
Privacy Policy

Powered by Lumion Technology Limited • Last Updated: 2026

Lumion Technology Limited (“Lumion”, “we”, “us”, or “our”), incorporated in Nigeria in September 2025, operates the SMEbuddy cloud-based business management platform available at sme-buddy.com (the “Platform”). SMEbuddy is designed specifically for Nigerian small and medium enterprises, including bakeries, supermarkets, make-up artists, and catering services.

This Privacy Policy (“Policy”) explains what personal data we collect, why we collect it, the lawful bases on which we process it, who we share it with, how we protect it, and what rights data subjects have in relation to it. This Policy is issued in accordance with the Nigeria Data Protection Act 2023 (“NDPA”) and the General Application and Implementation Directive 2025 (“GAID”).

This Policy forms part of our Terms of Service and is incorporated by reference therein. By registering an Account or using the Platform, you acknowledge that you have read and understood this Policy. If you do not agree to this Policy, you must not use the Platform.

1. Scope: Who This Policy Covers

1.1 Subscribers and Their Staff (Direct Users)

These are the business owners and their authorised staff members who register Accounts and use the Platform directly. Where this Policy addresses “you” or “your” in the context of rights and obligations, it is primarily directed at this group.

1.2 Third-Party Data Subjects (Indirect Data Subjects)

These are the customers, suppliers, and employees of subscribing businesses whose personal data is entered into the Platform by the business owner or their staff. These individuals have no direct relationship with Lumion and may not be aware that their data is held on our systems.

As explained in Section 5 of this Policy, Lumion acts as a data processor in respect of this data. The subscribing business is the data controller and bears primary legal responsibility for ensuring that data entry into the Platform is lawful under the NDPA 2023. Lumion handles all third-party personal data with the same standard of care as subscriber data. If you are an employee, customer, or supplier of a business that uses SMEbuddy and wish to exercise your data subject rights, please refer to Section 11.

2. Definitions

  • “Account” means a registered account created by a Subscriber to access the Platform.
  • “Business Data” means all operational data entered into the Platform by a Subscriber, including sales records, expenses, invoices, inventory data, payroll records, and any personal data relating to third parties entered by the Subscriber.
  • “CAMA 2020” means the Companies and Allied Matters Act 2020.
  • “Data Controller” means the entity that determines the purposes and means of processing personal data.
  • “Data Processor” means the entity that processes personal data on behalf of a data controller.
  • “Data Subject” means any identified or identifiable individual whose personal data is processed.
  • “GAID” means the General Application and Implementation Directive 2025 issued under the NDPA.
  • “NDPA” means the Nigeria Data Protection Act 2023.
  • “NDPC” means the Nigeria Data Protection Commission.
  • “Personal Data” means any information relating to an identified or identifiable natural person, as defined under the NDPA 2023.
  • “Processing” means any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
  • “Subscriber” means the business owner or authorised representative who registers an Account on the Platform.
  • “Third-Party Processors” means the external service providers engaged by Lumion to deliver the Platform, as listed in Section 8.

3. Personal Data We Collect

3.1 Data Collected from Subscribers and Their Staff
  • Phone number: collected at registration and used solely for OTP identity verification. Phone numbers are shared with Termii (our Nigerian SMS provider) strictly for this purpose. Any hashed OTP data is transient and automatically purged within 30 minutes of generation.
  • Business owner’s name, business name, business address, and branch details: collected to configure and personalise the Platform for the Subscriber’s operations.
  • Business logo and product images: uploaded by the Subscriber for internal inventory display and branding within the Platform only. Lumion does not distribute, publish, or use uploaded images for any other purpose. Images are currently hosted on Cloudinary (USA), pending migration to Supabase Storage.
  • Usage data: including IP addresses, session identifiers, device type, browser type, features accessed, and interaction timestamps, collected through PostHog (analytics) and Sentry (error monitoring) where consent has been given or legitimate interests apply.
  • Payment data: subscription billing information processed through Paystack for Standard and Premium plan subscribers.
  • Audit log data: a permanent record of all actions taken within a Subscriber’s Account on the Platform.

