Privacy Policy

1. Introduction

CiroStack (“Company,” “we,” “us,” or “our”), operated by Jessy Onah, is committed to protecting the privacy and security of your personal information. This Privacy Policy (“Policy”) describes how we collect, use, disclose, store, and protect information when you:

• Visit our website at cirostack.com (the “Site”)
• Engage with us through contact forms, email, phone, WhatsApp, or social media
• Use our software development services
• Subscribe to our newsletter or marketing communications

This Policy should be read together with our Terms of Service. By accessing the Site or providing us with your information, you acknowledge that you have read and understood this Policy. If you do not agree with our practices, please do not use the Site or provide us with your information.

2. Information We Collect

2.1 Information You Provide Directly

We collect information that you voluntarily provide to us, including:

• Contact Information: Name, email address, phone number, company name, job title, and physical address when you fill out a contact form, request a quote, or initiate a project inquiry.
• Project Information: Business requirements, technical specifications, project briefs, design assets, content, credentials, and other materials you provide in the course of a project engagement.
• Communication Data: The content of emails, WhatsApp messages, chat conversations, and other communications you send to us.
• Payment Information: Billing address, payment method details, and transaction history. Note: We do not directly store credit card numbers or bank account details; payment processing is handled by third-party payment processors.
• Newsletter & Marketing: Your email address and communication preferences when you subscribe to our newsletter or opt in to marketing communications.
• Feedback & Surveys: Responses to surveys, testimonials, reviews, and feedback you provide.

2.2 Information Collected Automatically

When you visit our Site, we may automatically collect certain technical and usage information, including:

• Device Information: Browser type and version, operating system, device type (desktop, mobile, tablet), screen resolution, and device identifiers.
• Usage Data: Pages visited, time spent on pages, click patterns, referring/exit pages, navigation paths, and interaction with Site features.
• Network Information: IP address, approximate geographic location (city/country level, derived from IP), internet service provider, and connection type.
• Cookies & Similar Technologies: Data collected through cookies, web beacons, pixels, and similar tracking technologies (see Section 8 for details).

2.3 Information from Third Parties

We may receive information about you from third-party sources, including:

• Analytics Providers: Aggregated website usage data from analytics services.
• Social Media: Publicly available information from social media profiles if you interact with our social media accounts.
• Referrals: Your name and contact information from business partners, existing clients, or professional networks who refer you to us.

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 Service Delivery

• To respond to your inquiries and provide project quotes
• To perform our software development and consulting services
• To communicate project updates, milestones, and deliverables
• To process payments and manage billing
• To provide post-project support and maintenance

3.2 Site Operation & Improvement

• To operate, maintain, and improve the Site
• To analyse usage patterns and optimize user experience
• To diagnose technical problems and ensure Site security
• To personalize your experience on the Site

3.3 Communication

• To send you service-related notices (e.g., project updates, invoices, security alerts)
• To send marketing communications, newsletters, and promotional materials (only with your consent or where permitted by law)
• To respond to your comments, questions, and requests

3.4 Legal & Compliance

• To comply with applicable laws, regulations, and legal processes
• To enforce our Terms of Service and other agreements
• To protect the rights, property, and safety of CiroStack, our clients, and others
• To detect, prevent, and address fraud, security issues, or technical problems

4. Legal Basis for Processing (GDPR & NDPR)

If you are located in the European Economic Area (EEA), the United Kingdom (UK), or Nigeria, we process your personal data under the following legal bases as required by the General Data Protection Regulation (GDPR), UK GDPR, and the Nigeria Data Protection Regulation (NDPR):

• Contractual Necessity: Processing necessary for the performance of a contract with you or to take steps at your request before entering into a contract (e.g., providing Services, processing payments).
• Consent: Where you have given clear consent for us to process your personal data for a specific purpose (e.g., marketing communications, newsletter subscriptions). You may withdraw your consent at any time.
• Legitimate Interests: Processing necessary for our legitimate business interests, provided these interests are not overridden by your rights and freedoms (e.g., improving our Site, fraud prevention, business analytics).
• Legal Obligation: Processing necessary to comply with a legal obligation to which we are subject (e.g., tax reporting, responding to lawful data access requests).

