1. Information we collect
We collect information you provide directly, including name, email address, company name, job title and any data you enter while using Permito. We also automatically collect usage data such as permit activity logs, device information, IP addresses, browser type and session logs to improve platform performance, security and reliability.
2. How we use your information
Your data is used to: operate and improve the Permito platform; send important system notifications and permit workflow alerts; provide customer support; generate anonymised platform analytics; and comply with applicable laws and regulations including the Nigerian Data Protection Regulation (NDPR), GDPR where applicable, and relevant industry regulatory requirements.
3. Data sharing
We do not sell your personal data. We share data only with: trusted service providers who help us operate the platform (e.g. cloud infrastructure, email delivery); your employer or facility operator as part of the permit workflow you participate in; regulatory or law enforcement authorities when required by applicable law; and successors in the event of a business merger or acquisition.
4. Data security
All data is encrypted in transit using TLS 1.3 and encrypted at rest using AES-256. Access is strictly role-based and every action is logged with a full audit trail. We maintain SOC 2-aligned security practices and conduct regular security reviews and penetration testing. Once a permit is approved and active, its records and audit trail are immutable.
5. Data retention
Active permit records are retained for the duration of your subscription plus a minimum of 7 years to meet energy industry compliance and regulatory retention requirements. You may request deletion of personal profile data at any time; however, deletion is subject to mandatory legal and regulatory retention obligations which may require us to retain certain records regardless.
6. Your rights
Under NDPR and GDPR (where applicable), you have the right to: access a copy of all personal data we hold about you; correct inaccurate data; request deletion of personal data subject to retention obligations; object to or restrict certain processing; and data portability. To exercise these rights, contact us at privacy@permito.ng. We will respond within 30 calendar days.
7. Cookies
We use only strictly necessary cookies required for authentication (session tokens) and platform functionality. We do not use advertising cookies, tracking pixels, or third-party analytics cookies. You can disable cookies in your browser settings, though disabling session cookies will prevent login. We will always seek your consent before setting any non-essential cookies.
8. Third-party services
Our platform may use the following categories of third-party service providers: cloud infrastructure (data hosted in data centres with appropriate data processing agreements); email delivery services for notifications; error monitoring services (processing only anonymised error logs). All sub-processors are bound by data processing agreements consistent with applicable data protection law.
9. International transfers
Your data may be processed outside Nigeria. Where we transfer data internationally, we ensure appropriate safeguards are in place, including standard contractual clauses approved by relevant supervisory authorities, or transfers to countries recognised as providing adequate protection.
10. Contact & DPO
If you have questions about this policy, concerns about how we handle your data, or wish to exercise your rights, contact our Data Protection Officer at: privacy@permito.ng. You may also write to: Data Protection Officer, Permito Technologies Ltd, Victoria Island, Lagos, Nigeria. If you are not satisfied with our response, you have the right to lodge a complaint with the Nigeria Data Protection Bureau (NDPB).