Compliance

NDPA compliance.

Last updated: 8 May 2026

Therasafety Limited is committed to upholding the rights of every data subject under the Nigeria Data Protection Act 2023 (NDPA). This page sets out how to exercise those rights, our response commitments, and the regulator you can escalate to if we fall short.

1. Who we are, in NDPA terms

For the purposes of the NDPA, Therasafety Limited is a data controller in respect of the personal data we collect through therasafety.com. Where our individual products process additional personal data, the relevant Therasafety entity is the controller for that product, as identified in that product’s own privacy notice.

2. Data Protection Officer

Our Data Protection Officer can be reached at:

3. Your rights as a data subject

Sections 34–40 of the NDPA grant you the following rights in relation to personal data we hold about you:

  • Right of access — obtain a copy of your data and information about how we process it.
  • Right to rectification — correct inaccurate or incomplete data.
  • Right to erasure — have your data deleted, where no overriding legal obligation requires us to retain it.
  • Right to restriction of processing — pause our processing of your data while a dispute is resolved.
  • Right to data portability — receive your data in a structured, commonly used, machine-readable format.
  • Right to object — object to processing based on legitimate interest, including for direct marketing.
  • Right to withdraw consent — where consent is the lawful basis, withdraw it at any time without affecting the lawfulness of processing prior to withdrawal.
  • Right not to be subject to automated decisions — in matters that produce legal or similarly significant effects on you.

4. How to make a data subject request

  1. Email dpo@therasafety.com with the subject line Data Subject Request.
  2. State which right(s) you are exercising (e.g. “access”, “erasure”).
  3. Provide enough detail to identify your data — typically the email address you used when contacting us. We may ask for additional verification only where necessary to confirm your identity.

We respond within 30 calendar days, free of charge. If the request is exceptionally complex, we may extend this by a further 30 days and will notify you in writing within the original window.

5. International transfers

Some of our sub-processors (for example Vercel, Supabase, Resend, Upstash) operate from outside Nigeria. We rely on the following safeguards under NDPA s.41:

  • Adequacy decisions issued by the NDPC, where available.
  • Contractual protections substantially equivalent to the Standard Contractual Clauses.
  • Vendor security commitments (encryption in transit and at rest, ISO 27001 / SOC 2 attestations where applicable).

6. Right to lodge a complaint

If you believe we have processed your personal data in a way that contravenes the NDPA, you have the right to lodge a complaint directly with the regulator:

  • Nigeria Data Protection Commission (NDPC)
  • Website: ndpc.gov.ng

We would appreciate the chance to address your concern first — please contact our DPO before escalating to the NDPC, but you are not required to do so.

7. Security incident notification

If we become aware of a personal data breach that is likely to result in a risk to your rights or freedoms, we will notify the NDPC within 72 hours as required by NDPA s.40, and we will notify you directly without undue delay where the risk is high.

8. Related documents