NDPR Compliance
How UpNepa complies with the Nigeria Data Protection Regulation
Last updated: April 2026
UpNepa is built with data protection at its core. This page details our compliance with the Nigeria Data Protection Regulation 2019 (NDPR) issued by NITDA and the Nigeria Data Protection Act 2023 (NDPA) enacted by the National Assembly. We are committed to the principles of lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability.
Regulatory Framework
UpNepa's data protection practices are guided by:
- Nigeria Data Protection Regulation (NDPR) 2019 -- subsidiary regulation issued by NITDA under the NITDA Act 2007
- Nigeria Data Protection Act (NDPA) 2023 -- primary data protection legislation, signed into law in June 2023
- Nigeria Data Protection Commission (NDPC) -- the supervisory authority established by the NDPA
NDPR Principles and Our Implementation
1. Lawfulness, Fairness, and Consent
NDPR Requirement: Personal data shall be collected and processed in accordance with specific, legitimate, and lawful purpose consented to by the data subject.
How we comply:
- Users explicitly consent to Terms of Service and Privacy Policy during registration
- Location data collection requires user action (clicking the map or granting GPS permission)
- Notification preferences are opt-in and fully controllable by the user
- Users can withdraw consent by disabling features or deleting their account
2. Purpose Limitation
NDPR Requirement: Personal data shall be collected for specific, legitimate purposes and shall not be further processed in a manner incompatible with those purposes.
How we comply:
- Data is collected solely for power status tracking and community awareness
- We do not use data for advertising, profiling, or any unrelated purpose
- Location data is used only for placing reports on the map and notifications
3. Data Minimization
NDPR Requirement: Personal data collected should be adequate, relevant, and limited to what is necessary.
How we comply:
- Registration requires only email and name (phone is optional)
- A random offset of up to 100 m is added to every report's coordinates before storage, and the precise coordinates are discarded -- we never retain a user's exact location
- Usernames are masked on public display (e.g., "Ade*****")
- IP addresses are not stored permanently
4. Accuracy
NDPR Requirement: Personal data shall be accurate and kept up to date.
How we comply:
- Users can update their profile information at any time via Settings
- Power reports expire automatically (inactive reports are cleaned up)
- Trust scoring system reduces the impact of inaccurate reports
5. Storage Limitation
NDPR Requirement: Data should be kept only for as long as necessary.
How we comply:
- Account data is deleted upon user request
- Report data is retained for historical power analytics (with fuzzed coordinates)
- Users can request complete data deletion by contacting us
6. Integrity and Confidentiality (Security)
NDPR Requirement: Data shall be secured against unauthorized access, alteration, or destruction.
How we comply:
- Passwords hashed with bcrypt (irreversible)
- HTTPS encryption on all connections (TLS 1.2+)
- JWT authentication with automatic token expiry and refresh
- CSRF protection on all form submissions
- Rate limiting to prevent brute-force attacks
- Secure cloud hosting on Google Cloud Platform
- Database access restricted by firewall rules
7. Accountability
NDPR Requirement: The data controller must demonstrate compliance.
How we comply:
- This NDPR compliance page is publicly accessible
- Privacy Policy and Terms of Service are clearly linked throughout the platform
- Data protection is built into the system architecture (privacy by design)
- Location fuzzing, username masking, and feature flags are technical enforcement of privacy principles
Technical Privacy Measures
| Measure | Description | NDPR Principle |
|---|---|---|
| Coordinate Fuzzing | 100m random noise added to all report locations before storage | Data Minimization |
| Username Masking | Only first 3 characters shown publicly (e.g., Ade*****) | Data Minimization |
| Privacy Feature Flag | A single admin flag instantly switches off public display of usernames, even in masked form | Accountability |
| Password Hashing | bcrypt with salt -- passwords are never stored in plaintext | Security |
| JWT Token Auth | Short-lived access tokens with automatic refresh | Security |
| HTTPS Only | All data in transit is encrypted via TLS | Security |
| Consent Checkboxes | Required before registration completes | Consent |
| Notification Preferences | Users control all notification channels and timing | Consent |
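The two technical measures above that do the most privacy work are coordinate fuzzing (section 3 and the table) and username masking. The following is an added example, not UpNepa's own code: it shows one way to implement both, with the checks a reviewer would want (the stored point really is within 100 m, a CSPRNG supplies the offset, and short usernames do not end up displayed in full). The 100 m radius and the three visible characters come from this page; the function names, the uniform-in-a-disc offset, the fixed-width mask, and the handling of short names are assumptions. The Lagos coordinates and usernames are constructed sample input.

```python
"""Coordinate fuzzing and username masking (added example, not UpNepa's
code). Parameters follow the compliance page; algorithms and names are
assumed for illustration."""
import math
import secrets

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius in metres
FUZZ_RADIUS_M = 100.0         # from the page: up to 100 m of noise
VISIBLE_CHARS = 3             # from the page: "Ade*****"
MASK = "*****"                # fixed width so the name length is not leaked


def fuzz_coordinates(lat, lon, radius_m=FUZZ_RADIUS_M, rng=None):
    """Return (lat, lon) moved by a random offset of at most radius_m metres.

    The offset is drawn uniformly over the disc (sqrt on the distance), so
    fuzzed points are not clustered around the true location. secrets-backed
    randomness is used so the offset cannot be predicted from a report ID or
    timestamp. Not valid near the poles (cos(lat) -> 0); fine for Nigeria.
    """
    rng = rng or secrets.SystemRandom()
    dist = radius_m * math.sqrt(rng.random())
    bearing = rng.random() * 2.0 * math.pi
    north_m = dist * math.cos(bearing)
    east_m = dist * math.sin(bearing)
    d_lat = north_m / EARTH_RADIUS_M
    d_lon = east_m / (EARTH_RADIUS_M * math.cos(math.radians(lat)))
    # 6 decimals is ~0.1 m, more than enough precision for a 100 m fuzz
    return (round(lat + math.degrees(d_lat), 6),
            round(lon + math.degrees(d_lon), 6))


def distance_m(lat1, lon1, lat2, lon2):
    """Haversine great-circle distance in metres; used to verify the fuzz."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp = p2 - p1
    dl = math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2.0 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def mask_username(username, visible=VISIBLE_CHARS, mask=MASK):
    """Public display form: first `visible` characters, then a fixed mask.

    Edge case (assumed policy, the page does not state one): a username of
    `visible` characters or fewer would otherwise be shown in full, so only
    its first character is kept. An empty name yields just the mask.
    """
    if not username:
        return mask
    if len(username) <= visible:
        return username[0] + mask
    return username[:visible] + mask


def sanitize_report(username, lat, lon, rng=None):
    """Build the record that would be stored/displayed for a power report.

    The precise coordinates are used only to compute the fuzzed pair and are
    not part of the returned record, matching 'fuzz before storage'.
    """
    f_lat, f_lon = fuzz_coordinates(lat, lon, rng=rng)
    return {"display_name": mask_username(username), "lat": f_lat, "lon": f_lon}


if __name__ == "__main__":
    # Constructed sample: a report from central Lagos by user "Adebayo"
    true_lat, true_lon = 6.5244, 3.3792
    rec = sanitize_report("Adebayo", true_lat, true_lon)
    moved = distance_m(true_lat, true_lon, rec["lat"], rec["lon"])
    print(rec, f"offset={moved:.1f} m (<= {FUZZ_RADIUS_M:.0f} m)")
```

The verification step matters in practice: a fuzzing routine that computes the longitude offset without the cos(lat) correction, or one that draws the distance without the square root, still "adds noise" but either exceeds the stated radius or leaves most points within a few metres of the true location. Running `distance_m` over the output of `fuzz_coordinates` in a unit test is the cheapest way to keep the claim on this page true as the code changes.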
Your Rights as a Data Subject
Under NDPR and NDPA, Nigerian data subjects have the following rights:
Right of Access
Request a copy of all personal data we hold about you
Right to Rectification
Correct inaccurate data via your profile settings
Right to Erasure
Request deletion of your account and personal data
Right to Data Portability
Receive your data in a machine-readable format
Right to Object
Object to processing based on legitimate interest
Right to Withdraw Consent
Disable notifications, delete account, or contact us
How to Exercise Your Rights
To exercise any of your data protection rights, you may:
- Update your profile in Account Settings
- Manage notifications in Notification Settings
- Email our Data Protection Officer at [email protected]
We will respond to all data subject requests within 30 days as required by NDPR.
If you are unsatisfied with our response, you may lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng.