified rectification request.

Right to Erasure

You have the right to request the permanent deletion of all personal data we hold about you — sometimes called the "right to be forgotten." We will fulfil erasure requests within 5 business days and confirm deletion in writing.

Right to Data Portability

Where processing is based on your consent and is carried out by automated means, you may request a copy of your data in a structured, commonly used, machine-readable format (such as CSV or JSON) for transfer to another controller.

Right to Restriction

You may request that we suspend the processing of your data — for example, where you contest its accuracy or have objected to its processing — while the relevant question is being resolved. Your data will be flagged and processing suspended within 2 business days of a valid request.

Right to Object

You may object to any processing of your data that is conducted on the basis of legitimate interests. If you object, we will cease the relevant processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

Right to Withdraw Consent

Where processing rests on your consent, you may withdraw that consent at any time without prejudice to the lawfulness of processing prior to withdrawal. Withdrawal is as straightforward as submitting a request to support@graviodigital.com.

To exercise any of the rights described above, please submit a written request to our Data Protection Officer at support@graviodigital.com. Please include your full name, the email address you used when submitting your Application, and a clear description of the right you wish to exercise. We will acknowledge your request within 3 business days and fulfil it within the statutory timeframe. We may request reasonable verification of your identity before processing a request to protect against unauthorised access to a third party's data.


Section 08

Data Retention Periods

The NDPA requires data controllers to retain personal data for no longer than is necessary for the purposes for which it was collected. The following table sets out the specific retention period applicable to each category of data processed by Gravio Digital in connection with this Site. All retention periods run from the date of the last substantive interaction with the data subject, unless otherwise specified.

Data Category Retention Period Rationale & Trigger for Deletion
Application data — non-qualifying enquiries 60 days Where an Application does not advance to a Strategy Call, all submitted data is deleted 60 days after the Application is received. This period allows for the completion of the internal review and, where applicable, any follow-up communication the applicant initiates.
Application data — Strategy Call completed, no engagement 90 days Where a Strategy Call is completed but the parties elect not to proceed to a formal engagement, Application and call-related data is deleted 90 days after the date of the Strategy Call. This period allows for any follow-up queries the prospective client may have after the call.
Client engagement data — active Service Agreement 5 years Where a Service Agreement is executed and a formal engagement commences, personal data related to the engagement is retained for 5 years from the date of the final deliverable or the formal termination of the engagement, whichever is later. This retention period reflects the Agency's legitimate interest in maintaining records sufficient to defend any contractual claim that might be brought within the applicable limitation period under Nigerian law.
Financial records (invoices, payment records) 7 years Financial records relating to a completed engagement — including issued invoices, payment confirmations, and refund documentation — are retained for 7 years from the date of the transaction, in accordance with Nigerian tax law and the requirements of the Federal Inland Revenue Service.
Anonymised aggregate analytics data Indefinite Aggregate, anonymised analytics data — from which no individual can be identified — may be retained indefinitely for the purpose of improving the Site's performance. This data is not personal data within the meaning of the NDPA and is therefore not subject to the Act's retention limitation requirements.
Data subject rights requests & correspondence 3 years Records of data subject rights requests — including the request itself, our response, and any verification documentation — are retained for 3 years from the date of fulfilment. This retention period supports the Agency's accountability obligations under the NDPA and allows for the resolution of any follow-up disputes regarding the fulfilment of a request.

Upon the expiry of any applicable retention period, personal data is permanently deleted from all systems, email accounts, backup media, and documents in which it appears. Deletion is confirmed in writing and logged in the Agency's internal data deletion register, which is maintained by the Data Protection Officer.


Section 09

Data Protection Officer

Gravio Digital has designated a Data Protection Officer ("DPO") responsible for overseeing the Agency's data protection compliance programme, monitoring adherence to the NDPA and applicable guidelines, serving as the primary point of contact for data subject rights requests, and liaising with the NDPC on all regulatory matters relating to data protection. The DPO operates through a dedicated compliance routing address that is segregated from the Agency's general business correspondence to ensure that all data protection matters receive prompt and appropriate attention.

Designated Role Data Protection Officer — Gravio Digital
Compliance Contact
Response Commitment
Acknowledgement within 3 business days. Full response within the statutory timeframe under the NDPA.
Scope of Responsibility
Data subject rights requests, breach notifications, NDPC liaison, and internal compliance oversight.
Jurisdiction
Federal Republic of Nigeria — Nigeria Data Protection Act 2023.

9.1 How to Contact the DPO

When contacting the DPO, please include the following information to enable us to process your request efficiently and securely:

  • Your full name as it appears in the data you submitted to us;
  • The email address you used when submitting your Application or otherwise communicating with the Agency;
  • A clear, specific description of the right you wish to exercise or the matter you wish to raise;
  • Any reference number or date associated with your original Application or previous correspondence, if available; and
  • Sufficient identification information to allow us to verify your identity and match your request to the correct records, without disclosing sensitive identification documents unnecessarily.

The Agency will not charge any fee for the exercise of data subject rights in ordinary circumstances. Where a request is manifestly unfounded, repetitive, or excessive, the Agency reserves the right — in accordance with the NDPA — to either charge a reasonable fee or decline to act on the request, having first notified the data subject and provided written reasons for the decision.


Section 10

The NDPC & Your Right to Complain

If you are not satisfied with how Gravio Digital has handled your personal data, or with our response to a data subject rights request, you have the right to escalate your concern directly to the Nigeria Data Protection Commission — the statutory supervisory authority responsible for enforcing the NDPA.

Before lodging a formal complaint with the NDPC, we encourage you to first contact our Data Protection Officer at support@graviodigital.com. In the majority of cases, compliance concerns can be resolved at the Agency level quickly and without the need for formal regulatory intervention. The DPO will acknowledge all complaints within 3 business days and will endeavour to resolve them within 21 days. If, after engaging with the Agency directly, you remain dissatisfied, you are fully entitled to pursue the matter with the NDPC.

Nigeria Data Protection Commission (NDPC)

Supervisory Address: No. 5 Donau Street, Maitama, Abuja, Federal Capital Territory, Nigeria.

Mandate: The NDPC is the primary federal supervisory authority for data protection in Nigeria, established under Part VII of the Nigeria Data Protection Act 2023. It is empowered to receive and investigate complaints from data subjects, conduct audits of data controllers, issue enforcement notices, and impose administrative sanctions for non-compliance with the NDPA.

Complaint Procedure: Complaints to the NDPC may be submitted in writing to the Commission's registered address above, or through any digital submission channel published by the Commission at ndpc.gov.ng. The NDPC requests that complainants first attempt to resolve the matter directly with the data controller before filing a formal complaint.

This Compliance Statement is reviewed and updated on a regular basis to reflect changes in applicable data protection law, updates to the NDPC's regulatory guidance, and changes to the Agency's data processing practices. The effective date of the current version is displayed at the top of this page. Material revisions will be highlighted in the revision log maintained by the DPO. Continued use of the Site following any revision constitutes acknowledgement of the updated Statement.