Book a Consultation

PRIVACY POLICY

Table of Contents

Last updated: 19 November 2025

 

Proten International LTD (“Proten”, “we”, “us”, or “our”) is committed to protecting the privacy and security of personal information we collect about visitors to our website (https://protenintl.com), our customers, job applicants, partners, event attendees and other persons who interact with our services (“you”, “your”, “Data Subject”). This Privacy Policy explains how and why we collect, use, disclose, transfer, and retain Personal Data, and describes the rights available to Data Subjects under the Nigeria Data Protection Act 2023 (NDPA), the EU General Data Protection Regulation (GDPR) and other applicable data protection laws.

1. Introduction & scope

This Privacy Policy applies to the Processing of information by Proten International LTD (company registration: Proten International LTD) in connection with (a) our website at https://protenintl.com; (b) the products, solutions, subscriptions, events, training, recruitment and other services we provide (collectively, “Proten Services”); and (c) any offline interactions with our staff.

By accessing or using Proten services you consent to the Processing of your Personal Data in accordance with this Privacy Policy. If you do not agree with the terms of this Policy, please do not use the website or provide Personal Data to us.

This policy describes:

  • what information we collect and why;
  • how we use, disclose and protect your information;
  • your rights and choices; and
  • how you can contact us, raise concerns and exercise your rights.

Where the law requires a separate or shorter Notice at Collection (for example for particular marketing channels, promotions, employment recruiting or when dealing with California residents), we will provide a supplemental notice at the point of collection. Proten’s approach is to comply with the NDPA and GDPR as applicable and to adopt best practice internationally.

Key legal point: The NDPA was enacted in 2023 and creates enforceable data subject rights and obligations for controllers and processors in Nigeria. The Nigeria Data Protection Commission (NDPC) is the supervising authority for the NDPA.

2. Interpretation — key definitions

For the purposes of this Privacy Policy:

  • Personal Data / Personal Information — any information relating to an identified or identifiable natural person.
  • Processing — any operation performed on Personal Data (collection, use, disclosure, storage, transfer, erasure etc.).
  • Controller — the person or entity that determines the purposes and means of Processing (Proten is the Controller for data collected in connection with our Services unless otherwise stated).
  • Processor — an entity that processes Personal Data on behalf of a Controller.
  • Data Subject — the natural person whose Personal Data is Processed.
  • Sensitive Personal Data / Special Category Data — data that requires higher protection under law (e.g., health, biometric, political opinions, depending on local law). Under NDPA and GDPR these categories attract additional protection.
  • Third Party Services — third-party platforms (payment processors, hosting/CDN, analytics, social login providers etc.).
  • DCPMI (NDPA term) — “Data Controller or Processor of Major Importance” — organisations meeting thresholds set by NDPC that are subject to additional obligations (e.g., appointing a DPO). (See Section 18.)

Where we use any other legal term in this Policy (e.g., “consent”, “legitimate interest”, “adequacy”, “standard contractual clauses”), we use those terms as they are defined or interpreted under the NDPA and GDPR.

3. Who we are — contact, DPO, EU Representative

Controller: Proten International LTD (PROTEN)
Registered address: 6B, Rosenje Street, Soluyi, Gbagada, Lagos, Nigeria.
Website: https://protenintl.com
General enquiries: info@protenintl.com
Phone: +234 901 278 1155

Data Protection Officer (DPO) / Privacy contact:
We have designated a person responsible for privacy and compliance. To contact our DPO or privacy team, email: privacy@protenintl.com. If privacy@ is not available, use info@protenintl.com. (If you want to escalate, see Section 19.)

EU Representative:
Where required by Article 27 of the GDPR for organisations not established in the EU who process EU residents’ data, we have appointed or will appoint an EU Representative. You can request the contact details of our EU Representative from privacy@protenintl.com. (Article 27 provides the rules and role of such a representative).

