Privacy Policy
Effective 12 May 2026 · Last reviewed 18 May 2026
The Diaspora Together Trust and Support Association ("DTTASA", "we", "our") operates the DTTASA Portal at portal.dttasa.org and its iOS / Android apps. This policy explains what personal data we collect, why, how long we keep it, who we share it with, and the rights you have over it. It is written to comply with the Nigeria Data Protection Act 2023 (NDPA), the EU/UK GDPR where applicable, and the Apple App Store Review Guidelines.
1. Who this policy applies to
It applies to anyone who creates a DTTASA Portal account — including staff, volunteers, interns, governance members, prospective applicants, and contractors. It also applies to people who interact with the Portal without an account (for example, a candidate signing a conditional offer letter via an email link).
2. Data we collect
| Category | Examples | Why |
|---|---|---|
| Identity | Full name, email, phone, date of birth, photograph | Account creation, identification, internal directory |
| Employment | Role, department, contract type, start date, line manager, working hours | HR operations, rota planning, leave entitlement |
| Compliance | NIN/BVN where required, right-to-work documents, references, qualifications, disciplinary records | Statutory record-keeping under NDPA 2023 and Nigerian labour law |
| Operational | Shift logs, leave requests, sickness records, performance reviews, training records, appraisals | Running day-to-day people operations |
| Device & technical | IP address, device type, browser, country (from IP), push notification token, biometric flag (Face ID / Touch ID on/off — the biometric itself never leaves the device) | Security, abuse prevention, push delivery |
| Location (iOS / Android app only) | Approximate GPS at the moment you clock in or out of a shift | Verifying shift location while clocked in. Only captured during an active shift action; never in the background. |
| Camera / Photo Library (iOS / Android app only) | Photographs you choose to attach to a profile, leave request or HR case | Only when you explicitly tap to attach a photo |
| Microphone (iOS / Android app only) | Voice notes you choose to attach to an HR case | Only when you explicitly tap to record |
3. How we collect it
- Directly from you when you register, edit your profile, apply for a role or submit any form.
- Automatically when you use the Portal (shift logs, audit events, IP, device).
- From your line manager or HR when they record contractual data, performance reviews, or disciplinary action.
4. Legal bases (NDPA / GDPR)
- Contract — we need the data to perform your employment, volunteer or contractor agreement.
- Legal obligation — Nigerian labour, tax and statutory reporting law.
- Legitimate interests — internal directory, security, abuse prevention.
- Consent — push notifications, biometric unlock, location-tagged shift clock-in, photo/microphone attachments. You can withdraw any of these at any time without affecting your account.
5. Who we share data with
We do not sell personal data. We share only with the following processors, who act under written agreements:
- Google Firebase (Authentication, Firestore, Cloud Functions, Storage, App Check, Hosting, Cloud Messaging) — our core infrastructure provider. Data is stored in Google's europe-west1 region.
- Google Workspace (Gmail) — for staff @dttasa.org email accounts and shared drives.
- Apple — only for push notifications via APNs when you use the iOS app.
- Our auditors, legal advisors and regulators — only when legally required.
We never share your data with advertisers, data brokers, or analytics platforms. The Portal does not use Google Analytics, Meta/Facebook Pixel, Mixpanel, or any third-party tracking SDK.
6. International transfers
Where data is transferred outside Nigeria (for example, to Google's EU data centres), the transfer is covered by Standard Contractual Clauses with the processor and an equivalent level of protection under NDPA 2023 §41.
7. How long we keep it
- Active staff records — for the duration of your engagement.
- After offboarding — 7 years (statutory retention for tax, pension and disciplinary records under Nigerian labour law).
- Unsuccessful applicant records — 12 months from final decision, then permanently deleted.
- Audit logs — 7 years.
- Push notification tokens — replaced on each device install; deleted when you sign out or revoke the app.
8. Your rights
Under the NDPA 2023 and GDPR you have the right to:
- Access the personal data we hold about you.
