Introduction
This Privacy Policy ("Policy") explains how Gravio Digital ("Gravio Digital," "we," "us," or "our"), a digital consultancy registered and operating from Lagos, Nigeria, collects, processes, stores, and protects personal data when you visit graviodigital.com (the "Site") or submit an application through our founding client intake form.
We are committed to responsible data stewardship. Given the nature of our clientele — senior partners and managing directors at Lagos law firms — we recognise that the confidentiality of your professional data is not merely a regulatory obligation; it is the foundation of any professional engagement with your firm.
This Policy is issued in compliance with the Nigeria Data Protection Act 2023 (NDPA 2023) and is supervised by the Nigeria Data Protection Commission (NDPC). It applies to all natural persons whose data we process, whether as prospective clients, website visitors, or contracted clients.
By accessing our Site or submitting an application, you acknowledge that you have read and understood this Policy. If you do not agree with any part of it, please do not submit your application.
1. Information We Collect
We collect the following categories of personal data through our Site. We collect only what is strictly necessary for the purposes described in this Policy.
a) Identity & Professional Data
When you submit our founding client application form, you provide your full name and professional title. This information is used solely to address you correctly and to verify your standing as a qualified legal practitioner.
b) Firm Data
We collect your law firm's registered name and, by inference from your matter value selection, the approximate scale of your practice. We do not collect your firm's client lists, case files, matter histories, or any information subject to legal professional privilege.
c) Contact Data
We collect your business email address and your phone number or WhatsApp number. The WhatsApp number is used exclusively for direct, person-to-person communication from the Chief Strategist. It is never entered into any automated messaging platform, SMS broadcast system, or marketing database.
d) Commercial Indicator Data
Our application form invites you to select your typical matter value bracket (e.g., Under ₦5M, ₦5M–₦10M, ₦10M–₦15M, or ₦15M+). This self-reported figure is used exclusively to assess your firm's eligibility for our 90-day ROI Dual Guarantee and to confirm that our minimum threshold requirements align with your current practice profile. It is never disclosed to third parties, used in advertising, or retained beyond the periods specified in Section 7.
e) Technical Data
Like most websites, our Site automatically receives certain technical data from your browser when you visit, including your IP address, browser type and version, operating system, referring URL, pages visited, and approximate session duration. This data is used in aggregate to monitor Site performance and is not linked to your personal identity unless required for security purposes.
f) Cookie Data
We collect minimal cookie data for operational purposes. Please see Section 6 for a full description of the cookies we use.
We do not collect any sensitive personal data as defined under the NDPA 2023, including health data, biometric identifiers, racial or ethnic origin, political opinions, religious beliefs, or information relating to pending legal matters handled by your firm.
2. How We Use Your Information
We process your personal data for the following specific, documented purposes only. We do not use your data for any purpose not listed here.
a) Application Qualification
Your application data is used to assess whether your firm meets the eligibility criteria for our founding client engagement — specifically, whether your current matter portfolio and operational infrastructure can reasonably support the 90-day ROI outcomes backed by our Dual Guarantee. This assessment is conducted exclusively and personally by the Chief Strategist. No automated decision-making or algorithmic scoring is applied.
b) Direct Communication
Your contact details are used to communicate the outcome of your application and, where your firm qualifies, to coordinate your 30-minute Strategy Call. All communication is handled directly by the Chief Strategist. No communication on behalf of Gravio Digital will ever originate from an automated drip system, marketing platform, or third-party representative.
c) Service Delivery & Onboarding
If your firm is accepted as a founding client and a service agreement is executed, your data is used to construct a bespoke client acquisition strategy. This includes configuring your target client avatar, determining your practice area positioning, and setting your minimum dispute value threshold for the Pre-Qualification Gate (Component 03 of the Client Acquisition Engine). All data processed at this stage is governed by the terms of your signed service agreement.
d) Contractual & Legal Compliance
We maintain records of application submissions and engagement decisions to honour our contractual obligations, to respond to any future disputes, and to demonstrate our compliance with applicable data protection and commercial regulations under Nigerian law.
e) Site Performance Analytics
Aggregated, anonymised technical data is used to understand how visitors interact with the Site and to improve its performance and conversion architecture. This data is never linked to your personal identity and is not used to profile individual visitors.
We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on any individual or firm.
3. Strict Confidentiality & Law Firm Data
Gravio Digital operates in a professional environment where information confidentiality is not optional — it is the operating standard. We make the following unqualified commitments regarding your data:
- We do not sell, lease, rent, or otherwise transfer your personal data to any third party for commercial purposes — ever.
- We do not share your firm's identity, matter value brackets, contact details, or any other application data with any competitor, partner agency, referral partner, or affiliated entity.
- We do not use your application data to build advertising audiences, retargeting lists, or lookalike segments on any advertising platform.
- We do not disclose the identity of any firm that has submitted an application to us, regardless of whether that application was successful.
We further recognise that law firms are subject to professional confidentiality obligations under the Nigerian Bar Association Rules of Professional Conduct, and that a law firm's inquiry into our services may itself carry commercial sensitivity — for example, as an indication of a firm's growth ambitions, competitive positioning, or investment appetite. We treat the fact of your application, and its contents, with the same standard of discretion we would expect from any professional engaged in a privileged relationship.
The only circumstances under which we would disclose your data to any external party are:
- With your explicit, documented written consent;
- As required by a valid court order, regulatory directive, or a specific legal obligation imposed on us by Nigerian law; or
- To the named data processors listed in Section 10 of this Policy, solely to the extent technically necessary for the delivery of our services, and subject to binding data processing obligations.
4. Legal Basis for Processing
The Nigeria Data Protection Act 2023 requires that every processing activity be carried out on a recognised lawful basis. Our processing activities and their corresponding bases are as follows:
Consent
When you submit our application form and tick the consent checkbox, you expressly consent to the processing of your personal data for the purposes stated in this Policy. Consent is the primary lawful basis for processing your application data. You may withdraw your consent at any time by contacting us as described in Section 12. Withdrawal of consent will not affect the lawfulness of any processing carried out prior to withdrawal.
Contractual Necessity
Where processing is necessary to enter into or perform a contract with your firm — specifically during client onboarding and service delivery — we rely on contractual necessity as our lawful basis. The details of such processing are set out in your signed service agreement.
Legitimate Interests
For the collection of technical data and aggregated analytics, we rely on our legitimate interest in understanding how our Site is used and improving its performance. We have assessed that this interest does not override your fundamental rights and freedoms, given that the data is collected in aggregate and cannot reasonably be used to identify you.
Legal Obligation
Where processing is necessary to comply with a specific legal obligation under Nigerian law — for example, financial record-keeping requirements — we rely on legal obligation as our lawful basis.
5. Cookies & Tracking Technologies
We use a minimal and deliberate set of cookies and similar technologies. We do not use advertising cookies, behavioural tracking pixels, remarketing tags, or any third-party surveillance technology of any kind.
a) Strictly Necessary Cookies
These cookies are essential for the Site to function correctly. They maintain session state across page navigation and do not store any personally identifiable information. These cookies are automatically deleted when you close your browser. You cannot opt out of strictly necessary cookies without disabling core Site functionality.
b) Performance Cookies
We may use anonymised, first-party analytics to understand how visitors interact with the Site — including which pages are visited most frequently, approximate session durations, and referral sources. All such data is aggregated and no individual visitor is identified. You may opt out of performance cookies by adjusting your browser settings.
c) Third-Party Embed Cookies — Vimeo
Our Site embeds a Vimeo video player for our video presentation. When you interact with this video, Vimeo may set its own cookies and collect data about your viewing activity in accordance with Vimeo's Privacy Policy. We have no control over Vimeo's cookies. You may block third-party cookies through your browser settings without affecting your ability to access the Site's core content.
d) Google Fonts
Our Site loads typography assets from Google Fonts (fonts.googleapis.com). This request may cause Google's servers to log your IP address and browser agent. This is a standard technical operation and no personally identifiable information from our application form is transmitted to Google as a result. For further information, refer to Google's Privacy Policy.
In summary: we do not track you across the web, we do not build advertising profiles from your visit, and we do not share cookie data with any third-party advertiser.
6. Data Retention & Deletion
We apply a differentiated retention schedule based on the outcome of your application. We retain your data for no longer than is necessary for the purpose for which it was collected.
a) Non-Qualifying Applications
If your firm does not meet our founding client eligibility criteria, your application data is retained for a maximum of 60 days from the date of our written communication confirming this outcome. This window exists solely to accommodate a brief follow-up discussion should your circumstances change within that period. Upon expiry of 60 days, all personal data relating to non-qualifying applications — including name, firm name, contact details, and matter value selection — is permanently deleted from our systems and from the delivery records of our form processing provider, Web3Forms.
b) Qualifying Applications — Pre-Engagement
If your firm qualifies but does not proceed to a signed engagement, your data is retained for 90 days from the date of the Strategy Call. After this period, all associated personal data is permanently deleted.
c) Engaged Clients
Where a service agreement is executed, we retain all client engagement data — including signed agreements, onboarding materials, and correspondence — for a period of 5 years from the date of formal engagement termination. This retention period is required for contractual record-keeping, financial compliance under Nigerian commercial law, and potential dispute resolution. Upon expiry, all records are securely and irreversibly destroyed.
d) Technical & Cookie Data
Anonymised technical data collected automatically through website access is purged or permanently anonymised on a rolling basis, with no individual data point retained for longer than 12 months.
You may request early deletion of your data at any time by contacting us as described in Section 12. We will fulfil verified deletion requests within 14 days, subject only to any legal obligation that requires us to retain specific records for a minimum statutory period.
7. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, alteration, disclosure, or destruction. Our specific security practices include the following:
- Encrypted transmission: All data transmitted between your browser and our Site is encrypted using TLS (Transport Layer Security) protocols. Any browser displaying a valid HTTPS connection indicator when visiting graviodigital.com confirms this encryption is active.
- Secure form processing: Our application form is processed via Web3Forms, which transmits submitted data to our designated secure email address over encrypted API connections. Web3Forms does not permanently store your form submissions in its own database beyond the delivery event.
- Restricted access: Access to application data is strictly limited to the Chief Strategist. There are no junior staff members, shared team inboxes, subcontractors, or third-party account managers with access to applicant information. This is a structural guarantee, not merely a policy commitment.
- No centralised data storage: We do not store raw application data in any cloud CRM, shared spreadsheet environment, or marketing platform accessible by multiple parties. Application data exists only in the Chief Strategist's secure, access-controlled email environment.
- No third-party data processors beyond those named: Your data is not passed to any analytics platform, sales tool, or business intelligence system that retains your personal identity.
No method of electronic transmission or storage is completely immune to attack. While we take every reasonable precaution, we cannot provide an absolute guarantee of security. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify you and the Nigeria Data Protection Commission (NDPC) within 72 hours of becoming aware of the breach, in accordance with our obligations under the NDPA 2023.
8. Your Rights Under the NDPA 2023
The Nigeria Data Protection Act 2023 affords you the following rights with respect to personal data we hold about you. All rights are exercisable without prejudicing the lawfulness of processing carried out prior to your request.
Right of Access
You may request a copy of the personal data we hold about you, along with information about how it is being processed. We will provide this within 30 days of a verified request.
Right to Rectification
If any personal data we hold about you is inaccurate or incomplete, you may request that we correct it promptly.
Right to Erasure ("Right to be Forgotten")
You may request that we permanently delete your personal data. We will comply with verified erasure requests within 14 days, unless we are subject to a legal obligation that requires us to retain specific records for a minimum period.
Right to Restriction of Processing
You may request that we restrict how we process your data — for example, while a dispute about the accuracy of your data is being resolved — without requiring full deletion.
Right to Data Portability
You may request that we provide your personal data in a structured, commonly used, machine-readable format so that you can transfer it to another data controller.
Right to Object
Where we rely on legitimate interests as our lawful basis for processing, you have the right to object to that processing at any time. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
Right to Withdraw Consent
Where processing is based on your consent (as is the case for your application data), you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing conducted prior to your withdrawal.
Right to Lodge a Complaint
If you believe that we have violated your data protection rights under the NDPA 2023, you have the right to lodge a formal complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng. We would, however, appreciate the opportunity to address your concern directly before any regulatory escalation.
To exercise any of the above rights, please contact us using the details set out in Section 12. We will acknowledge your request within 2 business days and respond in full within 30 days, as required by the NDPA 2023.
9. Third-Party Services
Our Site uses the following third-party services which may process limited technical data as part of their operation. We have selected these providers on the basis of their data protection standards. None of them receive the personal application data you submit through our intake form, except Web3Forms, which acts solely as a data processor under our instruction.
Web3Forms — Form Processing
Our application form is processed by Web3Forms (web3forms.com). When you submit the form, Web3Forms' API receives the submitted fields and forwards them to our designated email address via an encrypted connection. Web3Forms does not retain submitted data in a persistent database after delivery. We encourage you to review Web3Forms' privacy policy for details of their own data handling practices.
Vimeo — Video Hosting
Our video presentation is hosted by Vimeo, Inc. (United States). The embedded player may collect data about your interactions with the video in accordance with Vimeo's Privacy Policy. This processing is outside our control. No personal data from our application form is transmitted to Vimeo.
Google Fonts — Typography
Typography is loaded from Google Fonts (fonts.googleapis.com), a service operated by Google LLC (United States). Google may log your IP address and browser agent when serving font files. This data is subject to Google's Privacy Policy and is entirely separate from any application data you submit to us.
Unsplash — Image Delivery
Some visual assets on our Site are served from Unsplash's content delivery network (images.unsplash.com). Unsplash may log standard CDN access data. This is a standard technical operation with no impact on your personal data submitted through our form.
We do not use, and have never used, any of the following on this Site: Facebook Pixel, Google Ads tracking, TikTok Pixel, LinkedIn Insight Tag, HubSpot, Salesforce, Intercom, or any equivalent third-party tracking or CRM platform that would receive your personal identity data.
10. Changes to This Policy
We reserve the right to update or amend this Privacy Policy at any time to reflect changes in our data practices, the services we offer, or applicable law. When we make material changes — meaning changes that significantly affect how we collect, use, or protect your data — we will update the "Last Reviewed" date at the top of this page.
Where we hold your contact details and the changes are sufficiently material to warrant direct notification, we will contact you by email or WhatsApp to inform you of the update before it takes effect, giving you a reasonable opportunity to review the revised Policy and, where applicable, withdraw your consent.
Your continued use of the Site following the publication of an updated Policy constitutes your acknowledgement of its terms. We encourage you to review this page periodically. The most current version of this Policy always supersedes any prior versions.
11. Contact & Data Controller
Gravio Digital is the Data Controller for all personal data processed under this Policy, as defined by the Nigeria Data Protection Act 2023.
If you have questions about this Policy, wish to exercise any of your data rights, or need to report a concern, please contact us directly. We respond to all data-related enquiries within 2 business days.
Gravio Digital — Data Controller
For complaints that you have not been able to resolve directly with us, you may escalate to the supervisory authority: