Privacy
Policy

We collect information you provide directly, information generated through your use of our services, and limited information from third-party sources. The types of data we collect depend on how you interact with the CompassNG platform.

Account Information: When you create an account, we collect your full name, email address, and password (stored as a cryptographic hash). If you create or join an organization, we also store your role within that organization.

Usage Data: We automatically collect information about your API usage, including the endpoints you call, request timestamps, response codes, IP addresses, and the number of credits consumed. This data is used to enforce rate limits, generate usage analytics, and improve service reliability.

API Key Data: When you generate API keys, we store key metadata including the key name, creation date, permissions, and a masked prefix. The full key value is shown only once at creation and is stored as a secure hash.

Device and Browser Information: We collect standard technical information such as your browser type, operating system, screen resolution, and referring URL. This helps us optimize the platform experience and diagnose technical issues.

We use the information we collect for the following purposes:

• Service Delivery — To provide, maintain, and improve the CompassNG API platform, including processing your API requests, delivering search results, and serving enriched article data.
• Authentication and Security — To verify your identity, manage sessions via secure httpOnly cookies, and protect against unauthorized access to your account and API keys.
• Usage Tracking and Billing — To monitor API usage against your plan quota, enforce rate limits, calculate credits consumed, and generate usage reports visible in your dashboard.
• Communication — To send transactional emails such as email verification, password resets, organization invitations, and critical service notifications.
• Support — To respond to your support requests and troubleshoot issues with your account or API integration.
• Legal Compliance — To comply with applicable laws, respond to legal requests, and enforce our Terms of Service.

CompassNG processes personal data in compliance with the Nigeria Data Protection Regulation (NDPR) 2019 and the Nigeria Data Protection Act (NDPA) 2023. For users located in the European Economic Area, we also recognize obligations under the General Data Protection Regulation (GDPR).

Our legal bases for processing include:

• Contractual Necessity — Processing required to perform our contract with you (e.g., providing API access, managing your account, processing billing).
• Legitimate Interest — Processing necessary for our legitimate business interests (e.g., improving the platform, preventing fraud, analyzing aggregate usage patterns), where those interests are not overridden by your rights.
• Consent — Where you have given explicit consent (e.g., receiving optional marketing communications). You may withdraw consent at any time.
• Legal Obligation — Processing necessary to comply with applicable laws, regulations, or court orders.

CompassNG does not sell, rent, or trade your personal information to third parties. We share data only in the following limited circumstances:

• Infrastructure Providers — We use cloud hosting and infrastructure services to operate the platform. These providers process data on our behalf under strict data processing agreements.
• Payment Processors — If you subscribe to a paid plan, your payment information is handled directly by our payment processor. We do not store credit card numbers or bank account details on our servers.
• Legal Requirements — We may disclose information if required by law, subpoena, court order, or government regulation, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
• Business Transfers — In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you via email or a prominent notice on our platform before your data is subject to a different privacy policy.

We retain your data only as long as necessary to fulfil the purposes described in this policy. The following table outlines our retention periods:

When your account is deleted, we remove or anonymize your personal data within 30 days, except where retention is required by law or for legitimate business purposes such as fraud prevention.

We implement industry-standard security measures to protect your personal information from unauthorized access, alteration, disclosure, or destruction.

• Encryption in Transit — All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
• Password Security — Passwords are never stored in plaintext. We use bcrypt hashing with a high work factor to protect stored credentials.
• API Key Security — API keys are stored as secure hashes. Only a masked prefix is displayed in the dashboard after initial creation.
• Cookie Security — Authentication tokens are stored in httpOnly, Secure, SameSite=Strict cookies, preventing access from client-side JavaScript and protecting against CSRF attacks.
• Access Controls — Employee access to production data is restricted on a need-to-know basis, with all access logged and audited.
• Infrastructure Security — Our hosting infrastructure is protected by firewalls, intrusion detection systems, and automated vulnerability scanning.

While we strive to protect your data, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents.

Under the NDPR, NDPA, and where applicable the GDPR, you have the following rights regarding your personal data:

• Right of Access — You may request a copy of the personal data we hold about you.
• Right to Rectification — You may request correction of inaccurate or incomplete data. You can update most account information directly from your dashboard settings.
• Right to Erasure — You may request deletion of your personal data, subject to legal retention requirements. Deleting your account will trigger this process.
• Right to Data Portability — You may request your data in a structured, commonly used, machine-readable format.
• Right to Object — You may object to processing based on legitimate interests. We will cease processing unless we have compelling legitimate grounds.
• Right to Restrict Processing — You may request that we limit how we process your data in certain circumstances.
• Right to Withdraw Consent — Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@compassng.com. We will respond to verified requests within 30 days, as required by applicable law.

CompassNG is operated from Nigeria. Our cloud infrastructure may process and store data in data centres located outside Nigeria. When we transfer data internationally, we ensure appropriate safeguards are in place.

For users in the European Economic Area, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other legally recognized transfer mechanisms, to ensure your data receives an adequate level of protection.

For users in Nigeria, international transfers comply with the requirements of the NDPR and NDPA, including ensuring that recipient jurisdictions provide adequate data protection or that appropriate contractual safeguards are in place.

CompassNG is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@compassng.com, and we will take steps to delete that information.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by email (sent to the address associated with your account) and update the "Last updated" date at the top of this page.

Your continued use of CompassNG after the effective date of any changes constitutes your acceptance of the updated policy. If you do not agree with the changes, you should stop using the service and delete your account.

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• Email: privacy@compassng.com
• Company: CompassNG (Metronio Technologies Ltd.)
• Location: Lagos, Nigeria

You may also wish to review our Terms of Service and Cookie Policy for additional information about how we operate the platform.