Skip to main content

Privacy Policy

How Trustaige collects, uses, and protects your personal data under the Nigeria Data Protection Act 2023.

Effective Date: February 28, 2026

1. About Us (Data Controller)

Trustaige Limited (“we”, “our”, “us”) is the data controller responsible for your personal data.

  • Legal Name: Trustaige Limited
  • Address: Spacepad Building, KM 18 Lekki-Epe Expressway, Lagos, Nigeria
  • Email: shield@trustaige.com
  • Phone: 0816 381 6789

We operate the Trustaige Identity Platform (“Platform”) and the website at trustaige.com. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our website and services, in compliance with the Nigeria Data Protection Act 2023 (NDPA) and the General Application and Implementation Directive (GAID) 2025.

2. Information We Collect

Website Visitors

When you visit trustaige.com, we may collect:

  • Browser and device information such as browser type, operating system, and screen resolution
  • Usage data such as pages visited and time spent on site

Trial Sign-Up

When you request a trial through our website, we collect:

  • Contact information: your name and business email address
  • Organization information: organization name

Platform Users

When your organization uses the Trustaige Identity Platform, we process:

  • Account information: email address, display name, and organizational role
  • Authentication data: WebAuthn public key credentials (public keys only — private keys never leave your device)
  • Session data: device type, browser, operating system, IP address, geographic location (derived from IP), and session timestamps
  • Audit logs: authentication events, profile changes, administrative actions, and security events

Device Trust Agent

When your organization enables device trust and you install the Trustaige agent on your device, the agent collects and reports the following to your organization’s Trustaige instance:

At enrollment (one-time):

  • Device hostname and hardware serial number
  • Operating system platform and version
  • An Ed25519 public key generated locally for device attestation (the private key never leaves your device)

At regular intervals:

  • Disk encryption status (enabled or disabled)
  • Firewall status (enabled or disabled)
  • Screen lock status (enabled or disabled)
  • Operating system version and update status
  • Agent software version

What the agent does NOT collect:

  • Personal files, documents, or media
  • Browsing history or web activity
  • Application usage or installed software lists
  • Keystrokes or screen content
  • Location data (beyond IP-derived geolocation on the server side)
  • Biometric data

The agent displays a consent notice before enrollment and provides in-app transparency about what data is reported. You can view this at any time via the “What We Collect” menu item in the agent’s tray menu.

3. How We Use Your Information

We use collected information to:

  • Provide and maintain the Trustaige Identity Platform
  • Process trial requests and communicate with prospective customers
  • Authenticate users and manage sessions
  • Generate audit logs for security and compliance purposes
  • Detect and prevent unauthorized access and security threats
  • Improve our services and user experience
  • Respond to support requests
  • Comply with legal obligations

Under the NDPA (Sections 25–26), we process your personal data on the following lawful bases:

Processing ActivityLawful BasisReference
Platform authentication and session managementPerformance of contractNDPA s.25(a)
Trial sign-up and onboardingConsent / Pre-contractual stepsNDPA s.25(a), s.25(b)
Audit logging and security monitoringLegitimate interest (security)NDPA s.25(d)
Threat detection (new device, impossible travel)Legitimate interest (security)NDPA s.25(d)
Device trust posture collection and compliance evaluationLegitimate interest (security) / ConsentNDPA s.25(b), s.25(d)
Compliance reporting and data retentionLegal obligationNDPA s.25(c)
Service improvement and analyticsLegitimate interestNDPA s.25(d)
Responding to data subject rights requestsLegal obligationNDPA s.34–38

Where we rely on legitimate interest, we have conducted a balancing assessment to ensure our interests do not override your rights and freedoms.

5. What We Never Collect

Trustaige is designed with privacy at its core:

  • Private keys: WebAuthn private keys are generated and stored on your device’s secure element. They never leave the device and are never transmitted to our servers.
  • Biometric data: Biometric verification happens locally on your device. We never receive, store, or process biometric data.
  • Passwords: Trustaige is a passwordless platform. We do not store passwords or shared secrets.
  • Personal files or activity: The Trustaige device agent does not access, scan, or transmit personal files, browsing history, keystrokes, or screen content.

