Privacy Policy

The data controller responsible for your personal information collected through the Votar platform is Konzi Tech Ltd, trading as Votar, reachable at konzitech@gmail.com. For privacy and data protection enquiries, you may also contact our Data Protection Officer at Okonirene1@gmail.com.

Your personal data is stored and processed within the Federal Republic of Nigeria on Oracle Cloud Infrastructure (OCI Nigeria Region). We operate in accordance with the Nigeria Data Protection Act 2023 (NDPA) and the Nigeria Data Protection Regulation 2019 (NDPR).

This Privacy Policy applies to all personal data collected, processed, and stored by Konzi Tech Ltd through the Votar platform. It covers:

• All visitors to www.votar.ng
• Registered voters using the Votar platform to cast votes in any election
• Election organisers who create and manage elections on the platform
• Candidates nominated in elections managed through Votar
• Individuals who contact us through any official Votar channel

This policy applies to both service tiers — Votar Pro (for verified, closed elections) and Free Votar (for open community voting) — and covers data collected via our web application, mobile-responsive interface, API integrations, and all associated communication channels.

This policy does not apply to third-party websites or services you may access via links on the Votar platform. Those services are governed by their own privacy policies.

We collect the minimum personal data necessary to deliver a secure, reliable, and transparent e-voting experience.

We process your personal data only for specific, documented purposes. For each purpose, we rely on a lawful basis under the Nigeria Data Protection Act 2023 (NDPA).

1. Account creation & authentication

   To create your Votar account, verify your identity, and securely log you in using password + OTP / TOTP multi-factor authentication.

   Lawful basis: Performance of contract; Legitimate interest

2. Election access & voter verification

   To confirm your eligibility to vote, issue your ballot, record your participation, and prevent duplicate votes.

   Lawful basis: Performance of contract; Legitimate interest

3. OTP & transactional communications

   To send one-time passwords, election access codes, registration confirmations, results notifications, and security alerts via SMS and email.

   Lawful basis: Performance of contract; Legitimate interest

4. Election management

   To enable organisers to configure elections, manage voter rolls, monitor participation, and publish certified results.

   Lawful basis: Performance of contract

5. Platform security & fraud prevention

   To detect and prevent unauthorised access, abuse, duplicate voting, bot activity, and other fraudulent behaviour.

   Lawful basis: Legitimate interest; Legal obligation

6. Technical operation & improvement

   To maintain uptime, diagnose errors, improve platform performance, and resolve technical issues.

   Lawful basis: Legitimate interest

7. Audit trail maintenance

   To maintain a tamper-evident, append-only log of all election system events for integrity verification and post-election review.

   Lawful basis: Legal obligation; Legitimate interest

8. Legal compliance

   To comply with applicable Nigerian laws, respond to lawful regulatory or law enforcement requests, and maintain required records.

   Lawful basis: Legal obligation

9. Customer support

   To respond to your enquiries, resolve disputes, and provide technical assistance.

   Lawful basis: Performance of contract; Legitimate interest

10. Payment processing (organisers)

    To facilitate payment for election services via Paystack and bank transfers.

    Lawful basis: Performance of contract

We do not use your personal data for advertising, marketing profiling, or sale to data brokers.

This is the most fundamental privacy guarantee of any voting platform. Votar is architecturally designed so that no person — including Votar's own engineers, the election organiser, or any system administrator — can determine how any individual voter voted. This is not a policy statement alone; it is a technical guarantee built into the platform's architecture.

We do not sell, rent, trade, or otherwise commercially transfer your personal data to any third party. We share data only in the following limited circumstances:

1. With Election Organisers

   When you participate in an election, the organiser can access the information described in Section 5. By participating, you acknowledge that the organiser has access to your registration details and participation status. Organisers are themselves bound by applicable data protection obligations.

2. With Third-Party Service Providers

   We engage carefully selected technology providers who act as data processors under our instruction. They are contractually bound by data processing agreements that restrict their use of your data to the specific purpose for which it is shared. See Section 7 for the full list.

3. For Legal & Regulatory Compliance

   We may disclose your personal data to law enforcement agencies, regulatory authorities, or courts where required by applicable Nigerian law or a valid court order. In such cases, we will verify the legal validity of the request, disclose only the minimum data required, and notify you to the extent permitted by law.

4. Business Transfers

   In the event of a merger, acquisition, or sale of Konzi Tech Ltd or its assets, your personal data may be transferred to the successor entity. We will provide advance notice and any successor entity will be bound by the terms of this Privacy Policy.

5. With Your Consent

   We may share your personal data with any other third party where we have obtained your explicit, informed, and freely-given consent. You may withdraw this consent at any time by contacting konzitech@gmail.com.

The following third-party services are currently used to operate the Votar platform. Each provider acts as a data processor under our instruction and is bound by a data processing agreement.

• Oracle Cloud Infrastructure (OCI)

  Cloud hosting, database, object storage, backup, and secrets management. All data remains within Nigeria (OCI Nigeria Region).

• Termii (Primary SMS Gateway)

  Delivery of OTPs and voter notifications via SMS. NCC-registered Nigerian SMS provider.

• Twilio (Fallback SMS Gateway)

  Backup SMS delivery for OTPs if the primary gateway is unavailable. Governed by Standard Contractual Clauses.

• Zoho (Email Delivery)

  Delivery of transactional emails — confirmations, results, and security alerts. Encrypted in transit via TLS.

• Paystack (Payment Processing)

  Processing organiser subscription and election service payments. PCI-DSS Level 1 certified. No card data reaches Votar servers.

• GitHub Actions (CI/CD)

  Automated code testing, security scanning, and deployment pipeline. No production voter data is used in CI/CD environments.

We review our sub-processor list regularly. Any material changes will be reflected in an updated version of this Privacy Policy, and users will be notified as described in Section 16.

Your personal data is stored and processed within the Federal Republic of Nigeria on Oracle Cloud Infrastructure's Nigeria region. All voter and election data is subject to Nigerian law and remains within Nigerian territory.

Where sub-processors such as Twilio and Zoho may process limited technical data (such as an OTP delivery request or an email address) outside Nigeria, such transfers are governed by contractual data processing agreements, Standard Contractual Clauses (SCCs), and transmission exclusively over encrypted channels (TLS 1.3).

No electoral content data — vote records, ballot data, or election audit logs — ever leaves Nigerian territory.

We retain your personal data only for as long as is necessary for the purposes for which it was collected, or as required by applicable Nigerian law.

• Account dataDuration of account + 12 months post-closure
• Voter participation records12 months after election close date
• Ballot data (anonymised vote records)36 months after election close date
• Audit event logs36 months after election close date
• OTP delivery logs6 months
• Transactional email logs6 months
• Support communications24 months after ticket closure
• Technical / server logs90 days (rolling)
• Payment records (organisers)7 years — as required by Nigerian financial record-keeping obligations under CAMA 2020

Upon expiry of the applicable retention period, personal data is securely and permanently deleted or irreversibly anonymised. You may request early deletion by exercising your Right to Erasure under Section 12.

Konzi Tech Ltd implements a comprehensive, layered security programme to protect your data against unauthorised access, disclosure, alteration, and destruction.

Despite our best efforts, no internet-based system can guarantee absolute security. If you suspect your Votar account has been compromised, please contact us immediately at konzitech@gmail.com.

Votar uses a small number of strictly necessary technical cookies and session tokens to operate the platform securely. We do not use advertising cookies, tracking pixels, or behavioural profiling technologies.

• Session Cookie Strictly Necessary

  Maintains your authenticated session while you are actively using the platform. Expires on browser close.

• Refresh Token Cookie Strictly Necessary

  An HTTP-only, SameSite=Strict cookie that allows session renewal without re-login. Rotates on every use. Expires after 7 days or on logout.

• CSRF Token Strictly Necessary

  Cross-Site Request Forgery protection token embedded in authenticated forms. Per-session duration.

• Preference Cookie Functional

  Stores your language and display preferences if you have set them. Expires after 12 months.

We do not use Google Analytics, Facebook Pixel, or any similar third-party tracking technology. Because we use only strictly necessary and functional cookies, we do not display a cookie consent banner — these are required for the platform to function. If we ever introduce optional cookies, we will obtain your prior consent.

Under the Nigeria Data Protection Act 2023 (NDPA) and the Nigeria Data Protection Regulation (NDPR), you have the following rights with respect to your personal data:

1. Right to Information

   You have the right to be informed about how your personal data is collected, used, and shared — which this Privacy Policy fulfils.

2. Right of Access

   You may request a copy of all personal data we hold about you (a Subject Access Request). Email konzitech@gmail.com to submit a request.

3. Right to Rectification

   If any personal data we hold is inaccurate or incomplete, you may have it corrected via your account settings or by contacting us.

4. Right to Erasure

   You may request deletion of your personal data, subject to legal retention obligations (e.g. audit logs required by law).

5. Right to Restrict Processing

   You may request that we limit how we use your data while a dispute about its accuracy or our legitimate interests is being resolved.

6. Right to Data Portability

   You may request your personal data in a structured, machine-readable format (JSON or CSV) for transfer to another service.

7. Right to Object

   You may object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling grounds.

8. Right to Withdraw Consent

   Where we rely on your consent as a legal basis, you may withdraw it at any time without affecting the lawfulness of prior processing.

9. Right to Lodge a Complaint

   If you believe we have violated your data protection rights, you may lodge a complaint with the Nigeria Data Protection Commission (NDPC) at www.ndpb.gov.ng.

We will respond to all verified data subject requests within 30 days of receipt. In complex cases, this may be extended by a further 60 days with prior notice. We will never charge a fee unless a request is manifestly unfounded or excessive.

The Votar platform is not intended for use by persons under the age of 18. We do not knowingly collect or process the personal data of minors. All users are required to confirm they are 18 years of age or older at the point of registration.

If you are a parent or guardian and believe your child has created a Votar account, please contact us immediately at konzitech@gmail.com. Upon verification, we will promptly delete the account and all associated personal data. Note that for elections conducted by student associations or educational institutions, the organising institution is responsible for ensuring appropriate voter age eligibility rules are applied.

Votar does not make any automated decisions about you that produce legal or similarly significant effects. We do not use profiling, machine learning, or artificial intelligence to evaluate, score, or classify individual users in ways that affect their rights, eligibility, or access to services.

Automated processes on the platform are limited to:

• Duplicate vote detection — a database-level constraint that prevents the same voter from casting more than one ballot in the same election.
• Brute-force lockout — automatic temporary account lockout after five consecutive failed login attempts. Contact support to unlock your account.
• Rate limiting — automatic throttling of API requests to prevent abuse.

If an automated security process incorrectly restricts your access, you have the right to request human review by contacting konzitech@gmail.com.

The Votar platform may contain links to external websites, election result pages hosted by organising bodies, or documentation resources. These external sites are not operated by Konzi Tech Ltd and are not governed by this Privacy Policy. We have no control over, and accept no responsibility for, their content, privacy practices, or data security. We encourage you to review the privacy policy of any external site you visit.

We review and update this Privacy Policy periodically to reflect changes in our data practices, legal requirements, and platform features. The version number and effective date at the top of this document will always reflect the most current version.

Where we make material changes — changes that significantly affect how we collect, use, or share your personal data — we will notify you by displaying a prominent notice on the platform at login, sending an email notification to the address associated with your account, and where required by law, obtaining your renewed consent before the changes take effect.

Your continued use of the Votar platform after the effective date of a revised Privacy Policy constitutes your acceptance of the updated terms. If you do not agree with any updates, you should discontinue use of the platform and contact us to delete your account. All previous versions of this Privacy Policy are archived and available upon request.

If you have any questions, concerns, or requests relating to this Privacy Policy or the handling of your personal data, please reach out to us. We are committed to responding promptly and resolving all data protection matters seriously and respectfully.

• General, Privacy & Security Enquirieskonzitech@gmail.com
• Data Protection OfficerOkonirene1@gmail.com
• Company Websitewww.votar.ng
• Response CommitmentWe acknowledge enquiries within 2 business days and aim to resolve them within 30 days.
• Nigeria Data Protection Commissionwww.ndpb.gov.ng (for escalated complaints)