This page is based on the Nukodes Privacy Policy for customers, users, business contacts, and people whose data may be included in customer business records.
Who We Are
NUKODES LIMITED, RC/CAC 9537506, provides Nukodes, a business-management SaaS and mobile app for Nigerian SMEs. In this Privacy Policy, "Nukodes", "we", "us" and "our" refer to that company.
This Privacy Policy explains how we collect, use, store, disclose, transfer, retain, and protect personal data when customers, administrators, authorised users, business contacts, suppliers, end customers, and website or app visitors use or are included in the Service.
For account administration, billing, product security, analytics, marketing, legal compliance, and support records, Nukodes may act as a controller. For business records uploaded, synced, imported, or configured by a customer, the customer is usually the controller and Nukodes usually acts as a processor or service provider.
Personal Data We Process
The Service is intended for business users and is not directed to children. Customers should not intentionally submit children’s personal data unless they have a lawful basis and written authorisation from Nukodes where required.
Customers should not submit special-category data, biometric data, health data, passwords, CVV/PAN data, government identifiers, private keys, or other high-risk personal data unless a feature expressly requires it and a lawful basis exists.
| Category | Examples |
|---|---|
| Account and identity data | Name, email, phone number, role, login identifiers, organisation membership, support contact details, administrator settings. |
| Organisation and business profile | Business name, branch or location, industry, tax settings, billing details, subscription status, staff roles, settings, and preferences. |
| Contacts and CRM data | Customer, supplier, vendor, contact-person names, phone numbers, emails, addresses, notes, balances, tags, and relationship records. |
| Sales, POS, invoices and inventory | Products, SKUs, prices, stock, batches, discounts, sales, invoices, receipts, returns, payments, and transaction references. |
| Expenses, receipts, imports and OCR | Receipts, images, extracted text, vendor details, expense categories, payables, uploaded files, import rows, and parse status. |
| Treasury, transfers and provider data | Bank/POS provider metadata, account names or numbers where enabled, transaction references, balances, reauthorisation links, transfer records, and connection metadata. |
| Communications and support | Messages, email/SMS/WhatsApp delivery data where enabled, support tickets, diagnostic details, complaints, and data-rights records. |
| Device, usage and security data | Device identifiers, app version, operating system, logs, analytics events, crash details, session records, IP address, user agent, timestamps, and security signals. |
Purposes and Lawful Bases
We process personal data to provide and protect the Service, support customers, operate provider integrations, comply with legal obligations, improve product reliability, and handle data-rights requests.
Where we rely on consent, the person may withdraw consent at any time. Where we rely on legitimate interests, we balance our interests, customer interests, individual rights, processing context, and safeguards.
| Purpose | Examples |
|---|---|
| Provide the Service | Create accounts, authenticate users, sync data, process transactions, generate invoices and reports, manage inventory, and operate customer workspaces. |
| Support and communications | Respond to support requests, send service notices, assist onboarding, and handle account administration. |
| Security and fraud prevention | Detect misuse, unauthorised access, provider abuse, sync anomalies, data-integrity issues, and suspicious transactions. |
| Provider integrations | Connect banking, POS, payment, logistics, communications, tax, OCR, AI, and file-storage providers where configured. |
| Tax, accounting and legal compliance | Maintain invoices, transaction records, audit logs, tax-relevant data, legal holds, and regulator or court responses. |
| Analytics and improvement | Measure feature usage, troubleshoot, improve workflows, prioritise fixes, and create aggregated or de-identified insights. |
| Marketing and product updates | Send product updates, surveys, and commercial communications to business contacts, with opt-out where required. |
| Data rights and complaints | Verify identity, process access, export, deletion, correction, objection requests, and keep request records. |
Local Storage, Offline Sync and Permissions
The mobile app may store selected personal data and business records locally on the device to support offline workflows and faster access. Local data may remain on a device until sync, logout, account removal, app deletion, device reset, or technical cleanup occurs.
PowerSync and related sync infrastructure may synchronise records by user, role, organisation, branch, feature bucket, and permissions. Sync may include profiles, notification preferences, contacts, CRM, inventory, imports, POS, expenses, receipts, invoices, treasury, transfers, reports, provider administration, and reference tax data.
The app may request camera access for scanning receipts or documents, contacts access to help create customer or vendor records where enabled, notifications for operational alerts, and file or media access for uploads.
AI, OCR and Automated Assistance
Where configured, we may use OCR, AI models, parsing tools, rules engines, and automation to extract receipt data, classify records, suggest categories, reconcile imports, generate reports, and improve workflows.
AI/OCR processing may involve providers such as JsonReceipt, Google Gemini, or successors enabled by Nukodes. Data sent to such providers is limited to what is reasonably needed for the feature, subject to provider configuration and applicable data-processing terms.