6. Who We Share Data With (Third-Party Recipients)

We do not sell, rent, or share your personal information with third parties for marketing purposes.

We may share data with the following categories of third-party service providers, solely for the purposes described:

Recipient CategoryPurposeData Shared
Cloud infrastructure providerHosting the Platform and storing dataAll Platform data (encrypted)
Payment processor (Paystack)Processing subscription paymentsBilling contact name, email, payment details
Email delivery serviceSending transactional emails (onboarding, notifications)Email address, name
FIDO Metadata Service (FIDO Alliance)Verifying authenticator security statusAuthenticator AAGUID (device model identifier)

All third-party processors are bound by data processing agreements that require them to process personal data only on our instructions and implement appropriate security measures.

7. International Data Transfers

Your data may be processed outside Nigeria by our cloud infrastructure and service providers. Where such transfers occur, we ensure appropriate safeguards are in place in accordance with the NDPA (Section 45), including:

  • Data processing agreements with all sub-processors
  • Verification that the receiving jurisdiction provides adequate data protection, or
  • Implementation of appropriate safeguards such as standard contractual clauses

8. Data Storage and Security

  • All data is encrypted in transit using TLS 1.2 or higher
  • Data at rest is encrypted using industry-standard encryption
  • Sessions are managed through secure, server-side session stores (Redis)
  • Content Security Policy (CSP) with per-request nonces protects against injection attacks
  • HTTP Strict Transport Security (HSTS) is enforced in production
  • Access to production systems is restricted and audited
  • We conduct regular security reviews of our infrastructure and application

9. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, in accordance with NDPA Section 49:

Data CategoryRetention PeriodBasis
Trial sign-up dataDuration of evaluation + 6 monthsNDPA s.49(3) default
Platform identity dataDuration of active subscription + 6 months after terminationContractual + legal obligation
Audit logs and security eventsPer organization’s configured retention policy (default: 6 months)NDPA s.49(3)
Device trust posture reportsPer organization’s configured retention policy (default: 6 months)NDPA s.49(3)
Device enrollment dataDuration of device enrollment + 30 days after removalContractual + operational necessity
Session dataAutomatically purged upon session expiration or revocationOperational necessity
Payment records7 yearsTax and legal obligations

When data is no longer required, it is securely deleted or anonymized.

10. Your Rights

Under the NDPA (Sections 34–38), you have the following rights regarding your personal data:

  • Right of Access (s.34): You may request a copy of the personal data we hold about you.
  • Right to Rectification (s.35): You may request correction of inaccurate or incomplete personal data.
  • Right to Erasure (s.38): You may request deletion of your personal data, subject to legitimate retention requirements and a 30-day grace period.
  • Right to Data Portability (s.37): You may request your data in a structured, commonly used, machine-readable format (JSON).
  • Right to Object (s.36): You may object to processing based on legitimate interest.

How to Exercise Your Rights

You can exercise your data subject rights through:

  1. Self-service: Use the data export and identity management features in the Platform settings.
  2. Email: Send your request to dpo@trustaige.com with the subject line “Data Subject Request”.
  3. Response time: We will acknowledge your request within 72 hours and fulfill it within 30 days, or inform you if an extension is necessary.

We may need to verify your identity before processing your request. We will not charge a fee for processing reasonable requests.

11. Data Protection Officer

We have designated a Data Protection Officer (DPO) in accordance with NDPA Sections 11–12. You may contact the DPO for any inquiries regarding data protection:

The DPO is responsible for monitoring our compliance with the NDPA, advising on data protection obligations, and serving as the point of contact for data subjects and the Nigeria Data Protection Commission.

12. Right to Complain to the NDPC

If you believe that our processing of your personal data infringes the NDPA, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) under NDPA Section 39:

We encourage you to contact our DPO first so we can attempt to resolve your concern directly.

13. Cookies

Trustaige uses strictly necessary session cookies to maintain authenticated sessions. We do not use tracking cookies, advertising cookies, or third-party analytics cookies. For full details, see our Cookie Policy.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting the updated policy on this page with a revised effective date. Where required by law, we will seek your consent to material changes.

15. Contact

For privacy-related inquiries: