Data Protection
GDPR does not cover Nigeria. If you are in Nigeria, the Nigeria Data Protection Act 2023 (NDPA) applies to you. If you are in the EU, EEA, or UK, the GDPR applies. This page explains both — and how Avenza supports your rights under each.
European Union, EEA & United Kingdom — GDPR
1. Our commitment (GDPR)
Avenza AI processes personal data in accordance with the GDPR (Regulation (EU) 2016/679) and the UK GDPR where applicable. We implement data protection by design in our platform architecture, access controls, and vendor selection.
This page supplements our Privacy Policy. The GDPR-specific guidance below applies to individuals in the EU, EEA, and UK.
2. Controller & processor roles
When Avenza is the controller
For account registration, billing, platform usage logs, and contact form submissions, Avenza acts as the data controller — we determine the purposes and means of processing your personal data.
When Avenza is the processor
When you publish surveys and collect responses, you (the researcher or institution) are typically the data controller for respondent data. Avenza acts as a processor, hosting and processing response data on your instructions through the platform.
3. Lawful bases for processing
We rely on the following legal bases under GDPR Article 6:
- Contract (Art. 6(1)(b)) — Processing necessary to provide the service you signed up for: parsing, hosting, collection, analytics, and payment fulfilment
- Legitimate interests (Art. 6(1)(f)) — Security monitoring, fraud prevention, platform improvement, and anonymised usage analytics — balanced against your rights
- Legal obligation (Art. 6(1)(c)) — Retaining payment records for tax and accounting requirements
- Consent (Art. 6(1)(a)) — Where explicitly requested, such as optional marketing communications (not required for core service)
4. Your data subject rights
If you are in the EU, EEA, or UK, you have the following rights (subject to conditions and exceptions in the GDPR):
5. How to exercise your rights
Submit a request through our contact form. Please include:
- Your full name and the email address associated with your Avenza account
- The specific right you wish to exercise
- Enough detail for us to locate your data (account email, survey titles if relevant)
We will verify your identity before processing requests and respond within one month, as required by GDPR. Complex requests may be extended by a further two months with notice.
Survey respondents: If you responded to a survey and want access or deletion, contact the researcher who published it first. They can export or delete data through Avenza. If you cannot reach them, contact us and we will assist.
6. Security & data minimisation
We implement appropriate technical and organisational measures including:
- Encryption in transit (HTTPS/TLS)
- Password hashing and secure authentication tokens
- Role-based access controls for internal systems
- Rate limiting and bot protection on public endpoints
- Data minimisation — collecting only what the service requires
- Retention limits — deleting or anonymising data when no longer needed
Details are in Section 7 of our Privacy Policy.
7. International data transfers
Avenza operates globally. Your data may be processed in countries outside the EU/EEA/UK where our infrastructure or subprocessors are located. Where required, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) or equivalent mechanisms approved under GDPR.
Subprocessors include cloud hosting, payment (Paystack), AI providers, and email delivery services — each bound by data protection obligations.
8. Personal data breach notification (GDPR)
We maintain procedures to detect, investigate, and respond to personal data breaches. Where a breach is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours where required, and affected individuals without undue delay when the risk is high.
Nigeria — NDPA 2023
9. Nigeria Data Protection Act (NDPA)
If you are in Nigeria, your personal data is primarily governed by the Nigeria Data Protection Act 2023 (NDPA), administered by the Nigeria Data Protection Commission (NDPC). The NDPA replaced the earlier Nigeria Data Protection Regulation (NDPR) and is Nigeria's main federal data protection law.
GDPR does not automatically protect Nigerian residents. However, many of the same principles apply: lawful processing, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality, and accountability.
Who the NDPA applies to
- Individuals in Nigeria whose personal data is processed
- Organisations (including Avenza and researchers using our platform) that process the personal data of Nigerians
- Processing carried out in Nigeria or targeting Nigerian data subjects
Controller & processor roles (Nigeria)
The same role split applies under the NDPA as under GDPR:
- Avenza as controller — for your account, billing, platform logs, and contact form data
- You as controller / Avenza as processor — for survey respondent data you collect through published surveys
Researchers in Nigeria must ensure they have a lawful basis under the NDPA before collecting respondent data and must provide appropriate privacy notices and consent where required.
Lawful bases under the NDPA
Processing is permitted when at least one lawful basis applies, including:
- Consent — clear, informed, and freely given (common for survey participation)
- Contract — processing necessary to deliver the Avenza service you signed up for
- Legal obligation — compliance with applicable Nigerian law
- Legitimate interests — where balanced against the data subject's rights (e.g. security, fraud prevention)
- Vital interests, public interest, or legal claims — where applicable
Your rights under the NDPA
Nigerian data subjects have rights broadly aligned with international standards, including:
How to exercise NDPA rights
Use the same contact form as GDPR requests. State that your request is under the NDPA and include your name, account email, and the right you wish to exercise. We will verify your identity and respond within a reasonable timeframe consistent with NDPA requirements.
Data breach notification (Nigeria)
Where a personal data breach occurs and is likely to result in harm to data subjects, we will notify the Nigeria Data Protection Commission (NDPC) and affected individuals as required under the NDPA.
10. Contact & supervisory authorities
For all data protection requests — GDPR or NDPA — use our contact form.
EU / EEA: You may lodge a complaint with your local supervisory authority. Find EU authorities at edpb.europa.eu.
United Kingdom: Contact the Information Commissioner's Office (ICO) at ico.org.uk.
Nigeria: Contact the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng if you believe your NDPA rights have been violated and we have not resolved your concern.
Submit a data protection request
GDPR or NDPA — use the contact form and we will respond promptly.