Privacy & Data Protection Policy

Last Updated: October 2025

At FlexiSAF UK, we value your privacy and are committed to protecting your personal data. This Privacy & Data Protection Policy explains how we collect, use, store, and safeguard your information in compliance with applicable data protection laws, including the UK GDPR, California Consumer Privacy Act (CCPA), and the NDPR.

This policy applies to all visitors, customers, and users of our products and services — including SAFRecords, SAFSIMS, SAFapply, and Distinction — as well as visitors to our websites.

1. Scope and Purpose

This policy outlines our global approach to data protection. It applies to all personal data processing carried out by FlexiSAF UK and its subsidiaries.

We are guided by the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, security, and accountability.

2. Data We Collect

We collect personal data necessary for product delivery, customer support, analytics, and compliance.

Examples include:

• Identity Data: Name, title, and organization.
  
  
• Contact Data: Email address, phone number, postal address.
  
  
• Technical Data: IP address, browser type, device identifiers, and usage logs.
  
  
• Student and Applicant Data: Academic records, attendance, assessment data, and guardian details (collected and managed by institutions using our platforms).
  
  
• Financial Data: Payment records, billing information, and transaction details.
  
  
• Communication Data: Emails, support messages, and service feedback.
  
  

We may collect data directly from you, from your institution, or automatically via our applications and websites.

3. Lawful Bases for Processing

We process personal data based on one or more of the following legal grounds:

• Consent: When you have given explicit permission.
  
  
• Contractual Necessity: To fulfil our agreement with you or your institution.
  
  
• Legitimate Interests: For product improvement, analytics, and fraud prevention, provided these do not override your rights.
  
  
• Legal Obligation: To comply with regulatory, tax, or compliance requirements.
  
  

4. Purpose of Processing

We process data to:

• Deliver, maintain, and support our products: SAFRecords, SAFSIMS, SAFApply, and Distinction.
  
  
• Manage customer relationships and provide technical support.
  
  
• Facilitate academic and administrative functions for schools and institutions.
  
  
• Process and confirm financial transactions.
  
  
• Communicate updates, product improvements, and promotional offers (with consent).
  
  
• Comply with applicable legal and regulatory requirements.
  
  

5. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected or as required by law.

In practice:

• Customer and Contract Data is retained for the duration of your relationship with FlexiSAF and for a reasonable period thereafter (typically up to six years) to meet legal, tax, and audit obligations.
  
  
• Student and Applicant Data within platforms such as SAFRecords, SAFSIMS, and SAFApply is retained only for as long as your institution requires it. Once the data is no longer needed or upon termination of contract, it is securely deleted or anonymised.
  
  
• Financial Data is retained as required by accounting and regulatory standards (usually six years).
  
  
• Support Logs and Communication Records are retained for a limited period, generally up to 24 months, to resolve issues and improve service.
  
  

We conduct periodic reviews to ensure data is accurate, up-to-date, and not retained longer than necessary. When data is no longer needed, it is securely deleted or anonymised beyond recovery.

6. Data Security

We implement strict organisational and technical measures to protect your information, including:

• Encryption of data in transit and at rest.
  
  
• Access control with authentication and role-based permissions.
  
  
• Secure cloud infrastructure hosted with GDPR-compliant providers.
  
  
• Regular audits, monitoring, and vulnerability assessments.
  
  
• Staff training on information security and data protection.
  
  

7. Your Data Protection Rights

You have the right to:

• Access the personal data we hold about you.
  
  
• Request correction of inaccurate or incomplete data.
  
  
• Request deletion of your data (subject to legal or contractual constraints).
  
  
• Restrict or object to the processing of your data.
  
  
• Request the transfer (portability) of your data to another provider.
  
  
• Withdraw consent at any time, where applicable.
  
  

To exercise any of these rights, contact us at info@flexisaf.com. We will respond within one month of receiving a verified request.

8. Data Sharing & Third Parties

We do not sell your personal data. However, we may share it with trusted third parties strictly under contract for purposes such as:

• Hosting and IT infrastructure.
  
  
• Payment processing.
  
  
• Legal, accounting, and compliance support.
  
  
• Customer communication and analytics.
  
  

All third-party processors are bound by confidentiality and data protection obligations consistent with applicable laws.

9. International Data Transfers

If we transfer your personal data outside your jurisdiction (e.g., UK, EEA), we ensure that:

• The destination country offers an adequate level of data protection; or
  
  
• We use approved safeguards such as Standard Contractual Clauses (SCCs) or Data Transfer Agreements (DTAs); and
  
  
• Your data remains protected under the same standards applied locally.
  
  

10. Data Breach Management

We have robust procedures to identify, contain, and assess data breaches.
If a breach poses a high risk to your rights and freedoms, we will notify the appropriate authority — such as the ICO (UK) or NDPC — within 72 hours and inform affected individuals where necessary.

11. Cookies and Analytics

Our websites use cookies and tracking technologies to improve user experience, personalize content, and analyse site traffic.
You may control cookie preferences through your browser settings or opt out where applicable.
Please refer to our Cookie Policy for details.

12. Children’s Data

Some of our platforms (like SAFSIMS) are used by educational institutions serving minors.

• Institutions act as data controllers for student data.
  
  
• FlexiSAF acts as data processor, handling such data on their behalf and in accordance with their instructions.
  Institutions are responsible for obtaining parental or guardian consent when required by law.
  
  

13. Policy Updates

We may revise this policy periodically to reflect changes in legal requirements or our data practices. Updated versions will be posted on our website, and material changes will be communicated directly to our customers.

Regional Data Protection Frameworks

A. United Kingdom (UK GDPR & Data Protection Act 2018)

FlexiSAF UK complies fully with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
UK data subjects may contact the Information Commissioner’s Office (ICO) if they believe their rights have been infringed.
Visit www.ico.org.uk for more information or to submit a complaint.

B. California (CCPA & CPRA)

For users located in California, we comply with the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

Under these regulations, you have the right to:

• Know what categories of personal data we collect, use, or disclose.
  
  
• Request the deletion of your personal information.
  
  
• Request details of the personal information collected over the past 12 months.
  
  
• Opt out of the “sale” or “sharing” of personal data (we do not sell data).
  
  
• Exercise your rights without discrimination.
  
  

Requests may be submitted to info@flexisaf.com, subject to verification requirements.

C. Nigeria (NDPR 2019)

For users and customers in Nigeria, we comply with the Nigeria Data Protection Regulation (NDPR) and related guidelines of the Nigeria Data Protection Commission (NDPC).

Under the NDPR, you have the right to:

• Receive clear information about how your data is used.
  
  
• Provide consent before personal data is processed.
  
  
• Access, correct, or delete your personal information.
  
  
• Restrict transfer of your data outside Nigeria except with adequate safeguards.
  
  

You may contact the NDPC or email info@flexisaf.com to exercise your rights or lodge a complaint.

14. Contact Information

Data Protection Officer (DPO)
📧 Email: info@flexisaf.com
📍 Address: 167–169, 5th Floor, Great Portland Street, London, England, W1W 5PF
🌐 Website: www.flexisaf.com