Legal
Cybervol Privacy Policy
This Privacy Policy explains how Cybervol by Rotvol Solutions collects, uses, stores, secures, and discloses personal data in connection with our services and website, in line with the Nigeria Data Protection Act (NDPA) 2023 and other applicable regulations.
01 — Introduction
Cybervol by Rotvol Solutions ("Cybervol", "we", "us", or "our") is a cybersecurity and digital risk management company. We provide a range of services including offensive security, governance, risk and compliance (GRC), managed cybersecurity services, awareness and training programmes, and digital security solutions to organizations and individuals.
In the course of delivering our services, operating our website, and engaging with clients, partners, and employees, Cybervol collects and processes personal data. We are fully committed to handling that data in a lawful, fair, transparent, and secure manner in accordance with the Nigeria Data Protection Act (NDPA) 2023 and other applicable data protection regulations.
This Privacy Policy describes how we collect, use, store, secure, and disclose personal data — and explains the rights available to you.
02 — Data We Collect & How We Use It
The personal data we process depends on the nature of your interaction with Cybervol, the services requested, and applicable legal or contractual obligations. We may also process personal data to protect our legal rights, prevent fraud, and comply with applicable laws.
Website (Contact Form)
Data categories: Names, email addresses, phone numbers, enquiry messages.
Purpose: Responding to enquiries; providing service information; business development.
Client Onboarding & Service Delivery
Data categories: Names, email, phone, job titles, business contact details.
Purpose: Account management; contract execution; service communication.
Client Systems (Cybersecurity Operations)
Data categories: User identifiers, IP addresses, system logs, security event data.
Purpose: Monitoring and assessments; threat detection; incident response.
Training & Awareness Participants
Data categories: Names, email, organizational affiliation, attendance and certification records.
Purpose: Programme delivery; certificate issuance; training communication.
Employees, Contractors & Interns
Data categories: Names, contact details, ID documents, bank details, employment records, CVs.
Purpose: HR management; payroll & benefits; legal compliance.
Vendors & Partners
Data categories: Names, contact details, business correspondence.
Purpose: Vendor management; contract administration; operational coordination.
Third-Party Data: Where you provide personal data relating to third parties (e.g. client representatives or employees), you confirm that you have the necessary consent or lawful basis to share it with us.
03 — Sharing of Personal Data
Cybervol shares personal data with third parties strictly on a need-to-know basis, and only for legitimate business, operational, contractual, or legal purposes. We contractually restrict third parties from using personal data for any purpose other than what it was shared for. We do not sell personal data to third parties.
Legal & Regulatory Disclosures
We may disclose personal data to authorities, regulators, or law enforcement where required to comply with applicable laws, respond to lawful requests, or protect the rights and safety of Cybervol, its clients, or the public.
Service Providers & Technology Partners
We work with trusted third-party providers to support our operations — including cloud hosting, CRM, cybersecurity platforms, and IT support. These providers process data solely on our behalf and are bound by confidentiality and data protection obligations.
Client Service Delivery
In delivering our services, we may share personal data with authorised client representatives in accordance with contractual agreements. Where Cybervol acts as a Data Processor, data is handled solely on the documented instructions of the client (the Data Controller).
Internal Access
Personal data may be accessed internally by Cybervol employees or contractors who require it to perform their duties. Access is role-limited and subject to confidentiality obligations.
04 — Lawful Basis for Processing
We only process personal data where at least one of the following lawful conditions applies under the NDPA 2023:
- Consent — where you have provided freely given, specific, and informed consent — for example, when submitting a website enquiry, registering for training, or subscribing to communications. You may withdraw consent at any time without affecting the lawfulness of prior processing.
- Contractual Necessity — where processing is necessary to perform a contract with you, or to take pre-contractual steps — such as client onboarding, service delivery, and operational communication.
- Legal Obligation — where processing is required to comply with Nigerian law — including employment, tax, labour, and regulatory obligations.
- Vital Interests — in limited circumstances, where processing is necessary to protect the vital interests of an individual in situations involving health, safety, or security emergencies.
- Public Interest — where processing is necessary for tasks in the public interest, such as cooperation with authorities on cybersecurity incidents or regulatory obligations.
- Legitimate Interests — where processing is necessary for our legitimate business interests — such as securing our systems, preventing fraud, improving our services, or managing business relationships — provided those interests are not overridden by your rights and freedoms.
