Innov8 Hub

Facebook-f Instagram Linkedin Youtube

Privacy Policy

1

Introduction

At Innov8 Technology Hub Ltd/Gte (“Innov8 Hub”, “we”, “our”, or “us”), your privacy is at the core of everything we do. This Privacy Policy explains how we collect, use, share, and protect your personal data when you interact with us through our website, innovation programs, services, and events.

We recognize that the trust of our users, partners, startups, employees, and the general public is fundamental to our mission of empowering individuals, organizations and communities to localise innovation and scale homegrown solutions. Protecting personal information is therefore not only a legal obligation but also an ethical responsibility that underpins our operations, programs, and collaborations.

To ensure that your rights and freedoms are respected at all times, we align our practices with international best standards and applicable laws and regulations. Our compliance framework is guided by the following legal instruments: 

  1.  Nigeria Data Protection Act (NDPA) 2023
    • This Act establishes the principal legal framework for the protection of personal data in Nigeria.
    • It sets out the obligations of data controllers and processors, the rights of data subjects, and the role of the Nigeria Data Protection Commission (NDPC) in ensuring compliance.

Innov8 Hub is committed to full compliance with the NDPA by adopting lawful bases for data processing, ensuring data minimization, maintaining transparency, and upholding data subjects’ rights such as access, rectification, and erasure.

2.  Nigeria Data Protection Regulation (NDPR) 2019 (as amended)

    • As the precursor to the NDPA, the NDPR laid the foundation for structured data protection practices in Nigeria.
    • We continue to integrate the principles of the NDPR into our operations, including privacy by design, consent management, and secure data handling practices.

3.  Cybercrimes (Prohibition, Prevention, etc.) Act 2015

    • This legislation provides a framework for addressing cybercrimes, protecting critical national information infrastructure, and ensuring the safe use of digital technologies.

At Innov8 Hub, we adopt security measures consistent with this Act, including encryption, access controls, and proactive monitoring to prevent unauthorized access, data breaches, and cyber threats.

4.  General Data Protection Regulation (GDPR) – where applicable

    • As an innovation hub with international collaborations, we recognize that some of our activities may involve interactions with partners, startups, or stakeholders within the European Union (EU).

In such cases, we apply the provisions of the GDPR, particularly in cross-border data transfers, ensuring that the same level of protection guaranteed within the EU is extended to affected data subjects.

By adhering to these laws and frameworks, Innov8 Hub demonstrates its commitment to accountability, transparency, and responsibility in data protection. We not only comply with legal requirements but also proactively work to embed privacy into the culture of our organization through continuous staff training, policy reviews, and technological safeguards.

Your personal data is handled with the utmost care, and our compliance with these laws reinforces our pledge to safeguard your information while supporting innovation, creativity, and entrepreneurship in Nigeria and beyond.

2

Information We Collect

We collect information to deliver our services effectively, improve user experience, enhance security, and fulfill our legal and contractual obligations. The nature and scope of information we collect depend on the specific ways you engage with Innov8 Hub, whether through our website, programs, innovation challenges, training initiatives, funding applications, or partnership activities.

a. Information You Provide

You may voluntarily provide us with personal data in the course of engaging with our services. This happens when you:

  • Apply for a program, training, or innovation challenge.

  • Contact us via online forms, emails, or physical correspondence.

  • Register or attend our physical and virtual events, seminars, or workshops.

  • Apply for a job, internship, fellowship, or partnership with Innov8 Hub.

  • Submit applications for funding, incubation, or acceleration support.

  • Make payments for services, certifications, or program-related fees.

The types of personal data you may provide include, but are not limited to:

 

  • Personal Identifiers: Full name, date of birth, gender, nationality.

  • Contact Information: Email address, phone number, residential or business address.

  • Identity Verification Data: National Identification Number (NIN), passport number, driver’s license, or other government-issued ID where required.

  • Professional & Business Information: Employment history, CVs/resumes, professional qualifications, and references.

  • Startup & Innovation Details: Company or startup name, pitch decks, business plans, intellectual property details, registration documents, and funding history.

  • Financial & Transactional Data: Payment details (bank account, debit/credit card information), billing address, and records of transactions made with us.

  • Multimedia Data: Photographs, videos, or recordings submitted during events, programs, or media engagements.

This information is collected to process your applications, evaluate eligibility, personalize your experience, facilitate communication, and fulfill regulatory obligations.

b. Automatically Collected Information

When you visit or interact with our website, digital platforms, or online services, we automatically collect technical and usage-related data through cookies, log files, and analytics tools. This data helps us analyze trends, secure our systems, optimize user experience, and monitor engagement.

Examples of automatically collected data include:

 

  • Device and Technical Information: Internet Protocol (IP) address, browser type and version, device type (desktop, tablet, mobile), operating system, and network provider.

  • Usage Data: Pages or sections of our website visited, time and duration of sessions, clickstream patterns, search queries, navigation paths, and referring/exit pages.

  • Performance Data: Loading times, error logs, system crashes, and performance statistics.

  • Location Data: Approximate geographic location inferred from your IP address, subject to your device and browser settings.

  • Cookies & Tracking Technologies: Information stored via cookies, beacons, and pixels that help remember preferences, improve personalization, and deliver targeted content.

While this data does not always directly identify you, it may be combined with other information to create a clearer understanding of your interaction with Innov8 Hub’s digital platforms.

c. Third-Party Data

In certain circumstances, we receive personal information about you from trusted third parties to verify your details, process applications, or support collaborative programs. This may include:

  • Program Partners & Collaborators: Data shared by universities, accelerators, incubators, NGOs, or corporate partners when you are nominated or enrolled in joint programs.

  • Government Agencies & Regulators: Data for compliance, due diligence, or verification of identity, tax status, corporate registration, or intellectual property rights.

  • Payment Service Providers: Information confirming successful transactions, billing details, and fraud-prevention checks.

  • Recruitment Platforms & Employers: Data related to your professional history or qualifications during job applications.

  • Social Media & Professional Platforms: Publicly available or shared data from platforms like LinkedIn, Twitter, or GitHub, particularly when evaluating applicants’ professional profiles or innovation projects.

We only process third-party data in accordance with applicable laws, contractual obligations, and this Privacy Policy, ensuring that the integrity and confidentiality of your personal information are preserved at all times.

3

How We Use Your Information

We use the personal data we collect to deliver our services effectively, enhance user experience, fulfill contractual obligations, comply with legal requirements, and strengthen our innovation ecosystem. Each category of data is processed lawfully, fairly, and transparently, in line with our commitment to protecting your privacy.

Specifically, we use your information for the following purposes:

1. Processing Applications and Onboarding Participants

  • Reviewing applications for programs, challenges, incubation, acceleration, or funding opportunities.

  • Verifying identity and eligibility through submitted documents and third-party checks.

  • Assessing startups’ business models, market potential, and team capacity.

  • Managing enrollment, registration, and attendance for events, workshops, and training sessions.

  • Facilitating smooth onboarding processes by creating participant profiles, granting access to resources, and assigning mentors or support staff.

2. Communicating with You About Programs and Updates

  • Sending confirmation emails, reminders, and updates about applications, selection processes, and program milestones.

  • Notifying you about upcoming events, workshops, deadlines, and partnership opportunities.

  • Responding to inquiries, requests for information, and customer support issues.

  • Providing feedback or evaluation results after participation in a program or innovation challenge.

  • Maintaining open communication channels to build trust and engagement with startups, partners, and stakeholders.

3.  Improving Our Website and Services

  • Analyzing website traffic, navigation patterns, and user behavior to improve functionality and user experience.

  • Testing new features, tools, or service improvements based on collected feedback and usage data.

  • Identifying and resolving technical issues, errors, or security vulnerabilities.

  • Personalizing website content, recommendations, and navigation based on your interaction history.

  • Ensuring compatibility across multiple devices, browsers, and operating systems.

4. Sending Newsletters, Promotions, and Relevant Content

  • Sharing newsletters, reports, case studies, and industry insights to keep you informed.

  • Delivering targeted communications about innovation opportunities, competitions, and grants.

  • Promoting events, training sessions, and partnership programs aligned with your interests.

  • Offering special deals, sponsorships, or funding opportunities available through Innov8 Hub or its partners.

  • Allowing you to opt in or out of marketing communications in accordance with data protection regulations.

5. Conducting Monitoring and Evaluation

  • Tracking participant performance, engagement, and outcomes during and after programs.

  • Measuring the effectiveness and impact of programs, services, and interventions.

  • Compiling reports and statistics for internal use, donors, investors, and stakeholders.

  • Conducting surveys, focus groups, and feedback sessions to understand user satisfaction and areas of improvement.

  • Benchmarking progress across startups, teams, and cohorts to inform future program design.

6. Enforcing Our Policies and Complying with Legal Obligations

  • Ensuring compliance with Innov8 Hub’s terms of service, code of conduct, and program rules.

  • Detecting, investigating, and preventing fraudulent or unauthorized activities.

  • Protecting intellectual property rights, confidentiality, and contractual agreements.

  • Responding to lawful requests from government authorities, regulators, or courts.

  • Fulfilling obligations under applicable laws such as the Nigeria Data Protection Act (NDPA 2023), NDPR 2019, Cybercrimes Act 2015, and where applicable, the GDPR.

7. Analyzing Aggregated Usage Patterns

  • Collecting and analyzing anonymized or aggregated data to identify trends in innovation, entrepreneurship, and ecosystem growth.

  • Understanding how different user groups interact with our services to refine engagement strategies.

  • Measuring the reach, accessibility, and inclusivity of our programs across different demographics and regions.

  • Supporting evidence-based decision-making, research, and policy advocacy in the innovation ecosystem.

  • Sharing high-level insights (without identifying individuals) with partners, funders, and stakeholders to demonstrate program impact.

In line with the Nigeria Data Protection Act (NDPA) 2023, the Nigeria Data Protection Regulation (NDPR) 2019 (as amended), and, where applicable, the General Data Protection Regulation (GDPR), Innov8 Hub ensures that all personal data is processed on a lawful, fair, and transparent basis. We do not collect or process personal data without a clearly defined legal ground. Depending on the context, our legal bases include the following:

1. Consent

We may process your personal data where you have freely, knowingly, and explicitly given us permission to do so. Consent is typically obtained through digital or physical forms, opt-in mechanisms, or written agreements.

 

Examples:

  • Submitting an application form for participation in an innovation program or competition.

  • Registering for our newsletter, email updates, or event notifications.

  • Granting us permission to use photos, videos, or testimonials for promotional or educational purposes.

    Your Rights:

  • You may withdraw your consent at any time, without affecting the lawfulness of processing already carried out.

  • Withdrawal can be done by contacting us through the communication channels provided in this Policy.

2. Contract

We process your data when it is necessary to perform a contract or fulfill obligations tied to agreements you enter with us. This includes both formal contracts and program participation agreements.

 

Examples:

  • Managing your registration and participation in incubation, acceleration, or innovation challenges.

  • Providing mentorship, training, facilities, and resources agreed upon in the program.

  • Processing payments, reimbursements, or funding support tied to program participation.

  • Sharing relevant information with mentors, trainers, or partners to ensure the delivery of services promised under the agreement.

