Privacy Policy

Last Updated: April 2026

Data Controller: Network Capital Limited, 13 Maitama Sule Street, Southwest Ikoyi, Lagos, Nigeria. RC: 949815.

Data Protection Officer: dpo@networkcapitalltd.com

1. About This Policy

This Privacy Policy explains how Network Capital Limited (“we”, “us”, “our”, “NETCAP”) collects, uses, stores, shares, and protects personal data when you use our website at www.networkcapitalltd.com, apply to open an investment account, use our brokerage services, or interact with us through any channel.

We are registered and regulated by the Securities and Exchange Commission of Nigeria and hold a Trading License from the Nigerian Exchange Limited. As a regulated capital market operator, we are subject to specific legal requirements regarding the collection and retention of client data, which are reflected in this policy.

We comply with the Nigeria Data Protection Act 2023 (NDPA) and all applicable data protection laws. For the purposes of the NDPA, Network Capital Limited is the data controller responsible for your personal data.

This policy should be read alongside our Terms of Use, Cookie Policy, and Disclaimer, all of which are available on the website.

2. What Personal Data We Collect

The personal data we collect depends on how you interact with us. We collect only what is necessary for the specific purpose.

2.1 When You Browse Our Website

When you visit www.networkcapitalltd.com, we may collect:

Technical data: your IP address, browser type and version, operating system, device type, and screen resolution.
Usage data: pages you visit, time spent on each page, navigation paths, referral source (the website or search engine that brought you to us), and the date and time of your visit.
Cookie data: identifiers stored on your device by our website and by third-party services we use. Full details are in our Cookie Policy.

This data is collected through Google Analytics 4 and Cloudflare. It is aggregated and used to understand how visitors use the site, improve performance, and detect security threats. We do not use this data to identify individual visitors unless required for security purposes.

2.2 When You Open an Investment Account

When you apply to open an account with Network Capital Limited, we collect:

Identity data: full legal name (as it appears on your BVN), date of birth, gender, nationality, state of origin, local government area, mother’s maiden name, and country of residence.
Contact data: residential address, postal address, phone numbers, email address, and preferred communication channel.
Identification data: government-issued ID type and number (International Passport, Driver’s Licence, National ID Card, or Permanent Voter’s Card), a scanned copy of the ID document, and a passport photograph.
Bank Verification Number (BVN): your 11-digit BVN, which we forward to the Central Securities Clearing System (CSCS) for identity verification and account creation. We do not perform real-time BVN lookups. CSCS validates the BVN against your name.
Financial data: bank name, bank account number, employment status, employer name, job title, annual income range, net worth range, and source of funds.
Investment profile data: investment objective, experience level, time horizon, risk tolerance, and Politically Exposed Person (PEP) status.
Consent records: timestamps of your agreement to our Terms and Conditions, Risk Disclosure Statement, Email Indemnity, and this Privacy Policy.

2.3 When You Use Our Brokerage Services

Once your account is active, we collect:

Transaction data: buy and sell mandates, trade execution records, contract notes, settlement details, and fee records.
Portfolio data: your securities holdings, CSCS account records, Clearing House Number, dividend entitlements, and corporate action elections.
Communication records: emails, phone call logs, WhatsApp messages, and any other correspondence between you and your Relationship Officer or our team, to the extent these relate to mandates and account instructions.

2.4 When You Contact Us or Use Website Features

When you use the contact form, callback request, live chat (Tawk.to), newsletter signup, or submit any enquiry, we collect the information you provide, typically your name, email, phone number, and the content of your message.

3. Why We Collect Your Data and Our Legal Basis

Under the NDPA, we must have a lawful basis for processing your personal data. The table below sets out the purposes for which we use your data and the legal basis for each.

Purpose	Data Used	Legal Basis
Processing your account opening application and creating your CSCS account	Identity, contact, identification, BVN, financial, and investment profile data	Performance of a contract (your brokerage agreement with us)
Executing buy and sell mandates on the NGX	Transaction data, portfolio data, and communication records	Performance of a contract
Verifying your identity and preventing fraud and money laundering	Identity, identification, BVN, financial data	Legal obligation (Investments and Securities Act 2025, Money Laundering Prevention and Prohibition Act 2022, NDPA 2023)
Regulatory reporting to the Securities and Exchange Commission, Nigerian Exchange, CSCS, and other regulators	Identity, transaction, and portfolio data	Legal obligation
Sending contract notes, trade confirmations, and account statements	Contact data, transaction data	Performance of a contract
Sending you market research, newsletters, and educational content	Name, email address	Your consent (opt-in at account opening or newsletter signup). You can withdraw at any time.
Responding to your enquiries and providing client support	Contact data, communication records	Legitimate interest (providing the service you requested)
Analysing website usage and improving website performance	Technical data, usage data, cookie data	Your consent (via cookie banner for analytics cookies)
Protecting the security of our website and systems	Technical data, IP address	Legitimate interest (security of our infrastructure)

