Privacy Policy

1. Introduction and Scope

Kua HR ("Kua HR," "we," "us" or "our") provides cloud‑based human resources (HR) and payroll solutions to companies in Nigeria, other African jurisdictions and clients globally. This Privacy Policy explains how we collect, use, share, store and protect your personal data when you interact with our websites, applications, APIs, dashboards, mobile applications or any products and services controlled by Kua HR (collectively, the "Services").

This Policy is intended to meet the requirements of the Nigeria Data Protection Regulation 2019 (NDPR), the Nigeria Data Protection Act 2023 (NDPA) and the General Data Protection Regulation (GDPR), and is designed to be consistent with other data‑protection laws across Africa (such as South Africa's POPIA, Kenya's Data Protection Act 2021 and Ghana's Data Protection Act 2012) as well as applicable laws of other jurisdictions in which we operate.

By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy and agree to the practices described herein. If you do not agree with this Policy, please do not use our Services.

2. Definitions

Personal Data: information relating to an identified or identifiable natural person. Examples include names, contact details, identification numbers, financial information, employment records, device identifiers, IP addresses, and any other data that can be linked to a specific individual.

Data Subject: the individual to whom the Personal Data relates.

Controller: the entity that determines the purposes and means of processing Personal Data. Kua HR typically acts as a Data Controller for personal data relating to prospects, clients and visitors to our sites, and as a Data Processor when we process employee data on behalf of our business customers.

Processor: an entity that processes Personal Data on behalf of a Data Controller.

Processing: any operation performed on Personal Data, whether or not by automated means, including collection, storage, use, disclosure, analysis, transfer or deletion.

Sensitive Personal Data: categories of Personal Data considered sensitive under applicable law, such as biometric data, health or medical information, religious or philosophical beliefs, sexual orientation, political opinions, trade‑union membership, genetic data, criminal convictions and national‑identity numbers.

3. Legal Bases and Governing Principles

Our processing of Personal Data is grounded in one or more of the following legal bases (which may vary by jurisdiction):

• Consent – when you provide us with clear permission to process your data for a specific purpose (e.g., marketing communications). The NDPA requires that consent be informed, specific, freely given and revocable.
• Contractual Necessity – to perform a contract with you or take steps at your request prior to entering a contract. For example, we need employee details to process payroll and remit taxes.
• Legal Obligation – to comply with legal or regulatory requirements (e.g., NDPA/NDPR, tax laws, labour laws). NDPA obliges controllers to retain Personal Data only for as long as necessary and to implement security safeguards.
• Legitimate Interests – when necessary for our legitimate business interests or those of a third party, provided those interests are not overridden by your rights and freedoms. Examples include fraud prevention, security monitoring, and improving our Services. Where we rely on legitimate interests, we consider the impact on individuals and implement safeguards.
• Vital Interests – to protect someone's life or physical integrity (e.g., emergency contacts for employees).
• Public Interest / Official Authority – when processing is necessary to perform a task carried out in the public interest or in exercise of official authority (e.g., requests from law‑enforcement agencies).

We adhere to the core data‑processing principles set out in NDPA, NDPR and GDPR, including lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality and accountability.

4. Categories of Personal Data We Collect

Depending on how you interact with us, we may collect the following categories of Personal Data:

4.1 Business and Organization Information

• Company details: business name, trade name, corporate registration number (e.g., RC number), place of incorporation, tax‑identification numbers, regulatory licences, sector classification and registered address.
• Authorized representatives: names, job titles, emails, phone numbers and identification details of individuals authorised to represent the company.
• Corporate bank details: bank name, account numbers, branch codes or sort codes, SWIFT/BIC codes, IBANs and payment‑provider information.
• Ownership and directors: names and shareholdings of beneficial owners, directors, shareholders or trustees when legally required (e.g., Know‑Your‑Customer/Know‑Your‑Business (KYC/KYB) checks).