3. Legal Obligation

We may process your personal data where required to comply with a legal or regulatory requirement. Compliance ensures that Innov8 Hub operates within the law while safeguarding the rights and interests of stakeholders.

 

Examples:

  • Responding to valid requests from law enforcement, regulators, or government authorities.

  • Maintaining accurate records for tax, auditing, and statutory reporting purposes.

  • Complying with anti-money laundering (AML) and counter-terrorism financing (CTF) regulations when handling funding or investment-related transactions.

  • Meeting requirements under Nigerian laws such as the NDPA 2023, NDPR 2019, and Cybercrimes Act 2015.

4. Legitimate Interest

We may process your data where it is reasonably necessary to pursue our legitimate business interests, provided these interests are not overridden by your fundamental rights and freedoms. This ground allows us to improve, secure, and sustain our services for the benefit of startups, partners, and the broader innovation ecosystem.

 

Examples:

  • Improving user experience on our website through analytics and feedback.

  • Securing our digital platforms against fraud, cyberattacks, and unauthorized access.

  • Developing new services, features, or opportunities that align with your interests.

  • Engaging with alumni, investors, and partners to foster long-term ecosystem relationships.

    Safeguards:

  • Where legitimate interest is relied upon, we always assess the potential impact on your privacy and put measures in place to minimize risks.

5. Public Interest

We may process personal data where it is necessary to carry out tasks that serve the public interest or support national development, innovation, and technological advancement.

 

Examples:

  • Partnering with government institutions, universities, and international organizations to promote research, innovation, and entrepreneurship.

  • Using aggregated, anonymized data to inform policy recommendations, ecosystem reports, and development strategies.

  • Conducting training, workshops, and initiatives that contribute to national capacity-building in science, technology, and innovation.

  • Supporting initiatives aligned with the United Nations Sustainable Development Goals (SDGs), especially in education, innovation, and economic development.
5

Sharing Your Information

At Innov8 Hub, we recognize that your personal data is sensitive and valuable, and we are committed to handling it responsibly. We do not, under any circumstances, sell, trade, or rent your personal data to third parties for marketing or commercial purposes. However, in certain circumstances, we may share your information with trusted parties, always under strict confidentiality obligations and in accordance with the Nigeria Data Protection Act (NDPA) 2023, the Nigeria Data Protection Regulation (NDPR) 2019 (as amended), the Cybercrimes Act 2015, and other applicable data protection laws.

When sharing your personal data, we ensure that appropriate Data Processing Agreements (DPAs) or equivalent legal safeguards are in place. These agreements impose strict duties on third parties to use the information solely for the specified purpose, implement robust security measures, and respect your rights.

We may share your information with the following categories of recipients:

1. Service Providers

We engage carefully selected third-party service providers to support our operations, deliver our programs, and improve our services. These providers are given access only to the information necessary to perform their functions and are prohibited from using it for any other purpose.

 

Examples include:

  • Cloud hosting and storage providers (for secure data storage and backup).

  • Customer Relationship Management (CRM) platforms (for managing applications, communication, and participant engagement).

  • Analytics providers (for monitoring website traffic, performance, and usage trends).

  • IT support, cybersecurity firms, and technical consultants.

Safeguards:

  • Providers are vetted for compliance with NDPA and NDPR.

  • Data shared is often pseudonymized or minimized to protect your identity.

2. Program Partners   

As an innovation hub, collaboration is central to our mission. We may share limited personal data with program partners who co-host, fund, or support our initiatives, but only to the extent necessary to fulfill program objectives.

 

Examples include:

  • Universities collaborating on research, incubation, or training programs.

  • Accelerators, investors, and venture capital firms evaluating startups for funding opportunities.

International development organizations supporting national innovation projects.

Purpose of Sharing:

  • To evaluate eligibility for grants, investments, or program placements.

  • To provide mentorship, exposure, and access to resources.

  • To strengthen partnerships that benefit startups and participants.

Safeguards:

  • Data is shared under Memoranda of Understanding (MoUs), Partnership Agreements, and DPAs.

  • Partners must uphold strict confidentiality and data protection standards.

3. Government and Regulatory Authorities

We may be legally required to share certain personal data with government agencies, regulators, or law enforcement authorities. Such disclosures are made strictly in line with the law and only when necessary.

 

Examples include:

  • Submitting reports to regulatory agencies such as the Nigeria Data Protection Commission (NDPC).

  • Responding to lawful requests from courts, tax authorities, or security agencies.

  • Verifying the identity of participants under anti-money laundering (AML) and counter-terrorism financing (CTF) requirements.

Safeguards:

  • Only the minimum required data is disclosed.

  • Disclosures are documented and reviewed to ensure legal compliance.

4. Legal Advisors, Auditors, and Professional Consultants

We may share information with our legal counsel, auditors, and consultants for the purposes of legal compliance, dispute resolution, financial auditing, and risk management.

 

Examples include:

  • Engaging auditors to verify compliance with financial and statutory reporting obligations.

  • Consulting with lawyers to resolve disputes, enforce our rights, or protect against legal liability.

  • Engaging compliance experts to review and strengthen our data protection framework.

Safeguards:

  • All professional advisors are bound by confidentiality obligations under law and contract.

5. International Transfers

In certain cases, your personal data may be transferred to third parties or partners located outside Nigeria. Where such transfers occur, we ensure compliance with the NDPA 2023, NDPR 2019, and (where applicable) GDPR, by:

  • Using countries that provide an adequate level of protection, or

  • Putting in place appropriate safeguards such as Standard Contractual Clauses (SCCs), DPAs, or binding agreements.
6

Data Transfers

At Innov8 Hub, we recognize that personal data may sometimes need to be transferred beyond Nigeria’s borders, particularly as we collaborate with international partners, investors, universities, and technology providers. However, we treat cross-border data transfers with the highest level of caution and diligence, ensuring that your data remains secure and protected regardless of where it is processed.