3.2 Data Entered by Subscribers About Third Parties
  • Customer data: names, phone numbers, and transaction histories.
  • Supplier data: names, phone numbers, and transaction histories.
  • Employee data (via the Payroll module): names, salaries, attendance records, and other employment-related personal data.

Employee payroll data is of a sensitive financial nature. Lumion processes it strictly on the documented instruction of the subscribing business and applies enhanced safeguards accordingly. Subscribing businesses are responsible for ensuring that they have a lawful basis under the NDPA 2023 for entering their employees’, customers’, and suppliers’ data into the Platform, and for informing those individuals accordingly.

3.3 Data We Do Not Collect
  • Data from advertising networks or third-party data brokers. Lumion does not purchase marketing data or consumer classification data from external sources.
  • Biometric data.
  • Data from individuals under the age of 18. SMEbuddy is a business platform; all users must be adults with the legal capacity to enter contracts under Nigerian law.

4. Lawful Bases for Processing

Processing Activity | Lawful Basis
Account registration & OTP verification | Performance of contract
Platform delivery (inventory, invoicing, payroll, reporting) | Performance of contract
Loan Readiness Report generation | Performance of contract; legitimate interests
AI Manager feature (anonymised data only) | Legitimate interests
Permanent audit trail | Legitimate interests; legal obligation
Error monitoring & security rate limiting | Legitimate interests (platform safety and integrity)
Usage analytics (PostHog) | Consent (opt-out available)
Subscription billing | Performance of contract
Transactional email delivery | Performance of contract
Legal compliance and defence of claims | Legal obligation; legitimate interests

5. SMEbuddy’s Dual Legal Role Under Data Law

5.1 Data Controller (in respect of Subscriber data)

Lumion is the data controller in respect of personal data collected directly from Subscribers and their staff during account registration, onboarding, and platform use. In this role, Lumion determines the purposes and means of processing, and is directly responsible for compliance with the NDPA 2023 in relation to that data.

5.2 Data Processor (in respect of third-party personal data)

Where a Subscriber enters personal data about their own customers, suppliers, or employees into the Platform, the subscribing business is the data controller and Lumion acts as a data processor, holding and processing that data solely on the Subscriber’s instruction. In that capacity, Lumion:

  • Processes the relevant personal data only on documented instructions from the Subscriber.
  • Implements appropriate technical and organisational security measures.
  • Assists the Subscriber in responding to data subject rights requests where the data held by Lumion is relevant.
  • Deletes or returns such personal data upon termination of the subscription, subject to legal retention obligations.
  • Does not engage any sub-processor in relation to that data without appropriate contractual protections.

It is the Subscriber’s responsibility, as data controller, to ensure that their customers, suppliers, and employees are informed that their personal data is being processed through a third-party platform, and that a lawful basis exists for that processing under the NDPA 2023.

6. Loan Readiness Report — Automated Processing Disclosure

The Platform includes a Loan Readiness Report feature that automatically calculates a creditworthiness indicator derived from the Subscriber’s own business transaction history and generates a report the Subscriber may choose to present to a financial institution.

  • The indicator is produced by automated calculation applied to the Subscriber’s own transaction data entered into the Platform. No external credit bureau or third-party financial data is used.
  • The report is a financial intelligence tool designed to support the Subscriber’s own decision-making. It does not constitute a credit decision, credit assessment, or financial recommendation by Lumion.
  • Lumion is not a licensed financial institution and has no authority to approve or decline credit applications.
  • The accuracy of the report depends entirely on the completeness and accuracy of the Business Data entered into the Platform.
  • No human review of the Subscriber’s business profile is conducted by Lumion in generating the report.

You may request a review of the calculation methodology applied to your data by contacting us at support@sme-buddy.com.

7. AI Manager Feature — Third-Party AI Processing

The AI Manager feature generates daily business performance summaries by transmitting data to the Anthropic Claude API, an artificial intelligence service operated by Anthropic, Inc. (USA).

  • Only anonymised and aggregated business performance data is transmitted to the Anthropic API.
  • No personally identifiable information about named customers, named employees, or named suppliers is included in any transmission to Anthropic.
  • Lumion has entered into data processing terms with Anthropic and has assessed this transfer arrangement against the cross-border transfer requirements of the NDPA 2023.
  • Anthropic’s infrastructure is located in the United States. Appropriate safeguards apply as described in Section 9.

By using the AI Manager feature, you consent to this processing arrangement.

8. Third-Party Service Providers (Data Processors)

Lumion engages third-party service providers to deliver the Platform. Each provider acts as a data processor under a Data Processing Agreement that requires them to process data only on Lumion’s documented instructions; maintain appropriate technical and organisational security measures; not engage sub-processors without authorisation; and comply with applicable data protection law.

Provider | Data Processed | Location | Nature
Supabase | User accounts, authentication, all business and operational data | USA (AWS) | Core — mandatory
Vercel | Frontend application hosting; server-side request processing | USA | Core — mandatory
Termii | Phone numbers for OTP delivery; hashed OTP data (transient — 30 min max) | Nigeria | Core — mandatory
Paystack | Payment card data for Standard and Premium subscription billing | Nigeria / USA | Core — mandatory
Anthropic | Anonymised business performance data for AI Manager summaries (no personal data transmitted) | USA | Feature-dependent
Sentry | Error and crash data; request context and session identifiers | USA | Optional / configurable
PostHog | User ID, business ID, plan, role, feature interactions; usage analytics | USA | Optional / configurable
Upstash | Request metadata and IP addresses for rate limiting | USA | Optional / configurable
Resend | Email address and account details for transactional email delivery | USA | Core — mandatory
Cloudinary | Product images and business logos uploaded by subscribers (pending migration to Supabase) | USA | Mandatory for image upload feature

SMEbuddy is entirely advertisement-free. Lumion does not share personal data with advertising networks, marketing platforms, or third-party data brokers, and does not permit any processor to use data for their own commercial purposes beyond delivering the contracted service.

9. Cross-Border Data Transfers

The majority of Lumion’s third-party processors are located in the United States. Transfers of personal data from Nigeria to these providers constitute cross-border transfers regulated under Part VI of the NDPA 2023 and the GAID 2025. Lumion ensures that all such transfers are conducted under appropriate safeguards, primarily through Standard Contractual Clauses incorporated into Data Processing Agreements.

  • Supabase (AWS), Vercel, Anthropic, Sentry, PostHog, Upstash, Resend, Cloudinary, and Paystack’s US infrastructure: transfers governed by Standard Contractual Clauses within Data Processing Agreements.
  • Termii: data processed within Nigeria; no cross-border transfer applies.
  • Paystack’s Nigerian operations: processed within Nigeria; cross-border provisions apply only to international infrastructure.

Lumion reviews all transfer arrangements periodically to ensure ongoing compliance with the NDPA 2023 and GAID. To obtain information about the specific safeguards applicable to any processor, contact us at support@sme-buddy.com.

10. Permanent Audit Trail

Every action performed on the Platform — including data entries, edits, deletions, login events, and system changes — is recorded in a permanent, tamper-proof audit trail.

The audit trail cannot be deleted. This applies even where a data subject exercises a valid right to erasure. Permanent retention of audit logs is justified on the following grounds:

  • Security: to detect, investigate, and respond to unauthorised access, fraud, and system breaches.
  • Accountability: to maintain a reliable record of all transactions and Platform actions for business governance purposes.
  • Legal compliance: to meet obligations under Nigerian law including the NDPA 2023, CAMA 2020, and applicable tax and financial reporting legislation.

Where a right to erasure request is validly made and granted, Lumion will delete or anonymise the relevant personal data in the Platform’s operational records. Audit log references to system events involving that data will be retained in anonymised form where technically feasible.

11. Your Rights as a Data Subject

Under the NDPA 2023 and GAID 2025, all data subjects — including Subscribers, their staff, and the customers, suppliers, and employees of subscribing businesses — have the following rights:

  • Right of Access: obtain a copy of the personal data we hold about you and details of how it is processed.
  • Right to Rectification: request correction of inaccurate or incomplete personal data.
  • Right to Erasure: request deletion where it is no longer necessary, consent is withdrawn, or processing was unlawful, subject to Section 10 and legal retention obligations.
  • Right to Restriction of Processing: request restriction of processing in applicable cases.
  • Right to Data Portability: request personal data in a structured, commonly used, and machine-readable format. Subscribers may export Business Data using the Platform’s export tools.
  • Right to Object: object to processing carried out on the basis of legitimate interests.
  • Rights Regarding Automated Decision-Making: request human review, express your point of view, and contest a decision, where applicable (see Section 6).
  • Right to Withdraw Consent: where we rely on consent (including PostHog analytics and the AI Manager feature), you may withdraw consent at any time.

How to Exercise Your Rights: submit your request by email to support@sme-buddy.com. We will acknowledge within 72 hours and respond within the timeframe prescribed by the NDPA 2023. We may request proof of identity before processing requests.

Third-party data subjects (employees, customers, or suppliers of subscribing businesses): Lumion will direct your request to the relevant Subscriber as data controller while cooperating with the process to the extent of our obligations.

12. Security Measures

Lumion implements the following technical and organisational measures to protect personal data:

  • Row Level Security (RLS) on the Supabase database: each Subscriber’s data is logically isolated so that no business can access another’s data.
  • TLS encryption for all data in transit between the Platform and users’ devices and between the Platform and its processors.
  • Automatic session expiry after 30 minutes of inactivity.
  • API rate limiting via Upstash to protect against abuse, credential stuffing, and denial-of-service attempts.
  • Restricted access to service role keys: privileged database credentials are never exposed in client-facing code.
  • Permanent audit trail logging all data access and modification events.
  • Staff training on data protection and information security obligations.

No system is completely immune from security incidents. In the event of a breach, Lumion will follow the procedure in Section 13.

13. Data Breach Response

In the event of a personal data breach, meaning any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, Lumion will act as follows:

  • Regulatory notification: where the breach is likely to result in a risk to the rights and freedoms of data subjects, Lumion will notify the Nigeria Data Protection Commission (NDPC) within 72 hours of becoming aware of the breach, in accordance with the NDPA 2023.
  • Data subject notification: where the breach is likely to result in a high risk to the rights and freedoms of affected individuals, Lumion will notify those data subjects without undue delay, as required by the NDPA 2023. Notification will describe the nature and scope of the breach; the categories of personal data affected; the likely consequences; and the remedial steps being taken.
  • Containment and remediation: Lumion will take immediate steps to contain and address the breach, including engaging technical specialists where necessary.
  • Internal documentation: all breaches will be recorded in Lumion’s internal breach register, whether or not they meet the threshold for regulatory notification, in accordance with accountability obligations under the NDPA 2023.

14. Data Retention

Lumion retains personal data only for as long as is necessary for the purposes for which it was collected, or as required by applicable Nigerian law including CAMA 2020. The following retention schedule applies:

Category of Data | Retention Period
Subscriber account data | Active subscription + 6 years post-closure (CAMA 2020)
Business operational data (invoices, sales, expenses, inventory, production batches) | Minimum 6 years from date of record (CAMA 2020 record-keeping requirements)
Staff and payroll data | 5 years from date of last payroll record
OTP session data (Termii) | Transient — maximum 30 minutes; not stored after verification
Generated PDF reports | Generated on-demand and delivered immediately; not stored on Lumion servers
Product images (Cloudinary) | Tied to the life of the product listing; deleted when the subscriber deletes the product
Audit trail logs | Permanent — cannot be deleted (see Section 10)
Analytics data (PostHog) | 13 months from collection
Error monitoring data (Sentry) | 13 months from collection
Payment records (Paystack) | As required by Nigerian financial and tax law

Account Closure: on closure of a Subscriber’s Account, Lumion will delete or anonymise all Business Data within 90 days of closure, subject to applicable legal retention obligations. Subscribers may export their data at any time during the active subscription and for 30 days following account closure.

Audit Trail Exception: as described in Section 10, audit trail logs are retained permanently and are not subject to the account closure deletion window.

15. Cookies

A summary of our cookie and tracking technology usage is set out below.

15.1 Strictly Necessary: Supabase authentication tokens are stored in local storage to maintain login sessions and preserve onboarding state. The Platform cannot function without these. No consent is required.

15.2 Analytics Cookies (Consent Required): PostHog sets cookies to track feature usage and user interactions for product improvement purposes. These require consent. You may opt out at any time through the cookie preferences panel without losing access to any Platform functionality.

15.3 Error Monitoring: Sentry may set session identifiers to support application diagnostics and crash reporting. These are used for technical debugging only.

15.4 No Advertising Cookies: SMEbuddy does not use advertising cookies and does not serve third-party advertisements. We do not share user data with any advertising network or digital marketing platform. This is a firm commitment.

16. Intellectual Property

Lumion Technology Limited owns all intellectual property rights in and to the Platform, including the source code, algorithms, visual design, trade marks, and all content produced by Lumion.

Subscribers retain all ownership rights in their Business Data, including uploaded product images. The limited licence granted to Lumion to store and process that data is described in the Terms of Service. Lumion does not claim ownership of, and will not distribute or commercialise, any content uploaded by Subscribers.

Lumion respects the intellectual property rights of third parties. If you believe that content on the Platform infringes your rights under Nigerian law, please contact us via support@sme-buddy.com with a written description of the alleged infringement, your contact details, proof, and a statement that your claim is made in good faith.

17. Minimum Age

SMEbuddy is a business management platform intended exclusively for use by adults. All Subscribers and Users must be at least 18 years of age and must have the legal capacity to enter contracts under Nigerian law. By registering an Account, you confirm that you meet this requirement.

Lumion does not knowingly collect personal data from individuals under 18. If we become aware that data from a minor has been submitted to the Platform, we will take immediate steps to delete it. To report such a concern, contact support@sme-buddy.com.

18. Changes to This Policy

Lumion may update this Policy from time to time to reflect changes in our processing activities, applicable law, or regulatory guidance. Material changes will be communicated to Subscribers by email and by posting the updated Policy at sme-buddy.com at least 14 days before the changes take effect. Your continued use of the Platform following notification constitutes acceptance of the revised Policy.

This Privacy Policy was last updated in 2026.

19. Complaints and Regulatory Authority

If you are dissatisfied with how Lumion has handled your personal data, you have the right to lodge a complaint with:

Nigeria Data Protection Commission (NDPC)
Website: ndpc.gov.ng • Email: info@ndpc.gov.ng

We encourage you to contact us first so that we may attempt to resolve the matter before escalation to the NDPC.

20. Contact and Data Protection Compliance Organisation

Lumion Technology Limited has appointed an external Data Protection Compliance Organisation (DPCO), Data Protection Officer and compliance representative for all matters arising under the NDPA 2023 and the GAID 2025.

For data protection enquiries, rights requests, or to report a concern: support@sme-buddy.com

For general Platform support and account queries: support@sme-buddy.com

Legal: Legal@sme-buddy.com

We will acknowledge all data protection enquiries within 72 hours and provide a substantive response within the period prescribed by the NDPA 2023.