Privacy Policy
Last Updated: June 2026 · Effective from: 1 June 2026
This Privacy Policy explains how Quantum Leap AI International Limited collects, uses, and protects your personal and institutional data when you use the ComplianceIQ platform. We are committed to protecting your privacy and processing your data in accordance with the Nigeria Data Protection Act 2023 (NDPA) and other applicable data protection laws.
1. Introduction and Data Controller
Quantum Leap AI International Limited (RC No. [Registration Number]), Lagos, Nigeria, is the data controller of personal data collected through the ComplianceIQ platform. We are registered with the Nigeria Data Protection Commission (NDPC) as a data controller of major importance.
Our Data Protection Officer (DPO) can be contacted at: dpo@quantumleapai.com
This Policy applies to all individuals who access or use the ComplianceIQ platform, including compliance officers, administrators, assessors, and analysts employed by our institutional clients.
2. Information We Collect
Account and Identity Information
- Full name and work email address
- Job title and professional role
- Password (stored as a one-way cryptographic hash — never in plain text)
- Date and time of account creation and terms acceptance
Institutional Information
- Organisation name, registration details, and regulatory licence type
- Primary jurisdiction and country of operation
- Regulatory identifiers (e.g. CBN licence numbers, FRC registration)
- Subscription tier and billing information (payment details processed by our payment processor)
Compliance and Assessment Data
- Responses to compliance framework questionnaires and control assessments
- Evidence documents uploaded to support compliance assertions
- AI-generated compliance scores, gap analyses, and recommendations
- Assessment history and certificate records
- Notes, comments, and annotations made within the platform
Technical and Usage Data
- IP address, browser type, device type, and operating system
- Pages accessed, features used, and session duration
- Log data including timestamps of logins, logouts, and API calls
- Security events including failed login attempts and account lockout events
3. Legal Basis for Processing
We process your personal data on the following legal bases under the NDPA 2023 and, where applicable, the UK GDPR and EU GDPR:
- Contract performance: processing necessary to deliver the ComplianceIQ services you have subscribed to
- Legitimate interests: platform security, fraud prevention, service improvement, and business analytics — balanced against your privacy rights
- Consent: where you have given specific consent, such as for marketing communications or AI model improvement (you may withdraw consent at any time)
- Legal obligation: where we are required to process data to comply with applicable laws, including anti-money laundering obligations and regulatory enquiries
4. How We Use Your Information
We use the information we collect to:
- Create and manage your account and provide access to the ComplianceIQ platform
- Deliver compliance assessments, scoring, gap analysis, and certification services
- Power ARIA, our AI Compliance Advisor, to generate personalised recommendations and insights
- Process subscription payments and maintain billing records
- Send transactional communications (account verification, security alerts, assessment notifications)
- Enforce our Terms of Service and detect and prevent fraud, abuse, or security threats
- Maintain comprehensive audit logs for your institution's compliance governance and regulatory evidence requirements
- Conduct aggregated, anonymised analytics to improve platform performance and compliance intelligence
- Respond to your support requests and provide technical assistance
- Comply with our legal and regulatory obligations
5. AI Technology and Data Processing
ComplianceIQ uses artificial intelligence technology, including machine learning and natural language processing, to analyse compliance assessment responses, generate maturity scores, identify control gaps, and deliver recommendations through ARIA, our AI Compliance Advisor.
How your data is used by AI systems:
- Assessment responses and institutional context are submitted to our AI processing infrastructure to generate analysis, scores, and recommendations
- AI processing occurs within our secure, contracted cloud environment with data processing agreements in place
- Sessions are logged for quality assurance, security monitoring, and cost tracking
What we do NOT do:
- We do not use your confidential institutional data to train, fine-tune, or improve AI models without your explicit written consent
- We do not sell your compliance data or AI-generated analysis to third parties
- We do not use your data for advertising purposes
AI-generated outputs are produced by automated systems and may not always be accurate. We encourage all users to apply professional judgement and seek qualified legal or compliance advice before relying on AI-generated analysis for material compliance decisions.
6. Data Sharing and Disclosure
We do not sell, rent, or trade your personal data. We may share data in the following limited circumstances:
Service providers and sub-processors
We engage carefully selected third-party service providers who process data on our behalf, including cloud infrastructure providers, email delivery services, and payment processors. All sub-processors are contractually bound to process data only as instructed and to implement appropriate security measures.
Within your organisation
Data you submit is accessible to other authorised users within your organisation's account, subject to role-based access controls.
Legal and regulatory disclosure
We may disclose data where required by law, court order, or regulatory authority, including the NDPC, CBN, or other competent authorities. Where legally permissible, we will notify you of such requests.
Business transfers
In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity, subject to the same privacy protections described here.
7. International Data Transfers
Your data is primarily stored and processed within Nigeria and the European Economic Area (EEA). Where data is transferred outside Nigeria or the EEA, we ensure that appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data processing agreements with all sub-processors
- Transfer Impact Assessments where required by applicable law
By using the Platform, you consent to data transfers as described in this section, subject to these safeguards.
8. Data Retention
We retain your personal and institutional data for the following periods:
- Account data (name, email, role): duration of active subscription plus 3 years after termination
- Compliance assessment data and responses: 7 years from assessment date, in line with financial regulatory record-keeping requirements
- Audit logs and security event records: 10 years (required for regulatory compliance evidence)
- Certificates issued: indefinitely, for public verification purposes
- Payment records: 7 years, as required by Nigerian tax law
- Terms acceptance records (terms_accepted_at): permanently, as NDPA consent audit evidence
After the applicable retention period, data is securely deleted or anonymised. You may request early deletion subject to our legal retention obligations.
9. Security Measures
We implement comprehensive technical and organisational security measures to protect your data, including:
- 256-bit AES encryption for all data at rest
- TLS 1.3 encryption for all data in transit
- Role-based access control (RBAC) limiting data access to authorised personnel only
- Account lockout after repeated failed authentication attempts (PCI DSS Req 8.3.4 compliant)
- Multi-factor authentication (MFA/TOTP) support
- Cryptographic audit log chaining (SHA-256 hash chain) to detect log tampering
- Regular security assessments and penetration testing
- Formal incident response procedures with regulatory notification protocols
While we implement industry-standard security controls, no system can guarantee absolute security. In the event of a data breach that is likely to result in a high risk to your rights, we will notify you and the NDPC within the timeframes required by law.
10. Your Rights
Under the NDPA 2023 and, where applicable, the GDPR, you have the following rights regarding your personal data:
- Right of access: to obtain confirmation of whether we process your data and receive a copy
- Right to rectification: to correct inaccurate or incomplete personal data
- Right to erasure: to request deletion of your data, subject to our legal retention obligations
- Right to data portability: to receive your data in a structured, machine-readable format
- Right to restriction: to request that we limit processing in certain circumstances
- Right to object: to object to processing based on legitimate interests
- Right to withdraw consent: where processing is based on consent, to withdraw it at any time without affecting the lawfulness of prior processing
- Right not to be subject to fully automated decisions that produce significant legal effects, without human review
To exercise any of these rights, contact our DPO at dpo@quantumleapai.com. We will respond within 30 days. We may require identity verification before actioning requests.
11. Cookies and Tracking
ComplianceIQ uses a minimal, privacy-first approach to cookies and browser storage:
- Authentication tokens: essential session management, stored in secure httpOnly cookies or browser memory
- Preference data: theme and language preferences stored in localStorage
- No advertising cookies, third-party tracking, or analytics fingerprinting
We do not use cookies to track your activity across other websites, serve targeted advertising, or build behavioural profiles. You can manage cookie settings through your browser, though disabling essential cookies may affect platform functionality.
12. Children's Privacy
ComplianceIQ is a professional enterprise platform intended exclusively for use by financial institutions and their employees. The Platform is not directed at persons under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected data from a minor, please contact us immediately so we can delete it.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Where changes are material, we will notify you by:
- Email notification to your registered address at least 30 days before changes take effect
- Prominent notice within the ComplianceIQ platform
Continued use of the Platform after the effective date of updated Terms constitutes acceptance. If you do not accept the changes, you may terminate your subscription before the effective date.
The "Last Updated" date at the top of this page indicates when this Policy was most recently revised.
14. Contact and Complaints
For any questions, concerns, or requests relating to your personal data or this Privacy Policy, please contact:
Data Protection Officer
Quantum Leap AI International Limited
Lagos, Nigeria
dpo@quantumleapai.com
If you are not satisfied with our response, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng, or with the supervisory authority in your country of residence if you are located outside Nigeria.
© 2026 Quantum Leap AI International Limited. All rights reserved.