4.2 Employee and Workforce Data (Processed on behalf of clients)

When companies use our Services to manage payroll and HR operations, we process employees' Personal Data as a Processor. This may include:

• Identity data: full name, maiden name, date and place of birth, gender, signature, photograph, nationality, marital status, residential and mailing addresses, government‑issued identifiers (Bank Verification Number, national identification number, passport number, tax identification number, national insurance number, driver's license details) and work‑permit/immigration information.
• Employment details: employee ID, role, department, job description, employment status (full‑time, part‑time, contract), start/end dates, probation status, promotion/demotion history, performance evaluations, disciplinary records, training and certification records, and termination details.
• Financial and payroll information: bank account details (account number, bank name, branch), salary and wage amounts, bonuses, allowances, benefits, deductions, overtime records, tax codes, pension scheme details, health insurance contributions, National Housing Fund (NHF) contributions, payroll frequency and historical payslips.
• Statutory and compliance data: pension plan enrollment, health insurance, social security contributions, Pay‑As‑You‑Earn (PAYE) tax information, union dues, and any statutory declarations required under Nigerian labour law and other applicable laws.
• Contact details: personal phone numbers, personal email addresses, emergency contacts and next‑of‑kin information.
• Biometric and health data (where permitted): fingerprint scans, facial recognition data or other biometric identifiers used for timekeeping or access control, as well as medical information related to workplace health and safety (e.g., pre‑employment medicals), only when strictly necessary and with explicit consent or another lawful basis.

4.3 Identity Verification and Compliance Data

• KYC/KYB documentation: copies of identification documents, proof of address, incorporation documents and shareholder registers.
• Screening data: results of anti‑money laundering (AML), counter‑terrorism financing (CTF) and sanctions screenings; politically exposed person (PEP) status; credit‑worthiness checks (where allowed by law); and risk assessments.
• Audit logs: records of access to data, user activity logs, geolocation data derived from IP addresses, and system events necessary for fraud prevention, dispute resolution and regulatory compliance.

4.4 Technical and Usage Data

• Device and connection information: IP addresses, device identifiers, hardware model, operating system and version, browser type and version, mobile network information and language settings.
• Usage data: log data (date/time stamps of access, actions performed, pages visited), navigation paths, session duration, referral URL, and interactions with platform features.
• Cookies and similar technologies: information collected via cookies, pixels, web beacons and local storage when you visit our websites or use our Services. These technologies enable us to remember preferences, measure engagement, perform analytics and display targeted content. See Section 14 for more details.

4.5 Communications and Support Data

• Records of emails, live chats, phone calls (including call recordings where permitted by law), service‑desk tickets, survey responses, complaints and other communications with our support, sales or compliance teams.
• Marketing preferences (opt‑in/opt‑out status), event attendance and participation in promotional activities.

4.6 Special Circumstances Data

In limited circumstances and only with a lawful basis, we may process:

• Sensitive personal data: such as race or ethnicity, religious or philosophical beliefs, trade‑union membership, health information and sexual orientation (e.g., for diversity and inclusion programmes, health insurance or accommodations). Where required by local law (e.g., NDPA sections on sensitive data processing), we will obtain explicit consent or rely on another lawful basis and implement heightened safeguards.
• Children's data: information about individuals under the age of 18 (such as interns or trainees) is processed only for legitimate HR purposes and with parental/guardian consent where applicable.

5. How We Collect Personal Data

We collect Personal Data from various sources, including:

• Directly from you or your organization – when you register an account, fill out forms, sign contracts, request our Services, submit payroll information, upload documents, engage with customer support, respond to surveys, participate in marketing activities or otherwise communicate with us.
• From third parties – such as employers, recruitment agencies, professional advisers, background‑check providers, bank verification services, identity‑verification services, sanctions‑screening providers, tax authorities and government agencies. When we receive data from third parties, we provide required notices to data subjects and specify the categories of data obtained, as per Article 14 of the GDPR.
• Automatically through our platforms – via cookies, logs and analytics tools that collect usage information and device identifiers.

6. How We Use Personal Data

We process Personal Data for the purposes outlined below. We do not use Personal Data for purposes incompatible with these uses.

