This Data Privacy Policy (“Policy”) is issued by Whot Studios Ltd, an online gaming service provider operating within and targeting the Nigerian market, pursuant to the provisions of the Nigeria Data Protection Act 2023 and the Nigeria Data Protection Act (General Application and Implementation Directive) 2025, issued by the Nigeria Data Protection Commission in exercise of its statutory powers.
This Policy gives practical effect to the fundamental right to privacy guaranteed under section 37 of the Constitution of the Federal Republic of Nigeria 1999 (as amended) and shall apply to all personal data processed by the Company through its websites, mobile applications, gaming platforms, payment systems, verification interfaces, customer support channels, and any other digital or physical medium deployed in the course of its operations.
This Policy binds the Company as a data controller and, where applicable, as a data processor, and applies to all data subjects whose personal data is processed by the Company, irrespective of nationality or physical location, where such processing falls within the territorial or material scope of the Nigeria Data Protection Act.
B. DEFINITIONS
In this Data Privacy Policy, unless the context otherwise requires or unless expressly stated to the contrary, words and expressions used herein shall have the meanings assigned to them in this clause, and cognate expressions shall be construed accordingly.
Words importing the singular shall include the plural and vice versa, words importing any gender shall include all genders, and references to statutes shall include all amendments, reenactments, subsidiary legislation, regulations, directives, and guidelines made thereunder from time to time.
“Act” or “NDPA” means the Nigeria Data Protection Act 2023, being the principal legislation governing the protection of personal data, the regulation of data processing, and the establishment, powers, and functions of the Nigeria Data Protection Commission within the Federal Republic of Nigeria.
“GAID” means the Nigeria Data Protection Act (General Application and Implementation Directive) 2025, issued by the Nigeria Data Protection Commission pursuant to its statutory powers under the NDPA, providing binding interpretative guidance, implementation standards, and compliance obligations applicable to data controllers and data processors.
“Commission” means the Nigeria Data Protection Commission, being the independent regulatory authority established under the NDPA with powers to regulate, supervise, enforce, and ensure compliance with data protection and privacy obligations in Nigeria.
“Company” means Whot Studios Ltd, an online gaming service provider duly incorporated or registered under the laws of the Federal Republic of Nigeria, together with its subsidiaries, affiliates, successors, permitted assigns, and any entity acting on its behalf in relation to the processing of personal data.
“Data Subject” means any identified or identifiable natural person to whom personal data relates and whose personal data is processed by the Company, whether directly or indirectly, and irrespective of nationality, residence, or location, provided that such processing falls within the material or territorial scope of the NDPA.
“Personal Data” means any information relating to an identified or identifiable natural person, including but not limited to information by which a person can be identified directly or indirectly by reference to a name, identification number, location data, online identifier, gaming identifier, financial data, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person, as recognised under the NDPA.
“Sensitive Personal Data” refers to personal data that reveals or concerns the racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a person’s sex life or sexual orientation. Under this Policy, this also includes financial records and other data designated as sensitive under applicable law.
“Processing” or “Process” means any operation or set of operations performed on personal data, whether or not by automated means, including but not limited to the collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, destruction, or any other form of handling of personal data.
“Controller” or “Data Controller” means the Company, which alone or jointly with others determines the purposes, legal basis, and means of the processing of personal data and bears primary responsibility for ensuring compliance with the NDPA and GAID.
“Third Party” refers to any person or organisation other than the data subject, the data controller, or persons who, under the direct authority of the controller or processor, are authorised to process personal data. Third parties may include regulators, auditors, and system service providers.
“Consent” means the voluntary, specific, informed, and unambiguous expression of a user’s agreement, given by a clear affirmative action or explicit statement, authorising the Online Gaming Platform to collect, use, store, and otherwise process the user’s Personal Data for defined and lawful purposes. Consent shall be obtained in a manner that is transparent and distinguishable from other terms, shall be appropriately recorded and verifiable, and may be withdrawn by the user at any time through available platform controls or written notice, without prejudice to the lawfulness of any processing carried out prior to such withdrawal.
“Processor” or “Data Processor” means any natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Company pursuant to documented instructions, including but not limited to payment service providers, hosting providers, analytics vendors, verification partners, and other outsourced service providers.
“Platform” means all digital and technological environments owned, operated, or controlled by the Company through which personal data is processed, including but not limited to websites, mobile applications, online gaming portals, betting systems, payment gateways, customer support channels, application programming interfaces (APIs), databases, servers, and associated digital infrastructure.
“Policy” means this Data Privacy Policy, including all schedules, annexures, notices, updates, revisions, and amendments thereto, as may be adopted, published, or modified by the Company from time to time in accordance with applicable law.