In line with the Nigeria Data Protection Act (NDPA) 2023, the NDPR 2019 (as amended), and (where applicable) the General Data Protection Regulation (GDPR), we only transfer data outside Nigeria under strict legal and technical safeguards.

We ensure that your data may only be transferred outside Nigeria under the following circumstances:

1. Adequacy Decisions

  • Your personal data may be transferred to countries or regions that the Nigeria Data Protection Commission (NDPC), or other recognized authorities, have determined to provide an “adequate” level of protection comparable to Nigeria’s data protection framework.

  • Adequacy assessments typically consider whether the destination country has strong privacy laws, independent supervisory authorities, and enforceable rights for individuals.

  • Example: If Innov8 partners with an EU-based university, transfers may be made under the EU’s GDPR adequacy standard, which Nigeria aligns with through reciprocity.

2. Standard Contractual Clauses (SCCs)

Where the destination country does not have an adequacy decision, Innov8 Hub requires the use of Standard Contractual Clauses (SCCs) or equivalent legal agreements approved by regulators.

SCCs are legally binding agreements that compel the receiving party to:

  • Process data only for specified purposes.

  • Maintain the same level of protection as provided under Nigerian law.

  • Implement technical and organizational measures (e.g., encryption, limited access controls).

These clauses ensure that your personal data enjoys continuous protection, regardless of where it is transferred.

3. Explicit Consent

In certain circumstances, we may transfer your personal data outside Nigeria only when you have given clear, informed, and explicit consent.

Before obtaining such consent, we will inform you of:

  • The purpose of the transfer.

  • The risks involved (if the destination country lacks strong data protection safeguards).

  • Your right to withdraw consent at any time without affecting prior lawful transfers.

Example: If a startup participant applies to an international accelerator program, we may request their permission before sharing relevant details with the foreign organizers.

4. Compelling Public Interest

In rare cases, we may transfer data outside Nigeria if such transfer is deemed necessary for overriding public interest reasons, such as:

  • Advancing national development objectives.

  • Promoting education, research, and innovation in the tech ecosystem.

  • Responding to international legal obligations or emergencies (e.g., global cybersecurity threats).

  • Such transfers will only occur after careful review to ensure proportionality and compliance with applicable laws.

5. Technical and Contractual Safeguards

Regardless of the legal basis, all cross-border data transfers are accompanied by strong technical, organizational, and contractual safeguards, including:

  • Encryption of data in transit and at rest.

  • Access controls that restrict data to authorized personnel only.

  • Data minimization, ensuring only necessary information is shared.

  • Ongoing monitoring and audits of foreign partners to confirm compliance.

  • Binding Data Processing Agreements (DPAs) with all foreign processors.

These safeguards ensure that your personal data remains protected against unauthorized access, misuse, or breaches, even when processed abroad.

7

Your Rights and Controls

At Innov8 Hub, we believe that your personal data belongs to you, and we are committed to ensuring that you retain meaningful control over how it is collected, used, and shared. In line with the Nigeria Data Protection Act (NDPA) 2023, the NDPR 2019 (as amended), and applicable international standards such as the GDPR, you are entitled to exercise several rights over your personal information. These rights empower you to hold us accountable and make informed choices about your privacy.

Below are your rights and how they apply:

1. Right of Access

You have the right to request confirmation as to whether Innov8 Hub is processing your personal data.

 

If so, you may request access to a copy of the data we hold about you, as well as details of:

 

  • The categories of data collected.
  • The purposes for which the data is used.
  • The recipients (or categories of recipients) with whom the data may be shared.
  • The retention period for your data.

 

We will provide this information in a structured, transparent, and understandable format.

 

2. Right to Rectification (Correction of Data)

  • You have the right to request correction of any inaccurate, outdated, or incomplete personal data we hold about you.

  • For example, if your contact details or employment information change, you can ask us to update our records accordingly.

This ensures that the data Innov8 Hub uses is always accurate and relevant.

3. Right to Erasure (Right to be Forgotten)

  • You can request the deletion of your personal data under certain conditions, such as:

    • When the data is no longer necessary for the purposes it was collected.

    • If you withdraw your consent and there is no other legal basis for processing.

    • If the data has been unlawfully processed.

Exceptions: In some cases, we may need to retain data for compliance with legal obligations (e.g., tax or regulatory requirements), dispute resolution, or to enforce contracts.

4. Right to Withdraw Consent

  • Where processing is based on your consent (e.g., signing up for newsletters, sharing data with program partners), you have the right to withdraw that consent at any time.

  • Withdrawal will not affect the lawfulness of processing carried out prior to withdrawal.

  • After withdrawal, we will cease the specific processing activities unless another lawful basis applies.

5. Right to Object to Processing

  • You have the right to object to certain types of data processing, including:

    • Direct marketing (e.g., promotional emails or SMS).

    • Processing based on our legitimate interests where you believe your rights override those interests.

  • Once you object, we will stop the processing unless we demonstrate compelling legitimate grounds or where processing is required for legal claims.

6. Right to Restrict Processing

  • You may request that we temporarily restrict processing of your data in specific situations, such as:

    • While we verify the accuracy of your personal data.

    • Where you have objected to processing, and we are considering your request.

    • When the processing is unlawful but you prefer restriction to deletion.

  • During restriction, your data will only be stored but not actively processed except for legal or vital reasons.

7. Right to Data Portability

  • You have the right to request a copy of the personal data you provided to Innov8 Hub in a structured, commonly used, and machine-readable format (e.g., CSV, JSON).

  • You may also request that we transfer this data directly to another organization, where technically feasible.