The Service is intended to assist business operations. Customers and users should review automated outputs before relying on them for financial, tax, employment, legal, lending, or other consequential decisions.
Sharing and Sub-Processors
We may share personal data with recipients where configured, instructed, legally required, or necessary to provide and protect the Service. Actual sub-processors depend on the customer’s plan, enabled features, geography, and current provider configuration.
If a customer connects a provider, invites users, exports data, sends communications, or configures an integration, the customer instructs or authorises the sharing needed for that feature.
- Hosting, database, storage, backups, logs, infrastructure and security services.
- PowerSync and sync infrastructure for offline sync and role or organisation-scoped access.
- Upload, file-storage, automation, analytics, communications, OCR/AI, banking/POS, payment, logistics, tax, app-platform, professional-adviser, regulator, court, and authority recipients where applicable.
Cross-Border Transfers
Some providers, systems, support personnel, or infrastructure may process personal data outside Nigeria. Where we transfer personal data internationally, we aim to use a lawful transfer basis and appropriate safeguards.
Actual transfer locations may vary by provider, hosting region, support location, customer configuration, and feature use. Customers with strict data-residency requirements should obtain a written order form or data-processing agreement before using the affected feature.
Retention, Export and Deletion
We retain personal data for as long as needed for the purposes described in this Policy, customer instructions, active accounts, legal obligations, tax/accounting/audit records, provider obligations, dispute resolution, security, fraud prevention, backups, and legitimate business needs.
When an account-deletion request is verified and accepted, access may be deactivated promptly and deletion or minimisation scheduled, currently using a 30-day operational due-date target, subject to legal holds, security investigations, provider retention, billing records, and statutory record obligations.
Data-export features may provide available account data in a structured format. Security-sensitive, provider-confidential, or high-risk fields may be masked or excluded, including tokens, secrets, passwords, raw provider payloads, OCR text, IP addresses, user agents, signatures, cookies, device contexts, and similar data.
Your Data Protection Rights
Subject to applicable law, identity verification, customer-controller instructions, and permitted limitations, individuals may have rights to make the requests below.
Send requests to admin@nukodes.com. We may need to verify identity, confirm the relevant customer organisation, and route requests about customer-controlled business records to that customer as controller.
- Be informed about personal-data processing.
- Access personal data and receive a copy where applicable.
- Correct inaccurate or incomplete personal data.
- Request deletion or erasure where lawful.
- Object to processing or restrict processing in certain circumstances.
- Withdraw consent where processing is based on consent.
- Request portability where applicable.
- Complain to the Nigeria Data Protection Commission or another competent authority.
Security and Breach Notification
We use commercially reasonable technical and organisational safeguards designed to protect personal data, including access controls, role-based permissions, provider controls, secure development practices, monitoring, backups, incident review, and data-minimisation practices appropriate to the processing risk.
No system can guarantee perfect security, especially where data is processed on customer devices, synced offline, transmitted through providers, or accessed by multiple authorised users. Customers should maintain device security, user governance, staff training, and internal access controls.
Where we become aware of a personal-data breach requiring notification under Nigerian data-protection law, we will take reasonable steps to investigate, mitigate, document, and notify the NDPC within 72 hours where required, and notify affected data subjects without undue delay where the breach is likely to result in high risk.
Marketing, Cookies and Analytics
We may send service notices, security alerts, billing messages, feature updates, product education, surveys, or marketing communications to business contacts. Recipients can opt out of non-essential marketing where required.
Web interfaces and websites may use cookies, local storage, pixels, SDKs, analytics tools, and similar technologies for authentication, preferences, security, analytics, and service improvement.
Mobile analytics, crash reporting, logs, and diagnostics may collect app version, device information, usage events, crash details, and performance data to keep the Service reliable and improve features.
Customer Duties
Customers that use the Service as controllers for their own employees, customers, suppliers, or other contacts should take the steps below.
- Give appropriate privacy notices to individuals whose data is entered, imported, scanned, synced, or connected to the Service.
- Ensure a lawful basis for collecting and processing personal data through the Service.
- Configure roles, permissions, provider connections, exports, and device use according to least-privilege principles.
- Avoid uploading unnecessary, excessive, special-category, child, payment-card, password, or secret data.
- Notify Nukodes promptly of lost devices, unauthorised users, provider compromise, mistaken uploads, or suspected personal-data breaches affecting the Service.
Complaints, Changes and Contact
Individuals may contact us at admin@nukodes.com. They may also complain to the Nigeria Data Protection Commission or another competent authority if they believe their rights have been infringed.
We may update this Privacy Policy to reflect legal, regulatory, provider, operational, or product changes. Material changes will be notified by reasonable means, such as in-product notice, email, website notice, or updated effective date.