Privacy Policy
This Privacy Policy explains how Neuragrid Technologies Ltd ("Taxly", "we", "us", "our"), operating the Taxly platform at taxlytech.com, collects, uses, stores, and protects your personal data. This policy is issued in compliance with the Nigeria Data Protection Act 2023 (NDPA) and the regulations of the Nigeria Data Protection Commission (NDPC).
We process your personal data on the lawful bases set out in Section 3 below. Where processing is based on consent, you may withdraw it at any time. Creating an account does not by itself constitute consent to all processing — each processing activity has its own lawful basis as described in this policy.
1. Data Controller
Neuragrid Technologies Ltd (in partnership with Boldmind Elite Solutions) is the data controller responsible for your personal data.
- Email: privacy@taxlytech.com
- Website: https://taxlytech.com
- Data Protection Officer: dpo@taxlytech.com
2. Personal Data We Collect
We collect the following categories of personal data:
| Category | Data Collected | Purpose |
|---|---|---|
| Identity Data | Full name, Tax Identification Number (TIN) | Tax filing, identity verification |
| Contact Data | Email address, phone number, state, LGA, filer type (individual or business) | Account management, notifications, filing |
| Tax Data | TIN (Tax Identification Number), income figures, deductions, tax computations | Preparing and submitting tax returns to NRS |
| Financial Documents | Bank statements, payslips, employment letters, invoices, audited financial statements (PDF uploads) | Supporting tax filings, audit compliance |
| Third-Party Credentials | TaxProMax username and password | Filing tax returns on your behalf via the NRS TaxProMax portal |
| Payment Data | Transaction references, subscription tier, payment status | Processing subscription payments via Monnify |
| Technical Data | IP address, browser type, device information | Security, fraud prevention, service improvement |
3. Lawful Basis for Processing
Under Section 25 of the NDPA 2023, we process your personal data on the following lawful bases:
- Consent (Section 25(1)(a)): You provide explicit consent when creating your account and agreeing to these terms. You may withdraw consent at any time (see Section 10 below).
- Performance of a Contract (Section 25(1)(b)): Processing is necessary to provide the tax filing services you have subscribed to.
- Legal Obligation (Section 25(1)(c)): We are required to maintain certain records for tax compliance and regulatory purposes.
- Legitimate Interest (Section 25(1)(f)): Fraud prevention, security monitoring, and service improvement, where such interests are not overridden by your rights.
4. How We Use Your Data
- Preparing and submitting your tax returns (PIT, CIT, VAT, WHT) to the Nigeria Revenue Service via TaxProMax
- Processing subscription payments through Monnify
- Sending transactional emails: verification codes, password resets, filing status notifications
- Providing audited financial statement services
- Maintaining audit trails for regulatory compliance
- Preventing fraud and ensuring platform security
- Improving our services based on aggregated, anonymised usage patterns
5. Third Parties We Share Data With
| Third Party | Data Shared | Purpose | Safeguards |
|---|---|---|---|
| Nigeria Revenue Service (NRS) via TaxProMax | Tax returns, TIN, income data, supporting documents | Filing your tax returns as instructed by you | Government system; data shared only on your instruction |
| Monnify (payment processor) | Name, email, payment amount, transaction reference | Processing subscription payments | PCI-DSS compliant; Monnify's own privacy policy applies |
| Amazon Web Services (infrastructure) | All data (as data processor) | Cloud hosting, storage, encryption | AWS Data Processing Addendum; SOC 2 Type II certified; encryption at rest and in transit |
We do not sell, rent, or trade your personal data to any third party for marketing purposes.
6. Cross-Border Data Transfer
Your data is stored on Amazon Web Services infrastructure in the United States (us-east-1 region). Under Section 43 of the NDPA 2023, cross-border transfers are permitted where adequate safeguards exist. Our safeguards include:
- AWS Data Processing Addendum with Standard Contractual Clauses
- Encryption at rest (AES-256) and in transit (TLS 1.2+)
- AWS SOC 2 Type II and ISO 27001 certifications
- Partition-level access isolation (users cannot access other users' data)
- KMS encryption with per-user encryption context for sensitive credentials
7. Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Account data (name, email, phone) | Duration of account + 6 months after deletion request | Service provision; allow account recovery |
| Tax filings and supporting documents | 7 years from filing date | Nigerian tax law requires retention of tax records for 6 years; we add 1 year buffer |
| Payment records | 7 years | Financial record-keeping obligations |
| TaxProMax credentials | Duration of account; deleted immediately on account closure | Required only while actively filing on your behalf |
| Audit logs | 3 years | Security and compliance monitoring |
| Technical logs | 90 days | Debugging and security incident investigation |
8. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption at rest for all stored data (AWS-managed encryption keys)
- KMS encryption with per-user context for TaxProMax credentials
- TLS 1.2+ encryption for all data in transit
- IAM-enforced tenant isolation — each user can only access their own data partition
- Content Security Policy (CSP) headers preventing cross-site scripting
- WAF rate limiting to prevent abuse
- Input sanitisation to prevent stored XSS attacks
- Regular security assessments of our infrastructure
For full details, see our Security page.
9. Your Rights Under the NDPA 2023
Under the Nigeria Data Protection Act 2023, you have the following rights:
- Right of Access (Section 34): Request a copy of all personal data we hold about you.
- Right to Rectification (Section 35): Request correction of inaccurate or incomplete data.
- Right to Erasure (Section 36): Request deletion of your personal data, subject to legal retention obligations (e.g., tax records must be kept for 7 years).
- Right to Data Portability (Section 37): Receive your data in a structured, machine-readable format.
- Right to Object (Section 38): Object to processing based on legitimate interest.
- Right to Restrict Processing (Section 39): Request that we limit how we use your data.
- Right to Withdraw Consent: Withdraw your consent at any time by contacting us or deleting your account.
- Right against Automated Decision-Making: Object to decisions made solely by automated means that have a significant legal or similar effect on you, and request human review.
To exercise any of these rights, email privacy@taxlytech.com. We will respond within 30 days as required by the NDPA.
10. Withdrawal of Consent
You may withdraw your consent to data processing at any time by:
- Deleting your account from the Profile & Settings page
- Emailing privacy@taxlytech.com with your request
Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal. Note that certain data (completed tax filings) must be retained under Nigerian tax law regardless of consent withdrawal.
11. Children's Data
Taxly is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a person under 18, we will delete it promptly.
12. Cookies and Tracking
Taxly uses only essential cookies required for authentication and session management. We do not use advertising cookies, analytics trackers, or third-party tracking pixels. No data is shared with advertising networks.
13. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify the Nigeria Data Protection Commission (NDPC) within 72 hours of becoming aware of the breach, as required by Section 40 of the NDPA 2023
- Notify affected data subjects without undue delay where the breach is likely to result in high risk
- Document the breach, its effects, and remedial actions taken
14. Complaints
If you believe your data protection rights have been violated, you have the right to lodge a complaint with:
- Nigeria Data Protection Commission (NDPC)
Website: https://ndpc.gov.ng
We encourage you to contact us first at privacy@taxlytech.com so we can resolve your concern directly.
15. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to your registered address at least 14 days before taking effect. The "Last updated" date at the top of this page indicates when the policy was last revised.
16. Contact Us
For any questions about this Privacy Policy or your personal data:
- General enquiries: hello@taxlytech.com
- Privacy & data requests: privacy@taxlytech.com
- Data Protection Officer: dpo@taxlytech.com