  • This right is especially useful if you want to move between service providers or innovation programs.

8. Right to Lodge a Complaint

  • If you believe that your rights have been violated or that we are not handling your data lawfully, you have the right to file a complaint with the Nigeria Data Protection Commission (NDPC), the regulator responsible for enforcing data protection laws in Nigeria.

  • We encourage you to first contact us directly so we can resolve the issue promptly and transparently.

Exercising Your Rights

We have made it simple for you to exercise your rights. To make a request or lodge a concern:

 Email info@innov8hub.ng

 

 Visit our office: Innov8 Hub, Airport Road, Abuja

 Include: a clear description of the right you wish to exercise, any supporting documents, and proof of identity (to prevent unauthorized access to your data).

 

  • We will acknowledge your request promptly and provide a response within one month, extendable by an additional two months for complex cases (you will be informed if an extension is needed).

  • All requests are handled free of charge, except where manifestly excessive or unfounded, in which case we may charge a reasonable administrative fee or decline the request.
8

Security Practices

At Innov8 Hub, safeguarding your personal data is a top priority. We recognize that data is a valuable asset and a sensitive trust, and we adopt a multi-layered, defense-in-depth approach to ensure its confidentiality, integrity, and availability. Our security practices are designed in line with international standards (ISO 27001, NIST Cybersecurity Framework) as well as the Nigeria Data Protection Act (NDPA) 2023 and the Cybercrimes (Prohibition, Prevention, etc.) Act 2015.

1. Encryption and Secure Transmission

  • All data transmitted between your device and our systems is protected through Secure Socket Layer (SSL)/Transport Layer Security (TLS) encryption, ensuring that communications cannot be intercepted or altered by unauthorized parties.

  • Sensitive information such as login credentials, financial details, or identification numbers are stored using AES-256 encryption standards, making it unreadable without proper authorization.

  • For emails and file exchanges, we also employ encryption-at-rest and in-transit protocols to guarantee security end-to-end.

2. Access Control and Authentication

  • We enforce role-based access control (RBAC), ensuring that only authorized personnel can access personal data strictly on a need-to-know basis.

  • Employees, contractors, and program partners are granted minimum access privileges required for their duties.

  • Strong multi-factor authentication (MFA) mechanisms are required for staff and system administrators to prevent unauthorized account takeovers.

  • Regular reviews are carried out to revoke or update access rights when staff roles change or contracts end.

3. Data Minimization and Retention

  • We collect and retain only the personal data that is necessary for the purposes defined in this policy, in line with the principle of data minimization.

  • Data retention schedules are strictly followed, and unnecessary or outdated data is securely deleted or anonymized.

  • Storage is optimized to reduce exposure, with different sensitivity levels applied to personal data, confidential business information, and public-facing records.

4. Security Audits and Testing

  • Innov8 Hub conducts regular security audits, penetration tests, and vulnerability scans to detect and address weaknesses in our infrastructure.

  • Independent auditors may be engaged periodically to review our data protection framework for compliance with NDPA, NDPR, and international best practices.

  • All findings from audits are documented, remediated, and tracked for continuous improvement.

5. Employee Awareness and Training

  • Security is not just technical, it’s also human-centered. All Innov8 Hub employees undergo mandatory data protection and cybersecurity training at onboarding and on a recurring basis.

  • Training includes recognition of phishing attempts, proper data handling, incident reporting procedures, and secure communication practices.

  • Non-compliance with security policies by staff is subject to disciplinary measures, up to and including contract termination.

6. Incident Response and Breach Management

  • We maintain a comprehensive incident response protocol that includes:

    • Immediate detection and containment of potential breaches.

    • Investigation by a designated incident response team.

    • Root-cause analysis and remediation measures.

  • If a personal data breach likely to result in harm occurs, Innov8 Hub will:

    • Notify the Nigeria Data Protection Commission (NDPC) within 72 hours, as required by the NDPA.

    • Promptly inform all affected users of the nature of the breach, possible consequences, and remedial measures taken.

    • Provide guidance to affected individuals on steps to mitigate risks (e.g., changing passwords, monitoring accounts).

7. Physical and Network Security

  • Our servers and data centers are protected with 24/7 surveillance, biometric access, fire suppression systems, and backup power supply.

  • We deploy firewalls, intrusion detection and prevention systems (IDPS), and endpoint protection solutions to secure our networks.

  • Redundancy and disaster recovery measures ensure service continuity in the event of physical or cyber disruptions.

Continuous Monitoring and Improvement

  • Cyber threats evolve constantly, and so do our defenses. We continuously monitor our systems for anomalies, suspicious activity, and attempted intrusions.

  • Lessons learned from past incidents, industry advisories, and regulatory updates are incorporated into our evolving security strategy.

  • Innov8 Hub is committed to proactive, rather than reactive, security—anticipating risks before they materialize.
9

Retention of Data

At Innov8 Hub, we recognize that personal data should not be retained indefinitely. In line with the principles of accountability, purpose limitation, and storage limitation under the Nigeria Data Protection Act (NDPA) 2023, the NDPR 2019 (as amended), and relevant international best practices (e.g., GDPR), we only keep personal data for as long as it is strictly necessary to fulfill the purposes for which it was collected, or to meet legal, regulatory, and contractual obligations.

1. Purpose of Data Retention

We retain personal data for different reasons depending on the context of collection, including:

  • Legal Compliance: To comply with statutory requirements, such as tax, audit, labor, and corporate governance laws.

  • Program Reporting & Accountability: To generate accurate program reports for funders, government agencies, and stakeholders.

  • Business Operations: To maintain effective records of partnerships, contracts, innovations, and service delivery.

  • Dispute Resolution: To defend or establish legal claims, respond to regulatory investigations, or resolve user complaints.

