Privacy Policy

This Privacy Policy explains how Merge2own Ltd(referred to in this document as "merge2own", "we", "us", or "our"), a company incorporated in Nigeria with its registered office at Road 1, Block D Office 224 Ikota, Off Chevron Lekki, Lagos State, Nigeria, collects, uses, shares, and protects personal information relating to individuals who visit our website, register for an account, submit a pre-qualification or mortgage application, request a credit memo, list a property, or otherwise interact with the merge2own platform (the "Platform").

We are committed to handling personal data lawfully and transparently. Different sections of this Policy apply depending on the jurisdiction in which you reside. The universal sections (Sections 1–12) apply to everyone; the country-specific addenda (Sections 13–16) apply additionally to data subjects in the named jurisdictions.

1. Who we are

merge2own is a technology platform that helps members of the Nigerian diaspora identify residential property opportunities in Nigeria and connect with licensed Nigerian banks for mortgage financing. We operate as a marketplace facilitator and technology intermediary. We are not a bank, lender, licensed mortgage broker, mortgage adviser, or property agent. Final lending decisions are made solely by partner banks, and property transactions occur between you and the relevant property developer or seller.

For the purposes of applicable data-protection law, Merge2own Ltd is the data controller of personal data processed through the Platform. In limited circumstances we also act as a processor on behalf of partner banks (when forwarding application packages and credit memos at their direction); in those cases the relevant bank is the controller for that processing.

Our Data Protection Officer can be reached at [DPO EMAIL] or by post at the address above. For general privacy enquiries, contact privacy@merge2own.com.

2. Scope

This Policy covers personal data we process in connection with:

• Account registration, identity verification, and authentication;
• Pre-qualification calculators and eligibility checks;
• Mortgage applications and the supporting document checklist;
• The Credit Memo Only flow and credit-bureau enquiries;
• Property browsing, enquiries, and developer interactions;
• Payments processed through Stripe (in USD/GBP/CAD/EUR) and Paystack (in NGN);
• Communications with our partner banks, lawyers, valuers, and service providers;
• Customer support, fraud prevention, and platform analytics.

This Policy does not apply to third-party websites, services, or applications linked from the Platform (including partner banks' own portals and payment-processor pages), each of which has its own privacy practices.

3. Personal data we collect

We collect and process the following categories of personal data:

3.1 Identity and contact data

• Full name, date of birth, gender, marital status;
• Postal address (current and prior), country of residence, nationality;
• Email address and telephone number;
• Government-issued identifiers, which may include:
  • Nigeria: Bank Verification Number (BVN), National Identification Number (NIN), International Passport number;
  • United States: Social Security Number (SSN), state ID, passport;
  • United Kingdom: National Insurance (NI) number, passport;
  • Canada: Social Insurance Number (SIN), permanent-residence card number, passport;
  • Other countries: equivalent national identifiers as required by our partner banks.
• Photographic identification documents and proof-of-address documents.

3.2 Employment and financial data

• Employer name, job title, employment start date, profession;
• Gross and net income, supporting payslips and employment letters;
• Bank statements (typically three to six months);
• Tax documents (e.g., W-2 in the US, P60 in the UK, T4 in Canada);
• Existing debts, monthly obligations, assets and liabilities;
• Co-applicant data (where applicable) — collected with the co-applicant's consent.

3.3 Property and transaction data

• Property of interest, intended use, equity contribution, requested loan amount and tenor;
• Title and search documents, valuation reports;
• Payment records (transaction IDs, amounts, currencies, dates) — note: full card numbers and bank account credentials are processed by Stripe and Paystack and are not stored on our servers.

3.4 Credit data

• Consumer credit reports obtained from a credit bureau in your country of residence;
• Credit scores, account histories, public-record items, and credit-related notes prepared by our underwriters or bank partners.

3.5 Communications and support data

• Records of correspondence (email, in-platform messages, support tickets);
• Recordings of customer-support calls where notice has been given;
• Reference letters submitted by individuals who agree to act as personal references.

3.6 Device and usage data

• IP address, device identifier, browser type and version, operating system, language;
• Pages visited, features used, timestamps, referring URLs;
• Cookies and similar technologies (see Section 12);
• Approximate geolocation derived from IP address.

3.7 Sensitive or special-category data

Certain identifiers we collect — BVN, NIN, SSN, NI, SIN, financial account information, and credit-bureau data — are treated as sensitive personal data under Nigerian (NDPA 2023), EU/UK (UK GDPR / GDPR), Californian (CCPA/CPRA), and Canadian (PIPEDA, Quebec Law 25) law. We apply enhanced safeguards described in Section 9.

We do not intentionally collect data revealing racial or ethnic origin, political opinions, religious beliefs, trade-union membership, genetic data, biometric data for identification, health data, or data concerning sexual orientation, unless you voluntarily provide such information and we have a lawful basis to process it.

4. How we collect personal data

• Directly from you — when you create an account, complete forms (pre-qualification, mortgage application, account-opening wizard, credit-memo request), upload documents, communicate with our staff, or submit references on behalf of another person.
• From your devices — automatically via cookies and analytics technologies.
• From third parties, including:
  • Credit credit bureaus (with your written consent);
  • Our partner banks, who may share information from their own onboarding and decisioning processes;
  • Identity-verification providers and fraud-prevention databases;
  • Property developers and listing partners;
  • Payment processors (Stripe, Paystack) confirming transaction status;
  • Public registries (sanctions and politically-exposed-person lists).

5. Purposes and lawful bases

We process personal data only where we have a lawful basis under applicable law. The table below summarises the main purposes and the lawful bases on which we rely. Where we rely on consent, you may withdraw it at any time (see Section 10) without affecting the lawfulness of processing carried out before withdrawal.

Our "legitimate interests" include operating and protecting the Platform, preventing fraud and money laundering, recovering monies owed, ensuring product quality, and pursuing routine business administration. We balance these against your rights and freedoms; you may object to processing based on legitimate interests (see Section 10).

6. Sharing personal data

We share personal data only as described below. We do not sell personal data.

6.1 Partner banks

When you submit a mortgage application or credit memo, we forward your application package to the relevant partner bank's mortgage desk (currently Access Bank Nigeria; additional banks may be added and named in the in-platform bank directory). This is essential to the service you have requested. The bank is an independent data controller and will process your data in accordance with its own privacy notice and the laws applicable to it.

6.2 Credit bureaus

With your separate written consent (which we treat as a Fair Credit Reporting Act "permissible purpose" for US data subjects and an explicit lawful basis under UK GDPR, GDPR, and NDPA), we instruct the credit bureau for your country to provide a consumer credit report. The bureau may record the enquiry on your credit file. Credit bureaus are independent data controllers, and the specific bureau used in each country may change from time to time.

What we share with the partner bank. We do not onward-disclose, forward, or transfer the raw consumer credit report we receive from the credit bureau. Instead, we analyse it together with your application and produce a credit memo — our own analytical work product that summarises the findings relevant to the lending assessment — which is included in the application package shared with the partner bank. The bank may, in its own discretion and under its own consent framework, obtain a further consumer credit report directly from a credit bureau for its underwriting purposes.

6.3 Payment processors

Payments are processed by Stripe, Inc. (and its UK/EU affiliates) for card payments in USD/GBP/EUR/CAD, and by Paystack Payments Limited for transactions in Nigerian naira. These providers are independent data controllers for the payment data they process. Their privacy notices are at stripe.com/privacy and paystack.com/privacy.

6.4 Service providers and processors

We use vetted service providers acting under written data-processing agreements to deliver the Platform:

• Cloud hosting and database infrastructure ([HOSTING PROVIDER — counsel to confirm region and DPA]);
• Email delivery and customer-communications infrastructure;
• Identity-verification and fraud-prevention providers;
• Analytics and error-reporting providers;
• Professional advisers (lawyers, accountants, auditors);
• Property valuers and search agents (instructed only with your knowledge during the application).

6.5 Property developers

When you enquire about a property, we share only the information necessary for the developer to respond (typically your name, country, contact preference, and high-level enquiry). We do not share government identifiers, financial documents, or credit data with developers.

6.6 Regulators, law enforcement, and legal proceedings

We may disclose personal data where required by law, regulation, or valid legal process — including in response to a court order, subpoena, regulator request, or investigation of fraud or breach of our Terms.

6.7 Business transfers

If merge2own is involved in a merger, acquisition, reorganisation, or sale of all or part of its business, personal data may be transferred to the relevant counterparty subject to the same protections described in this Policy.

7. International data transfers

Because we serve customers across multiple countries and work with partner banks in Nigeria, personal data is necessarily transferred across borders. Transfers may include:

• From your country of residence to Nigeria (for property and mortgage processing);
• From Nigeria to the United States, the United Kingdom, the European Union/EEA, and Canada (for hosting and support);
• Between affiliates and processors located in any of the above jurisdictions.

We rely on the following safeguards, applied based on origin:

• For transfers from the UK or EU/EEA: the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses (SCCs), or the EU SCCs (2021) as applicable, supplemented by a transfer-impact assessment;
• For transfers from Canada: comparable level of protection under PIPEDA Principle 4.1.3 and (for Quebec residents) Law 25 transfer-impact assessment;
• For transfers from Nigeria: written instrument under NDPA 2023 Section 41 incorporating model contract clauses approved by the Nigeria Data Protection Commission (NDPC), where the destination is not the subject of an adequacy decision; [COUNSEL TO CONFIRM NDPC mechanism in force as of deployment date];
• For transfers from the United States: contractual safeguards, where required by state law.

You may request a copy of the transfer safeguards (with commercial terms redacted) by emailing privacy@merge2own.com. For completeness, merge2own does not itself transfer consumer credit reports across international borders.

8. Data retention

We retain personal data only for as long as necessary for the purposes set out in this Policy, including to meet legal, accounting, and reporting obligations. Indicative retention periods:

• Pre-qualification data without account creation — 90 days from last interaction;
• Account data and dormant accounts — until account closure plus the longest of: (a) 7 years for financial-services records, (b) the period required by applicable banking, AML, and tax law in Nigeria and your country of residence;
• Submitted but rejected applications — 2 years from rejection;
• Approved mortgage applications — 7 years from completion of the mortgage or such longer period required by Nigerian banking-records law;
• Credit-bureau reports — 12 months from issuance, or as required by FCRA / equivalent;
• Payment records — 7 years (tax and financial-services retention);
• Marketing-consent records — until you withdraw consent plus a short period to demonstrate withdrawal;
• Server access logs and security data — 12 months;
• Anonymised, aggregated data — indefinitely.

When retention expires, we delete personal data or irreversibly anonymise it. Where deletion is not technically feasible (for example, in encrypted backups), we isolate the data and prevent further processing until deletion is possible. [COUNSEL TO CONFIRM all retention durations align with Nigerian Banks and Other Financial Institutions Act, NDIC Act, FCRA, and any applicable consumer-credit regulations].

9. How we protect personal data

We implement technical and organisational measures appropriate to the risk, including:

• Encryption of ultra-sensitive identifiers (BVN, NIN, SSN, SIN, NI) at rest using AES-256-GCM;
• TLS 1.2+ in transit for all connections;
• Row-level-security policies on database tables containing personal data;
• Strict role-based access controls; bank-side data scoped to the relevant bank;
• Time-limited audit logging of every access to unmasked sensitive identifiers;
• Signed and verified webhooks from payment processors;
• Multi-factor authentication for administrator accounts;
• Background checks and confidentiality undertakings for personnel with access to personal data;
• Vulnerability scanning, dependency management, and periodic penetration testing;
• A documented incident-response plan and breach-notification workflow.

No security measure is perfect. In the event of a personal-data breach likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority (the NDPC in Nigeria, the ICO in the UK, the competent EU/EEA supervisory authority, the OPC in Canada, the CAI in Quebec, and US state attorneys general where required) within the timeframes prescribed by law (72 hours under NDPA and GDPR), and will notify you without undue delay where the breach is likely to result in a high risk to your rights.

10. Your rights

Subject to the law applicable to you, you have the following rights in relation to personal data we hold about you:

• Right of access — a copy of the personal data we hold about you;
• Right to rectification — correction of inaccurate or incomplete data;
• Right to erasure ("right to be forgotten") — deletion, subject to overriding legal-retention obligations;
• Right to restrict processing — in certain circumstances;
• Right to data portability — to receive your data in a structured, commonly used, machine-readable format;
• Right to object — to processing based on legitimate interests or for direct marketing;
• Right to withdraw consent — at any time, without affecting prior lawfulness;
• Right not to be subject to automated decision-making — that produces legal or similarly significant effects, except as permitted by law (see Section 10.1);
• Right to lodge a complaint — with the supervisory authority for your country (see country-specific addenda).

To exercise any of these rights, email privacy@merge2own.com with a description of your request and identity-verification information. We will respond within the timeframes prescribed by law (one month under UK GDPR and GDPR, extendable by two further months for complex requests; thirty days under NDPA; forty-five days under CCPA, extendable by forty-five days; thirty days under PIPEDA).

10.1 Automated decision-making

Our pre-qualification calculator performs deterministic eligibility checks (debt-service ratio against 33.3% of net income; age plus tenor against the bank's retirement-age cap; loan amount against the bank's maximum). These checks indicate whether you are likely to qualify but do not constitute the final lending decision. All final lending decisions are made by the partner bank's human underwriters; no fully automated decision producing legal or similarly significant effect is made by merge2own.Partner banks may use their own automated processes — please refer to the relevant bank's privacy notice for details.

11. Children

The Platform is not directed at and not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it without undue delay. Parents or guardians who believe their child has provided personal data should contact privacy@merge2own.com.

12. Cookies and similar technologies

We use cookies and similar technologies to operate the Platform, remember preferences, secure your session, and understand how the service is used. The categories we use are:

• Strictly necessary — session cookies, authentication tokens, CSRF protection. These cannot be disabled.
• Functional — remember language and country preference, form progress.
• Analytics — aggregated, pseudonymous insight into Platform usage. Where required by law (UK / EU / EEA / Quebec / California where applicable), we ask for your prior consent.
• Marketing — only with your prior consent.

For UK, EU/EEA, and Quebec users, our cookie banner offers granular consent and a "reject all non-essential" option. You can change your cookie preferences at any time via the cookie banner or by emailing us. For US users in jurisdictions with opt-out rights (California, Colorado, Connecticut, Virginia, and others as applicable), we honour the Global Privacy Control browser signal as a valid opt-out of any "sale" or "sharing". [COUNSEL TO CONFIRM cookie classification and consent UI before launch.]

Country-specific addenda

Our customers are predominantly Nigerian citizens residing in their countries of habitual residence (currently the United States, the United Kingdom, the European Union/EEA, and Canada). Data-protection law applies on the basis of residency rather than citizenship, so the following addenda apply in addition to the universal sections above, depending on where you reside. In the event of conflict between an addendum and the universal sections, the addendum prevails for residents of the named jurisdiction.

13. Nigeria — NDPA 2023 addendum

This addendum applies if you reside in Nigeria.

• Data controller: Merge2own Ltd, a company incorporated in Nigeria.
• DPCO / DPO contact: [DPO NAME], [DPO EMAIL]. We are registered as a Data Controller of Major Importance with the Nigeria Data Protection Commission (NDPC) — registration number [NDPC REG NO — counsel/operations to confirm].
• Lawful bases under NDPA Section 25: as described in Section 5 above. Where we rely on consent (e.g., credit-bureau enquiries), consent is freely given, specific, informed, and unambiguous; you may withdraw it at any time.
• Sensitive personal data (NDPA Section 30): we process BVN, NIN, financial information, and credit data with appropriate safeguards. We do not process biometric or health data without separate explicit consent.
• Cross-border transfers (NDPA Section 41): transfers outside Nigeria are made under adequacy decisions or, where none exists, under written contractual safeguards approved by the NDPC.
• Your rights under NDPA include access, rectification, erasure, restriction, portability, objection, and withdrawal of consent. To exercise them, email privacy@merge2own.com. If unresolved, you may lodge a complaint with the NDPC at ndpc.gov.ng.
• Retention: as set out in Section 8, with banking-records retention durations aligning with the Banks and Other Financial Institutions Act (BOFIA) 2020 and CBN guidelines applicable to credit-related data.
• Data Protection Impact Assessments (DPIAs) have been conducted in respect of high-risk processing activities including credit-bureau access and large-scale processing of sensitive identifiers. [COUNSEL/DPO TO CONFIRM DPIA on file and update reference here.]
• Breach notification: we notify the NDPC within 72 hours of becoming aware of a personal-data breach likely to result in a risk to your rights, and notify you without undue delay where the risk is high.

