Privacy Policy
Last Updated: November 28, 2025
At Ekogni, we are committed to protecting your privacy and personal information. This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use our computer-based testing (CBT) platform.
This policy complies with the Nigeria Data Protection Regulation (NDPR) 2019 and other applicable data protection laws. By using our Service, you consent to the data practices described in this policy.
Quick Summary: We collect your name, email, student/staff ID, and profile picture (optional) to provide our CBT platform. We store data in the EU (Ireland) and share it only with payment processors (Paystack), email providers (Postmark), and security services (hCaptcha). You can request access, correction, or deletion of your data at any time by contacting support@ekogni.com.
1. Information We Collect
1.1 Information You Provide Directly
When you create an account:
- Personal Information: First name, middle name (optional), last name, email address
- Account Credentials: Password (hashed using industry-standard bcrypt)
- Role Information: Your role (student, teacher/instructor)
- Identification: Student ID or staff ID number
- Profile Picture (Optional): Image file converted to base64 format (maximum 5MB)
For institutional accounts:
- Organization Information: School/organization name, organization email domain (e.g., schoolname.edu.ng)
- Contact Information: Phone number (optional)
- Billing Contact: Name and email of the person responsible for payments
Payment Information:
- Payment information (credit/debit card details, bank account information) is collected and processed by Paystack, our third-party payment processor. We do NOT store your payment card details on our servers.
- We receive and store transaction references, payment status, amounts paid, and Paystack customer IDs.
1.2 Information Collected Automatically
Technical Data:
- Device Information: Browser type, operating system, device type
- Usage Data: Pages visited, features used, time spent on platform, exam activity
- IP Address: Your Internet Protocol (IP) address (logged by our hosting provider)
- Session Data: Authentication tokens (JWTs managed by Supabase; short-lived and expire automatically)
- Cookies: Session cookies to maintain your login state (essential for platform functionality)
Exam Activity Data:
- Exams you create or take
- Questions and answers submitted
- Exam scores and grading results
- Anti-cheating event logs (e.g., blur detection triggers)
1.3 Information from Third Parties
- hCaptcha: CAPTCHA verification tokens to prevent automated bot access (subject to hCaptcha's Privacy Policy)
- Paystack: Payment confirmation data, transaction status, customer identifiers
2. How We Use Your Information
We use your personal information for the following purposes:
2.1 To Provide and Improve Our Service
- Create and manage your account
- Authenticate your identity when you log in
- Enable you to create, store, and administer exams
- Provide offline exam functionality
- Grade exams automatically
- Display your profile information (name, profile picture)
- Track exam history and performance
2.2 To Manage Subscriptions and Billing
- Process payments through Paystack
- Track subscription status and expiration dates
- Send billing receipts and payment confirmations via email
- Send payment failure notifications
- Manage organizational licenses, seat usage, and billing events
- Process refund requests (if applicable)
2.3 To Communicate with You
- Send account verification emails
- Send password reset emails
- Send billing receipts and payment reminders
- Notify you of subscription expiration or renewal
- Send join request notifications (for institutional accounts)
- Respond to support inquiries (support@ekogni.com)
- Send important service updates or policy changes
2.4 To Ensure Security and Prevent Abuse
- Detect and prevent cheating during exams (blur detection, suspicious activity monitoring)
- Prevent unauthorized access, fraud, and abuse
- Monitor for violations of our Terms of Service and Acceptable Use Policy
- Maintain audit logs of organizational activity (for institutional accounts)
- Verify CAPTCHA challenges to prevent bot access
2.5 To Comply with Legal Obligations
- Respond to legal requests from law enforcement or government authorities
- Comply with Nigerian tax and financial regulations (billing records retained for 6 years as required by the Companies Income Tax Act)
- Enforce our legal rights and Terms of Service
3. How We Store and Protect Your Information
3.1 Data Storage Location
Your personal data is stored in the European Union (EU-West-1 region - Ireland) using Supabase's PostgreSQL database infrastructure. This constitutes a cross-border data transfer from Nigeria to the EU.