- Rectify inaccuracies.
- Erasure ("right to be forgotten") — subject to our statutory retention obligations.
- Portability — request a copy in a machine-readable format.
- Object to processing based on legitimate interests.
- Withdraw consent for optional features (push, biometric, location) at any time from the Portal Settings.
- Lodge a complaint with the Nigeria Data Protection Commission (NDPC).
Deleting your account
You can request account deletion at any time from My Hub → Settings → Delete My Account, or by emailing privacy@dttasa.org. Your authentication record, personal profile and chat history are removed within 30 days. Records we are required to retain by law (e.g. payroll, statutory disciplinary records) are placed in a locked archive and access-restricted to the Data Protection Officer for the remainder of the statutory period.
9. Security
- All traffic is encrypted in transit (TLS 1.2+).
- All data at rest in Firebase is encrypted with AES-256.
- Authentication uses Firebase Auth with PIN and optional Face ID / Touch ID. Biometric data never leaves your device.
- Firestore and Storage access is governed by per-collection security rules and Firebase App Check on production reads.
- We log every privileged action to an audit trail kept for 7 years.
10. Children
The DTTASA Portal is for users aged 18 and above. We do not knowingly collect data from anyone under 18. If you believe we have, please contact us and we will delete it.
11. Location services — detailed disclosure (iOS / Android apps)
Location data on the DTTASA Portal mobile applications is treated with the highest level of restriction. This section sets out exactly what is collected, when, why, and how you can control it.
- What is collected — a latitude and longitude coordinate (precise to within a few metres) at the moment you tap "Clock In" or "Clock Out" on the timer feature, and a periodic presence ping (every few minutes) while you have an active shift open.
- When it is collected — only while the app is in the foreground and only while a shift action is in progress. The app never accesses location while it is closed or in the background.
- Why it is collected — to verify that staff and volunteers are clocking in at the expected workplace, to allow line managers to confirm attendance, and to support fair pay and rota compliance.
- Who can see it — only your line manager, the HR department, and the Operations dashboard, all of whom are bound by Section 4 (Confidentiality) of our Terms of Service. The data is never visible to other colleagues or to anyone outside your DTTASA reporting line.
- Who it is shared with — no one. Location is not shared with advertisers, analytics platforms, data brokers, or any third party. It is stored only inside DTTASA's Firestore database in Google's europe-west1 region under the same Standard Contractual Clauses described in Section 6.
- Retention — location coordinates are stored alongside the shift log they verify. They are retained for the same period as the shift log itself (see Section 7), and are deleted in the same operation when the shift log is deleted.
- How to revoke — at any time you can deny or withdraw location permission via your device's system Settings (iOS: Settings → Privacy & Security → Location Services → DTTASA Portal; Android: Settings → Apps → DTTASA Portal → Permissions). Revoking location permission does not affect any other Portal feature. Your manager will simply confirm attendance manually.
- What we do not do — we do not draw routes, we do not store location history outside the per-shift point captures, we do not infer your home address from location data, we do not run geofenced advertising, and we do not use location data to make any automated decision that affects you.
12. Apple App Store disclosures
If you use the iOS app, the following permissions are requested only when needed and may be denied without affecting other features:
- Face ID / Touch ID — optional unlock; toggle from Settings.
- Camera — only when you attach a photo.
- Photo Library — only when you attach a photo.
- Microphone — only when you record a voice note.
- Location (when in use) — only at clock-in/clock-out, never in the background.
- Push Notifications — for announcements, leave decisions and HR alerts.
None of this data is used for advertising, tracking, or any purpose outside the DTTASA Portal.
13. Changes to this policy
We will notify you in-app and by email at least 14 days before any material change. The "Last reviewed" date at the top of this page is always current.
14. Contact
Data Protection Officer
Diaspora Together Trust and Support Association
Email: privacy@dttasa.org
General queries: info@dttasa.org