Tailored to meet every industry use case effortlessly50% off

LEGAL

Data Protection Policy

Last updated: April 2026

Home/Data Protection Policy

1. Policy Statement & Scope

Sendar Technologies Ltd. ("Sendar", "we", "our") is committed to protecting the personal data of all individuals whose data we process, including our customers, their message recipients, employees, contractors, and website visitors. This Data Protection Policy ("Policy") sets out the principles, standards, and procedures that govern how Sendar collects, processes, stores, and protects personal data.

This Policy applies to all personal data processed by Sendar in connection with the operation of our messaging platform (SMS, WhatsApp, Email, Voice), whether in digital or physical form. It applies to all employees, contractors, third-party processors, and any person who has access to personal data held by Sendar.

This Policy is established in compliance with the Nigeria Data Protection Act 2023 ("NDPA"), the Nigeria Data Protection Commission ("NDPC") Implementation Framework, guidelines issued by the National Information Technology Development Agency ("NITDA"), and the Nigerian Communications Commission ("NCC") regulations on telecommunications data handling.

2. NDPC Registration & Regulatory Compliance

Sendar Technologies Ltd. is registered with the Nigeria Data Protection Commission (NDPC) as required under Section 7 of the NDPA 2023. Our registration encompasses our roles as both a Data Controller (for data we collect about our customers) and a Data Processor (for data our customers process through our Platform).

We maintain compliance with the following regulatory frameworks:

  • Nigeria Data Protection Act 2023 (NDPA): The primary legislation governing data protection in Nigeria, establishing the NDPC and the rights of data subjects.
  • NDPC Implementation Framework: Supplementary regulations issued by the NDPC, including the Data Protection Implementation Framework and audit requirements.
  • NCC Consumer Code of Practice: Regulations governing telecommunications service providers, including requirements for handling subscriber data, DND compliance, and sender ID registration.
  • NCC Type Approval Regulations: Requirements for messaging platforms interfacing with Nigerian telecommunications networks.
  • NITDA Guidelines: Applicable guidelines on information technology governance and data management.
  • GAID Framework: Requirements relating to the Government-Assigned Identifier Database, including the handling of National Identification Numbers (NIN) and other government-assigned identifiers in compliance with NIMC regulations.

Sendar undergoes annual data protection audits conducted by an NDPC-licensed Data Protection Compliance Organisation (DPCO) and files annual audit reports with the NDPC as required.

3. Data Protection Principles

Sendar adheres to the following data protection principles as established by the NDPA 2023 (Section 24):

  • Lawfulness, Fairness, and Transparency: Personal data is processed lawfully, fairly, and in a transparent manner.
  • Purpose Limitation: Personal data is collected for specified, explicit, and legitimate purposes.
  • Data Minimisation: Only personal data that is adequate, relevant, and limited to what is necessary is collected.
  • Accuracy: Personal data is kept accurate and up to date.
  • Storage Limitation: Personal data is retained only for as long as necessary.
  • Integrity and Confidentiality: Personal data is processed with appropriate security.
  • Accountability: Sendar is responsible for and able to demonstrate compliance.

4. Categories of Personal Data

Sendar processes the following categories of personal data in connection with our messaging platform:

  • Customer Account Data: Name, email, phone number, business name, CAC registration number, job title, billing address, and login credentials (hashed).
  • Recipient Data (processed on behalf of customers): Phone numbers, email addresses, names, and any personal data included in message content.
  • Payment Data: Card details (tokenised), bank account information, transaction records, and wallet balance history.
  • Messaging Metadata: Timestamps, delivery reports, carrier network codes, message IDs, sender IDs, channel type, and DND status.
  • Technical Data: IP addresses, API keys (hashed), user agent strings, access logs, and error logs.
  • Identity Verification Data: Government-issued ID documents, BVN verification status, NIN, and business registration documents.
  • Employee and Contractor Data: Employment records, payroll data, performance records, and access credentials.

Sendar does not intentionally process special categories of personal data (sensitive data such as health data, biometric data, religious beliefs, political opinions, or sexual orientation) unless required by law or with explicit consent.

