Privacy Policy
This privacy policy explains how Efuafinex Hair Ltd (collectively referred to as “Hair Flex”, “Company”, “we”, “us” or “our”) collects, uses, discloses and safeguards personal data when you interact with our Hair Flex mobile application, website (https://efuafinexhair.com/), or when you purchase products or services from us (collectively, the “Service”). We take your privacy seriously and comply with applicable data‑protection laws in Nigeria, specifically the Nigeria Data Protection Act 2023 (NDPA) and its General Application and Implementation Directive (GAID) iclg.com.
Because our company operates in Nigeria and serves customers located in Nigeria, this policy focuses solely on Nigerian privacy law. If you access the Service from another jurisdiction, you acknowledge that Nigerian law governs our privacy practices.
By using the Service, you consent to the collection and use of your information as described in this Privacy Policy.
1. Definitions
To make this policy easier to understand, we use certain defined terms:
Account – a unique account created for you to access parts of our Service.
Device – any device that can access the Service (computer, mobile phone or tablet).
Personal Data – information relating to an identified or identifiable person. Under Nigeria’s NDPA, an identifiable person includes anyone who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data or an online identifiericlg.com.
Service Provider – any natural or legal person that processes data on our behalf.
Usage Data – data collected automatically via your Device, such as IP address, browser type, pages visited, time spent on pages and diagnostic data.
You – the individual accessing or using the Service, or the company or other legal entity on whose behalf that individual is acting.
2. Scope of this Policy and Applicable Law
The Nigeria Data Protection Act 2023 (NDPA) is Nigeria’s principal data‑protection legislation. It establishes rights for data subjects, such as the right of access, rectification, erasure, and portability, and imposes obligations on data controllers and processors. In March 2025, the Nigeria Data Protection Commission (NDPC) issued the General Application and Implementation Directive (GAID), which takes effect on 19 September 2025 and supersedes the earlier Nigeria Data Protection Regulation (NDPR). Our privacy practices are designed to comply with the NDPA and GAID.
We do not target customers outside Nigeria and therefore do not reference other jurisdictions’ privacy laws in this policy. If our operations expand internationally, we will update this policy accordingly.
3. What Personal Information We Collect
We collect the categories of personal data described below. We only collect data that is necessary for the purposes explained in this policy.
| Category | Examples of information collected and why | Legal basis under NDPA |
|---|---|---|
| Identifiers | Name, email address, telephone number, address, state, province, ZIP/postal code and city. These are collected when you create an Account, place an order or contact us. | Necessary for contract performance and legitimate interests (providing services and communicating with you). |
| Login credentials | Username and password, or single‑sign‑on credentials via social‑media profiles (e.g., “Sign in with Facebook” or “Log in with Twitter”). When you use social‑media login, we may collect your public profile (name, profile picture, email) provided by the third‑party platform. | Necessary to provide secure access to your Account and facilitate login; legitimate interests. |
| Payment information | We provide products and services for purchase. If you buy through our Service, you will provide payment card details (card number, expiration date, CVV) and billing information. Hair Flex does not store full payment card numbers; they are processed by third‑party payment processors that are PCI‑DSS compliant. | Necessary for performing contracts (fulfilling orders). |
| Marketing and communication preferences | If you opt in to receive emails, newsletters or promotions, we record your marketing preferences. | Legitimate interests (marketing) and your consent. |
| Usage Data and Device information | IP address, browser type, operating system, device identifiers, time and date of visit, pages viewed, time spent on each page and diagnostic data. When you access the Service via mobile, we also collect mobile device ID, operating system and mobile browser type. | Legitimate interests (security, analytics). |
| Cookies and similar tracking technologies | We use session and persistent cookies, web beacons and scripts to remember your preferences and analyse how the Service is used. See our Cookie Notice for details. | Consent (where required) and legitimate interests. |
4. How We Use Your Information
We process personal data for the purposes listed below, based on lawful grounds defined under the NDPA:
Providing and maintaining the Service – to register you as a user, process orders, provide customer support and deliver goods or services. This includes monitoring usage and resolving technical issues.
Account management – to manage your Account, including verifying your identity, facilitating log‑ins through social media and communicating with you regarding your Account.
Performance of contracts – to deliver products or services you purchase and manage payment transactions. We use third‑party payment processors and do not store full credit‑card numbers.
Communications and marketing – to contact you by email, SMS, push notifications or phone about orders, updates and promotional offers you have opted to receive. You can opt out of marketing emails at any time.
Targeted advertising and remarketing – to show advertisements to you on other websites after you have visited our Service. This involves third‑party advertising partners who use cookies or device identifiers. Where required, we will obtain consent for these cookies.
Analytics, research and service improvement – to analyse trends, measure effectiveness of marketing campaigns, improve functionality and develop new features.
Legal compliance and protection – to comply with applicable laws (e.g., NDPA/GAID), respond to lawful requests, enforce our agreements, prevent fraud and ensure the safety of our users.
