Irorun | Terms of Service

1.0 Introduction

Irorun is committed to protecting the personal data of its customers, partners, employees, and other stakeholders. This policy sets out our approach to data subject access requests and explains how individuals may exercise their rights under applicable data protection laws. It also describes the procedures for opting out of any of our services.

The NDPR establishes a comprehensive framework to safeguard the privacy rights of natural persons, promote safe digital transactions, and strengthen information management practices across both public and private sectors in Nigeria.

Irorun, as a registered Data Controller under the NDPR, recognizes its duty to comply with the Regulation's core principles of lawfulness, data minimization, accuracy, storage limitation, confidentiality, and accountability. To that end, Irorun has:

Appointed a Data Protection Officer (DPO) within the required six‑month timeframe (Art. 4.1(2) NDPR).
Conducted a full NDPR audit through a licensed Data Protection Compliance Organisation (DPCO).
Established retention schedules in our Data Retention Policy to ensure personal data is stored only as long as necessary.
Implemented robust consent management aligned with our Data Subject Consent Policy to record, review, and allow withdrawal of consent at any time.

2.0 Policy Objectives

This policy applies to all personal data processed by Irorun, regardless of the medium or platform.

The purpose is to:

Inform data subjects of their rights concerning their personal data.
Establish clear procedures for making and processing data subject access requests.
Explain the process for opting out of our services.
Ensure that all requests are handled promptly, securely, and in compliance with applicable law.

3.0 Scope

Data Subject: Any natural person whose personal data is collected, held, or processed by Irorun.
Personal Data: Any information relating to an identified or identifiable natural person.
Data Controller: The entity (Irorun) that determines the purposes and means of processing personal data.
Data Subject Access Request (DSAR): A request from a data subject to access, correct, delete, or restrict the processing of their personal data.
Opt-Out: The process by which a data subject may withdraw consent or otherwise refuse the continued use of their personal data for specific services or marketing communications.

4.0 Legal and Regulatory Compliance

In accordance with the NDPR and other relevant Nigerian laws, Irorun recognizes that the Data subjects have a right to:

Right to Access: Data subjects can request confirmation of whether their personal data is being processed and, if so, access to that data.
Right to Rectification: Data subjects can request that inaccurate or incomplete personal data be corrected.
Right to Erasure: Also known as the "right to be forgotten," data subjects may request deletion of their personal data under certain circumstances.
Right to Restrict Processing: Data subjects can request that processing of their personal data be restricted under certain conditions.
Right to Data Portability: Data subjects may request their data in a structured, commonly used, and machine-readable format, and to have that data transmitted to another controller where technically feasible.
Right to Object: Data subjects have the right to object to processing of their personal data on grounds relating to their particular situation, including processing for direct marketing.
Right to Not Be Subject to Automated Decision-Making: Data subjects have the right to request human intervention in any decision-making process that is based solely on automated processing.

5.0 Procedures for Data Subject Access Requests

5.1 How to Submit a Request

Data subjects can submit a DSAR by one of the following methods:

Email: Send a detailed request to our Data Protection Officer at [support@irorun.com].
Mail: Write to our Data Protection Office at the address provided on our website with subject "Data Subject Access Request || {{Full Name}} {{Phone number}}"

5.2 Information Required in a DSAR

To help us process your request efficiently, please include the following information:

Your full name, Email and Phone number used in registering for the Irorun Account.
A clear description of the personal data you are requesting access to or wish to have corrected, deleted, or otherwise modified.
Proof of identity (such as a scanned copy of a government-issued ID) to ensure your request is processed securely.
A sworn affidavit depending on the type of data you are requesting for.
A police report depending on the circumstance surrounding the request for change in data (i.e. if requesting for change of Phone number, and Phone number was lost or stolen, a police report will be needed)
Any additional context that might assist in locating the relevant data.

5.3 Verification and Processing

Verification: Upon receipt of a DSAR, Irorun will verify your identity. If we are unable to verify your identity with the information provided, we may ask for additional evidence.
Acknowledgment: Once your request is received, you will receive an acknowledgment within [10] business days.
Response Time: We aim to respond to your request within [30] calendar days. If your request is complex or numerous, we may extend this period by an additional [60] days. In such cases, you will be informed and provided with the reasons for the delay.

5.4 How We Process Your Request

Review: Our Data Protection Office will review your request and determine the appropriate course of action.
Access/Correction/Deletion: If your request is approved, we will provide you with the requested access to your personal data, or will make the necessary corrections, deletions, or restrictions.
Refusal: In the event that a request is refused, you will be provided with a detailed explanation including any legal basis for refusal and information on your right to seek redress through supervisory authorities.

6. Opting Out of Services

Irorun respects your choice to opt out of any of our services. The following options are available:

Marketing Communications: You may unsubscribe from marketing emails by clicking the "unsubscribe" link in the communication or by contacting us directly at [Support@irorun.com].
Service Withdrawal: If you wish to withdraw your consent for processing or to opt out of specific services, please contact our customer support team or our Data Protection Officer with clear instructions. Upon verification, your personal data will be processed in accordance with your opt-out request.

7. Data Retention and Security

Retention Period: Personal data will be retained for as long as necessary to fulfill the purposes for which it was collected and to comply with legal obligations.
Security Measures: Irorun employs industry-standard security measures to protect your personal data against unauthorized access, alteration, or disclosure.

8. Further Information and Complaints

If you have any questions regarding this policy or wish to raise a complaint regarding the processing of your personal data, please contact our Data Protection Officer at [support@irorun.com]. If you are not satisfied with our response, you have the right to lodge a complaint with the relevant data protection authority.

9. Policy Updates

This policy is subject to periodic review and updates. Any changes will be posted on our website and, where appropriate, communicated directly to data subjects.

By implementing and adhering to this policy, Irorun demonstrates its commitment to the rights and protections of data subjects and ensures that all access requests are handled efficiently and in full compliance with applicable data protection laws.