4. Information we collect

We collect information necessary to provide and improve our services. The type of information depends on the interaction you have with us.

A. Information you voluntarily provide (examples)

  • Account & registration: name, contact email, phone number, organisation name, username, password (securely stored), and billing address.
  • Authentication & identity documents: where required (e.g., recruitment, KYC), we may collect identity numbers (e.g., NIN), passport details, or scanned ID for verification.
  • Financial & transactional data: card/bank details are handled by our payment processors; we receive transaction IDs and payment confirmation (we do not store raw card full PANs unless contractually required and stored by a certified processor).
  • Communications & support records: messages, emails, chat transcripts, notes from phone calls and support tickets.
  • Content & submissions: files, CVs, portfolio items, training submissions, feedback, survey responses, contest entries and event registration information.
  • Marketing preferences: consent choices for newsletters and promotional communications.
  • Recruitment data: CVs, cover letters, interview notes, referees, assessment results.
  • Event & attendance data: desk registration, ticketing, dietary preferences (if given), photos we are permitted to publish.

B. Data collected automatically (technical & usage)

  • Device & browser: type, OS, browser version, screen resolution, language settings.
  • Network & access: IP address, approximate location by IP, mobile carrier (if applicable), time zone.
  • Usage & telemetry: pages visited, duration, click paths, errors, HTTP status codes, referring site, search queries on our site.
  • Identifiers: cookie IDs, advertising IDs, UUIDs assigned to devices or browser instances.
  • Performance & diagnostics: crash logs, load times, telemetry for product improvement.

C. Data collected via cookies and similar technologies

  • See Section 10 for a full description — examples include session cookies (authentication), persistent cookies (preferences) and analytics cookies (behavioural metrics). Tracking pixels and local storage may also be used.

D. Data from Third Parties

We may collect data from:

  • Third Party Services you use to access our Services (e.g., LinkedIn login, Google Sign-in).
  • Partners & affiliates (company directory information, corporate contacts).
  • Public sources & data brokers where lawfully permitted (for example to verify business details).
  • Recruitment platforms (e.g., job portals if you apply through them).
     When we collect data from third parties, we will record the source and, where required by law, inform you of that source.

5. How we collect information

We collect data:

  • when you create or update an account;
  • when you use or browse our website and services;
  • when you register for an event, webinar or training;
  • when you apply for a job or respond to recruitment outreach;
  • when you contact customer support or otherwise communicate with us;
  • when third parties (with your permission) share data with us; and
  • through publicly available sources where permitted by law.

We store automatically collected data with identifiers tied to the browser, application or device you use, to provide a consistent experience and for fraud-prevention and analytics.

6. Purposes of Processing — why we use Personal Data 

We Process Personal Data for the specific purposes below. For each purpose we indicate typical categories of personal data used and the legal basis relied upon (see Section 9 for more on legal bases).

  • User registration, authentication & account management

    • Data used: identity, contact, credentials.
    • Why: to create and manage accounts, authenticate users, manage subscriptions and deliver contracted services.

  • Provision of services / delivery of products
    • Data used: transactional data, service usage, support logs.
    • Why: to provide, operate and improve our products and services (e.g., training delivery, hosting of content, customer portals).

  • Customer support & service operations
    • Data used: communications, support tickets, technical logs.
    • Why: to respond to queries, resolve incidents, maintain SLA.

  • Billing, payments & fraud prevention
    • Data used: billing & payment records, transaction IDs, device and network identifiers.
    • Why: invoice customers, reconcile payments, detect and prevent fraudulent activity.

  • Marketing, advertising & communications
    • Data used: contact info, preferences, engagement data.
    • Why: to send newsletters, updates and promotional materials (only where lawful, and based on your consent or our legitimate interest subject to your right to object).

  • Analytics, product development & performance monitoring
    • Data used: usage metrics, diagnostic logs.
    • Why: to understand how our services are used, to analyze and improve features, to run A/B tests and for capacity planning.