5. Data Protection Officer

Sendar has appointed a Data Protection Officer (DPO) as required under Section 31 of the NDPA 2023. The DPO is responsible for:

  • Advising Sendar on compliance with the NDPA 2023 and all applicable data protection regulations
  • Monitoring internal compliance, including conducting internal audits and staff training
  • Acting as the primary contact point for the NDPC and data subjects
  • Overseeing Data Protection Impact Assessments (DPIAs)
  • Managing data subject rights requests and complaints
  • Reviewing and approving data processing agreements with third-party processors
  • Reporting directly to senior management on data protection matters

Contact the DPO:

  • Title: Data Protection Officer, Sendar Technologies Ltd.
  • Email: support@sendar.io
  • Address: No 14, Ben Okagbue, Mba Street, Lekki Phase 1, Lagos, Nigeria

6. Technical Security Measures

Sendar implements comprehensive technical security measures to protect personal data throughout its lifecycle:

  • Encryption at Rest: All personal data stored in databases and file systems is encrypted using AES-256 encryption.
  • Encryption in Transit: All data transmitted between clients and Sendar servers uses TLS 1.2 or higher.
  • Access Controls: Role-Based Access Control (RBAC) ensures that personnel only access data necessary for their role.
  • Audit Logging: All access to personal data is logged with timestamps, user identities, and actions performed.
  • Network Security: Web Application Firewalls (WAF), intrusion detection/prevention systems (IDS/IPS), and DDoS mitigation are deployed.
  • Vulnerability Management: Regular automated vulnerability scanning and annual penetration testing by independent third-party security firms.
  • API Security: API keys are hashed using bcrypt and stored securely. Rate limiting, IP whitelisting, and webhook signature verification protect against abuse.
  • Backup & Recovery: Automated daily encrypted backups with geographic redundancy. Recovery procedures are tested quarterly.

7. Organisational Security Measures

In addition to technical measures, Sendar maintains the following organisational controls:

  • Information Security Policy: A comprehensive information security policy aligned with ISO 27001 standards.
  • Staff Vetting: Background checks are conducted on all employees and contractors who will have access to personal data.
  • Confidentiality Agreements: All employees and contractors sign binding confidentiality and non-disclosure agreements.
  • Clean Desk Policy: Physical workspaces must be clear of personal data documents when unattended.
  • Acceptable Use Policy: Employees are bound by an internal acceptable use policy governing the use of company systems and data.
  • Physical Security: Office premises are secured with access controls, CCTV monitoring, and visitor management procedures.

8. Staff Training & Awareness

Sendar maintains a comprehensive data protection training programme:

  • Onboarding Training: All new employees and contractors complete mandatory data protection training within their first week.
  • Annual Refresher Training: All staff complete annual refresher training on data protection.
  • Role-Specific Training: Employees in high-risk roles receive specialised training on data handling, incident response, and secure coding practices.
  • Phishing Awareness: Regular simulated phishing exercises are conducted to test and reinforce staff awareness.
  • Training Records: All training completion records are maintained and available for audit.

9. Data Breach Notification

Sendar maintains a documented Data Breach Response Plan that is tested at least annually through tabletop exercises. In the event of a personal data breach:

  1. Detection & Containment (0-4 hours): The breach is identified, contained, and the incident response team is activated.
  2. Assessment (4-24 hours): The scope, severity, and impact of the breach are assessed.
  3. NDPC Notification (within 72 hours): Sendar will notify the Nigeria Data Protection Commission within 72 hours as required by the NDPA 2023.
  4. Data Subject Notification (without undue delay): Where the breach is likely to result in a high risk, affected individuals will be notified.
  5. Customer Notification: Where Sendar is acting as a Data Processor, affected customers will be notified.
  6. Documentation & Review: All breaches are documented and a post-incident review is conducted within 14 days.

10. Third-Party Processor Requirements

Sendar engages third-party processors only where necessary and subject to stringent contractual and security requirements. Before engaging any third-party processor:

  • Due Diligence: A thorough assessment of the processor's data protection practices is conducted.
  • Data Processing Agreement (DPA): A written DPA compliant with Section 30 of the NDPA 2023 is executed.
  • Security Requirements: Processors must maintain security measures at least equivalent to those described in this Policy.
  • Sub-processor Controls: Processors may not engage sub-processors without Sendar's prior written consent.
  • Audit Rights: Sendar retains the right to audit any third-party processor's compliance.
  • Breach Notification: Processors are contractually required to notify Sendar of any personal data breach without undue delay.
  • Termination & Data Return: Upon termination, the processor must return or securely delete all personal data.

11. Data Subject Rights

Sendar respects and facilitates the exercise of data subject rights as established by Part IV of the NDPA 2023:

  • Right of Access: Data subjects may request confirmation of whether their personal data is being processed and receive a copy.
  • Right to Rectification: Data subjects may request correction of inaccurate personal data.
  • Right to Erasure: Data subjects may request deletion of personal data where it is no longer necessary.
  • Right to Restriction: Data subjects may request restriction of processing while accuracy is contested.
  • Right to Object: Data subjects may object to processing based on legitimate interest or for direct marketing purposes.
  • Right to Data Portability: Data subjects may receive their data in a structured, machine-readable format.
  • Right Not to Be Subject to Automated Decision-Making: Data subjects may request human intervention for decisions made solely by automated processing.

Requests are handled by our DPO and responded to within 30 days. Where Sendar acts as a Data Processor, we will assist our customers in fulfilling data subject requests.

12. Cross-Border Data Transfers

Sendar primarily processes personal data within Nigeria. Where cross-border transfers are necessary, we ensure compliance with Section 41 of the NDPA 2023 by:

  • Transferring data only to jurisdictions deemed adequate by the NDPC
  • Implementing NDPC-approved Standard Contractual Clauses (SCCs)
  • Obtaining Binding Corporate Rules approval where applicable
  • Obtaining explicit, informed consent as a last resort
  • Conducting Transfer Impact Assessments (TIAs) for transfers to jurisdictions without adequacy determinations

A register of all cross-border data transfers is maintained and updated regularly.

13. Data Protection Impact Assessments

Sendar conducts Data Protection Impact Assessments (DPIAs) before commencing any processing activity that is likely to result in a high risk. DPIAs are mandatory for:

  • Introduction of new messaging channels or features involving personal data
  • Deployment of AI or machine learning systems that process personal data
  • Large-scale processing of sensitive personal data
  • Systematic monitoring of public areas or online behaviour
  • New data sharing arrangements with third parties
  • Changes to cross-border data transfer mechanisms
  • Implementation of new technologies that may affect privacy

DPIAs are reviewed and approved by the DPO before the processing activity commences.

14. NCC Telecommunications Data Compliance

As a platform that interfaces with Nigerian telecommunications networks, Sendar complies with NCC regulations governing the handling of telecommunications data:

  • Subscriber Data: Recipient phone numbers and network information are processed solely for delivery purposes.
  • DND Compliance: Sendar maintains an up-to-date copy of the NCC Do-Not-Disturb (DND) registry and filters all promotional messages against it.
  • Sender ID Registration: All sender IDs used on the Platform are registered with the relevant carriers in compliance with NCC guidelines.
  • Lawful Interception: Sendar cooperates with lawful interception requests from authorised law enforcement agencies.
  • Network Data Security: Carrier interconnection data is handled in accordance with NCC security guidelines.

15. Record of Processing Activities

Sendar maintains a comprehensive Record of Processing Activities (ROPA) as required by the NDPA 2023. The ROPA includes:

  • The name and contact details of the controller/processor and the DPO
  • The purposes of processing
  • Categories of data subjects and personal data
  • Categories of recipients
  • Details of cross-border transfers and safeguards
  • Retention periods for each category of data
  • A general description of technical and organisational security measures

The ROPA is reviewed and updated quarterly, and is available for inspection by the NDPC upon request.

16. Policy Review & Updates

This Data Protection Policy is reviewed at least annually, or more frequently where required by changes in legislation, regulatory guidance, business operations, or following a significant data breach. Reviews are conducted by the DPO in consultation with senior management and legal counsel.

Material changes to this Policy will be communicated to all relevant stakeholders at least 14 days before they take effect. A version history log is maintained for all changes.

17. Contact & Complaints

For any questions, concerns, or complaints regarding this Policy or Sendar's data protection practices, contact:

If you are not satisfied with our response, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng.

Data Protection FAQ

Common questions about our data protection practices.

Data Protection FAQ
(replace with data-protection-faq-image.webp)
Is Sendar registered with the NDPC?+
Yes. Sendar Technologies Ltd. is registered with the Nigeria Data Protection Commission (NDPC) as both a Data Controller and Data Processor in compliance with the Nigeria Data Protection Act 2023. Our registration details are available upon request.
How does Sendar protect my data?+
What happens if there is a data breach?+
Does Sendar conduct data protection impact assessments?+
How does Sendar handle telecom data?+

Ready to start messaging? Sign up and get your first credits today.

Subscribe to get our latest insights and news updates