Privacy Policy

Who we are

Satoo Foundation (“we,” “us,” “our”) is a non-governmental organization committed to protecting personal information—including images—collected during outreach, events, programmes, or via this website. This policy is in compliance with applicable data protection laws for Nigerians.

Your Personal Data

Under Nigerian law, images of an identifiable individual are included within the definition of personal data. We treat all images, including photographs, as personal data subject to data protection principles. Other forms of personal data that may be used by Us includes name, email address, phone number, State of Origin, home address, nationality, gender, etc.

Lawful Bases for Processing

  1. Consent
    We will obtain explicit, freely‐given consent before capturing or using an individual’s photograph or other personal data for archival, reporting, or promotional purposes. Consent may be provided via registration forms, consent checkboxes, or written release forms. Individuals will also be able to withdraw consent at any time.
  2. Other bases (where consent is not applicable)
    If required for contractual performance, legal obligation, vital interests, public interest or legitimate interests—and provided it does not infringe the data subject’s rights—we may process data under these bases, but only where clearly necessary and disclosed.
  3. Purpose Limitation and Use of Images.
     We collect and use personal data and images only for specified, explicit, and legitimate purposes—such as reporting on foundation work, documenting events, or sharing stories— and will not reuse or repurpose them in ways incompatible with those purposes .
  4. Consent Withdrawal and Deletion Requests.
     Individuals may withdraw their consent at any time. Upon withdrawal, we will promptly cease usage and remove the photo or personal information from public channels within a reasonable timeframe.
  5. Data Subject Rights:
    In line with NDPR, data subjects have the right to:
      • Be informed about data processing;
      • Access their data;
      • Correct inaccurate data;
      • Request deletion (“right to be forgotten”);
      • Object to or restrict processing;
      • Data portability (where applicable).
        Requests will be handled within 7 days as required by law.

6.  Data Minimization and Retention

We only collect and store personal data and images that are necessary for the stated purpose. Data and photos will be retained only for as long as required—typically no more than one year—unless lawful archiving or public‐interest justification exists .

7. Security Measures

We implement appropriate physical, technical and organisational safeguards to protect personal data and images against unauthorized access, alteration, loss or breach. Personnel training, periodic risk assessments and security audits are conducted to ensure data integrity and confidentiality.

8. Third‐Party Sharing and Transfers

We may share personal data and images with third-party service providers (e.g., printers, website hosts, media partners) only when necessary. Such transfers will comply with NDPA/NDPR transfer rules, ensuring that adequate protections are in place—including agreements or assurances of NDPA-level standards.

9. Cookies and Technical Logs

Our website may collect non‐personal technical data (e.g., IP addresses, device/browser type, cookies) for analytics or website functionality. Such use is limited, secured, and does not compromise personal privacy .

10. Appointment of Data Protection Officer

Where required (e.g. Satoo Foundation qualifies as a controller of major importance), we will appoint a Data Protection Officer (DPO) or engage a licensed Data Protection Compliance Organization (DPCO) to oversee compliance, registration and reporting to the Nigerian Data Protection Commission (NDPC).

11. Compliance, Registration, and Audits

If classified as a “Controller or Processor of Major Importance” under NDPA thresholds, we will register with the NDPC via their portal and conduct annual audits via a licensed DPCO, including submission of audited compliance returns by 30 June following each data year.

12. Breach Notification

In the event of a personal data breach (e.g. unauthorized access or loss), we will notify both the affected data subjects and the NDPC within 72 hours of becoming aware of the breach, as required under Section 38 of the NDPA.

13. Changes to this Policy

We may update this policy to reflect legislative changes, operational adjustments, or to improve compliance with the NDPA or NDPR. Updates will be communicated on our website.

14. Contact Us

Questions, complaints, or requests relating to this policy or personal data processing may be addressed to our DPO or Data Protection Contact at:

Email: info@satoofoundation.org

Get involved
Get involved
Scroll to Top