Business transfers – to evaluate or carry out a merger, acquisition or asset sale. If our company is involved in such a transaction, personal information may be transferred, subject to this Policy.
We do not sell your personal information. We may share hashed identifiers for remarketing, but you can opt out (see section 7).
5. Legal Bases for Processing (NDPA)
Under the NDPA, we rely on the following lawful bases to process your personal data:
Consent – you give us consent to process your data for a specific purpose, such as receiving marketing emails or certain cookies. You may withdraw consent at any time.
Contract – processing is necessary to perform a contract or to take steps at your request before entering into a contract (e.g., fulfilling an order or creating an account).
Legitimate interests – processing is necessary for our legitimate interests (or those of a third party) except where your rights override those interests. For example, we use analytics to understand how our Service is used and to improve our products, and we use remarketing to promote our business. You have the right to object to processing based on legitimate interests.
Legal obligation – processing is necessary to comply with a legal obligation (e.g., tax or accounting rules, consumer protection laws, NDPA requirements).
6. Disclosure of Your Information
We may share your personal information in the circumstances described below:
Service Providers – We share data with third‑party service providers who perform functions on our behalf, such as payment processing, hosting, analytics, customer support, email delivery and advertising partners. They have access only to the information necessary to perform their functions and are bound by confidentiality obligations.
Remarketing and advertising partners – We use remarketing services (e.g., Google Ads, Facebook Ads) to advertise our products to you on third‑party websites. These partners may use cookies and device identifiers to show ads tailored to your interests. Where required, we will obtain consent for these cookies. You can opt out of remarketing in section 7.
Legal requirements – We may disclose information if required by law or in response to valid requests by public authorities. For example, the NDPA allows disclosure when necessary for law enforcement or to prevent fraud.
Business transfers – If we are involved in a merger, acquisition or asset sale, your data may be transferred. We will notify you and honour your rights.
With your consent – We may disclose personal information for any other purpose with your explicit consent.
We do not knowingly disclose children’s personal information (under age 13) without parental consent. The NDPA defines a child as anyone under 18 and requires verification of age
7. Your Privacy Rights (NDPA)
As a data subject in Nigeria, you have the following rights under the NDPA and GAID:
Right of access – to request copies of your personal data.
Right to rectification – to correct inaccurate or incomplete personal data.
Right to deletion (erasure) – to request deletion of your personal data when it is no longer needed or where processing is unlawful.
Right to object – to object to processing, including direct marketing; once you object, we must stop processing for marketing purposes.
Right to restrict processing – to request that processing be restricted under certain conditions (e.g., contested accuracy, unlawful processing).
Right to data portability – to obtain your data in a structured, commonly used electronic format and transmit it to another controller where technically feasible.
Right to withdraw consent – to withdraw any consent you previously gave, without affecting the lawfulness of processing before withdrawal.
Right to lodge a complaint – to complain to the Nigeria Data Protection Commission (NDPC) if you believe our processing violates the NDPA
Exercising Your Rights
To exercise any of the rights described above, please contact us using the details in section 11. We may ask you to verify your identity before fulfilling your request. We will respond to your request without undue delay and in any event within 30 days as required by the NDPA, with the possibility of an extension if the request is complex. If we deny your request, we will explain our reasons and inform you of your right to lodge a complaint with the NDPC.
You may also opt out of targeted advertising by contacting us or adjusting your cookie preferences. We will respect your choices regarding marketing and remarketing.
8. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes outlined in this policy, comply with legal obligations, resolve disputes and enforce our agreements. The NDPA requires data controllers to erase personal data without undue delay when it is no longer necessary or when the data subject withdraws consent. We determine retention periods based on the type of data, the purpose of processing, and legal requirements. When the retention period expires, we securely delete or anonymise the data.
9. International Data Transfers
Hair Flex is based in Nigeria, but we may process your information in countries other than Nigeria. This may involve transferring your data to jurisdictions whose data‑protection laws differ from those in Nigeria. We will ensure that such transfers comply with applicable laws by implementing safeguards, such as:
entering into data‑transfer agreements that ensure adequate protection;
working with service providers that adopt recognised data‑protection certifications; and
assessing the adequacy of the destination country’s legal framework before transferring data.
By using the Service, you consent to the transfer of your information to countries outside Nigeria, as permitted by law.
10. Security of Your Personal Data
We employ technical and organisational measures to protect personal data from unauthorised access, alteration, disclosure or destruction. However, no method of transmission or storage is completely secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee absolute security. If you suspect that your data has been compromised, please contact us immediately.
11. Children’s Privacy
Our Service is not directed at children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and become aware that a child has provided us with personal data without consent, please contact us. In accordance with the NDPA, a child is any person under 18 years. We may require proof of age and parental consent before collecting personal data from minors, and we will make our policies child‑friendly when targeting children.
12. Changes to This Privacy Policy
13. Contact Us
If you have any questions or concerns about this Privacy Policy or our data‑handling practices, or if you would like to exercise your privacy rights, you can contact us using the details below:
Email: support@efuafinexhair.com
Phone: 07064443133