14. United Kingdom and European Union / EEA addendum

This addendum applies if you reside in the United Kingdom or in a Member State of the European Union or European Economic Area. References to "UK GDPR" are to the Data Protection Act 2018 read with the UK GDPR; references to "GDPR" are to Regulation (EU) 2016/679.

• UK / EU representative (where required under Article 27 GDPR / UK GDPR): [ARTICLE 27 REPRESENTATIVE NAME AND ADDRESS — counsel to confirm appointment if our offering meets the 'regular and systematic monitoring' or large-scale processing thresholds in respect of UK or EU data subjects].
• Supervisory authorities:
  • UK — the Information Commissioner's Office (ICO), ico.org.uk;
  • Republic of Ireland — Data Protection Commission, dataprotection.ie;
  • Other EU/EEA Member States — your national supervisory authority. The list is published at edpb.europa.eu.
• Right to lodge a complaint: you may complain to the supervisory authority in the Member State of your habitual residence, place of work, or place of the alleged infringement.
• International transfers: transfers from the UK rely on the UK IDTA / UK Addendum to the EU SCCs; transfers from the EU/EEA rely on the EU SCCs (Commission Implementing Decision (EU) 2021/914). Supplementary measures and transfer-impact assessments are conducted as required by case law (Schrems II).
• Children: the age of consent for information-society services is 13 in the UK; 13–16 across EU Member States. We do not direct services at minors (see Section 11).
• Direct-marketing consent is collected separately and is opt-in for new customers in the UK and EU/EEA. The "soft opt-in" under PECR may apply to existing customers for similar products; an unsubscribe link is included in every marketing email.
• Automated decision-making: as described in Section 10.1, no fully automated decision producing legal or similarly significant effect is made by merge2own.
• Right to compensation: Article 82 UK GDPR / GDPR gives you a right to material and non-material damages for unlawful processing. This right is not excluded by any limitation of liability in our Terms.

15. United States addendum

This addendum applies if you reside in the United States. State-specific rights and processes are addressed below.

15.1 Fair Credit Reporting Act (FCRA)

When you request a credit memo or submit a mortgage application that requires one, you give us written instructions to obtain your consumer credit report from a credit bureau. This written instruction is your authorisation under the FCRA, 15 U.S.C. Section 1681b(a)(2). You may revoke the authorisation at any time, but revocation does not affect reports already obtained. merge2own analyses the consumer credit report to produce a credit memo for the partner bank; we do not make lending decisions and we do not onward-transfer the consumer credit report itself. If the partner bank takes "adverse action" (denial of credit) based wholly or partly on a consumer report, you have the right under 15 U.S.C. Section 1681m to receive a notice from the bank naming the credit bureau and explaining your rights, including to obtain a free copy of the report and to dispute inaccuracies.

15.2 California — CCPA / CPRA

If you are a California resident, the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (collectively, the "CCPA") gives you additional rights.

• Categories of personal information collected in the preceding 12 months: identifiers (name, address, email, account ID, IP address, SSN), characteristics of protected classifications under California or federal law (age, marital status, national origin), commercial information (transaction history, properties of interest), Internet or other electronic network activity, geolocation data, professional or employment-related information, inferences drawn from the above. We also collect sensitive personal information in the categories of: SSN, financial-account information, precise geolocation (only when expressly provided), and contents of communications.
• Sources, purposes, and disclosures are described in Sections 3–6 of this Policy.
• Sale or sharing: we do not sell personal information. We do not "share" personal information for cross-context behavioural advertising. We honour the Global Privacy Control (GPC) browser signal as a valid request to opt out of any "sale" or "sharing" that may occur.
• Your CCPA rights: right to know, right to delete, right to correct, right to opt out of sale/sharing, right to limit use of sensitive personal information, right to non-discrimination for exercising rights.
• How to submit a request: email privacy@merge2own.com with subject "California Privacy Request". We verify identity using account credentials and matching personal information. You may also use an authorised agent — we require proof of authorisation (signed permission and verification of the agent's identity).
• Response timeframe: 45 days, extendable by 45 days with notice.
• Retention: as set out in Section 8.
• Children under 16: we do not knowingly sell or share their personal information (we do not sell or share at all).
• Shine the Light (California Civil Code Section 1798.83): we do not disclose personal information to third parties for their direct-marketing purposes.
• Notice of financial incentive: we do not offer financial incentives in exchange for personal information.

