๐Tailored to meet every industry use case effortlessly50% off
Privacy Policy
Last updated: April 2026
1. Introduction
This Privacy Policy ("Policy") explains how Sendar Technologies Ltd. ("Sendar", "we", "our", "us"), a company incorporated under the laws of the Federal Republic of Nigeria with its registered office at No 14, Ben Okagbue, Mba Street, Lekki Phase 1, Lagos, collects, uses, stores, discloses, and protects your personal data when you access or use the Sendar messaging platform ("Platform"), including our website, dashboard, APIs, and mobile applications.
This Policy is issued in compliance with the Nigeria Data Protection Act 2023 ("NDPA"), regulations issued by the Nigeria Data Protection Commission ("NDPC"), and applicable guidelines from the National Information Technology Development Agency ("NITDA") and the Nigerian Communications Commission ("NCC"). Where you process personal data of third parties (e.g., message recipients) through our Platform, you act as a Data Controller and Sendar acts as a Data Processor under the NDPA 2023.
By accessing or using the Platform, you acknowledge that you have read and understood this Policy. If you do not agree with any part of this Policy, you must discontinue use of the Platform immediately.
2. Data Controller & Data Protection Officer
For the purposes of the NDPA 2023, the Data Controller for personal data collected directly by Sendar (e.g., your account information) is:
- Data Controller: Sendar Technologies Ltd., No 14, Ben Okagbue, Mba Street, Lekki Phase 1, Lagos, Nigeria
- Registration Number: Registered with the Nigeria Data Protection Commission (NDPC) as a Data Controller and Data Processor
Sendar has appointed a Data Protection Officer ("DPO") as required under the NDPA 2023. For any data protection enquiries, requests, or complaints, contact:
- Data Protection Officer, Sendar Technologies Ltd.
- Email: support@sendar.io
- Address: No 14, Ben Okagbue, Mba Street, Lekki Phase 1, Lagos, Nigeria
You also have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng.
3. Personal Data We Collect
We collect and process the following categories of personal data:
- Account Data: Full name, email address, phone number, business name, business registration number (CAC number), job title, and password (hashed).
- Identity Verification Data: Government-issued identification documents, Bank Verification Number (BVN) verification status, and business incorporation documents as may be required for sender ID registration or regulatory compliance under the GAID (Government-Assigned Identifier Database) framework.
- Payment Data: Billing address, payment card details (tokenised by our payment processor), bank account details, transaction history, and wallet balance records.
- Messaging Data: Recipient phone numbers, email addresses, message templates, message content (retained for the applicable retention period), delivery status, timestamps, sender IDs, and channel metadata.
- Technical Data: IP address, browser type and version, operating system, device identifiers, access timestamps, referral URLs, pages visited, and API request logs.
- Usage Data: Features used, message volumes, campaign performance metrics, login frequency, and dashboard interaction patterns.
- Communications Data: Records of correspondence with our support team, feedback submitted, and survey responses.
4. How We Collect Data
We collect personal data through the following methods:
- Directly from you: When you register an account, complete your profile, make payments, configure messaging campaigns, submit support requests, or communicate with us.
- Automatically: Through cookies, server logs, API request logs, and analytics tools when you interact with our Platform.
- From third parties: Payment processors (Paystack, Flutterwave), identity verification services, telecommunications carriers (MTN, Airtel, Glo, 9Mobile), WhatsApp Business API, and publicly available business registries.
- Via our API: When your applications or systems interact with the Sendar API, we collect API keys, request payloads (including recipient data), response logs, webhook configurations, and error logs.
5. Lawful Bases for Processing
Under Section 25 of the NDPA 2023, we process your personal data on the following lawful bases:
- Contractual Necessity (Section 25(1)(b)): Processing necessary to perform our contract with you, including delivering messages, managing your account, processing payments, and providing customer support.
- Consent (Section 25(1)(a)): Where you have given explicit consent, such as for marketing communications, non-essential cookies, and optional analytics. You may withdraw consent at any time without affecting the lawfulness of prior processing.
- Legitimate Interest (Section 25(1)(f)): Processing necessary for our legitimate interests, including platform security, fraud prevention, service improvement, and aggregate analytics, provided these interests are not overridden by your fundamental rights.
- Legal Obligation (Section 25(1)(c)): Processing necessary to comply with Nigerian law, including NCC telecommunications regulations, anti-money laundering requirements, tax obligations (FIRS), and NDPC regulatory requests.
- Vital Interest (Section 25(1)(d)): In exceptional circumstances, processing necessary to protect the vital interests of a data subject or another person (e.g., emergency alert messaging).