NDPR Compliance: We rely on the following safeguards for cross-border data transfer:
- Supabase complies with industry-standard data protection practices
- Data is encrypted in transit (HTTPS/TLS) and at rest
- We implement Row-Level Security (RLS) policies to restrict data access
- Your data is only transferred to the EU for the purpose of providing the Service to you
3.2 Security Measures
We implement industry-standard security measures to protect your data:
- Encryption: All data transmitted between your device and our servers is encrypted using HTTPS/TLS
- Password Protection: Passwords are hashed using bcrypt and never stored in plain text
- Access Controls: Database access is restricted using Row-Level Security (RLS) policies and authentication tokens
- Regular Backups: We maintain regular database backups to prevent data loss
- Monitoring: We monitor for suspicious activity and unauthorized access attempts
3.3 Data Retention
Active Accounts: We retain your personal data for as long as your account is active and you continue to use the Service.
Closed Accounts: If you close your account or your subscription expires, we will delete your personal data within 90 days, except where we are legally required to retain it.
Legal Retention Requirements:
- Billing Records: Retained for 6 years to comply with Nigerian tax and financial regulations (Companies Income Tax Act Section 55)
- Audit Logs (Institutional): Retained for 2 years for security and compliance purposes
- Transaction History: Retained for 6 years for financial record-keeping and tax compliance
4. How We Share Your Information
We do NOT sell, rent, or trade your personal information to third parties for marketing purposes. We only share your data with the following trusted service providers:
4.1 Third-Party Service Providers
Paystack (Payment Processing):
- Processes all subscription payments
- Receives payment card details, billing information, and transaction data
- Subject to Paystack's Terms and Privacy Policy
Postmark (Email Delivery):
- Sends transactional emails (billing receipts, password resets, account notifications)
- Receives your email address and name for email delivery purposes
- Subject to Postmark's Privacy Policy
Supabase (Database and Authentication):
- Hosts our database in the EU (Ireland)
- Manages user authentication (login/logout)
- Stores all user data, exams, and organizational information
- Subject to Supabase's Privacy Policy
hCaptcha (CAPTCHA Verification):
- Verifies that users are human (not bots) during signup and sensitive actions
- May collect browser information and IP address
- Subject to hCaptcha's Privacy Policy
For the current and always-up-to-date list of our subprocessors, please see our Subprocessors page.
4.2 Legal Disclosures
We may disclose your information if required by law or in response to:
- Valid legal requests from Nigerian law enforcement or government agencies
- Court orders or subpoenas
- Protection of our legal rights, safety, or property
- Prevention or investigation of fraud, security incidents, or illegal activities
4.3 Organizational Data Sharing (Institutional Accounts)
If you are part of an institutional (school) account:
- Your profile information (name, email, role, student/staff ID) is visible to Organization Owners and Admins
- Organization Owners and Admins can view your membership status and activity logs
- Exams and content created by teachers under institutional licenses belong to the institution, not the individual teacher
5. Your Rights Under Nigerian Data Protection Regulation (NDPR)
Under the NDPR, you have the following rights regarding your personal data:
5.1 Right to Access
You have the right to request a copy of all personal data we hold about you. To request your data, contact us at support@ekogni.com with the subject line "Data Access Request."
5.2 Right to Correction
You can update your account information (name, email, profile picture, student ID) at any time by logging into your account and visiting the Account Settings page. If you need assistance, contact support@ekogni.com.
5.3 Right to Deletion (Right to be Forgotten)
You can request deletion of your account and personal data by contacting support@ekogni.com with the subject line "Account Deletion Request." We will delete your data within 90 days, except where we are legally required to retain it (e.g., billing records for tax purposes).
5.4 Right to Data Portability
You have the right to export your data in a structured, machine-readable format (JSON). To request a data export, contact support@ekogni.com.
