Flow by NBSBack to app →

Privacy Policy

Effective date: 16 April 2026

1. Introduction

This Privacy Policy explains how Numero Business Solutions ("NBS", "we", "us", or "our") collects, uses, stores, and protects your information when you use Flow by NBS ("the Service"). This policy applies to all users of the Service, regardless of location.

NBS is committed to protecting your privacy in compliance with the Nigeria Data Protection Act 2023 (NDPA) and the EU General Data Protection Regulation (GDPR), where applicable.

2. Information We Collect

Account data: When you register, we collect your name, email address, and company information (company name, industry, contact details).

Usage data: We automatically collect information about how you interact with the Service, including server logs, device information, browser type, and access times.

Content data: We store the business data you create within the Service, including invoices, inventory records, revenue entries, expenses, orders, and workflow configurations.

3. How We Use Your Information

We use your information to:

  • Provide, operate, and maintain the Service
  • Process subscription payments and manage billing
  • Respond to customer support requests
  • Improve and develop new features for the Service
  • Ensure security and prevent fraud or abuse
  • Comply with legal obligations and regulatory requirements

4. Legal Basis for Processing

Under the NDPA: We process your personal data based on your consent (provided during registration), the performance of our contract with you (your subscription), our legitimate interests in operating and improving the Service, and our legal obligations under Nigerian law.

Under the GDPR (Article 6): Where applicable, our processing relies on contractual necessity (Article 6(1)(b)), legitimate interests (Article 6(1)(f)), legal obligations (Article 6(1)(c)), and your consent (Article 6(1)(a)).

5. Data Sharing

We do not sell your personal data. We share your information only in the following circumstances:

  • Service providers: We use third-party services to host and operate the platform, including Supabase (database and authentication), Vercel (hosting), and Resend (transactional email). These providers process data on our behalf under appropriate data processing agreements.
  • Legal compliance: We may disclose your information if required by law, regulation, legal process, or governmental request.
  • Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity, subject to the same privacy protections described in this policy.

6. Data Security

We implement industry-standard security measures to protect your data, including:

  • Encryption of data in transit (TLS/HTTPS) and at rest
  • Row-Level Security (RLS) at the database level to enforce strict data isolation between companies
  • Role-based access controls within the application
  • Regular security reviews and monitoring

While we take reasonable precautions, no method of transmission or storage is completely secure. We cannot guarantee absolute security of your data.

7. Data Retention

  • Active accounts: Your data is retained for as long as your account remains active and your subscription is in good standing.
  • Deleted accounts: Upon account termination, your data is retained for 30 days to allow for recovery or data export, after which it is permanently deleted.
  • Backups: Backup copies of your data may be retained for up to 90 days after deletion for disaster-recovery purposes, after which they are purged.

8. Your Rights Under NDPA and GDPR

Depending on your jurisdiction, you have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Erasure: Request deletion of your personal data, subject to legal retention requirements.
  • Portability: Request your data in a structured, commonly used, machine-readable format.
  • Objection: Object to processing based on legitimate interests.
  • Restriction: Request that we limit processing of your data in certain circumstances.
  • Complaint: Lodge a complaint with the Nigeria Data Protection Commission (NDPC) or your local Data Protection Authority (DPA) under GDPR.

To exercise any of these rights, contact us at info@numerosolutions.com.ng.

9. International Data Transfers

Your data may be stored and processed outside Nigeria through our service providers (Supabase and Vercel operate infrastructure globally). These providers maintain compliance with GDPR through Standard Contractual Clauses (SCCs) and other appropriate safeguards. We ensure that any international transfer of your data is subject to adequate protections as required by the NDPA and GDPR.

10. Cookies and Tracking

We use essential session cookies solely for authentication and maintaining your logged-in state. We do not use advertising trackers, third-party marketing cookies, or behavioural tracking technologies. No cookie consent banner is required as we only use strictly necessary cookies.

11. Children's Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a person under 18, we will take steps to delete that information promptly.

12. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users and the relevant supervisory authority within 72 hours of becoming aware of the breach, in accordance with NDPA and GDPR requirements. Notification will include the nature of the breach, the data affected, and the measures taken to address it.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. Material changes will be communicated via email or through the Service. We encourage you to review this policy periodically. Your continued use of the Service after any changes constitutes acceptance of the updated policy.

14. Contact

For any questions or concerns about this Privacy Policy or our data practices, please contact our Data Protection Officer:

Numero Business Solutions
Allen Avenue, Ikeja, Lagos
Email: info@numerosolutions.com.ng