6.1 Provision of Payroll and HR Services

• Payroll processing: calculating wages and salaries, deductions, taxes, pensions and benefits; generating payslips; preparing payroll reports; and facilitating salary disbursements into employees' bank accounts.
• Tax and statutory compliance: computing and remitting PAYE taxes, National Housing Fund contributions, pension contributions, health‑insurance premiums, social‑security levies and other statutory deductions to relevant government agencies and regulators (e.g., Federal Inland Revenue Service (FIRS), State Boards of Internal Revenue (SBIRs), National Pension Commission (PENCOM)).
• Human resources management: maintaining employee records, tracking attendance and leave, evaluating performance, administering benefits, onboarding and offboarding employees, managing training programmes, and ensuring compliance with employment laws and labour regulations.
• Identity verification and fraud prevention: verifying the identities of clients and employees, conducting AML/CTF checks, screening for sanctions or politically exposed persons, detecting and preventing fraudulent activities and money laundering, and enforcing our Terms of Service.
• Customer support and account management: responding to inquiries, troubleshooting issues, providing training and product information, sending updates and announcements, managing subscriptions and billing, and notifying users of system changes.

6.2 Improvement and Development of the Services

• Service analytics: monitoring system performance, usage trends and user behaviour to understand how our Services are used; measuring the effectiveness of features; and improving functionality, user experience and scalability.
• Research and development: using aggregated and anonymised data to develop new products, features and models, including predictive analytics to improve payroll accuracy, employee‑engagement tools and HR reporting. We do not use personal data to profile individuals or make automated decisions that have legal or significant effects without human intervention.

6.3 Security, Fraud Detection and Compliance

• Security monitoring: logging and analysing access activities, monitoring for suspicious behaviour, performing vulnerability assessments and penetration testing, and applying security patches.
• Audit and compliance: maintaining audit trails, performing data protection impact assessments (DPIAs), meeting record‑keeping obligations and demonstrating compliance to auditors and regulators.
• Incident response: detecting, investigating and responding to breaches or suspected incidents; mitigating harm; notifying affected users and authorities in accordance with NDPA/NDPR requirements; and documenting response actions.

6.4 Marketing and Communications

• Service communications: sending transactional messages, system alerts, changes to terms or policies and information required to perform our contract with you.
• Marketing: providing information about our services, promotions, events or research relevant to HR and payroll. We will only send marketing communications where permitted by law and you can opt out at any time. We do not sell personal data to third parties.

6.5 Legal and Regulatory Compliance

• Legal obligations: meeting obligations under labour laws, tax laws, anti‑corruption laws, anti‑money laundering and counter‑terrorism laws, and data‑protection regulations.
• Regulatory reporting: responding to lawful requests from regulators (e.g., NDPC, PENCOM, FIRS, SBIRs) and cooperating with law‑enforcement investigations or court orders.
• Risk management: protecting our rights and interests, enforcing contracts, recovering debts, investigating disputes, preventing misuse of our Services and establishing, exercising or defending legal claims.

7. Data Sharing and Disclosure

We do not sell personal data. We may share personal data with the following categories of recipients when necessary, lawful and subject to appropriate safeguards:

• Your Employer or Organisation – for employees or contractors of our clients, we share relevant HR and payroll information with the employer to fulfil our contract.
• Financial Institutions and Payment Partners – banks, payment processors and fintech providers (e.g., remittance partners) to execute salary payments, refunds, subscription billing and related financial transactions.
• Government and Regulatory Bodies – tax authorities, pension regulators, labour ministries, law‑enforcement agencies and courts when required to comply with legal obligations or court orders. For example, NDPA requires controllers to report data breaches to the Commission and inform data subjects when high risk is present, and cross‑border transfers require NDPC approvals or appropriate safeguards.
• Service Providers and Vendors – third‑party vendors who provide infrastructure, IT, cloud hosting, security services, analytics, communications, background‑check services, mail services and other support functions. All such providers are bound by contractual data‑protection obligations and must implement adequate technical and organisational measures (including confidentiality).
• Professional Advisors – auditors, lawyers, consultants, insurers and accountants who provide professional services to Kua HR under confidentiality obligations.
• Corporate Transactions – in connection with a merger, acquisition, divestiture, restructuring or sale of all or part of our business, in which case personal data may be transferred to a successor entity subject to this Policy and any required approvals.
• Others with Consent or as Directed – any other third party with your consent or where you direct us to share your data (e.g., integration partners in an HR ecosystem).

We require all recipients to implement adequate security and privacy measures and to process Personal Data only for the intended purpose. If a recipient is located outside the jurisdiction in which the Personal Data originated, we ensure that cross‑border transfer mechanisms and safeguards are applied (see Section 8).

8. Cross‑Border Data Transfers

Kua HR is headquartered in Nigeria but uses cloud infrastructure and service providers around the world. Personal Data may therefore be processed and stored in countries outside your home jurisdiction.

We transfer personal data internationally in compliance with applicable laws. Specifically:

• Under the NDPA, cross‑border transfers of personal data are permissible only if the recipient is subject to a law, binding corporate rules, contractual clauses, codes of conduct or certification mechanisms ensuring an adequate level of protection. The NDPA allows transfers based on Standard Contractual Clauses, binding corporate rules or other approved instruments when the recipient's country is not on the NDPC adequacy list.
• NDPA removed the NDPR's requirement for Attorney General review and vested the adequacy decision authority in the Nigeria Data Protection Commission. Where no adequate protection exists, the transfer is permitted only under specific conditions (e.g., explicit consent, contract performance, public interest, vital interests).
• We rely on standard contractual clauses (SCCs) and data‑processing agreements to ensure that recipients outside Nigeria or the EU provide adequate protection.
• For EU/UK data subjects, we implement transfer mechanisms recognised under the GDPR (e.g., SCCs, UK addendum, International Data Transfer Agreements).
• For other African countries, we comply with local transfer restrictions (e.g., restrictions under South Africa's POPIA and Kenya's Data Protection Act) and ensure similar safeguards.
• We will obtain explicit consent for cross‑border transfers only where other transfer mechanisms are not viable and where consent is legally acceptable, noting that NDPA warns that consent alone may not be a scalable solution for enterprise processing.

9. Data Retention and Deletion

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, to comply with legal and regulatory requirements, to resolve disputes, to enforce agreements and to protect our legal interests. In determining retention periods, we consider the amount, nature and sensitivity of the data; the potential risk of harm from unauthorised use or disclosure; the purposes of processing; and applicable legal requirements.

• Employee records: Under Nigerian labour and tax laws, employers must retain payroll and employment records for specified periods (typically six years or longer depending on the statutory requirement). We align our retention periods with these obligations and with NDPA's requirement that data not be retained beyond the necessary period.
• KYC/KYB documents: NDPC guidance requires that KYC records and transaction logs be kept for a minimum period to support AML/CTF compliance and audit obligations.
• Marketing data: contact information for marketing is retained until you opt out or the information becomes outdated.
• Logs and security data: security and audit logs are retained for a reasonable period (often three years or as required by law) to investigate incidents and demonstrate compliance.

When retention periods expire or data is no longer needed, we securely destroy or anonymise personal data. We also provide mechanisms for clients to remove or extract employee records at the end of their contracts.

10. Data Security

Kua HR employs technical and organisational security measures to protect personal data against unauthorised access, disclosure, alteration or destruction, as required by NDPA, NDPR and GDPR. Our security framework aligns with industry best practices, including:

10.1 Encryption

• Data at rest: sensitive data stored in our databases, backups and file systems are encrypted using AES‑256 encryption. Database encryption keys are stored and managed using key‑management systems with role‑based access controls.
• Data in transit: we use Transport Layer Security (TLS) (e.g., TLS 1.2 or higher) for all network communications between our servers, clients and third parties to protect data from interception or tampering.
• Encryption of backups: backups are encrypted before storage and retained in secure off‑site or cloud locations with logical segregation.

10.2 Access Controls

• Authentication: we implement multi‑factor authentication (MFA) for administrative access and require strong password policies across our systems.
• Role‑based access control (RBAC): employees and contractors are granted access only to the data necessary for their functions, following the principle of least privilege.
• Logging and monitoring: we maintain comprehensive logs of user access and system activity and use intrusion‑detection and anomaly‑detection tools to identify suspicious behaviour.

10.3 Vulnerability Management and Patching

We regularly update and patch our operating systems, applications and databases to address security vulnerabilities. Automated patching helps ensure timely implementation.

Security assessments, penetration tests and audits are performed periodically by internal teams and external experts. Findings are reviewed, prioritised and remediated.

10.4 Data Back‑ups and Recovery

We perform regular automated backups, retain multiple backup copies in secure locations and test restoration procedures.

Disaster‑recovery and business‑continuity plans ensure that critical services remain available during an outage or catastrophic event.

10.5 Incident Response and Breach Notification

We maintain an incident response plan that outlines roles, responsibilities and procedures for detecting, containing, investigating and reporting security incidents.

In the event of a breach, we will notify affected clients and individuals and the relevant supervisory authority within the timeframe required by applicable law (e.g., NDPA requires prompt notification to the Commission when breaches pose high risk). Notifications include a description of the incident, likely consequences and measures taken to mitigate harm.

10.6 Employee Training and Awareness

All personnel undergo regular data‑protection and security training and are bound by confidentiality obligations.

We educate staff to recognise phishing attempts, handle sensitive data properly and report potential incidents.

10.7 Data Minimisation and Privacy by Design

We collect only the Personal Data necessary for the specified purposes and design our systems to minimise data exposure.

Privacy and security controls are integrated into product development and operational processes from the outset.

10.8 Third‑Party Risk Management

Before engaging vendors or partners who will process Personal Data on our behalf, we conduct due diligence and risk assessments to evaluate their security posture and privacy practices.

We require data‑processing agreements that mandate compliance with NDPA, NDPR, GDPR and other applicable regulations, and we monitor ongoing compliance.

11. Data Subject Rights and Choices

We respect the rights of data subjects under applicable laws. Depending on your jurisdiction, you may have some or all of the following rights:

• Right to Information/Transparency – to be informed about how your Personal Data is collected, used, stored and shared (privacy notices). Businesses must provide this information before processing.
• Right of Access – to obtain confirmation whether we hold Personal Data about you and to receive a copy of that data in a commonly used electronic format.
• Right to Rectification – to request correction of inaccurate or incomplete data.
• Right to Deletion ("Right to Erasure") – to request that your Personal Data be erased when it is no longer needed for the purpose for which it was collected, you withdraw consent, or processing is unlawful.
• Right to Restrict Processing / Object – to oppose processing of your data in certain circumstances (e.g., direct marketing, processing based on legitimate interests).
• Right to Data Portability – to receive your Personal Data in a structured, commonly used and machine‑readable format and to transfer it to another service provider.
• Rights related to Automated Decision‑Making and Profiling – to be protected against decisions based solely on automated processing that produce legal or similarly significant effects and to obtain human intervention.
• Right to Withdraw Consent – if we process your data based on consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.
• Right to Complain – to lodge a complaint with the Nigeria Data Protection Commission (NDPC), the relevant data‑protection authority in your country (e.g., the Information Commissioner's Office (ICO) in the UK), or a supervisory authority where you live or work.
• Right to Object to Direct Marketing – to request that we stop using your data for direct marketing purposes.

11.1 How to Exercise Your Rights

To exercise any of the above rights, please contact us using the information in Section 16. We may need to verify your identity (e.g., by requesting additional information) to protect your personal data. We will respond to requests within applicable legal timeframes (e.g., NDPA/GDPR generally require responses within one month). In some cases, we may refuse or limit a request if we have a legal obligation or overriding legitimate interest (e.g., legal retention requirements) that prevents us from fulfilling it.

12. Children's Data

Our Services are not intended for use by individuals under 18 years of age except as part of an employment relationship (e.g., interns). We do not knowingly collect or process Personal Data of minors without parental or guardian consent. Where we process children's data for legitimate HR purposes (e.g., interns, trainees, dependants), we apply additional safeguards and comply with NDPA provisions regarding parental consent and age verification.

13. Automated Decision‑Making and Profiling

Kua HR does not make decisions that produce legal or similarly significant effects on individuals solely based on automated processing of personal data. Where we use automated tools to support decision‑making (e.g., payroll calculations, eligibility for statutory deductions), human review and oversight are always involved. We will provide meaningful information about the logic involved and the potential consequences of automated processing upon request.

