NDPA Compliance
This page sets out how Neuragrid Technologies Ltd ("Taxly") meets its obligations under the Nigeria Data Protection Act 2023 (NDPA) and its implementing instrument, the General Application and Implementation Directive (GAID) issued by the Nigeria Data Protection Commission (NDPC) on 20 March 2025 (effective 19 September 2025). The NDPA is the primary data protection law in Nigeria, replacing the Nigeria Data Protection Regulation (NDPR) 2019 which ceased to have effect upon the GAID's commencement.
1. Who We Are
Taxly is operated by Neuragrid Technologies Ltd, incorporated in Nigeria. As a Data Controller and, where we engage service providers, a Data Controller-Processor, we determine the purposes and means of processing your personal data in connection with our tax filing services.
- Company: Neuragrid Technologies Ltd
- Platform: Taxly — taxlytech.com
- Data Protection Officer: dpo@taxlytech.com
- Privacy enquiries: privacy@taxlytech.com
2. Lawful Basis for Processing
Under the NDPA 2023, we must have a lawful basis for each processing activity. We rely on the following bases:
| Processing Activity | Lawful Basis (NDPA 2023) |
|---|---|
| Account creation and identity verification | Contract — necessary to provide the service |
| Tax filing and NRS submission | Contract; Legal Obligation (tax law compliance) |
| Processing TaxProMax credentials | Contract — explicit consent at account setup, with clear disclosure |
| Financial records and payslips | Contract; Legal Obligation |
| Service communications and notifications | Contract; Legitimate Interest |
| Security monitoring and audit logs | Legitimate Interest; Legal Obligation |
| Marketing and product updates | Consent — opt-in only, revocable at any time |
3. Categories of Personal Data Processed
- Identity data: Full name, Tax Identification Number (TIN)
- Contact data: Email address, phone number
- Financial data: Income details, bank statements, payslips, VAT records
- Government portal credentials: TaxProMax username and password (encrypted at rest using AWS KMS — see our Security page)
- Filing records: Submitted tax returns, NRS document IDs, filing history
- Technical data: IP address, browser type, access logs (for security monitoring only)
4. Your Rights Under the NDPA 2023
The NDPA 2023 grants you the following rights over your personal data. To exercise any right, contact us at privacy@taxlytech.com — we will respond within 30 days.
- Right of Access — Request a copy of all personal data we hold about you.
- Right to Rectification — Request correction of inaccurate or incomplete data.
- Right to Erasure — Request deletion of your data, subject to legal retention obligations (we are required to retain certain tax records for 6 years under Nigerian tax law).
- Right to Restrict Processing — Ask us to limit how we use your data while a dispute is resolved.
- Right to Data Portability — Receive your data in a structured, machine-readable format.
- Right to Object — Object to processing based on legitimate interest, including direct marketing.
- Right to Withdraw Consent — Where processing is based on consent, you may withdraw it at any time without affecting prior lawful processing.
- Right against Automated Decision-Making — Object to decisions made solely by automated means that produce a legal or similarly significant effect on you, and request human review of such decisions.
You also have the right to lodge a complaint with the NDPC at ndpc.gov.ng if you believe your rights have been violated. We encourage you to contact us first at privacy@taxlytech.com.
5. Data Retention
We retain personal data only as long as necessary for the purposes for which it was collected, or as required by Nigerian law:
| Data Type | Retention Period | Reason |
|---|---|---|
| Account and identity data | Duration of account + 2 years after closure | Contract; legal obligation |
| Tax filing records and NRS documents | 6 years from filing date | FIRS record-keeping requirements |
| Financial documents (payslips, statements) | 6 years from filing date | Nigerian tax law |
| TaxProMax credentials | Until account deletion or credential removal | Service delivery |
| Security and audit logs | 2 years | Security monitoring; legal obligation |
| Marketing consent records | 5 years from last interaction | Proof of consent |
6. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify the NDPC within 72 hours of becoming aware of the breach
- Notify affected data subjects without undue delay where the breach is likely to result in high risk to their rights
- Document the breach, its nature, the categories and number of affected individuals, likely consequences, and remedial measures taken
7. Our DCMI Status and Regulatory Obligations
Under the NDPA 2023 and GAID, organisations that process personal data of more than 200 data subjects within any 6-month period qualify as a Data Controller of Major Importance (DCMI). Taxly meets this threshold.
As a DCMI, we are obligated to:
- Register with the Nigeria Data Protection Commission (NDPC)
- Appoint a qualified Data Protection Officer (DPO) — our DPO is reachable at dpo@taxlytech.com
- File annual Compliance Audit Returns (CAR) with the NDPC by 31 March each year covering the prior year's data processing activities
- Conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities
- Maintain a record of processing activities
8. Data Transfers and Third Parties
We process your data on Amazon Web Services (AWS) infrastructure, hosted in the us-east-1 (N. Virginia) region. This constitutes a cross-border data transfer under Section 43 of the NDPA 2023. Our transfer mechanism is an AWS Data Processing Addendum incorporating Standard Contractual Clauses, which provides an NDPA-compliant safeguard. AWS is additionally certified under ISO 27001, ISO 27017, ISO 27018, and SOC 2 Type II.
We share data with the following categories of third parties, under data processing agreements:
- NRS / TaxProMax — for submission of tax returns on your behalf (our core service)
- Boldmind Elite Solutions — our certified accounting partner, for filing review and audited financial statements
- Monnify — for payment processing (subject to Monnify's own NDPC compliance)
- AWS SES — for transactional email delivery (filing confirmations, notifications)
We do not sell, rent, or trade your personal data to any third party for their own marketing purposes.
9. Security Measures
We implement technical and organisational measures to protect your data. Key measures include:
- TaxProMax credentials encrypted at rest using AWS KMS with annual automatic key rotation
- All data in transit protected by TLS 1.2+
- DynamoDB tables encrypted at rest using AES-256
- Row-level access control via AWS IAM — each user can only access their own data
- Admin decryption of credentials logged with full audit trail (who accessed, when)
- AWS CloudTrail enabled for all API activity
Full details are available on our Security page.
10. Cookies and Tracking
We use strictly necessary cookies only — session tokens required for authentication. We do not use advertising cookies, third-party tracking cookies, or analytics cookies that collect personally identifiable information. No cookie consent banner is shown because no non-essential cookies are set.
11. Children's Data
Our services are intended for adults (18 and over). We do not knowingly collect personal data from persons under 18. If you believe a minor has provided us with their data, contact us at privacy@taxlytech.com and we will delete it promptly.
12. Changes to This Page
We may update this page as our practices evolve or as the NDPC issues new guidance. Material changes will be communicated by email to registered users at least 14 days before they take effect. The "Last updated" date at the top of this page always reflects the current version.
13. Contact Us
- Data Protection Officer: dpo@taxlytech.com
- Privacy enquiries: privacy@taxlytech.com
- General: hello@taxlytech.com
- Regulator: Nigeria Data Protection Commission — ndpc.gov.ng