4. Who We Share Your Data With

We do not sell your personal data. We do not share your data with any third party for their own marketing purposes. We share your data only where it is necessary for the purposes set out in this policy or where we are required to do so by law.

4.1 Regulatory and Statutory Bodies

As a regulated capital market operator, we are legally required to share certain client data with:

The Central Securities Clearing System (CSCS): your identity data, BVN, and portfolio data for the creation and maintenance of your CSCS account.
The Securities and Exchange Commission (SEC): client identity and transaction data as required for regulatory oversight and reporting.
The Nigerian Exchange Limited (NGX): trade execution data as part of our trading licence obligations.
The Nigerian Financial Intelligence Unit (NFIU): transaction data where required under anti-money laundering regulations.
Tax authorities: withholding tax records as required by law.

4.2 Service Providers

We use the following third-party service providers who may process your data on our behalf:

Service Provider	Purpose	Data Processed
Google (Google Analytics 4)	Website traffic analysis and performance monitoring	Anonymised usage data, IP address (truncated), cookie identifiers
Cloudflare	Website security (DDoS protection, WAF, SSL, CDN)	IP address, request headers, technical data
Tawk.to	Live chat support on the website	Name, email (if provided in chat), chat content, IP address
TradingView	Embedded market data widgets (ticker tape, stock charts, screener, symbol info)	No personal data is shared by us. TradingView may place its own cookies and collect technical data (see Cookie Policy).
Trading Economics	Embedded economic indicators matrix widget (GDP, inflation, interest rates, bonds for Nigeria and global markets)	No personal data is shared by us. Trading Economics may collect technical data and place cookies through its widget script.
Investing.com	Embedded live currency cross rates widget	No personal data is shared by us. Investing.com may collect technical data through its iframe embed.
ExchangeRate-API	Automated daily currency exchange rates (USD, GBP, EUR, CAD vs NGN)	No personal data shared. Server-side API call only.
Zoho	CRM, newsletter management, and email marketing distribution	Email address, name, subscription preferences, email engagement data (opens, clicks).
SendPulse	Email marketing distribution, transactional email delivery, and automated email campaigns	Email address, name, email engagement data (opens, clicks, bounces). SendPulse may also process IP address and device data for delivery optimisation.
Calendly	Appointment scheduling for diaspora investor consultations with Relationship Officers	Name, email address, phone number, selected time slot, and any notes provided during booking.
Cookie Yes	Cookie consent management banner (NDPA compliance)	Cookie consent preferences, IP address (for geolocation of consent requirements).
Vercel Inc.	Website hosting, serverless infrastructure, edge CDN, and continuous deployment pipeline	All website data and application code is deployed on Vercel’s infrastructure. Data is encrypted at rest and in transit. Vercel’s privacy policy is available at vercel.com/legal/privacy-policy.

Each service provider is bound by a data processing agreement that requires them to process your data only for the purposes we specify, to keep it secure, and to delete it when no longer needed for the contracted purpose.

4.3 Professional Advisers and Legal Proceedings

We may share your data with our auditors, legal advisers, and professional consultants to the extent reasonably necessary for the performance of their professional duties. We may also disclose your data where required by court order, subpoena, or other legal process.

5. International Data Transfers

Some of our third-party service providers operate servers outside Nigeria. These include Google (United States), Cloudflare (global network), Tawk.to (international), TradingView (United States), Trading Economics (international), Investing.com (international), SendPulse (international), Calendly (United States), and Cookie Yes (international). Where your data is transferred outside Nigeria as a result of these integrations, we ensure that appropriate safeguards are in place, including confirming that the receiving country provides an adequate level of data protection or that the service provider is bound by contractual terms that meet NDPA requirements.

We will not transfer your personal data to any country that does not provide adequate data protection safeguards without first putting appropriate contractual protections in place. Where no adequacy determination exists for a recipient country, we rely on contractual safeguards such as standard contractual clauses or binding corporate rules to protect the data in transit and at rest.

6. How Long We Keep Your Data

We retain personal data for as long as necessary to fulfil the purposes for which it was collected, or as required by law. The following retention periods apply:

Data Category	Retention Period	Reason
Account opening records (KYC data)	Duration of the client relationship plus 10 years after account closure	SEC regulations and anti-money laundering law require retention of KYC records for a minimum of 5 years after the business relationship ends. We apply 10 years for prudence.
Transaction records and contract notes	Duration of the client relationship plus 10 years	SEC regulations, NGX rules, and tax compliance obligations.
Communication records (mandates, instructions)	Duration of the client relationship plus 6 years	Regulatory evidence and dispute resolution.
Website analytics data	26 months from the date of collection	Google Analytics default retention. Anonymised and aggregated.
Newsletter subscription records	Until you unsubscribe, plus 12 months	Proof of consent and subscription record.
Contact form and live chat records	2 years from the date of the enquiry	Service quality and follow-up.
Unsuccessful account applications	12 months from the date of rejection or withdrawal	Audit trail and regulatory review.

When the retention period expires, we securely delete or anonymise the data so that it can no longer be linked to you.

7. How We Protect Your Data

We take the security of your personal data seriously. The following measures are in place:

All data transmitted between your browser and our website is encrypted using TLS (Transport Layer Security) via Cloudflare.
Our website is protected by Cloudflare’s Web Application Firewall, DDoS mitigation, and bot detection.
Administrative access to the website backend requires two-factor authentication and is restricted to authorised staff.
Database access is restricted to localhost connections only. No external access to the database is permitted.
Staff access to client data is granted on a need-to-know basis and is logged for audit purposes.
We conduct regular security assessments, including third-party penetration testing.
Offsite backups are encrypted and stored separately from the production environment.

No system is perfectly secure. While we implement industry-standard safeguards, we cannot guarantee that data transmitted over the internet will be completely free from interception. You are responsible for keeping your login credentials (including your Netcap Trader password) confidential.

8. Data Breach Notification

In compliance with Sections 28, 39, and 40 of the Nigeria Data Protection Act 2023, we are required to report any personal data breach that poses a risk to the rights and freedoms of affected individuals.

8.1 Notification to the NDPC

If we become aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data, we will notify the Nigeria Data Protection Commission within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to your rights and freedoms.

8.2 Notification to Affected Individuals

Where a breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay. The notification will include a description of the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures we have taken or propose to take to address the breach and mitigate its effects.

8.3 Our Breach Response Process

Upon discovering a potential breach, our response process involves four steps. First, we immediately assess the scope, severity, and nature of the breach. Second, we contain the breach and take steps to prevent further unauthorised access. Third, we notify the NDPC and affected individuals as required. Fourth, we conduct a post-incident review to identify root causes and implement measures to prevent recurrence.

We maintain a record of all personal data breaches, including facts relating to the breach, its effects, and the remedial actions taken, regardless of whether the breach triggers the notification obligation.

9. Automated Decision-Making and Profiling

Network Capital Limited does not currently use automated decision-making processes, including profiling, that produce legal effects concerning you or that significantly affect you.

If we introduce any form of automated decision-making in the future (for example, automated risk assessment or credit scoring for share-backed lending), we will update this policy to describe the processing, the logic involved, and the significance and expected consequences for you. We will also provide you with the right to obtain human intervention, express your point of view, and contest the decision, as required under the NDPA.

Where any automated processing is introduced, it will only operate on the basis of your explicit consent or where it is necessary for the performance of a contract between you and us, and appropriate safeguards will be in place to protect your rights.

10. Your Rights Under the NDPA

Under the Nigeria Data Protection Act 2023, you have the following rights in relation to your personal data:

Right of access: you can request a copy of the personal data we hold about you.
Right to rectification: you can ask us to correct any data that is inaccurate or incomplete.
Right to erasure: you can ask us to delete your personal data in certain circumstances. Note that we may be unable to comply if we are required by law to retain the data (for example, KYC records under SEC regulations).
Right to restrict processing: you can ask us to limit how we use your data in certain circumstances.
Right to data portability: you can ask us to provide your data in a structured, commonly used, machine-readable format so that you can transfer it to another service provider.
Right to object: you can object to processing based on legitimate interest. You can also object to receiving marketing communications at any time.
Right to object to automated decision-making: you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, except where the decision is necessary for a contract, authorised by law, or based on your explicit consent.
Right to withdraw consent: where processing is based on your consent (for example, marketing emails or analytics cookies), you can withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

10.1 How to Exercise Your Rights

To exercise any of these rights, contact our Data Protection Officer at dpo@networkcapitalltd.com or write to us at 13 Maitama Sule Street, Southwest Ikoyi, Lagos.

