Privacy Policy
Zionstand Digital Technologies | Staxis
This Privacy Policy ("Policy") explains how Zionstand Digital Technologies Limited ("ZDT", "we", "us", or "our") collects, processes, stores, and protects personal data when you use our Staxis managed digital-support service ("Service"). We are committed to protecting your privacy and handling your data transparently, lawfully, and in accordance with the Nigeria Data Protection Act 2023 ("NDPA") and any other applicable data protection laws.
1. About This Policy
This Policy applies to all individuals whose personal data we process in connection with Staxis, including:
- Clients — organisations and businesses that subscribe to the Service.
- Authorised Users — employees, agents, or contractors of a Client who access Staxis on the Client's behalf.
- Visitors — individuals who visit our website (staxis.zionstand.com) without subscribing.
By using the Service or our website, you acknowledge that you have read and understood this Policy.
2. Who We Are
Data Controller:
Zionstand Digital Technologies Limited
RC Number: 7676055
Nigeria
For all data-protection enquiries, contact our Data Protection Officer (DPO) at: staxis@zionstand.com
3. Data Protection Roles
| Role | Who | Responsibility |
|---|---|---|
| Data Controller | ZDT | Determines the purposes and means of processing personal data collected directly by ZDT (account management, billing, communications). |
| Data Processor | ZDT | Processes Client System Data strictly on the Client's instructions under a Data Processing Agreement ("DPA"). |
| Data Controller | Client | Retains control over personal data held in the Client's own systems; responsible for its own compliance. |
Where we act as a Processor, a separate DPA governs our obligations and is incorporated into the Staxis subscription agreement.
4. What Personal Data We Collect
| Category | Examples | Source |
|---|---|---|
| Identity Data | Full name, job title, company name, business registration number | Provided by you during onboarding |
| Contact Data | Business email address, business phone number, business address | Provided by you during onboarding or support requests |
| Account Data | Username, hashed password, subscription plan, payment status | Generated on account creation |
| Financial Data | Paystack customer code, subscription code, transaction reference, amount paid | Paystack payment gateway |
| Usage Data | Log-in timestamps, support ticket history, service usage metrics | Automatically collected via the platform |
| Technical Data | IP address, browser type, device identifiers, cookies | Automatically collected via the website |
| Communications Data | Support messages, emails, chat logs | Provided by you when contacting support |
We do not intentionally collect special categories of personal data (e.g. health, biometric, political, or religious data). If you inadvertently submit such data, please notify us immediately.
5. Client System Data
As part of delivering Staxis managed services (e.g. website maintenance, IT support, data intelligence), our technical staff may access systems, databases, or files that contain personal data belonging to a Client's own end-users ("Client System Data").
- We access Client System Data only to the extent necessary to provide the contracted service.
- We act solely as a Data Processor; the Client remains the Data Controller.
- We do not use Client System Data for our own purposes, share it with third parties (except sub-processors listed in Section 8), or retain it beyond the service engagement.
- All access is logged and subject to our security controls (Section 9).
6. How We Use Your Data
| Purpose | Legal Basis (NDPA) |
|---|---|
| Create and manage your Staxis account | Contract performance |
| Process payments and manage subscriptions | Contract performance |
| Deliver managed digital support services | Contract performance |
| Send service-related communications (tickets, invoices) | Contract performance / Legitimate interest |
| Send marketing communications (new features, offers); opt-out available | Legitimate interest / Consent (where required) |
| Comply with legal obligations (tax, audit) | Legal obligation |
| Prevent fraud and secure the platform | Legitimate interest |
| Improve the Service through analytics | Legitimate interest |
| Resolve disputes and enforce our Terms of Service | Legitimate interest / Legal obligation |
We will not use your personal data in a manner that is incompatible with the purposes set out above.
7. Legal Bases for Processing
Under the NDPA, we rely on the following legal bases:
- Contract: Processing is necessary to perform the Staxis subscription agreement.
- Legal Obligation: Processing is required to comply with Nigerian law (e.g. FIRS tax records, CAMA obligations).
- Legitimate Interests: We process data for fraud prevention, platform security, and service improvement, provided our interests are not overridden by your rights.
- Consent: Where we rely on consent (e.g. optional marketing emails), you may withdraw it at any time without affecting the lawfulness of prior processing.
8. Sharing & Sub-Processors
We share personal data only where necessary. Current sub-processors and recipients:
| Recipient | Purpose | Location |
|---|---|---|
| Paystack | Payment processing and subscription management | Nigeria / Global |
| Neon (PostgreSQL) | Cloud database hosting | USA (AWS us-east-1) |
| Amazon Web Services (S3) | File and media storage (e.g. company logos) | USA / Global |
| Mailjet | Transactional email delivery | France / EU |
| Jotform | In-app support chat agent | USA |
| Legal / regulatory authorities | Compliance with court orders or statutory requests | Nigeria |
We do not sell, rent, or trade your personal data to third parties for their own marketing purposes.
9. Security Measures
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or alteration, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256 where applicable)
- HTTP-only, secure JWT cookies with short expiry (access tokens: 15 minutes)
- Bcrypt hashing for all stored passwords (no plaintext passwords stored)
- Role-based access control (RBAC) limiting staff access
- Regular dependency and vulnerability scanning
- All third-party sub-processors vetted for their own security certifications
Despite these measures, no internet transmission is 100% secure. If you suspect a data breach, contact us immediately at staxis@zionstand.com.
10. Data Retention
| Data Category | Retention Period | Basis |
|---|---|---|
| Account and identity data | Duration of subscription + 12 months after closure | Contract / Legitimate interest |
| Financial / transaction records | 7 years from transaction date | Legal obligation (FIRS, CAMA) |
| Support communications | 3 years from last interaction | Legitimate interest (dispute resolution) |
| Usage and technical logs | 90 days rolling | Legitimate interest (security) |
| Client System Data (as Processor) | Deleted or returned within 30 days of service termination | Contractual obligation (DPA) |
| Marketing consent records | Until consent withdrawn + 12 months | Consent |
Where we are required by law to retain data beyond these periods, we will do so and inform you accordingly.
11. International Data Transfers
Some of our sub-processors (e.g. Neon, AWS, Mailjet, Jotform) are located outside Nigeria. Where personal data is transferred internationally, we ensure adequate protection through:
- Standard Contractual Clauses (SCCs) or equivalent contractual safeguards
- Transfers only to jurisdictions recognised as adequate by the Nigeria Data Protection Commission ("NDPC"), or
- Explicit consent where the above mechanisms are unavailable
Details of the safeguards applied to each transfer are available on request.
12. Your Rights
Under the NDPA, you have the following rights regarding your personal data:
| Right | What It Means |
|---|---|
| Access | Request a copy of the personal data we hold about you. |
| Rectification | Ask us to correct inaccurate or incomplete data. |
| Erasure | Request deletion of your data where there is no lawful reason to retain it. |
| Restriction | Ask us to restrict processing while a dispute is being resolved. |
| Portability | Receive your data in a structured, machine-readable format. |
| Objection | Object to processing based on legitimate interests or for direct marketing. |
| Withdraw Consent | Withdraw consent at any time where processing relies on consent. |
| Complaint | Lodge a complaint with the NDPC (ndpb.gov.ng) if you believe your rights have been violated. |
To exercise any of these rights, email staxis@zionstand.com with the subject line "Data Subject Request". We will respond within 30 days. We may ask you to verify your identity before processing the request.
13. Data Subjects of Clients
If you are an individual whose personal data has been processed by ZDT on behalf of a Client (i.e. you are a customer or employee of one of our subscribers), please contact that Client directly as they are the Data Controller for your data.
We will cooperate with Clients to fulfil data subject requests under the terms of our DPA.
14. Cookies & Tracking Technologies
| Cookie Type | Purpose | Duration |
|---|---|---|
| Strictly Necessary | Authentication tokens (HTTP-only JWT access & refresh cookies) — required for platform functionality | Session / 30 days |
| Functional | Remembering preferences (e.g. theme) | Persistent (1 year) |
| Analytics | Measuring site usage and performance (anonymised where possible) | Up to 2 years |
Strictly necessary cookies are set without consent as they are essential to the Service. You can manage optional cookies through your browser settings; however, disabling certain cookies may affect platform functionality.
15. Changes to This Policy
We may update this Policy periodically to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:
- Update the "Last Reviewed" date at the top of this page
- Notify subscribed users via email at least 14 days before changes take effect (for material changes)
- Display a notice on the Staxis dashboard
Continued use of the Service after the effective date constitutes acceptance of the updated Policy.
16. Contact & Complaints
For all privacy-related queries, requests, or complaints, please contact:
Data Protection Officer
Zionstand Digital Technologies Limited
RC Number: 7676055, Nigeria
staxis@zionstand.com
If you are unsatisfied with our response, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpb.gov.ng.
This Policy is governed by the laws of the Federal Republic of Nigeria.