C. NATURE AND SCOPE OF PERSONAL DATA PROCESSING
In the course of providing online gaming and related digital services, the Company processes Personal Data strictly to the extent that such data is adequate, relevant, and limited to what is reasonably necessary for the lawful conduct of its operational, contractual, regulatory, risk management, and security functions. Such processing encompasses, without limitation, the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission or otherwise, alignment or combination, restriction, erasure, destruction, or any other lawful handling of Personal Data, whether carried out by automated means, semi-automated systems, or manual processes forming part of a structured filing system.
All processing activities undertaken by the Company shall at all times comply with the fundamental data protection principles of fairness, lawfulness, and transparency; purpose limitation; data minimisation and ethical processing; accuracy; storage limitation; confidentiality, integrity, and availability; accountability; and duty of care, as expressly mandated under section 24 of the Nigeria Data Protection Act 2023 and Article 15 of the Nigeria Data Protection Act (General Application and Implementation Directive) 2025.
The Company shall ensure that Personal Data is processed in a manner that respects the dignity, autonomy, and legitimate expectations of Data Subjects and that no processing activity is undertaken in a manner that is arbitrary, excessive, misleading, or incompatible with the lawful purposes for which the data was collected.
This Policy applies to all Personal Data processed by the Company in connection with the provision, administration, and management of online gaming, betting, promotional activities, identity and age verification, payment processing, withdrawals, customer support, complaints handling, fraud prevention, compliance monitoring, and all ancillary or incidental services connected thereto.
The application of this Policy shall not be affected by whether the processing takes place wholly or partly within the territory of the Federal Republic of Nigeria, nor by whether the infrastructure, servers, or technical systems used for such processing are located within or outside Nigeria.
Accordingly, this Policy applies to all Data Subjects whose Personal Data is processed by the Company, irrespective of nationality, citizenship, domicile, residence, or physical location, provided that such processing falls within the material or territorial scope of the Nigeria Data Protection Act and the GAID.
For the avoidance of doubt, this includes processing activities that target Data Subjects in Nigeria through digital platforms, online interfaces, mobile applications, or other electronic means, as well as processing activities that have a substantial or intended effect within Nigeria, in accordance with the extraterritorial application of the NDPA.
D. LAWFUL BASIS FOR PROCESSING
All processing of personal data by the Company shall be grounded in at least one lawful basis recognised under section 25 of the Nigeria Data Protection Act. Where processing is necessary for the performance of a contract to which the data subject is a party, including account creation, gameplay participation, betting activities, payment of winnings, or withdrawal of funds, such processing shall be deemed lawful without the need for additional consent.
Where processing is required to comply with a legal obligation imposed on the Company, including obligations arising under gaming regulation, anti-money laundering laws, taxation statutes, or lawful directives of courts or regulatory authorities, such processing shall proceed strictly within the scope of the enabling law.
Where consent is relied upon, the Company shall ensure that such consent is freely given, informed, specific, unambiguous, and capable of withdrawal at any time without detriment to the data subject, and shall maintain auditable records evidencing such consent.
Where legitimate interest is relied upon, including for fraud prevention, platform security, or service integrity, the Company shall conduct and document a Legitimate Interest Assessment in accordance with Article 26 of the GAID, ensuring that such interest does not override the fundamental rights and freedoms of the data subject.
E. PURPOSE LIMITATION AND USE OF PERSONAL DATA
Personal data processed by the Company shall be used strictly for purposes that are lawful, explicit, and legitimate, and shall not be further processed in a manner incompatible with those purposes.
Such purposes include enabling access to and participation in online gaming services, verifying identity and age eligibility, processing financial transactions and payouts, ensuring compliance with regulatory and legal obligations, preventing fraud and unlawful conduct, maintaining platform security, resolving disputes, responding to customer enquiries, and improving service quality.
Any processing for direct marketing or promotional communication shall be undertaken only where the data subject has expressly consented or where otherwise permitted by law, and such consent may be withdrawn at any time.
F. COOKIES, TRACKING TECHNOLOGIES AND ONLINE IDENTIFIERS
The Company deploys cookies and similar tracking technologies solely in compliance with Article 19 of the GAID.
Necessary cookies required to ensure platform security, network stability, and core functionality shall be deployed by default, while all other cookies, including analytics, behavioural, and marketing cookies, shall only be activated upon the explicit consent of the data subject through a conspicuous and accessible cookie interface.
The Company shall provide clear information regarding the nature, purpose, and duration of cookies used, as well as the mechanism for withdrawing consent at any time, without impairing the data subject’s statutory rights.
G. DISCLOSURE AND THIRD-PARTY ACCESS
The Company shall not sell or commercially trade personal data. Disclosure of personal data shall occur only where necessary and lawful, including disclosure to payment service providers, financial institutions, cloud hosting providers, technology vendors, professional advisers, regulators, law enforcement agencies, or courts of competent jurisdiction.
All third-party disclosures shall be governed by written data processing agreements imposing obligations equivalent to those under the Nigeria Data Protection Act, including confidentiality, security, and limitation of purpose.
I. CROSS-BORDER TRANSFERS
Where personal data is transferred outside the Federal Republic of Nigeria, such transfer shall be conducted strictly in accordance with Part VIII of the Nigeria Data Protection Act and Article 45 of the GAID.
The Company shall ensure that adequate safeguards are in place, including adequacy decisions, standard contractual clauses, or other legally recognised transfer mechanisms, and shall obtain explicit consent from the data subject where required by law.
J. DATA RETENTION AND STORAGE LIMITATION
Personal data shall be retained only for as long as is necessary to fulfil the lawful purposes for which it was collected or to comply with statutory or regulatory obligations.
Upon the expiration of applicable retention periods, personal data shall be securely deleted, anonymised, or archived in a manner that prevents unauthorised access or re-identification, in accordance with the storage limitation principle under the Nigeria Data Protection Act.
K. SECURITY MEASURES AND RISK MANAGEMENT
The Company shall implement and continuously maintain appropriate technical and organisational measures to safeguard personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
Such measures shall reflect the state of the art, the nature and volume of data processed, and the risks inherent in online gaming operations, and shall be subject to periodic monitoring, evaluation, and maintenance as required under Articles 29 and 30 of the GAID.
L. RIGHTS OF DATA SUBJECTS
Every data subject whose personal data is processed by the Company is entitled to exercise the rights guaranteed under Part VI of the Nigeria Data Protection Act, including the right of access, rectification, erasure, data portability, restriction, objection, and withdrawal of consent.
The Company shall provide accessible and effective mechanisms for the exercise of such rights and shall not subject the data subject to retaliation or disadvantage for asserting those rights.
M. DATA CONTROLLER AND CONTACT INFORMATION
The Company is the Data Controller in respect of all Personal Data processed in the course of its online gaming operations. The Company determines the purposes and means of such processing and bears primary responsibility for compliance with the NDPA.
All communications relating to this Policy, data protection compliance, or the exercise of data subject rights shall be directed to the Company through its designated Data Protection Officer at whotStudiossdpo@gmail.com, or such other contact details as may be published on the Platform from time to time.
N. CATEGORIES OF PERSONAL DATA COLLECTED
In the course of carrying out its online gaming and related operations, the Company processes Personal Data that is necessary, relevant, and proportionate to the lawful purposes for which such data is collected and used.
Such Personal Data may include identity and verification information required to establish the identity, age eligibility, and regulatory compliance status of Data Subjects; contact information used for account administration, communication, notifications, and customer support; gaming, betting, and behavioural data generated through participation in games, transactions, promotions, or platform interactions; financial and transaction data necessary for the processing of stakes, winnings, withdrawals, refunds, and related payment activities; technical identifiers and device-related information associated with access to and use of the Platform; security logs and audit trails maintained for fraud prevention, system integrity, and regulatory accountability; and any other information that is reasonably required for the lawful provision, administration, security, and improvement of the Company’s gaming services.
The Company shall ensure that the collection of Personal Data is conducted in a transparent and lawful manner and is limited to what is adequate, relevant, and necessary for clearly defined and legitimate purposes.
Personal Data shall not be collected indiscriminately, excessively, or for purposes that are incompatible with the original reasons for collection, and the Company shall take reasonable steps to ensure that Data Subjects are informed of the nature and purpose of Personal Data collected at or before the point of collection.
Where additional categories of Personal Data are required for new or materially different processing activities, the Company shall ensure that such collection is supported by an appropriate lawful basis under the Nigeria Data Protection Act and, where required, that Data Subjects are provided with updated information or notices and afforded the opportunity to exercise their statutory rights.
The Company shall periodically review the categories of Personal Data collected to ensure ongoing compliance with the principles of data minimisation, purpose limitation, and accountability under applicable data protection law.
O. CHILDREN AND AGE-RESTRICTED GAMING
The Company’s services are strictly restricted to persons who have attained the legally permissible age for participation in online gaming and betting activities under applicable Nigerian law.
The Company shall not offer, market, or knowingly provide access to its Platform or services to any person who does not meet the minimum age requirement, and shall implement reasonable and proportionate measures to prevent minors from accessing age-restricted gaming content or functionalities.
In furtherance of this obligation, the Company shall not knowingly collect, use, or otherwise process the Personal Data of children for any purpose connected with its gaming operations.
The Company shall deploy appropriate age-verification and access-control mechanisms, commensurate with the nature and risk profile of its services, to minimise the risk of inadvertent access by minors and the unlawful processing of children’s Personal Data.
Where the Company becomes aware, or has reasonable grounds to believe, that it has inadvertently collected or processed the Personal Data of a child in contravention of applicable law, the Company shall take immediate and appropriate remedial action.
Such action shall include the prompt restriction of further processing, secure deletion or anonymisation of the affected Personal Data, and the implementation of corrective measures designed to prevent a recurrence of such processing, in accordance with section 31 of the Nigeria Data Protection Act 2023 and relevant provisions of the GAID 2025.
Nothing in this clause shall preclude the Company from processing limited information strictly necessary to determine age eligibility or to comply with a legal or regulatory obligation, provided that such processing is carried out lawfully, proportionately, and with appropriate safeguards.
The Company shall document all incidents involving the inadvertent processing of children’s Personal Data and the remedial actions taken, in order to demonstrate compliance with its statutory duties under the Nigeria Data Protection Act.
P. PURPOSE OF DATA PROCESSING
Personal Data is processed by the Company strictly for purposes that are lawful, specific, explicit, and legitimate within the meaning of the Nigeria Data Protection Act 2023, and only to the extent that such processing is necessary and proportionate to the attainment of those purposes.
The Company processes Personal Data primarily to enable Data Subjects to access, register on, and participate in online gaming and betting services offered through the Platform; to verify identity, age eligibility, and regulatory compliance status; to administer gameplay, betting activities, promotions, and rewards; and to process financial transactions, including the receipt of stakes, payment of winnings, withdrawals, refunds, and related account activities.
Personal Data is further processed for the purposes of complying with applicable legal, regulatory, and supervisory obligations, including obligations relating to gaming regulation, taxation, anti-money laundering, fraud detection, and lawful requests from courts or competent authorities.
The Company also processes Personal Data as reasonably necessary to prevent, detect, investigate, and respond to fraud, cheating, security incidents, abuse of the Platform, or other unlawful or prohibited conduct, and to maintain the integrity, availability, and security of its systems, networks, and services.
In addition, Personal Data may be processed for the purpose of providing customer support, handling enquiries, complaints, and disputes, enforcing contractual rights, and improving the quality, functionality, and user experience of the Company’s services, including through analytics and service optimisation, provided that such processing is carried out in a manner consistent with applicable lawful bases and data protection principles.
Where Personal Data is processed for direct marketing, promotional communications, or similar activities, such processing shall be undertaken only where permitted by law and, where required, on the basis of the Data Subject’s prior consent.
The Company shall not process Personal Data for purposes that are incompatible with the purposes for which the data was originally collected, except where such further processing is expressly permitted or required by law, or where appropriate safeguards are in place in accordance with the Nigeria Data Protection Act.
Where a material change in purpose is contemplated, the Company shall assess the compatibility of the new purpose, identify an appropriate lawful basis, and, where required, provide Data Subjects with updated information or obtain additional consent prior to commencing such processing.
Q. CONSENT MECHANISM
Where the processing of Personal Data by the Company is based on the consent of the Data Subject as the applicable lawful basis, the Company shall ensure that such consent is freely given, specific, informed, and unambiguous, and is obtained through a clear affirmative act demonstrating the Data Subject’s agreement to the proposed processing.
Prior to obtaining consent, the Company shall provide the Data Subject with clear, concise, and intelligible information regarding the nature of the Personal Data to be processed, the specific purposes of the processing, the lawful implications of granting or refusing consent, and any material consequences that may arise from such processing, in accordance with the transparency requirements of the Nigeria Data Protection Act 2023.
Consent shall not be obtained through silence, inactivity, pre-ticked boxes, bundled agreements, or any mechanism that undermines the voluntariness or informed nature of the Data Subject’s decision.
Where consent is required for distinct processing activities, including direct marketing, the processing of sensitive personal data, the personal data of children, or cross-border data transfers to non-adequate jurisdictions, such consent shall be obtained separately and shall be clearly distinguishable from other terms, conditions, or contractual provisions.
The Company shall implement and maintain appropriate systems and procedures to record, manage, and demonstrate valid consent, including the time, method, scope, and content of the consent provided, in order to satisfy its accountability obligations under the Nigeria Data Protection Act and the GAID. Such records shall be retained only for as long as is necessary to demonstrate compliance or for as long as the relevant processing activity continues.
A Data Subject shall have the right to withdraw consent at any time, and the Company shall ensure that the mechanism for withdrawing consent is as simple, accessible, and effective as the mechanism through which consent was originally given.
Withdrawal of consent shall not affect the lawfulness of any processing carried out prior to the withdrawal, nor shall it result in any penalty, discrimination, or undue disadvantage to the Data Subject, except to the extent that such processing is strictly necessary for the provision of a service expressly requested by the Data Subject.
Upon withdrawal of consent, the Company shall promptly cease any processing activities that rely solely on such consent as their lawful basis, unless another lawful basis exists under the Nigeria Data Protection Act for the continued processing of the Personal Data.
Where consent is withdrawn and no alternative lawful basis applies, the Company shall take appropriate steps to restrict or erase the affected Personal Data in accordance with applicable data retention and disposal obligations.
R. DATA RETENTION AND DISPOSAL
The Company shall retain Personal Data only for such period as is strictly necessary and proportionate to achieve the lawful purposes for which the data was collected or otherwise processed, including the performance of contractual obligations, compliance with applicable legal and regulatory requirements, the establishment, exercise, or defence of legal claims, and the fulfilment of legitimate operational or security needs.
In determining appropriate retention periods, the Company shall take into account the nature and sensitivity of the Personal Data, the purposes of processing, applicable statutory limitation periods, regulatory record-keeping requirements, and the potential risks to the rights and freedoms of Data Subjects associated with prolonged retention.
Personal Data that is no longer required for the purposes for which it was collected or processed, and for which no lawful basis for continued retention exists, shall be securely and permanently disposed of without undue delay.
Such disposal shall be carried out through secure deletion, anonymisation, pseudonymisation where appropriate, or irreversible destruction, using technical and organisational measures designed to prevent unauthorised access, accidental loss, recovery, reconstruction, or re-identification of the data.
The Company shall ensure that disposal methods applied are commensurate with the sensitivity of the Personal Data and consistent with recognised information security standards.
The Company shall establish, document, and implement data retention schedules and disposal procedures governing all categories of Personal Data processed, including Personal Data stored in electronic systems, physical records, backups, archives, logs, and third-party systems.
Compliance with such schedules and procedures shall be subject to periodic review and monitoring under the supervision of the Data Protection Officer, and disposal activities shall be appropriately documented to demonstrate compliance with the storage limitation and accountability principles under the Nigeria Data Protection Act 2023.
Where Personal Data is required to be retained beyond the original processing purpose by reason of legal obligation, regulatory requirement, or pending legal proceedings, such data shall be restricted from further processing except as strictly necessary for the purpose of such retention, and shall be subject to enhanced security and access controls for the duration of the retention period.
Upon the expiry of such extended retention period, the Company shall ensure that the Personal Data is promptly and securely disposed of in accordance with this Policy.
S. DATA SUBJECT RIGHTS
Pursuant to Chapter III of the Nigeria Data Protection Act 2023, every Data Subject whose Personal Data is processed by the Company is entitled to exercise the full spectrum of data protection rights guaranteed under applicable law. These rights are fundamental, enforceable, and exercisable without discrimination, retaliation, or undue burden, and the Company acknowledges its statutory obligation to respect, protect, and facilitate the effective exercise of such rights.
Accordingly, a Data Subject shall have the right to obtain confirmation as to whether or not Personal Data relating to him or her is being processed by the Company and, where that is the case, to request access to such Personal Data and to receive meaningful information regarding the nature of the processing, the purposes for which the data is processed, the categories of data concerned, and any recipients or categories of recipients to whom the data has been disclosed.
Where Personal Data held by the Company is inaccurate, misleading, incomplete, or outdated, the Data Subject shall have the right to request rectification or completion of such data without undue delay.
A Data Subject shall further have the right, subject to the conditions prescribed by law, to request the erasure of Personal Data where such data is no longer necessary for the purposes for which it was collected or processed, where consent has been withdrawn and no other lawful basis for processing exists, or where the processing is otherwise unlawful.
In circumstances where immediate erasure is not required or is legally restricted, the Data Subject shall have the right to request the restriction of processing of Personal Data, such that the data is retained but no longer actively processed except as permitted by law.
Where processing is based on legitimate interest or carried out for direct marketing or similar purposes, a Data Subject shall have the right to object to such processing on grounds relating to his or her particular situation, and the Company shall cease such processing unless it demonstrates compelling legitimate grounds that override the interests, rights, and freedoms of the Data Subject.
A Data Subject shall also have the right to receive Personal Data provided to the Company in a structured, commonly used, and machine-readable format and, where technically feasible, to have such data transmitted directly to another data controller, in accordance with the right to data portability.
Where the processing of Personal Data is based on consent, the Data Subject shall have the right to withdraw such consent at any time, without affecting the lawfulness of processing carried out prior to the withdrawal. In addition, a Data Subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, except where such processing is permitted by law and accompanied by appropriate safeguards.
The Company shall establish and maintain clear, accessible, and user-friendly mechanisms through which Data Subjects may exercise their rights, including electronic and other practicable means of submitting requests.
All requests shall be handled under the supervision of the Data Protection Officer and shall be acknowledged, assessed, and responded to within the timelines prescribed by the Nigeria Data Protection Act and applicable regulatory directives.
In responding to Data Subject requests, the Company shall act transparently, promptly, and in good faith, and shall provide reasons where a request is refused or restricted, without prejudice to the Data Subject’s right to seek redress before the Nigeria Data Protection Commission or a court of competent jurisdiction.
T. DATA TRANSFERS
Where Personal Data processed by the Company is transferred, accessed, stored, or otherwise made available outside the territory of the Federal Republic of Nigeria, whether by electronic transmission, remote access, cloud storage, outsourcing, or any other means, the Company shall ensure that such transfer is carried out strictly in accordance with the provisions of the Nigeria Data Protection Act 2023 and the Nigeria Data Protection Act (General Application and Implementation Directive) 2025.
No cross-border transfer of Personal Data shall be undertaken unless the Company has first satisfied itself that the transfer is lawful, necessary, proportionate, and supported by adequate safeguards for the protection of the rights and freedoms of Data Subjects.
The Company shall ensure that Personal Data is transferred only to jurisdictions, entities, or recipients that provide an adequate level of data protection comparable to that guaranteed under Nigerian law, as may be recognised by the Nigeria Data Protection Commission or otherwise demonstrated through legally acceptable safeguards.
Where an adequacy determination has not been made in respect of the destination jurisdiction or recipient, the Company shall implement appropriate transfer mechanisms recognised under applicable law, including but not limited to binding contractual safeguards, standard contractual clauses, or other legally enforceable instruments that impose data protection obligations equivalent to those under the NDPA.
In circumstances where reliance on contractual or other safeguards is not feasible or sufficient, and where permitted by law, the Company may transfer Personal Data on the basis of the explicit, informed, and freely given consent of the Data Subject, provided that the Data Subject has been clearly informed of the nature of the transfer, the destination of the data, and any potential risks associated with such transfer.
The Company shall maintain verifiable records evidencing such consent and shall ensure that the withdrawal of consent is respected in accordance with applicable law.
The Company shall take all reasonable steps to ensure that cross-border transfers of Personal Data do not result in diminished protection, unlawful access, or exposure of Personal Data to practices that undermine the principles of lawfulness, fairness, transparency, security, accountability, or data subject rights.
Where required, the Company shall conduct appropriate risk assessments or data privacy impact assessments in relation to cross-border transfers and shall implement supplementary technical or organisational measures to mitigate identified risks.
Notwithstanding any cross-border transfer of Personal Data, the Company shall remain fully accountable for ensuring compliance with the Nigeria Data Protection Act and shall not, by reason only of such transfer, be relieved of its statutory obligations or liabilities to Data Subjects under applicable law.
U. DATA SHARING AND THIRD PARTIES
The Company shall not sell, lease, trade, or otherwise commercially exploit Personal Data, nor shall it disclose Personal Data to any third party except where such disclosure is lawful, necessary, and proportionate for the purposes of carrying out its legitimate business operations, complying with a legal or regulatory obligation, enforcing contractual rights, or facilitating the provision of services requested or authorised by the Data Subject.
Any disclosure or sharing of Personal Data shall be limited strictly to the minimum amount of data required to achieve the specific lawful purpose for which the disclosure is made.
Where the Company engages third parties to process Personal Data on its behalf, including but not limited to payment service providers, identity verification partners, cloud hosting providers, customer support vendors, analytics service providers, or professional advisers, such third parties shall be engaged strictly as Data Processors and only pursuant to written and binding contractual arrangements.
Such contracts shall expressly impose data protection, confidentiality, security, and accountability obligations that are no less protective than those imposed on the Company under the Nigeria Data Protection Act 2023 and the Nigeria Data Protection Act (General Application and Implementation Directive) 2025, and shall prohibit the third party from processing Personal Data for any purpose other than as expressly instructed by the Company.
The Company shall, prior to and during the engagement of any third-party Data Processor, exercise appropriate due diligence to assess the processor’s technical and organisational measures, data security standards, compliance history, and capacity to safeguard Personal Data in accordance with applicable law.
The Company shall further ensure that such third parties implement adequate measures to prevent unauthorised access, disclosure, alteration, or loss of Personal Data and shall reserve the right to audit, monitor, or otherwise verify compliance with agreed data protection obligations, where reasonable and lawful.
Notwithstanding any disclosure of Personal Data to third parties, the Company shall remain fully accountable and responsible for ensuring that Personal Data processed on its behalf is handled in compliance with the NDPA and GAID.