Use of Subcontractors: Cybervol may engage subcontractors to support technical and operational functions. All subcontractors with access to personal data are subject to contractual data protection obligations and are restricted from processing personal data for any unauthorised purpose. Cybervol remains responsible for overseeing their compliance.
05 — Data Retention
We retain personal data only for as long as necessary to fulfil the purpose for which it was collected, and in line with applicable legal and contractual obligations. When data is no longer needed, we securely delete or anonymize it.
| Data Type | Retention Period |
|---|---|
| Account & service-related personal data | Duration of active relationship + up to 12 months after termination. |
| Financial, billing, system logs & audit trails | Up to 7 years (statutory, regulatory, and cybersecurity requirements). |
| Due diligence & compliance records | In line with internal retention policies and applicable regulations. |
06 — Cookies & Tracking
Cybervol does not intentionally deploy cookies or tracking technologies on its website. We do not use cookies for advertising, behavioural tracking, or analytics purposes. Basic technical data (such as IP addresses or server logs) may be automatically processed by our website hosting infrastructure for security, performance, and operational purposes. This information is not used to identify individuals or track browsing behaviour.
07 — Data Security
We implement appropriate technical and organizational measures to safeguard personal data against destruction, loss, alteration, unauthorized disclosure, or access — in accordance with the NDPA and industry best practices.
Technical Measures
- Industry-standard encryption for data in transit and at rest.
- Strict, role-based access controls and strong authentication.
- Firewalls, endpoint security, intrusion detection, and continuous monitoring.
- Vulnerability management, timely patching, and system hardening.
Organisational Measures
- Documented information security policies governing the data lifecycle.
- Role-appropriate data protection training for all personnel.
- Incident management procedures aligned with NDPA requirements.
- Due diligence and contractual controls for third-party service providers.
While no system can be guaranteed completely secure, Cybervol continually assesses risks and improves its security posture to protect personal data.
08 — Personal Data Breach Management
In the event of a personal data breach that is likely to result in a high risk to individuals' rights and freedoms, Cybervol will notify the relevant regulatory authority — and where required, affected data subjects — within 72 hours of becoming aware of the breach, as prescribed under the NDPA.
Upon becoming aware of a breach, Cybervol will investigate the incident, contain and mitigate its impact, recover affected data where possible, and review security controls to prevent recurrence. A personal data breach refers to any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.
09 — Your Rights
Subject to applicable legal and contractual limitations, you have the following rights under the NDPA:
- Right of Access — request confirmation that we process your data and obtain a copy of it.
- Right to Rectification — request correction of inaccurate or incomplete personal data.
- Right to Erasure — request deletion of your data where there is no lawful basis for continued processing.
- Right to Restriction — request limits on how we process your data in certain circumstances.
- Right to Object — object to processing based on legitimate interests, unless we have compelling grounds.
- Right to Withdraw Consent — withdraw consent at any time, without affecting prior lawful processing.
- Right to Data Portability — request transfer of your data to another controller in a machine-readable format.
To exercise any of these rights, contact us at the details provided below. We may verify your identity before processing requests and will respond within NDPA-prescribed timeframes.
10 — Changes to This Policy
Cybervol may periodically update this Privacy Policy to reflect changes in our services, operations, legal requirements, or regulatory guidance. Each version will be dated to indicate the most recent update. When material changes occur, we will notify users by email (where applicable) and/or by posting a notice on our website. Continued use of our services following an update constitutes acceptance of the revised policy. We encourage you to review this page periodically to stay informed.
11 — Contact Us
For questions, concerns, or to exercise your data protection rights, please reach out to us:
Privacy Enquiries: support@cybervol.com
General Enquiries: info@cybervol.com
Cybervol will use reasonable efforts to respond promptly to all privacy-related requests and concerns.
12 — Key Terms
- Personal Data — any information relating to an identified or identifiable individual, including names, email addresses, contact details, identification documents, etc.
- Relevant Authority — any independent public authority responsible for supervising and enforcing the NDPA or other applicable data protection laws.
- Services — the range of cybersecurity services provided by Cybervol, including Offensive Security, Governance, Risk & Compliance, CyberShield Solutions, Awareness & Training, MCaaS, and Autonomous Digital Enterprise.