15.3 Other US state laws

We extend rights comparable to the CCPA to residents of Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Delaware, Indiana, Florida, New Hampshire, New Jersey, and Maryland, to the extent the laws of those states apply to our processing. Residents of those states may exercise rights using the contact details above. [COUNSEL TO CONFIRM list reflects statutes in force as of deployment date and that controller/processor distinctions are correctly drawn for each.]

15.4 Gramm-Leach-Bliley Act (GLBA)

merge2own may be classified as a financial-services provider under GLBA when processing nonpublic personal information for US data subjects in connection with a mortgage transaction. Where GLBA applies, we provide an initial privacy notice on account creation and annual privacy notices thereafter (this Policy serves as that notice). We do not share nonpublic personal information with non-affiliated third parties for marketing purposes; sharing for everyday business purposes (such as transmitting applications to partner banks at your request) is permitted under Section 502(b)(1) of the GLBA without opt-out. [COUNSEL TO CONFIRM whether GLBA classification applies to merge2own's precise role and ensure the proper GLBA model-privacy-notice form is provided if so.]

16. Canada addendum — PIPEDA & Quebec Law 25

This addendum applies if you reside in Canada, with supplementary provisions for Quebec residents.

16.1 PIPEDA — federal

• Ten Principles: we comply with the ten Fair Information Principles in PIPEDA Schedule 1 (Accountability, Identifying Purposes, Consent, Limiting Collection, Limiting Use, Disclosure and Retention, Accuracy, Safeguards, Openness, Individual Access, Challenging Compliance).
• Privacy Officer: [PRIVACY OFFICER NAME], [DPO EMAIL].
• Consent: we obtain meaningful consent for the collection, use, and disclosure of personal information, with consent forms layered appropriately. Sensitive information requires express, opt-in consent.
• Access and challenge: you may request access to personal information and challenge our compliance with PIPEDA. We respond within 30 days.
• Complaints: you may complain to the Office of the Privacy Commissioner of Canada (OPC), priv.gc.ca.
• Breach reporting: we report breaches of security safeguards involving a real risk of significant harm to the OPC and to affected individuals.

16.2 Quebec — Act respecting the protection of personal information in the private sector ("Law 25")

• Person in charge of personal information protection: [PRIVACY OFFICER NAME — same as PIPEDA officer], [DPO EMAIL].
• Privacy-by-default settings: our default configurations limit collection to what is necessary; you may modify them in your account settings.
• Use of personal information for purposes not initially disclosed requires renewed consent.
• Automated decision-making: we will inform you, upon your request, of the personal information used in any decision based exclusively on automated processing (none, in respect of final lending decisions — see Section 10.1).
• Transfer outside Quebec: we conduct privacy-impact assessments and apply appropriate safeguards before transferring personal information outside Quebec. A summary of the assessment is available on request.
• Right to data portability in a structured, commonly used technological format.
• Right to de-indexation in respect of online content concerning you, subject to the conditions of Law 25.
• Complaints: you may complain to the Commission d'accès à l'information du Québec (CAI), cai.gouv.qc.ca.
• Confidentiality incidents: reported to the CAI and affected individuals where there is a risk of serious injury.

17. Changes to this Policy

We may update this Policy from time to time. When we make material changes, we will provide reasonable notice — typically by email to the address on your account and by a banner on the Platform — at least 30 days before the change takes effect, except where law requires earlier or different notice. The "Effective date" at the top of this Policy reflects the most recent revision. Continued use of the Platform after the effective date of a change constitutes acceptance of the updated Policy, but does not, by itself, constitute consent for new processing requiring consent — for such processing we will obtain fresh consent.

18. Contact and complaints

For any privacy enquiry or to exercise a right described in this Policy:

• Email: privacy@merge2own.com
• Data Protection Officer: [DPO NAME], [DPO EMAIL]
• Postal address: Road 1, Block D Office 224 Ikota, Off Chevron Lekki, Lagos State, Nigeria

If we are unable to resolve your enquiry, you have the right to lodge a complaint with the supervisory authority for your jurisdiction (see addenda Sections 13–16).