Any failure, breach, or unlawful processing of Personal Data by a third-party processor shall not relieve the Company of its statutory obligations to Data Subjects or its liability under applicable data protection law, without prejudice to the Company’s right to seek contractual or legal remedies against such third parties.
W. SECURITY OF PERSONAL DATA
The Company shall implement, document, and continuously maintain appropriate technical and organisational measures designed to ensure the confidentiality, integrity, and availability of Personal Data processed in the course of its online gaming and related digital operations.
In determining the nature and scope of such measures, the Company shall take into account the state of technological development, the costs of implementation, the nature, scope, context, and purposes of processing, the volume and sensitivity of Personal Data involved, and the likelihood and severity of risks to the rights and freedoms of Data Subjects, including risks arising from unauthorised access, accidental or unlawful loss, destruction, alteration, disclosure, or misuse of Personal Data.
Without prejudice to the generality of the foregoing, the Company shall deploy layered security safeguards proportionate to the identified risks, including but not limited to logical and physical access controls, authentication and authorisation mechanisms, encryption and pseudonymisation where appropriate, secure configuration of systems and networks, continuous monitoring and logging of access and activity, and periodic testing, assessment, and evaluation of the effectiveness of technical and organisational security measures.
The Company shall further ensure that security considerations are embedded into the design and operation of its platforms and systems in accordance with the principles of privacy by design and privacy by default.
The Company shall implement organisational measures to support data security, including the adoption of internal policies and procedures, the assignment of responsibility for information security, the conduct of regular staff training and awareness programmes on data protection and cybersecurity, and the enforcement of confidentiality obligations on employees, agents, and contractors who have access to Personal Data.
Security measures shall be subject to regular review, audit, and updating in response to identified vulnerabilities, technological developments, changes in processing activities, or emerging threats, in order to ensure their continued adequacy and effectiveness.
In the event of a suspected or actual compromise of Personal Data, the Company shall activate its incident response and breach management procedures, take immediate steps to contain and mitigate the impact of the incident, and comply with all applicable notification and remediation obligations under the Nigeria Data Protection Act 2023 and the Nigeria Data Protection Act (General Application and Implementation Directive) 2025, without prejudice to the rights of affected Data Subjects.
X. DATA PROTECTION OFFICER (DPO)
Where required pursuant to section 32 of the Nigeria Data Protection Act 2023 and the applicable provisions of the Nigeria Data Protection Act (General Application and Implementation Directive) 2025, the Company has designated a Data Protection Officer, who may be an employee of the Company or an external professional engaged under a service contract.
The designation of the Data Protection Officer, together with the relevant contact details, shall be communicated to the Nigeria Data Protection Commission in the prescribed manner and shall be made readily accessible to Data Subjects through the Company’s Platform.
The Data Protection Officer shall have primary responsibility for overseeing, advising on, and monitoring the Company’s compliance with the Nigeria Data Protection Act, the GAID, and all subsidiary regulations, directives, codes of practice, and guidance issued by the Nigeria Data Protection Commission. In furtherance of this mandate, the Data Protection Officer shall advise the Company on the identification and application of lawful bases for processing, the implementation of data protection principles, the development and review of privacy policies and notices, and the integration of privacy by design and privacy by default into the Company’s systems, platforms, and operational processes.
The Data Protection Officer shall monitor internal compliance through periodic assessments, audits, and reporting, including the review of records of processing activities, data retention practices, security controls, and third-party processing arrangements.
The Data Protection Officer shall further advise on, oversee, and where required validate the conduct of Data Privacy Impact Assessments, Legitimate Interest Assessments, and other risk-based compliance measures mandated under the NDPA and GAID, and shall provide written opinions to management on identified risks and recommended mitigation measures.
The Data Protection Officer shall be responsible for establishing and supervising procedures for the handling of Data Subject requests, including requests for access, rectification, erasure, restriction, portability, objection, and withdrawal of consent, and shall ensure that such requests are addressed within the timelines and standards prescribed by law.
The Data Protection Officer shall also serve as the primary contact point for Data Subjects in respect of all matters relating to the processing of Personal Data and the exercise of data protection rights.
In addition, the Data Protection Officer shall act as the principal liaison between the Company and the Nigeria Data Protection Commission, including in relation to regulatory enquiries, inspections, investigations, compliance audit returns, breach notifications, and remedial actions.
The Data Protection Officer shall advise the Company on its obligations in the event of a personal data breach and shall oversee the activation and implementation of incident response and notification procedures in accordance with applicable law.
The Company shall ensure that the Data Protection Officer is involved, in a timely and meaningful manner, in all matters relating to the protection of Personal Data and shall provide the Data Protection Officer with adequate authority, independence, resources, access to information, and organisational support necessary for the effective performance of statutory functions.
The Data Protection Officer shall report directly to senior management and shall perform duties free from undue influence, interference, coercion, or conflict of interest.
The Data Protection Officer shall not be dismissed, penalised, or subjected to adverse treatment for carrying out functions in compliance with the Nigeria Data Protection Act, and any additional responsibilities assigned to the Data Protection Officer shall not result in a conflict with data protection obligations.
In the performance of duties, the Data Protection Officer shall be bound by appropriate confidentiality and professional secrecy obligations, without prejudice to statutory reporting duties owed to the Nigeria Data Protection Commission.
Y. COMPLAINTS AND REMEDIES
Any Data Subject who believes that his or her Personal Data has been processed in a manner that is unlawful, unfair, excessive, inaccurate, insecure, or otherwise inconsistent with this Policy or the provisions of the Nigeria Data Protection Act 2023 shall be entitled to lodge a complaint with the Company using the contact details of the Data Protection Officer provided in this Policy.
The Company shall maintain an accessible, transparent, and effective internal complaints and redress mechanism designed to receive, acknowledge, investigate, and resolve complaints relating to the processing of Personal Data in a timely and accountable manner.
Upon receipt of a complaint from a Data Subject, the Company shall promptly acknowledge such complaint and shall cause the matter to be reviewed by the appropriate internal unit under the supervision of the Data Protection Officer.
The Company shall investigate the complaint diligently, taking into account the nature of the alleged infringement, the categories of Personal Data involved, the processing activities complained of, and the potential impact on the rights and freedoms of the Data Subject.
Where the complaint is found to be justified, the Company shall take appropriate remedial measures, which may include rectification, restriction, erasure of Personal Data, modification of processing practices, or other corrective actions necessary to ensure compliance with applicable law.
The outcome of the investigation and any remedial action taken shall be communicated to the Data Subject within a reasonable time and in clear and intelligible terms.
Where a Data Subject is dissatisfied with the outcome of the Company’s internal complaints process, or where the Company fails to address a complaint within a reasonable period, the Data Subject shall have the right to escalate the matter to the Nigeria Data Protection Commission, without prejudice to any other rights or remedies available under law.
Such escalation may be made in accordance with the procedures prescribed by the Commission, including the submission of a formal complaint setting out the nature of the alleged violation, the steps already taken to seek internal redress, and any supporting documentation relevant to the complaint.
A Data Subject may lodge a complaint with the Nigeria Data Protection Commission through any lawful mode recognised by the Commission, including electronic submission via the Commission’s official website or designated complaint portal, written correspondence addressed to the Commission, or such other channels as may be notified by the Commission from time to time.
The Company acknowledges that the Commission is empowered to investigate complaints, issue compliance directives, impose administrative sanctions, and take enforcement actions as provided under the Nigeria Data Protection Act.
For the purpose of external complaints, the current contact details of the Nigeria Data Protection Commission are as follows: the Commission may be contacted through its official website at https://ndpc.gov.ng, or through such official email addresses, telephone numbers, or physical office addresses as are published by the Commission and updated from time to time.
Nothing in this Policy shall be construed as limiting or excluding the right of a Data Subject to seek judicial redress before a court of competent jurisdiction in Nigeria in respect of any alleged violation of data protection rights, having complied with the internal dispute resolution process provided herein.
The existence and operation of the Company’s internal complaints mechanism shall not prejudice, delay, or condition the exercise of a Data Subject’s statutory right to lodge a complaint with the Nigeria Data Protection Commission or to pursue any other remedy available under applicable law.
Z. POLICY REVIEW AND UPDATES
This Policy shall be subject to periodic review by the Company in order to ensure continuous alignment with applicable laws, regulatory directives, guidance notes, enforcement decisions, and best practices issued pursuant to the Nigeria Data Protection Act 2023 and the Nigeria Data Protection Act (General Application and Implementation Directive) 2025, as well as to accommodate technological developments, evolving data processing risks, and changes in the Company’s business models, platforms, or operational practices.
Any amendment, modification, or update to this Policy shall become effective upon its publication on the Company’s Platform or through such other communication channels as the Company may reasonably determine, provided that such publication is made in a manner that is accessible and reasonably capable of being brought to the attention of Data Subjects.
Where an amendment materially affects the rights or obligations of Data Subjects, the Company shall, to the extent required by law, take reasonable steps to notify affected Data Subjects of such changes.
Continued access to or use of the Company’s Platform or services after the effective date of any revised Policy shall constitute acknowledgment of the updated Policy by the Data Subject, without prejudice to the Data Subject’s statutory rights under the Nigeria Data Protection Act, including the right to withdraw consent, object to processing, or seek redress in accordance with applicable law.