  • Research & Development: To improve our programs and services through aggregated, anonymized data analysis.

2. Secure Deletion and Anonymization

When personal data is no longer needed for the purposes outlined above, Innov8 Hub ensures that it is securely disposed of in accordance with recognized industry standards.

  • Digital Records: Permanently erased using certified deletion tools that prevent recovery.

  • Paper Records: Destroyed through shredding, pulping, or incineration.

  • Anonymization: Where retention is required for research or statistical purposes, data is anonymized so individuals can no longer be identified.

3. Retention Periods

Different categories of data have different lifespans, determined by legal requirements, operational needs, and best practices:

  • Program Participants: Retained for 5 years post-program to enable reporting, tracking alumni progress, and responding to inquiries from stakeholders.

  • Job Applicants: Retained for 2 years to consider future employment opportunities and meet equal opportunity monitoring requirements. After this period, unless consent is renewed, records are securely deleted.

  • Financial Records: Retained for 6 years, in compliance with tax laws, audit requirements, and corporate record-keeping obligations under Nigerian law.

  • Website Analytics: Retained for 14 months, after which data is automatically anonymized or deleted to protect user privacy while still allowing us to monitor trends.

4. Special Categories of Data

Where sensitive personal data is collected (e.g., national IDs, health-related data for wellness programs, or IP ownership documents):

  • It is stored under stricter access controls.

  • Retention is limited strictly to legal or programmatic requirements.

  • Extended retention beyond the standard periods requires documented justification and approval by the Data Protection Officer (DPO).

5. Exceptions to Retention Limits

In certain cases, Innov8 Hub may need to retain personal data longer than the periods above:

  • Ongoing Investigations or Litigation: If the data is relevant to an ongoing dispute, regulatory investigation, or enforcement action.

  • Explicit Consent: Where individuals have consented to extended retention (e.g., alumni directories or long-term research collaborations).

  • Public Interest: Where retention serves a significant public interest in line with NDPA (e.g., innovation history, national development data).

6. Periodic Review of Data

  • Retention schedules are reviewed annually by the compliance officer  to ensure compliance with evolving laws and operational needs.

  • Data that exceeds its retention period is flagged for secure deletion.

  • Staff are trained to follow clear data archiving and deletion procedures.
10

Use of Cookies

At Innov8 Hub, we use cookies and similar tracking technologies to provide a seamless, secure, and personalized browsing experience. Cookies are small text files that are stored on your device (computer, tablet, or smartphone) when you visit our website. They allow us to recognize your device, remember your preferences, and improve how you interact with our digital platforms.

We value transparency and want you to fully understand how and why cookies are used. The categories of cookies we deploy include:

1. Website Functionality

These cookies are essential for the basic operation of our website and digital services.

  • They enable you to navigate between pages smoothly.

  • Allow proper display of forms, login authentication, and access to secure areas.

  • Without them, certain services such as program applications or account dashboards may not function correctly.

2. Performance and Analytics

Performance cookies help us measure and analyze how visitors use our website so we can continually improve user experience.

  • Track the number of visitors, most frequently viewed pages, and navigation patterns.

  • Identify where users may experience errors or broken links.

  • Provide insights into which content, services, or programs are most valuable to users.
     These cookies typically collect aggregated, anonymous data and do not directly identify individuals.

3. User Experience and Personalization

We use cookies to remember your preferences and improve your overall experience.

  • Store language settings, display preferences, or program categories you last viewed.

  • Enable us to recommend content relevant to your interests and prior interactions.

  • Help us personalize email campaigns and newsletters (where you have opted-in).

4. Security and Verification

Security cookies protect the integrity of our website and your data.

  • Detects and prevents fraudulent logins or unauthorized access attempts.

  • Assist in identifying suspicious behavior such as repeated failed login attempts.

  • Ensure compliance with cybersecurity obligations under the Cybercrimes (Prohibition, Prevention, etc.) Act 2015.

5. Third-Party Cookies

Some cookies are placed by trusted third-party service providers we partner with, such as:

  • Analytics Tools (e.g., Google Analytics) to measure site traffic.

  • Payment Providers to secure online transactions.

  • Social Media Integrations (e.g., LinkedIn, Twitter, Facebook) to allow content sharing and engagement.

All third-party providers are required to comply with Data Processing Agreements (DPAs) and relevant laws, ensuring your data is safeguarded.

6. Managing Your Cookie Preferences

You remain in full control of how cookies are used on your device.

  • You can accept, decline, or delete cookies through your browser settings at any time.

  • Most browsers (e.g., Chrome, Safari, Firefox, Edge) provide tools to block cookies or notify you when a site uses them.

  • Please note that disabling certain cookies may impact the functionality of our website, limiting your ability to participate in programs or access certain services.

For detailed information on specific cookies we use, their duration, and how they function, please refer to our Comprehensive Cookie Policy available on our website.

11

Children’s Privacy

At Innov8 Hub, we are firmly committed to protecting the privacy and rights of children. Our website, programs, and services are primarily designed for individuals aged 18 and above. We do not intentionally target or solicit personal data from minors under the age of 18, except where explicit parental or guardian consent is lawfully obtained.

1. Applicability of Children’s Data Protection

  • Under the Nigeria Data Protection Act (NDPA) 2023, children are recognized as a special category of data subjects who require additional safeguards.

  • Section 37 of the 1999 Constitution of the Federal Republic of Nigeria (as amended) protects the right to privacy, which extends to minors.

  • Where applicable, we also align with international best practices, including the General Data Protection Regulation (GDPR) and the U.S. Children’s Online Privacy Protection Act (COPPA), both of which impose strict obligations for handling children’s data.

