Klari Technologies Limited
Privacy notice
Effective 11 May 2026 · Issued under the Nigeria Data Protection Act 2023 and the General Application and Implementation Directive 2025.
1. Who we are
Klari Technologies Limited (“Klari”, “we”, “us”) is a private company incorporated in Nigeria. We are the Data Controller for personal data we collect via the Klari marketing website (klari.ng) and the Data Processor for personal data our customers (Nigerian organisations classified under the NDPC Major Importance regime) entrust to Klari when using our product.
For privacy enquiries write to privacy@klari.ng.
2. What we collect and why
2.1 Marketing site visitors
- “Request access” form: name, work email, organisation, role, free-text message, submission IP address. We use this to evaluate prospective design partners and reply to enquiries. Lawful basis: legitimate interest in business development (NDPA s.25(c)).
- Operational logs: request paths, response codes, IP address, user-agent. Used for security and abuse prevention only; retained 90 days. Lawful basis: legitimate interest in service security.
2.2 Authenticated users
- Account data: email address (for sign-in), display name, organisation membership, role. Lawful basis: performance of a contract (NDPA s.25(b)).
- Audit log: every state-changing action in your tenant produces an append-only event: actor email, action, resource, timestamp, IP, user-agent, request ID. This is part of the product, not analytics. Lawful basis: compliance with a legal obligation (NDPA s.25(d)) — audit trails are required for NDPA s.34 audits.
2.3 What we do not collect
We do not run third-party analytics, advertising trackers, or session-replay tools on klari.ng. We do not sell personal data. We do not profile users for marketing.
3. Where the data lives
All tenant data — your organisation, records, evidence, audit log — is stored exclusively in Frankfurt, Germany (eu-central-1) on Supabase Postgres + Storage. Application compute runs on Vercel functions pinned to the same region. No tenant data is held by a US- or non-EU CDN.
Cross-border data flows to a non-Nigerian jurisdiction (Germany) are conducted under standard data protection clauses with our infrastructure providers, as contemplated by NDPA s.43, and rely on the recognition under NDPA s.41 that the European Economic Area provides an adequate level of protection. We can produce the current clause sets on request for NDPC submission.
4. How long we keep it
- “Request access” submissions: 12 months from submission, then destroyed unless converted to a customer relationship.
- Account data: for the life of the contract plus the retention window required by Nigerian financial-services law for related business records (currently six years; superseded by sector-specific requirements where stricter).
- Audit log: retained for the life of the tenant plus seven years, as standard for NDPA s.34 audit defensibility. Customers may export their log at any time.
- Operational logs: 90 days.
5. Your rights
Under the NDPA you may:
- request a copy of personal data we hold about you (s.36);
- request correction of inaccurate or incomplete data (s.36);
- request deletion where retention is no longer lawful (s.37);
- object to processing based on legitimate interest (s.36);
- withdraw consent at any time, where consent is the lawful basis (s.26);
- lodge a complaint with the Nigeria Data Protection Commission at ndpc.gov.ng.
We respond to verified rights requests within 30 days. Send them to privacy@klari.ng.
6. Security
Klari is built around five hardening rules documented in our architecture: tenant- scoped row-level security on every table; an append-only audit log enforced at the database layer; private storage with signed URLs and short download TTLs; signed PDF exports; and a single mutation chokepoint that re-checks authentication on every state-changing call. Secret keys are server-only and never shipped to the browser.
7. Sub-processors
We use a small, EU-resident set of sub-processors. The current list is available on request to privacy@klari.ng. We will notify customers of any addition that materially changes data location or category of access at least 14 days in advance.
8. Changes to this notice
We will post a revised effective date when this notice changes. The previous version remains available on request for audit purposes.
9. Contact
Klari Technologies Limited
Privacy enquiries: privacy@klari.ng
General: hello@klari.ng