Data Protection Policy

This Data Policy was last updated on the 5th of February 2024.

While we have not made any material changes to the way we collect and process data about our users, we have updated this policy to make it shorter, easier to read, and to comply with the Nigerian Data Protection Law 2023 and the EU General Data Protection Regulation.

Unless we link to a different policy or state otherwise, this Data Protection Policy applies when you visit or use the Company’s website, mobile applications, APIs, or related services (the “Services”).

By using the Services, you agree to the terms of this Data Protection Policy. You shouldn’t use the Services if you don’t agree with this Policy or any other agreement that governs your use of the Services.




Legum Limited (‘Legum’, ‘Company’) collects and processes certain personal information about individuals with whom it has a relationship including but not limited to current, past and prospective employees, customers, users of our infrastructure, subscribers and other stakeholders in its daily business operations.


This framework seeks to introduce the Data Protection Policy Principles covering data subjects of Legum Limited.The Policy seeks to achieve the following:

  • Disclose how Legum collects,stores and processes an individual's personal data.
  • Protect the Legum from the risks associated with data breach.
  • Protect the rights of staff, members and stakeholders.
  • Comply with Data Protection Laws and International best practices.


The scope of this policy covers all rights of data subjects regarding the collection, use, and retention of Personal Data.

This policy makes reference to the Privacy Policy, Consumer Protection and Recourse Mechanism Policy, and Dispute Resolution Policy which when combined together provide for a coordinated recourse mechanism recovery and reduce chaos.


“Consent” of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

“Data” means characters, symbols, and binary on which operations are performed by a computer, which may be stored or transmitted in the form of electronic signals, stored in any format or on any device.

“Database” means a collection of data organized in a manner that allows access, retrieval, deletion, and procession of that data; it includes but is not limited to structured, unstructured, cached, and file system-type databases.

“Data Administrator” means a person or organization that processes data.

“Data Controller” means a person who either alone, jointly with other persons, or in common with other persons, or as a statutory body, determines the purposes for and the manner in which personal data is processed or is to be processed.

“Data Portability” means the ability for data to be transferred easily from one IT system or computer to another through a safe and secure means, in a standard format.

“Data Subject” means an identifiable person; one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural, or social identity.

“Personal Data” means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, and other unique identifier such as but not limited to MAC address, IP address, IMEI number, IMSI number, SIM, and others.

“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

“Record” means public records and reports in credible news media.

“Sensitive Personal Data” means data relating to religious or other beliefs, sexual tendencies, health, race, ethnicity, political views, trade union membership, criminal records, or any other sensitive personal information.

“Third Party” means any natural or legal person, public authority, establishment, or any other body other than the Data Subject, the Data Controller, the Data Administrator, and the persons who are engaged by the Data Controller or the Data Administrator to process personal data.

“User” means any person or entity who uses our products or services.


The Law, which came into force on the 12th of June, 2023, regulates the gathering, storing, and processing of personal data (regardless of whether the data is stored electronically, on paper, or on other materials) and protects the rights and privacy of all living individuals (including children). The law applies to natural persons residing in Nigeria or residing outside Nigeria but of Nigerian descent.


Legum Limited will be the data controller under the terms of the Data Protection Law. This means that the Company is responsible for controlling the use and processing of personal data. Legum Limited shall appoint a Data Protection Officer (DPO) for the purpose of ensuring adherence to this Law, relevant data privacy statements, and data protection directives of the Company.


Legum Limited commits to processing Personal Data in accordance with the Data protection policy Principles as follows:

  1. Notice: Prior to collecting Personal Data the Company notifies Users about the categories of Personal Data that Legum collects and the purposes for collection and use of their Personal Data. Legum will only process Personal Data in ways that are compatible with the purpose for which the Company collected it or for purposes later authorized.
    Before Legum uses Personal Data for a purpose that is materially different from the purpose for which the Company collected it or that was later authorized Legum will provide Users with the opportunity to opt-out.
  2. Choice: If Legum collects Sensitive Personal Data we will obtain explicit opt-in consent whenever the Data protection policy requires. Legum Limited will obtain opt-in consent before Personal Data is disclosed to third parties other than those described in this Privacy Policy before Personal Data is used for a different purpose than that purpose for which it was collected or later authorized and whenever Data protection policy requires.
  3. Accountability for Onward Transfer: If the Company transfers Personal Data to a third party Legum takes reasonable and appropriate steps to ensure that each third-party transferee processes Personal Data transferred in a manner consistent with the Company’s obligations under the Data Protection Policy. Legum will ensure that each transfer is consistent with any notice provided to Users and any consent they have given. Legum requires a written contract with any third party receiving Personal Data that ensures that the third party
    (i) processes the Personal Data for limited and specified purposes consistent with any consent provided by Users,
    (ii) provides at least the same level of protection as is required by the Data protection policy,
    (iii) notifies Legum if it cannot comply with Data protection policy; and
    (iv) ceases processing Personal Data or takes other reasonable and appropriate steps to remediate.
    Under certain circumstances, Legum may be required to disclose Personal Data in response to valid requests by public authorities including for national security or law enforcement requirements.
    Legum remains liable under the Data Protection Policy Principles if an agent processes Personal Data in a manner inconsistent with the Principles unless the Company is not responsible for the event giving rise to the damage.
  4. Security: Legum Limited has adequate security measures in place to prevent your personal data from being lost, misused, accessed in an unauthorized manner, disclosed, or changed. We will notify you and any applicable regulator of a breach where we are legally required to do so.
    Furthermore, we restrict access to your personal data to just those employees, contractors, and third parties who require it for the reasons stated above. They are only allowed to process your data if we permit them, and they are bound to a duty of confidentiality.
  5. Data Integrity and Purpose Limitation: The Company takes reasonable steps to ensure that such Personal Data is reliable for its intended use, accurate, complete, and current. Legum adheres to the Data Protection Policy for as long as it retains Personal Data in identifiable form. Legum takes reasonable and appropriate measures, in compliance with the Data Protection Policy, to retain Personal Data in identifiable form only for as long as it serves the purpose of processing.
    The Company limits the collection of Personal Data to information that is relevant for processing. Legum does not process Personal Data in a way that is incompatible with the purpose for which it was collected or subsequently authorized by a User.
  6. Access: A User has the right to access his or her Personal Data and to correct, amend, limit the use of, or delete the Personal Data if the Personal Data is inaccurate or processed in violation of the Data protection policy. Legum is not required to grant the rights to access, correct, amend, and delete Personal Data if the burden or expense of providing access, correction, amendment, or deletion is disproportionate to the risks to the User’s privacy or if the rights of persons other than the Users are or could be violated.
  7. Recourse, Enforcement, and Liability: In compliance with this Data Protection Policy, Legum Limited commits to resolve complaints about your privacy and our collection or use of your Personal Data transferred to Foreign Countries pursuant to their Data Protection Laws. Individuals with Data protection policy inquiries or complaints should first contact Legum at
    If your Data protection policy complaint cannot be resolved by other redress mechanisms, Legum has further committed to refer such unresolved complaints under this policy to the Alternative Dispute Resolution mechanism.
    Legum commits to periodically review and verify its compliance with the Data Protection Policy and to remedy any issues arising out of failure to comply with the Data Protection Policy.


  • Consumer Protection and Recourse Mechanism Policy Framework
  • Privacy Policy
  • Dispute Resolution Policy