  • Event management and logistics
    • Data used: attendee registration, ticketing info, access control logs.
    • Why: to register participants, arrange seating, manage access and evaluate event performance.

  • Recruitment & HR processes
    • Data used: CVs, interview records, references.
    • Why: to evaluate candidates, manage hiring, and comply with employment law.

  • Security, compliance and law enforcement requests
    • Data used: relevant records and logs.
    • Why: to protect our systems, investigate abuse, comply with legal processes and respond to lawful requests from authorities.

  • Research, aggregated reporting & anonymised datasets
    • Data used: de-identified or aggregated data derived from personal data.
    • Why: to compile industry reports and internal research that cannot be used to identify individuals.

  • Legal obligations & dispute resolution
    • Data used: transactional and contractual records.
    • Why: to meet tax, corporate governance, regulatory and litigation requirements.

We will not Process your Personal Data for any other purpose without first informing you (or obtaining your consent where required).

7. Disclosure & transfer of information

A. Categories of recipients

We will only disclose Personal Data to third parties when necessary for the purposes listed above. Typical recipients include:

  • Service providers / data processors — IT hosting, cloud providers, payment processors, CRM and email platforms, analytics providers, customer support platforms and other vendors who process data on our behalf under contract.
  • Affiliates / group companies — for internal administration and where a group company provides services on our behalf.
  • Business partners / recruitment partners — for joint events, hiring, or co-branded services (with your consent if required).
  • Professional advisers & auditors — legal counsel, auditors and consultants who assist with compliance or investigations.
  • Government, supervisory or law enforcement authorities — where necessary to comply with a legal obligation, court order or to protect the public interest.
  • Purchasers / investors — in the event of a corporate transaction (merger, acquisition, asset sale); we will ensure contractual protections and notify you where required by law.

All processors and third-party recipients are contractually required to implement appropriate technical and organisational measures and to process Personal Data only on our documented instructions.

B. Cross-border transfers and safeguards

Transfers of Personal Data may occur between Nigeria, the EU/EEA, the UK, and other jurisdictions where our processors and service providers maintain infrastructure.

Under the NDPA, cross-border transfers from Nigeria are restricted: a data controller/processor must not transfer Personal Data out of Nigeria unless certain conditions are met (for example: the recipient jurisdiction provides an adequate level of protection, or one of the statutory exceptions applies). Organisations must record the legal basis for transfer and may be required to notify the NDPC.

Under the GDPR, transfers from the EU/EEA to countries outside the EEA require an adequate level of protection. Adequacy decisions and approved transfer mechanisms (for example Standard Contractual Clauses — SCCs) are recognised safeguards. We use the European Commission’s SCCs where applicable and will implement other appropriate safeguards (binding corporate rules, approved codes, certifications) or transfer only where an adequacy decision covers the recipient country.

When transferring data internationally we implement one or more of the following measures (as appropriate):

  • rely on an adequacy decision issued by the European Commission or NDPC;
  • execute Standard Contractual Clauses (SCCs) approved by the EU Commission (and any additional safeguards required by supervisory authorities);
  • rely on explicit consent (where permitted and appropriate);
  • implement Binding Corporate Rules (BCRs) or NDPA-recognised cross-border instruments; or
  • rely on other legal bases permitted by the NDPA or GDPR.

If you request details of specific transfers, the safeguards in place, or copies of executed SCCs or transfer addenda, contact privacy@protenintl.com.

8. Storage and retention of information (how long we keep data)

We retain Personal Data only as long as necessary for the purposes for which it was collected and processed, unless a longer retention period is required by law.

Typical retention approaches:

  • Account data & basic profile: retained while account is active and for a period after account closure to allow for re-activation or to meet contractual obligations.
  • Transactional & billing records: retained as required by applicable tax and corporate law or contractual obligations (for example to support audits).
  • Support & communications logs: retained for a period necessary to resolve issues, enforce terms, or for record-keeping (commonly 1–3 years, depending on the record type and applicable law).
  • Recruitment data: if you are not hired we may retain your application for a defined time (e.g., up to 12 months) subject to consent or legitimate interest; where we keep data longer we will notify you.
  • Analytics & aggregated data: de-identified datasets may be retained indefinitely for statistical and product improvement purposes provided the data is not re-identifiable.

When Personal Data is no longer required we will securely delete it, or where deletion is not feasible we will anonymise it so you cannot be identified.

9. Legal basis for Processing (NDPA & GDPR) 

Under NDPA and GDPR we must have a lawful basis for Processing Personal Data. The principal legal bases we rely on are:

  • Contract — Processing necessary to perform our contract with you (e.g., to provide services you requested, billing, fulfil orders).
  • Legal obligation — Processing necessary to comply with a statutory requirement or official order (e.g., tax, regulatory reporting).
  • Consent — where you have given freely informed and specific consent (e.g., for marketing emails, certain cookies). You can withdraw consent at any time; withdrawal does not affect processing carried out before withdrawal.
  • Legitimate interests — where Processing is necessary for our legitimate business interests (for example fraud prevention, improving products, system security) and those interests are not overridden by your rights (we conduct balancing tests to ensure protection of your rights).
  • Vital interests / public interest — where required to protect life, public health or similar important interests.

For sensitive personal data (special categories), we will identify and document a specific lawful basis and any extra safeguards required under the NDPA and GDPR.

10. Cookies, tracking technologies & analytics 

We use cookies and similar technologies to provide, secure and improve our Services. This section explains how we use them and your choices.

What are cookies?

Cookies are small text files placed on your device by your browser. They enable websites to remember your session, preferences and provide analytics and advertising support.

Categories of cookies we may use

  • Strictly necessary / essential cookies: required for website basic operation (e.g., authentication,. These cannot be disabled without affecting site functionality.
  • Preferences / functional cookies: remember preferences such as language, font size and display settings.
  • Performance / analytics cookies: collect anonymous usage information (pages visited, time spent) to help us improve. We may process aggregated analytics for performance improvement.
  • Marketing / advertising cookies: used by us and third parties to deliver targeted advertising and measure ad performance. These require consent in many jurisdictions.

Third-party trackers

We use reputable analytics providers and advertising platforms. These third parties may place cookies on your device and collect information according to their policies. We encourage you to consult their privacy policies.

Microsoft Clarity

We partner with Microsoft Clarity and Microsoft Advertising to capture how you use and interact with our website through behavioral metrics, heatmaps, and session replay to improve and market our products/services. Website usage data is captured using first and third-party cookies and other tracking technologies to determine the popularity of products/services and online activity. Additionally, we use this information for site optimization, fraud/security purposes, and advertising. For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement

Managing cookies

Most browsers allow you to control cookie settings (block, delete, accept). Blocking cookies may prevent some features from working correctly. We provide cookie controls (consent banners) on our website to manage your preferences.

If you wish to opt out of targeted advertising, you may use browser or device controls, or visit industry opt-out pages (for example, for advertising industry opt-outs). If you need help, contact privacy@protenintl.com.

11. Data security — our measures

We take a risk-based and layered approach to security. Measures include:

  • Encryption: TLS/HTTPS in transit; encryption at rest where applicable.
  • Access control: role-based access, least privilege, multi-factor authentication for privileged accounts.
  • Network & infrastructure security: firewalls, IDS/IPS, vulnerability scanning and regular patching.
  • Secure development lifecycle: code reviews, secure coding standards and penetration testing.
  • Operational controls: logging, retention of logs, regular backups and disaster recovery plans.
  • Vendor controls: due diligence, security assessments and contractual obligations for processors.
  • Organisational measures: staff privacy training, policies, incident response playbooks and periodic audits.
  • Pseudonymisation & minimisation: where possible we pseudonymise identifiers when using data for analytics or development.

Limitations: no transmission or storage of data is 100% secure. We endeavour to apply reasonable and industry-standard safeguards, but cannot guarantee absolute security. In the event of a breach we follow the steps in Section 12 below.

12. Personal data breach — detection, notification & remediation

We maintain an incident response plan and legal/compliance processes to manage breaches.

What we do on discovering a breach:

  1. Contain and assess — take immediate steps to contain the incident and assess scope and severity.
  2. Notify authorities — where the breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the Nigeria Data Protection Commission (NDPC) without undue delay, and in any event within the timeframes required by the NDPA (as applicable). Under the NDPA the NDPC must be notified of such a breach within 72 hours of becoming aware (where required).
  3. Notify Data Subjects — where the breach is likely to result in a high risk to Data Subjects’ rights and freedoms, we will communicate to affected individuals in clear language describing the nature of the breach and recommended mitigation steps.
  4. Remediate — implement measures to prevent re-occurrence, support affected users, and update security controls and incident reports.
  5. Document — keep records of the breach, actions taken and communications for accountability and regulatory review.

We will cooperate with any lawful regulatory investigation and with affected parties to the extent required by law.

13. Rights of Data Subjects — full explanation & how to exercise (NDPA & GDPR)

Under NDPA, GDPR and other applicable laws, Data Subjects have rights. Below we explain each right and how to exercise it.

Data Subject Rights

  • Right of access: request confirmation of whether we Process your Personal Data and obtain a copy of the data and certain information about processing (purposes, recipients, retention, legal basis).
  • Right to rectification: request correction of inaccurate or incomplete Personal Data.
  • Right to erasure (“right to be forgotten”) — request deletion where processing is no longer necessary or consent withdrawn and no overriding lawful basis exists.
  • Right to restriction of processing: request restriction in certain circumstances (while a dispute is resolved, where data accuracy is contested).
  • Right to data portability: receive Personal Data in a structured, commonly used, machine-readable format and transmit to another controller (where processing is based on consent or contract and processed by automated means).
  • Right to object: object to processing based on legitimate interests or direct marketing; where objected, we will stop unless we demonstrate compelling legitimate grounds.
  • Right to withdraw consent: where processing is based on consent you may withdraw at any time. Withdrawal does not affect the lawfulness of prior processing.
  • Right not to be subject to solely automated decisions: where a decision is based solely on automated processing (including profiling) that produces legal or similarly significant effects you generally have the right to human intervention, to express your viewpoint and to contest the decision. (GDPR Art. 22 and NDPA Part VI).
  • Right to lodge a complaint: with the NDPC (for Nigerian residents) or the relevant EU supervisory authority (for EU residents). See Section 19.

How to submit a request

Send an email to privacy@protenintl.com with:

  • your full name and contact details;
  • a clear description of the request (e.g., “Right of access — please provide my personal data and processing details”);
  • any relevant account or reference numbers; and
  • a copy of a valid ID or other information to verify your identity (we will only request the minimum necessary to verify).

Verification: to protect your privacy we verify identity before fulfilling requests. Verification may require government ID, recent invoice or other documentation linking you to the account. We will only use verification data to confirm identity.

Authorised agents: you may appoint an authorised agent (e.g., lawyer) to submit a request on your behalf. We may require written authorisation and verify both identities.

Response time & fees:

  • GDPR timeframe: under GDPR we will respond without undue delay and in any event within one month of receipt of the request (extensions for complex or numerous requests are possible up to two additional months with notice).
  • NDPA practice: we will respond in accordance with timelines required by the NDPA and NDPC guidance; where NDPA or NDPC guidance prescribes a particular timeframe we will comply (NDPA and NDPC materials indicate timely responses consistent with one-month practice and related guidance).
  • Fees: we provide one free copy or one free response in a 12-month period; for manifestly unfounded or excessive requests we may charge a reasonable fee covering administrative costs or refuse the request, with reasons.

If we refuse in whole or in part, we will explain our reasons and inform you of your right to appeal to a supervisory authority (NDPC or EU DPA).

14. Automated decision-making, profiling & AI systems

We may use automated systems for:

  • analytics and personalization (recommendations, content suggestions);
  • security and fraud detection; and
  • product features (for example, automated tagging, search ranking).

Important safeguards: we do not make decisions that produce legal or similarly significant effects solely on automated processing without appropriate safeguards (GDPR Article 22 / NDPA Part VI). If you are subject to an automated decision with significant effects, you may request human review, contest the decision, and obtain an explanation of the logic involved. 

Where we train models on Personal Data we apply minimisation, pseudonymisation and conduct Data Protection Impact Assessments (DPIAs) when required (see Section 18).

15. Special categories of data (sensitive data)

We generally avoid collecting sensitive data (health, race, religion, sexual life, political opinions) unless necessary (e.g., to provide specific services, legal obligations, or where you have given explicit consent). When we process such data we:

  • obtain explicit consent where required;
  • apply heightened security and limited access controls; and
  • record our lawful basis and implement additional safeguards as required by law.

16. Children’s privacy

Proten Services are not directed at children under 18 years of age. We do not knowingly collect Personal Data from children for marketing or account creation. If we become aware we hold Personal Data of a child in contravention of this policy we will delete it unless retention is required by law. If you believe we have collected data of a child, contact privacy@protenintl.com.

17. Data processors, sub-processors and third-party vendors (DPAs)

Where we engage processors to perform services (hosting, payments, analytics), we execute written Data Processing Agreements (DPAs) or equivalent contracts that:

  • define the subject matter, duration, nature and purpose of processing;
  • describe categories of data and Data Subjects;
  • require processors to implement appropriate technical and organisational measures;
  • prohibit processors from engaging sub-processors without prior written authorisation (or require notification so you can object where required); and
  • require assistance with data subject requests, breach notifications and audits.

If you require a copy of our DPA template or wish to negotiate an agreement (for B2B customers), contact privacy@protenintl.com.

18. Registration, audits, DPIAs and accountability (NDPA obligations)

NDPA obligations: the NDPA requires increased accountability measures including registration of certain controllers, appointing DPOs for DCPMIs, conducting DPIAs for high-risk processing, and permitting NDPC audits and compliance checks. We implement a privacy governance framework with records of processing activities (RoPA), periodic risk assessments, staff training and incident response procedures. We will complete a DPIA where processing is likely to result in high risk to individuals and consult the NDPC if necessary.

19. Complaints, supervisory authority and dispute resolution

Contact us first: If you have a privacy concern, please contact our DPO at privacy@protenintl.com. We aim to acknowledge and resolve queries promptly.

Escalation / Supervisory authority: If you remain dissatisfied you may lodge a complaint with the Nigeria Data Protection Commission (NDPC) (https://ndpc.gov.ng/) — the NDPC is the supervisory authority for NDPA matters. For EU residents, you may contact your local data protection authority (e.g., an EU member state DPA). 

Dispute resolution: We will attempt to resolve disputes amicably. If legal action is necessary, claimants may pursue available remedies under NDPA, GDPR or local law as applicable.

20. Changes to this Privacy Policy

We keep this Policy under regular review and may revise it as our services or legal requirements change. When we make material changes we will post a prominent notice on our website and update the “Last updated” date. Continued use of our Services after a change constitutes acceptance of the updated Policy.

21. Contact us

For general enquiries, or to exercise your rights:

Proten International LTD (PROTEN)
 Address: 6B, Rosenje Street, Soluyi, Gbagada, Lagos, Nigeria
 General email: info@protenintl.com
 Privacy / DPO email: privacy@protenintl.com
 Phone: +234 901 278 1155
 Website: https://protenintl.com