2. Age Restrictions

  • Our services are not designed for individuals below 18 years old without appropriate oversight.

  • Participation in innovation programs, funding applications, or employment opportunities requires that applicants confirm they are above 18, or, where younger, provide verifiable parental/guardian consent.

3. Our Policy on Data Collection from Children

  • We do not knowingly collect, process, or store personal information such as names, addresses, contact details, or other identifying data of children under 18.

  • In the unlikely event that such data is provided to us (e.g., through misrepresentation of age), we will:

    • Immediately review and verify the circumstances.

    • Delete such data securely from our systems without undue delay.

    • Notify the parent/guardian (where identifiable) and the Nigeria Data Protection Commission (NDPC) if the processing poses a risk to the child.

4. Parental/Guardian Responsibilities

We encourage parents and guardians to:

  • Monitor their children’s online activities.

  • Guide them in understanding safe data-sharing practices.

  • Contact us directly if they believe their child may have interacted with our services without authorization.

5. Reporting and Remediation

If you are a parent, guardian, or concerned individual and believe that we may have inadvertently collected or processed personal data belonging to a child under 18:

  • Please contact us immediately.

  • Upon verification, we will promptly delete the data, cease further processing, and put safeguards in place to prevent recurrence.

6. Exceptions for Educational Programs

In rare cases where Innov8 Hub may run educational outreach programs involving minors (e.g., secondary school innovation workshops), data may be collected strictly under the following conditions:

  • Prior written consent from parents/guardians.

  • Data collection is limited only to what is necessary (e.g., first name, school, age).

  • Information anonymized wherever possible.

  • Data automatically deleted once the program concludes.
12

Changes to This Privacy Policy

At Innov8 Hub, we recognize that data protection laws, industry standards, and our own internal practices are constantly evolving. To ensure continued transparency and compliance, this Privacy Policy may be updated, revised, or expanded from time to time.

1. Why We May Update This Policy

We may revise this Privacy Policy for several reasons, including but not limited to:

    • Legal and Regulatory Changes: To reflect updates to the Nigeria Data Protection Act (NDPA) 2023, the Cybercrimes Act 2015, or other relevant laws and regulations.

    • Operational Adjustments: When we introduce new services, programs, technologies, or security measures that affect how we collect and process data.

    • Industry Best Practices: To align with emerging global standards such as the General Data Protection Regulation (GDPR) or other regional frameworks where applicable.

    • Feedback and User Needs: Where stakeholders (users, partners, or regulators) recommend improvements for clarity, transparency, or accountability.

2. How Updates Will Be Communicated

  • Website Posting: All updates will be published on this page with a revised “Last Updated” date clearly displayed at the top.

  • Email Notifications: Where changes are significant for example, if they affect your rights, how your data is processed, or how we share data with third parties we may notify you directly by email or through the contact information you provided.

  • Program/Platform Notices: For participants actively enrolled in programs, we may issue notices via dashboards, online platforms, or physical announcements at events.

3. Your Responsibility to Stay Informed

While we are committed to providing timely notifications, we encourage all users to:

  • Review this Privacy Policy periodically to stay updated on how your personal data is managed.

  • Pay special attention to the “Effective Date” and “Last Updated” fields at the top of the policy to determine whether any modifications have occurred since your last review.

4. Consent to Continued Use

By continuing to use our website, services, and programs after changes to this Privacy Policy are published, you acknowledge and agree to the updated terms. Where legally required, we will request your renewed consent (e.g., for material changes in processing activities).

5. Archiving Previous Versions

For transparency, we maintain an internal record of prior versions of this Privacy Policy. Upon reasonable request, you may access these archived versions to understand how your data was handled at a specific point in time.

6. Contact for Clarification

If you have any concerns, require clarification about changes, or would like to understand how they affect your rights, you may contact Innov8 Hub through the following channel: info@innov8hub.ng

13

Contact Us

At Innov8 Hub, we are committed to transparency, accountability, and open communication with all stakeholders. If you have any questions, concerns, or requests regarding this Privacy Policy, or if you wish to exercise your data protection rights, you may reach us through the following dedicated channels:

Primary Contact

 Innov8 Technology Hub Ltd/Gte
 Office Address: Innov8 Hub, Airport Road, Abuja

 Email:info@innov8hub.ng

 Telephone: +234 906 5200 034

 Secondary Contact Channels

For general inquiries that are not directly related to personal data rights, you may also contact us through:

  •  General Inquiries Email: :info@innov8hub.ng
  •  Website Contact Form: www.innov8hub.ng/contact (available 24/7)

Response Timeline

  • We aim to acknowledge receipt of your request or complaint within 48 hours.

  • Substantive responses to data access, correction, or deletion requests will be provided within 30 calendar days, in line with the Nigeria Data Protection Act (NDPA) 2023.

  • For complex requests requiring extended processing time, we will notify you of the reason for the delay and provide an expected timeframe.

Confidentiality and Verification

To protect your privacy and prevent unauthorized disclosures, we may request proof of identity before processing your request (e.g., valid government-issued ID, company authorization letter where applicable). All inquiries and complaints will be handled with strict.

Innov8 Hub treats data protection as a core governance responsibility. Where this Privacy Policy or applicable data-protection laws are breached, the following legal, regulatory, civil and internal remedies may apply. We explain each remedy, how it’s imposed, and what it can mean in practice.

1) Regulatory enforcement by the NDPC (administrative fines & orders)

    • Scope of authority: The Nigeria Data Protection Commission (NDPC) can investigate complaints, conduct inspections, issue compliance notices and enforcement orders, and impose administrative fines or corrective measures against data controllers and processors. 
  • Typical sanctions: For serious breaches or non-compliance, fines under the NDPA may reach the amounts you referenced for data controllers/processors of major importance the Act contemplates penalties such as ₦10,000,000 or 2% of annual gross revenue (whichever is higher); smaller controllers face proportionately lower fines. These sums are indicative of the Act’s punitive regime for major contraventions.
  • Other regulatory tools: In addition to fines, the NDPC can issue enforcement orders requiring Innov8 Hub to take remedial steps (for example: halt certain processing activities, delete unlawfully-held data, or submit to independent audits). Failure to comply with an NDPC order can trigger escalated sanctions.

 

2) Criminal prosecution (Cybercrimes Act and related laws)

  • When criminal liability applies: Certain data incidents (e.g., unlawful access, fraudulent acquisition or dissemination of personal data, hacking, or other cyber offences) may amount to criminal offences under Nigeria’s Cybercrimes legislation and related statutes. In such cases, responsible individuals (or even corporate officers in some circumstances) can face criminal investigation and prosecution by law enforcement.
  • Consequences: Criminal penalties can include fines and/or imprisonment depending on the specific offence and the circumstances (the Cybercrimes Act and amendments set out variable penalties for offences such as unlawful access, identity theft, and computer-related fraud). Criminal proceedings are separate from NDPC administrative action and may be initiated by prosecutors following evidence collection.

 

3) Civil liability to affected data subjects

  • Compensation & civil remedies: Individuals whose rights have been harmed by unlawful processing can seek civil remedies, including compensation for loss, damage, or distress. The NDPA contemplates that enforcement orders may include payment of compensation to data subjects who suffered injury, loss or harm. Innov8 Hub may therefore face civil claims and enforcement orders compelling compensation.
  • Contractual & commercial consequences: Beyond regulatory fines and judicial awards, breaches often create contractual liabilities e.g., indemnities to partners, loss of public contracts, or termination of supplier/customer relationships  which can have material commercial impact. (Recent enforcement cases in Nigeria demonstrate regulatory decisions can quickly translate to commercial and reputational consequences.)

 

4) Internal sanctions for employee misconduct

  • Disciplinary measures: Where a breach results from employee negligence or deliberate misconduct (e.g., unauthorized disclosure, failure to follow security protocol, or fraudulent activity), Innov8 Hub will apply internal sanctions proportionate to the conduct. Sanctions may include written warnings, suspension, mandatory retraining, demotion, dismissal for gross misconduct, and where appropriate forwarding matters to law enforcement for criminal investigation.

  • Employment and contract remedies: Employment contracts and contractor agreements should contain clear data protection and confidentiality clauses (including disciplinary and termination provisions). These contractual clauses support internal sanctions and enable recovery of loss where the contract permits.

  • Deterrence & remediation: We couple sanctions with corrective actions: mandatory retraining, tightening of access controls, role changes, and (where needed) forensic review and third-party audits to prevent recurrence.

5) NDPC supervision, audits and compliance follow-through

  • Ongoing oversight: Innov8 Hub is subject to NDPC supervision. The Commission can require registration (where applicable), compliance audit filings, periodic reports, and may carry out inspections. Failure to register or file required returns may itself attract penalties under the NDPA
  • Cooperation & remediation: Where we are the subject of an NDPC inquiry, our posture is to cooperate fully: provide requested records, implement remedial measures, accept NDPC-mandated audits, and remediate any legal or technical gaps identified by the regulator.

6) Typical enforcement process (what to expect in practice)

  • Detection & internal review: Incident discovery → immediate internal containment and preliminary fact-finding.

  • Notification to NDPC (if applicable): If the breach is likely to risk individuals’ rights/freedoms, we notify the NDPC (and affected individuals where required) the NDPA expects prompt notification (see breach notification obligations). 
  • Regulatory investigation: NDPC may open an investigation, request documents, or issue compliance notices.

  • Remedial directions & enforcement: NDPC may issue compliance/enforcement orders, recommend compensation, and/or impose administrative fines. In parallel, law enforcement may investigate criminal aspects
  • Civil claims & commercial fallout: Affected individuals or counterparties may file civil suits; commercial partners may exercise contractual remedies.

7) Mitigation, remediation & our commitments if a breach occurs

  • Immediate actions: Innov8 Hub will contain the incident, run forensic analysis, notify NDPC and affected data subjects where required, and implement short-term remedies to stop further exposure. 
  • Longer-term remediation: remedial measures may include system hardening, mandatory staff retraining, renegotiation of supplier contracts, third-party security audits, and implementation of NDPC recommendations.
  • Transparency: We will be transparent with the NDPC and affected stakeholders about the nature of the breach, the categories of data involved, mitigation steps taken, and any practical steps individuals can take to protect themselves

8) Reputational & business impact (practical note)

  • Regulatory fines and criminal risk are only part of the picture: breaches frequently trigger reputational harm, investor and partner loss of confidence, suspension from procurement and grant processes, and long-term commercial damage. Recent high-profile enforcement actions in Nigeria underscore how reputational and financial costs can multiply.

9) Right of review and judicial recourse

  • Appeal & judicial review: Entities subject to NDPC enforcement may have statutory routes to seek review or judicial relief under the NDPA (including rights to challenge enforcement orders via the courts). Innov8 Hub will pursue lawful appeal routes where appropriate and will comply with court directions during any such process.

  • Nigeria Data Protection Act 2023 (NDPA) enforcement & civil remedies.

  • Practical summaries and commentary (KPMG, DLA Piper, ICLG) on penalties, breach notification and enforcement expectations.

  • Cybercrimes (Prohibition, Prevention, etc.) Act criminal offences & penalties.

  • Recent enforcement examples (NDPC actions / national news): Fidelity Bank fine; FCCPC/NDPC fine on Meta  illustrating real regulatory enforcement in Nigeria.