14. Cookies and Similar Technologies

We use cookies and similar technologies to enhance your experience, analyse usage and deliver tailored content. Cookies are small files stored on your device that allow us to recognise your browser or device. We use:

• Essential cookies – necessary to provide core functionality (e.g., authentication, session management).
• Preference cookies – to remember your settings and preferences (e.g., language, region).
• Analytics cookies – to collect information about how users interact with our sites and services (e.g., most visited pages, time spent) and to improve performance. We use first‑party analytics and third‑party tools such as Google Analytics (subject to its privacy policy).
• Marketing cookies – to deliver relevant advertisements based on your interests. We obtain consent where required by law.

You can manage cookie settings via your browser or device. Blocking some cookies may impact the functionality of the Services. For more information, see our separate Cookie Policy.

15. Changes to This Privacy Policy

We may update this Policy to reflect changes in our business, legal requirements or industry practices. The "Last updated" date at the top indicates when this Policy was last revised. We will notify you of material changes by posting the updated Policy on our website, via email or through a prominent notice within the Services. Continued use of our Services after updates constitutes acceptance of the revised Policy.

16. Contact Information and Data Protection Officer

If you have questions, concerns or requests regarding this Privacy Policy, our privacy practices or your Personal Data, please contact:

If you are a resident of the European Union, the European Economic Area, the United Kingdom or another jurisdiction with local representation requirements, you may also contact our EU/UK representative using the same email privacy@kuahr.com.

17. Regional Addenda

Because data‑protection requirements vary by jurisdiction, we may publish additional notices that apply to residents of specific countries or states (e.g., the California Consumer Privacy Act, Kenya Data Protection Act, South Africa POPIA, EU GDPR). In the event of a conflict between this Policy and a jurisdiction‑specific notice, the latter prevails to the extent of the conflict.

18. Accountability and Governance

Kua HR is committed to demonstrating accountability and compliance with applicable data protection laws. Our governance measures include:

• Data Protection Officer: appointment of a DPO responsible for advising on compliance, monitoring internal adherence, liaising with the NDPC and other regulators and acting as a point of contact.
• Data Protection Impact Assessments (DPIAs): conducting DPIAs for high‑risk processing activities (e.g., biometric data, children's data) as required by NDPA and GDPR.
• Records of Processing Activities: maintaining detailed records of data processing activities, including the purposes, categories of data, recipients, storage periods, security measures and cross‑border transfer mechanisms.
• Internal Policies and Procedures: implementing policies on data minimisation, retention, breach notification, incident response, vendor management, employee screening and training.
• Data Processing Agreements: executing data‑processing agreements with clients and vendors specifying roles, responsibilities and data‑protection obligations.
• Registration and Compliance with NDPC: registering with the NDPC if we meet the criteria for a Controller or Processor of Major Importance (e.g., processing data of more than 200 individuals within six months or operating in regulated sectors).
• Audits and Certifications: periodically undergoing internal and external audits of our privacy and security practices and pursuing relevant industry certifications (e.g., ISO/IEC 27001) to demonstrate compliance.

19. Additional Notes for African Jurisdictions

While this policy primarily references Nigerian law, Kua HR recognises the diverse data‑protection regimes across Africa. We commit to complying with the data‑protection and privacy laws of each country in which we operate, including but not limited to:

• South Africa – the Protection of Personal Information Act (POPIA), which requires responsible parties to obtain consent, process data lawfully and secure personal information. POPIA's conditions for lawful processing include accountability, purpose specification, further processing limitation, information quality, openness, security safeguards and data subject participation.
• Kenya – the Data Protection Act 2021, which mandates legal bases, clear purposes, rights to access, rectify and erase, restrictions on cross‑border transfers unless adequate safeguards are in place, and the appointment of Data Protection Officers for some controllers.
• Ghana – the Data Protection Act 2012, requiring registration of data controllers, adherence to data‑processing principles, security safeguards and cross‑border transfer restrictions.
• Other African Laws – we follow data‑protection principles and notification/consent requirements across jurisdictions such as the African Union's Malabo Convention, Uganda's Data Protection and Privacy Act, and laws in Egypt, Morocco, Ethiopia and Rwanda.

For cross‑border data transfers to or from African countries, we implement appropriate safeguards consistent with local regulations (e.g., adequacy, standard contractual clauses, codes of conduct) and consult with regulators where required.