5.5 Right to Object
You may object to the processing of your personal data for certain purposes. However, if you object to essential processing (e.g., authentication, billing), we may not be able to provide the Service to you.
5.6 Right to Withdraw Consent
You may withdraw your consent to data processing at any time by closing your account or contacting support@ekogni.com. Withdrawal of consent does not affect the lawfulness of processing conducted prior to withdrawal.
5.7 Right to Lodge a Complaint
If you believe we have violated your data protection rights, you may lodge a complaint with the Nigeria Data Protection Commission (NDPC) or the National Information Technology Development Agency (NITDA).
6. Children's Privacy
Our Service is used by students, some of whom may be under 18 years of age. If you are under 18, you must have permission from a parent, guardian, or your educational institution to use the Service.
We do not knowingly collect personal information from children under 13 without parental or school consent. If we become aware that we have collected data from a child under 13 without proper consent, we will delete the information immediately.
Institutional Account Consent Responsibilities: For students using Ekogni under an institutional (school) license, the school is responsible for obtaining all necessary parental or guardian consent before creating student accounts. By approving student accounts, the school certifies that:
- They have obtained proper consent from parents/guardians as required by the Nigeria Data Protection Regulation (NDPR)
- They have authority to act on behalf of parents/guardians for educational data processing
- They will maintain records of obtained consents
- They will notify parents/guardians about data collection and usage through our platform
Ekogni relies on schools to fulfill this consent obligation and is not responsible for a school's failure to obtain proper parental consent.
7. Cookies and Tracking Technologies
7.1 Cookies We Use
We use cookies to provide essential functionality:
- Authentication Cookies: Session cookies (managed by Supabase) to keep you logged in
- Security Cookies: CAPTCHA cookies (managed by hCaptcha) to prevent bot access
7.2 Third-Party Cookies
Third-party services (Supabase, hCaptcha) may set their own cookies. Refer to their privacy policies for details.
7.3 Managing Cookies
You can disable cookies in your browser settings, but doing so may prevent you from using the Service.
8. International Data Transfers
As mentioned in Section 3.1, your data is stored in the EU (Ireland). If you access our Service from Nigeria, your data will be transferred across borders.
We ensure that data transfers comply with NDPR requirements by:
- Using secure, encrypted connections (HTTPS/TLS)
- Working with service providers (Supabase) that implement strong data protection measures
- Limiting data transfers to what is necessary to provide the Service
9. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Service features. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page
- Notify you by email (if you have an active account)
- Post a notice on our website or in the Service
Your continued use of the Service after such notification constitutes acceptance of the updated Privacy Policy. If you do not agree to the changes, you must stop using the Service and request account deletion.
10. Data Breach Notification
In the event of a data breach that affects your personal information, we will:
- Notify the Nigeria Data Protection Commission (NDPC) within 72 hours (as required by NDPR)
- Notify affected users via email within 7 days
- Provide details about the breach, data affected, and steps we are taking to address it
11. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:
Ekogni Support
Email: support@ekogni.com
Phone: +234 810 248 6199
Hours: Monday-Friday, 8:00 AM - 6:00 PM WAT
Data Protection Inquiries: support@ekogni.com
By using the Ekogni Service, you acknowledge that you have read, understood, and agree to the terms of this Privacy Policy.
12. Platform-Specific Notes
12.1 Desktop App (Windows/macOS)
- The desktop app supports offline exam administration. Certain data is stored locally on your device and synchronized when you reconnect.
- Local storage in the desktop app uses encrypted storage mechanisms. No web cookies are used by the desktop app itself.
- hCaptcha is not used in the desktop app. CAPTCHA challenges apply to website signup and sensitive web actions only.
- The desktop app does not process payments. All purchases are completed on our website via Paystack.
12.2 Website
- Essential session cookies and hCaptcha may be used for authentication and security on the website.
- Payments are processed on the website through Paystack; we do not store your payment card details.