6. How We Use Your Data
We use your personal data for the following purposes:
- Providing, operating, and maintaining the Platform and messaging services (SMS, WhatsApp, Email, Voice)
- Processing and delivering your messages across carrier networks and messaging channels
- Managing your account, wallet balance, and billing
- Verifying your identity and sender IDs in compliance with NCC regulations
- Detecting, preventing, and investigating fraud, spam, and platform abuse
- Enforcing our Terms & Conditions, Acceptable Use Policy, and other legal agreements
- Providing customer support and responding to your enquiries
- Sending transactional communications (account alerts, billing notifications, service updates)
- Sending marketing communications (with your consent) about new features, promotions, and industry insights
- Generating aggregate, anonymised analytics to improve our services
- Complying with legal, regulatory, and law enforcement obligations
- Conducting internal audits and maintaining security logs
7. Cookies & Tracking Technologies
Our Platform uses cookies and similar tracking technologies to enhance your experience. Categories of cookies we use include:
- Strictly Necessary Cookies: Essential for Platform operation, including session management, authentication, and security. These cannot be disabled.
- Functional Cookies: Remember your preferences (language, dashboard layout, timezone) to provide a personalised experience.
- Analytics Cookies: Help us understand how users interact with the Platform using tools such as Google Analytics and Mixpanel. These cookies collect anonymised data.
- Marketing Cookies: Used to deliver relevant advertisements and track campaign effectiveness across platforms. Only set with your explicit consent.
You can manage cookie preferences through your browser settings or our cookie consent banner. Disabling certain cookies may limit Platform functionality. For detailed information, see our Cookies Policy.
8. Data Sharing & Third-Party Disclosure
We do not sell your personal data. We share personal data only with the following categories of recipients, and only to the extent necessary:
- Telecommunications Carriers: MTN Nigeria, Airtel Nigeria, Globacom, and 9Mobile receive recipient phone numbers and message content to deliver SMS and voice messages. This sharing is governed by NCC regulations.
- WhatsApp / Meta: Recipient data and message content are shared with Meta Platforms to deliver WhatsApp Business API messages, subject to Meta's data processing terms.
- Payment Processors: Paystack and Flutterwave process your payment data. They are independent data controllers for payment processing under their own privacy policies.
- Cloud Infrastructure Providers: We use cloud hosting services to store and process data securely. All providers are contractually bound by data processing agreements.
- Email Delivery Partners: Third-party email infrastructure providers assist with email message routing and delivery.
- Identity Verification Services: For KYC and sender ID verification purposes as required by NCC and GAID framework requirements.
- Regulatory & Law Enforcement Authorities: We may disclose data to the NDPC, NCC, NITDA, EFCC, Nigeria Police Force, or other authorities when required by law, court order, or to protect our legal rights.
- Professional Advisors: Auditors, lawyers, and consultants who are bound by professional confidentiality obligations.
All third-party processors are required to provide adequate data protection safeguards under Section 30 of the NDPA 2023, including written data processing agreements, appropriate security measures, and data breach notification obligations.
9. International Data Transfers
Sendar primarily stores and processes data on servers located within Nigeria and West Africa. Where international transfers are necessary (e.g., cloud infrastructure, WhatsApp API, analytics tools), we ensure compliance with Section 41 of the NDPA 2023 by implementing:
- Transfers only to countries or organisations that provide an adequate level of data protection as determined by the NDPC
- Standard Contractual Clauses (SCCs) approved by the NDPC
- Binding Corporate Rules where applicable
- Explicit consent where no other safeguard is available and you have been informed of the risks
A record of all international data transfers, including recipient countries and safeguards applied, is maintained and available for inspection by the NDPC upon request.
10. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Specific retention periods:
- Account Data: Duration of active account plus 90 days after account closure
- Message Content: 90 days from date of sending (configurable for Enterprise plans)
- Message Metadata (delivery logs, timestamps): 12 months
- Payment & Billing Records: 7 years (as required by Nigerian tax law and FIRS regulations)
- API Logs: 12 months
- Audit & Security Logs: 3 years
- Marketing Consent Records: Duration of consent plus 3 years
- Support Correspondence: 2 years from resolution
After the applicable retention period, data is securely deleted or irreversibly anonymised. You may request earlier deletion of non-legally-required data by contacting our DPO.
11. Your Data Subject Rights
Under the NDPA 2023 (Part IV), you have the following rights in relation to your personal data:
- Right of Access (Section 34): Request a copy of the personal data we hold about you and information about how it is processed.
- Right to Rectification (Section 35): Request correction of inaccurate or incomplete personal data.
- Right to Erasure (Section 36): Request deletion of your personal data where it is no longer necessary, you withdraw consent, or processing is unlawful. Subject to legal retention requirements.
- Right to Data Portability (Section 39): Receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV) and transmit it to another controller.
- Right to Restrict Processing (Section 37): Request restriction of processing in certain circumstances, such as while we verify the accuracy of contested data.
- Right to Object (Section 38): Object to processing based on legitimate interest or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds.
- Right to Withdraw Consent: Withdraw consent at any time for processing based on consent, without affecting the lawfulness of prior processing.
- Right to Lodge a Complaint: File a complaint with the Nigeria Data Protection Commission (NDPC) if you believe your data protection rights have been violated.
To exercise any of these rights, contact our Data Protection Officer at support@sendar.io. We will respond within 30 days of receiving your request. We may request identity verification before processing your request. Requests are free of charge unless manifestly unfounded or excessive.
12. Data Security
Sendar implements comprehensive technical and organisational security measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction:
- Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher.
- Encryption at Rest: All personal data stored on our servers and databases is encrypted using AES-256 encryption.
- Access Controls: Role-based access control (RBAC) limits data access to authorised personnel on a need-to-know basis.
- Multi-Factor Authentication: MFA is required for all staff accessing production systems and is available for all user accounts.
- API Security: API keys are hashed, rate-limited, and can be IP-whitelisted. Webhook payloads are signed for verification.
- Audit Logging: All access to personal data is logged and monitored. Logs are retained for 3 years.
- Vulnerability Management: Regular penetration testing, dependency scanning, and security audits are conducted.
- Incident Response: A documented incident response plan is maintained and tested regularly.
- Infrastructure: Our infrastructure is hosted on ISO 27001-certified cloud platforms with physical security controls.
Despite these measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, and you acknowledge that you transmit data at your own risk.
13. Children's Data
The Sendar Platform is not directed at, and is not intended for use by, individuals under the age of 18. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact our DPO at support@sendar.io immediately. If we become aware that we have collected personal data from a child without verified parental consent, we will take steps to delete that data promptly in accordance with the NDPA 2023.
14. Automated Decision-Making
Sendar uses automated systems for the following purposes:
- Spam & Fraud Detection: Automated analysis of message patterns, content, and sending behaviour to detect and block spam, phishing, and fraudulent activity.
- DND Filtering: Automated checking of recipient numbers against the NCC Do-Not-Disturb (DND) registry to prevent messages to opted-out numbers.
- Credit Deduction: Automated wallet deductions based on message type, channel, and destination.
These automated processes do not produce legal effects or similarly significantly affect you. Where automated decisions significantly impact your account (e.g., suspension for suspected abuse), you have the right to request human review by contacting support@sendar.io.
15. API & Developer Data
If you use the Sendar API, the following additional data processing applies:
- API keys and secret tokens are generated upon request and stored in hashed form. You are responsible for securing your API credentials.
- API request and response payloads are logged for debugging and audit purposes and retained for 12 months.
- Webhook endpoint URLs and delivery logs are retained for the duration of your account.
- Rate-limiting data (request counts, timestamps) is processed in real-time and retained for 30 days.
- Sandbox/test environment data is retained for 30 days and then automatically purged.
You are the Data Controller for any personal data of third parties (e.g., message recipients) that you process through the Sendar API. You must ensure you have obtained appropriate lawful bases under the NDPA 2023 before submitting such data to our Platform.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Platform, or applicable law. When we make material changes:
- We will update the "Last updated" date at the top of this page.
- We will notify you via email and/or a prominent notice on the Platform at least 14 days before the changes take effect.
- For significant changes affecting your rights, we may require you to re-acknowledge the updated Policy.
Your continued use of the Platform after the effective date of any changes constitutes acceptance of the updated Policy. If you do not agree with the changes, you must stop using the Platform and close your account.
17. Governing Law & Jurisdiction
This Privacy Policy is governed by the laws of the Federal Republic of Nigeria, including the Nigeria Data Protection Act 2023, regulations issued by the Nigeria Data Protection Commission, and applicable NCC telecommunications regulations. Any disputes arising from this Policy shall be subject to the exclusive jurisdiction of the courts of Lagos State, Nigeria.
18. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:
- Data Protection Officer: support@sendar.io
- General Enquiries: support@sendar.io
- Phone: +234 707 893 1282
- Address: Sendar Technologies Ltd., No 14, Ben Okagbue, Mba Street, Lekki Phase 1, Lagos, Nigeria
We aim to respond to all enquiries within 2 business days, and to data subject rights requests within 30 days.
Privacy Policy FAQ
Common questions about how we handle your data.
(replace with privacy-faq-image.webp)