5. Data Sharing & Disclosure

We do not sell, rent, or trade your personal information to third parties for their marketing purposes. We may share your information only in the following circumstances:

5.1 Service Providers

We may share your information with trusted third-party service providers who perform services on our behalf, including:

• Cloud hosting and infrastructure providers
• Payment processors
• Email delivery services
• Analytics providers
• Customer relationship management (CRM) tools
• Communication platforms (e.g., WhatsApp Business API)

These providers are contractually obligated to use your information only for the purposes for which we disclose it to them and are required to maintain the confidentiality and security of your data.

5.2 Contractors & Collaborators

In the course of delivering Services, we may share project-related information with contractors, freelancers, or partner agencies who are engaged to assist with your project. All such parties are bound by confidentiality agreements.

5.3 Legal Requirements

We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or where we believe disclosure is necessary to: (a) comply with applicable law or a court order; (b) protect the rights, property, or safety of CiroStack, our clients, or the public; (c) detect, prevent, or address fraud, security issues, or technical problems; or (d) enforce our Terms of Service.

5.4 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.

5.5 With Your Consent

We may share your information for other purposes with your explicit consent.

6. Data Retention

We retain your personal information only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements. Specific retention periods are as follows:

• Client project data: Retained for the duration of the project engagement and for five (5) years after project completion, to support warranty obligations, potential disputes, and ongoing client relationships.
• Contact and inquiry data: Retained for two (2) years from the date of last interaction if no project engagement follows.
• Payment and billing records: Retained for seven (7) years as required by applicable tax and accounting laws.
• Marketing and newsletter data: Retained until you unsubscribe or request deletion.
• Website analytics data: Retained in anonymized or aggregated form for up to twenty-six (26) months.

When personal information is no longer needed, we will securely delete or anonymize it. Anonymized data that can no longer be associated with an individual may be retained indefinitely for statistical and analytical purposes.

7. Data Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit using TLS/SSL protocols
• Encryption of sensitive data at rest
• Access controls and authentication requirements for systems containing personal data
• Regular security assessments and vulnerability testing
• Confidentiality agreements with all employees, contractors, and service providers who access personal data
• Secure disposal of data when no longer needed

While we take reasonable precautions to protect your information, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security. If you have reason to believe that your interaction with us is no longer secure, please contact us immediately.

8. Cookies & Tracking Technologies

Our Site may use cookies and similar tracking technologies to enhance your experience and collect information about how the Site is used.

8.1 Types of Cookies We Use

• Strictly Necessary Cookies: Essential for the Site to function properly. These cookies enable core functionalities such as page navigation and access to secure areas. The Site cannot function properly without these cookies, and they cannot be disabled.
• Analytics Cookies: Help us understand how visitors interact with the Site by collecting and reporting information anonymously. This helps us improve the Site’s structure and content.
• Functional Cookies: Enable enhanced functionality and personalization, such as remembering your preferences (e.g., language, region) and providing more relevant features.
• Marketing Cookies: Used to track visitors across websites to display relevant advertisements. These are only set with your consent.

8.2 Managing Cookies

You can control and manage cookies through your browser settings. Most browsers allow you to refuse or delete cookies. Please note that disabling cookies may affect the functionality of certain parts of the Site. For more information on managing cookies, visit your browser’s help documentation.

8.3 Do Not Track

Some browsers offer a “Do Not Track” (“DNT”) signal. There is currently no industry standard for recognizing or honouring DNT signals. At this time, we do not respond to DNT signals. If a standard is established in the future, we will revisit this practice.

9. Your Privacy Rights

Depending on your location, you may have certain rights regarding your personal information under applicable data protection laws, including the GDPR, UK GDPR, NDPR, CCPA/CPRA, and other applicable legislation.

9.1 Rights Under GDPR, UK GDPR & NDPR

If you are located in the EEA, UK, or Nigeria, you have the following rights:

• Right of Access: You have the right to request a copy of the personal data we hold about you.
• Right to Rectification: You have the right to request correction of inaccurate or incomplete personal data.
• Right to Erasure (“Right to Be Forgotten”): You have the right to request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the purpose it was collected.
• Right to Restriction of Processing: You have the right to request that we restrict the processing of your personal data in certain circumstances.
• Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.
• Right to Object: You have the right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes.
• Right to Withdraw Consent: Where processing is based on consent, you have the right to withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
• Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority. In Nigeria, this is the National Information Technology Development Agency (NITDA).

9.2 Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

• Right to Know: You have the right to request information about the categories and specific pieces of personal information we have collected, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share personal information.
• Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions.
• Right to Correct: You have the right to request correction of inaccurate personal information.
• Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising. If this practice changes, we will provide a “Do Not Sell or Share My Personal Information” link.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.

9.3 Exercising Your Rights

To exercise any of the above rights, please contact us using the information provided in Section 14 below. We will respond to your request within the timeframe required by applicable law (typically 30 days for GDPR/NDPR and 45 days for CCPA/CPRA). We may need to verify your identity before processing your request.

If you have authorized an agent to submit a request on your behalf, we may require the agent to demonstrate that they have been validly authorized to act on your behalf.

10. International Data Transfers

CiroStack operates primarily from Nigeria and may process data in, or transfer data to, other countries where our service providers are located. If you are located outside Nigeria, please be aware that your information may be transferred to, stored, and processed in Nigeria or other jurisdictions that may have different data protection laws than your country of residence.

Where we transfer personal data from the EEA or UK to a country that has not been deemed to provide an adequate level of data protection, we will implement appropriate safeguards as required by applicable law, such as:

• Standard Contractual Clauses (SCCs) approved by the European Commission or the UK Information Commissioner’s Office
• Binding Corporate Rules (where applicable)
• Your explicit consent to the transfer, after being informed of the possible risks

You may request a copy of the safeguards in place by contacting us using the information in Section 14.

11. Children’s Privacy

Our Site and Services are not directed to individuals under the age of sixteen (16), or under the age of thirteen (13) in jurisdictions where that threshold applies (such as the United States under COPPA). We do not knowingly collect personal information from children.

If we become aware that we have collected personal information from a child without appropriate parental consent, we will take steps to delete such information promptly. If you believe that we have inadvertently collected information from a child, please contact us immediately using the information in Section 14.

12. Third-Party Links & Services

Our Site may contain links to third-party websites, services, or applications (e.g., social media profiles, partner websites, payment platforms). This Privacy Policy does not apply to those third-party services. We encourage you to read the privacy policies of any third-party services you visit or use.

We are not responsible for the privacy practices, content, or security of any third-party websites or services linked from our Site. The inclusion of a link does not imply our endorsement of the linked site.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational, legal, or regulatory reasons. When we make material changes, we will:

• Update the “Last Updated” date at the top of this Policy
• Post the updated Policy on the Site
• Where required by law or where changes are significant, provide additional notice (e.g., a prominent notice on the Site or an email notification)

We encourage you to review this Policy periodically. Your continued use of the Site or Services after the posting of changes constitutes your acceptance of the updated Policy. If you do not agree with the changes, you should stop using the Site and contact us to request deletion of your data.

14. Contact Information & Data Controller

CiroStack is the data controller responsible for your personal information. For any questions, concerns, or requests regarding this Privacy Policy or the handling of your personal data, please contact us at:

We will endeavour to respond to all legitimate requests within thirty (30) days. In certain circumstances, it may take us longer if your request is particularly complex or you have made multiple requests, in which case we will notify you and keep you updated on progress.

15. Supplemental Notices for Specific Jurisdictions

15.1 Nigeria (NDPR/NDPA)

This Policy complies with the Nigeria Data Protection Regulation (NDPR) 2019 and the Nigeria Data Protection Act (NDPA) 2023. As a data controller, CiroStack processes personal data in accordance with the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, and accountability. Nigerian data subjects may exercise their rights under the NDPR/NDPA by contacting us at the details above or by filing a complaint with NITDA.

15.2 European Economic Area & United Kingdom

If you are in the EEA or UK, you have the right to lodge a complaint with your local data protection supervisory authority if you believe we have not complied with applicable data protection laws. A list of EEA supervisory authorities is available at ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm. For the UK, you may contact the Information Commissioner’s Office (ICO) at ico.org.uk.

15.3 California, USA

Under the CCPA/CPRA, California residents are entitled to the disclosures set forth in Section 9.2. In the preceding twelve (12) months, we have collected the categories of personal information described in Section 2 for the business purposes described in Section 3. We have not sold personal information. For the “right to know” or “right to delete,” contact us at the details in Section 14.

15.4 Other Jurisdictions

If you are located in a jurisdiction with specific data protection requirements not addressed above (e.g., Brazil’s LGPD, South Africa’s POPIA, Canada’s PIPEDA), we will comply with the applicable local requirements to the extent they apply to our processing of your data. Please contact us if you have jurisdiction-specific questions or requests.