We will verify your identity before processing any request. For account holders, we will match your request against the identity documents on file. For non-account holders, we may ask you to provide a valid government-issued ID.

We will respond to your request within 30 calendar days of receiving it and verifying your identity. If the request is complex or we receive a high volume of requests, we will notify you of any extension.

10.2 Fees

Exercising your data protection rights is free of charge. However, we may apply a reasonable administrative fee if a request is clearly unfounded, repetitive, or excessive. We will inform you of any applicable fee before proceeding.

11. Complaints and Dispute Resolution

11.1 Internal Complaint Procedure

If you believe your personal data has been processed in a way that does not comply with this policy or with the NDPA, or if you are dissatisfied with how we have responded to a request you have made under Section 10 above, you may lodge a complaint with our Data Protection Officer.

Email: dpo@networkcapitalltd.com

Phone: 0706 200 2333

Address: 13 Maitama Sule Street, Southwest Ikoyi, Lagos, Nigeria

Upon receiving your complaint, our Data Protection Officer will acknowledge receipt within 2 business days and commence an investigation. We aim to resolve all data protection complaints within 7 business days of receipt. If the matter is complex and requires additional time, we will inform you of the expected timeline and provide regular updates until the matter is resolved.

11.2 Escalation to the NDPC

If you are not satisfied with our response or the outcome of the internal complaint process, you have the right to escalate your complaint to the Nigeria Data Protection Commission (NDPC), which is the supervisory authority responsible for data protection under the NDPA 2023.

Nigeria Data Protection Commission

Email: info@ndpc.gov.ng

Website: www.ndpc.gov.ng

Address: No. 12 Clement Isong Street, Asokoro, Abuja, Nigeria

We encourage you to contact our Data Protection Officer first, as we take all complaints seriously and prefer to resolve matters directly. However, your right to complain to the NDPC is not affected by whether you have raised the issue with us first.

11.3 Judicial Remedies

Nothing in this policy affects your right to seek judicial remedies under Nigerian law if you believe your data protection rights have been violated.

12. Children’s Data

Our services are not directed at individuals under 18 years of age. We do not knowingly collect personal data from minors. If we become aware that we have collected personal data from a person under 18 without appropriate parental or guardian consent, we will take steps to delete that data promptly.

Where a minor holds shares through a custodial arrangement with a parent or guardian, the parent or guardian provides consent for data processing on the minor’s behalf, and the personal data collected relates to the custodial relationship rather than to the minor independently.

13. Marketing Communications

We will only send you marketing communications (market research, newsletters, educational content, service updates) if you have given us your explicit consent to do so. Consent is collected during account opening (optional checkbox) or through the newsletter signup form on the website.

Every marketing email we send includes an unsubscribe link. You can also withdraw consent by emailing info@networkcapitalltd.com or by contacting your Relationship Officer.

Withdrawing from marketing communications does not affect transactional communications (contract notes, trade confirmations, account statements, regulatory notices), which we are required to send to you as part of our brokerage service.

14. Third-Party Websites and Services

Our website contains links to third-party websites, including those of the Securities and Exchange Commission (sec.gov.ng), the Nigerian Exchange (ngxgroup.com), the Central Securities Clearing System (cscs.ng), the Central Bank of Nigeria (cbn.gov.ng), and others. We also embed third-party services such as TradingView widgets, Google Maps, and Tawk.to live chat.

We do not control these third-party websites or services and are not responsible for their privacy practices. We encourage you to review their privacy policies before providing them with any personal information.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our data processing practices, in the services we offer, or in applicable law. The “Last Updated” date at the top of this page indicates when the policy was most recently revised.

For significant changes that affect how we process your data, we will notify you by email (if you are a registered client) or by prominent notice on the website. Your continued use of the website or our services after the updated policy takes effect constitutes acceptance of the changes.

16. Contact Us

If you have any questions about this Privacy Policy, about how we process your data, or if you wish to exercise any of your data protection rights, please contact us: