Sky Capital Privacy Policy

PREAMBLE

Sky Capital & Financial Allied International Limited offers a range of financial products such as Loans, Deposit Fixing, and Wealth Management services tailored to our clients’ unique needs.

As a Data Controller under the Nigeria Data Protection Act (NDP Act) 2023, we are committed to safeguarding the confidentiality, integrity, and security of all personal data entrusted to us.

By using our services, you entrust us with your information. We understand the responsibility this carries and are dedicated to processing your data in compliance with the NDP Act 2023, GAID 2025, and other applicable regulations.

We may update this Privacy Policy periodically, and the latest version will always be available on our official platforms.

ARTICLE 1: OUR COMMITMENT TO DATA PROCESSING PRINCIPLES

We process your personal data in line with Section 24 of the NDP Act 2023 and Article 15 of the GAID 2025:

  • Fairly, lawfully, and transparently.
  • For specified, explicit, and legitimate purposes.
  • Limited to what is adequate, relevant, and necessary.
  • Accurately and kept up to date.
  • In a manner that ensures confidentiality, integrity, and availability.

We also uphold accountability by documenting our processing activities, conducting Data Privacy Impact Assessments (DPIAs), and reviewing our practices regularly.

ARTICLE 2: LAWFUL BASES OF PROCESSING

As required under Section 25 of the NDP Act 2023 and Article 16 of the GAID 2025, the Company shall assess and determine the lawful basis for each category of data processing prior to processing personal data.

  • Consent
  • Contractual obligation
  • Legal obligation
  • Vital interest
  • Public interest
  • Legitimate interest

ARTICLE 3: CONSENT OF DATA SUBJECT

In accordance with Articles 17 and 18 of the GAID 2025, the Company shall ensure:

  • Consent is freely given, informed, specific and unambiguous.
  • Consent withdrawal shall be as easy as giving consent.
  • Consent is required especially for:
      • Direct marketing
      • Processing of sensitive personal data
      • Processing a child’s data
      • Further processing incompatible with the original purpose
      • Cross-border transfer without adequacy decision
      • Decisions based solely on automated processing

ARTICLE 4: OUR SCOPE OF DATA PROCESSING

| S/N | Purpose | Type of Data | Lawful Basis |
|-----|---------|--------------|--------------|
| 1 | Client identification (KYC) | Name, contact details, NIN, BVN, passport, utility bills | Legal Obligation |
| 2 | Account opening & stockbroking services | Personal, financial, and transaction data | Contract / Legal Obligation |
| 3 | Regulatory reporting (SEC, NGX, CBN) | Financial & transaction records | Legal Obligation |
| 4 | Communication & updates | Email & phone number | Consent / Legitimate Interest |
| 5 | Security & fraud prevention | CCTV images, access logs, device/IP information | Legal Obligation / Legitimate Interest |
| 6 | Employment & HR | Employee records, guarantor details, medical data | Contract / Legal Obligation |

ARTICLE 5: HOW WE COLLECT DATA

  • Directly from you (forms, account opening, customer service).
  • Automated technologies (cookies, IP addresses, login activity).
  • Third parties (credit bureaus, regulators, anti-fraud databases).
  • Security systems (CCTV surveillance, call recordings).

ARTICLE 6: TRANSPARENCY AND NOTICE TO DATA SUBJECTS

  • The identity of the Company
  • Lawful basis for processing
  • Categories of personal data collected
  • Purpose of processing
  • Means of processing
  • Third-party access and purpose
  • Data subject rights
  • Complaint mechanisms including the NDPC

ARTICLE 7: DATA SUBJECT RIGHTS

  • Right to Access
    You have the right to request and obtain confirmation as to whether your personal data is being processed, as well as access to the personal data and information about how it is processed. Organizations must provide copies of your data upon request.

  • Right to Rectification
    You have the right to request correction of inaccurate, incomplete, or outdated personal data. The organization must take reasonable steps to rectify such data without undue delay.

  • Right to Erasure
    You may request the deletion or removal of your personal data where there is no lawful basis for retaining it, where consent has been withdrawn, or where processing is unlawful—subject to legal and regulatory retention requirements.

  • Right to Restrict Processing
    You may request a temporary or permanent restriction on the processing of your personal data, particularly where accuracy is contested, processing is unlawful, or you object to the processing.

  • Right to Data Portability
    You have the right to request a copy of your personal data in a structured, commonly used, and machine-readable format, and to request that the data be transmitted to another data controller where technically feasible.

  • Right to Withdraw Consent
    Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.

  • Right to Object to Processing
    You may object at any time to the processing of your personal data, particularly where the basis is legitimate interest, performance of a task in the public interest, or for direct marketing purposes.

  • Right to Complain to the NDPC
    You have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) if you believe that your data protection rights have been violated.

  • Right to Judicial Remedy
    You have the right to seek judicial redress where you suffer harm as a result of a breach of data protection laws or where you are dissatisfied with the outcome of a complaint.

  • Right to Non-Discrimination
    You have the right not to be discriminated against for exercising any of your data protection rights.

  • Right to be Informed
    You have the right to receive clear, concise, and transparent information about the collection and use of your personal data, including the purposes, legal basis, retention period, and recipients.

To exercise these rights, contact our Data Protection Officer (DPO).

ARTICLE 8: DATA RETENTION AND SECURITY

  • Customer and transaction data retained for 10 years.
  • Employee records retained for 6 years post-employment.
  • CCTV/security logs retained for 90 days–1 year.
  • Data no longer needed is securely deleted or archived.

We use encryption, access controls, intrusion detection systems, and continuous monitoring to protect your data.

ARTICLE 9: DATA PRIVACY IMPACT ASSESSMENT (DPIA)

  • Profiling or automated decision-making
  • Systematic monitoring
  • Processing of sensitive data
  • Processing involving vulnerable data subjects
  • Deployment of new technologies
  • Surveillance using CCTV
  • Financial services using digital platforms
  • Cross-border data transfer

ARTICLE 10: EMPLOYEE TRAINING

  • Duties and responsibilities regarding data protection
  • Practices to stop, start, and continue
  • Organisational privacy guidelines
  • Routine checks for compliance

ARTICLE 11: MANDATORY DATA COLLECTION

Certain personal data is mandatory for us to comply with regulatory obligations such as KYC and AML/CFT requirements.

ARTICLE 12: DATA SHARING AND CROSS-BORDER TRANSFER

  • We may share your data with regulators and service providers.
  • Third parties must comply with the NDP Act 2023.
  • Cross-border transfers are protected with approved safeguards.
  • In compliance with Article 34 of the GAID 2025, all third-party processors engaged by the Company must enter into a binding Data Processing Agreement (DPA) that clearly defines:
      • Obligations regarding confidentiality, integrity, and availability
      • Boundaries of processing
      • Security measures
      • Audit and oversight mechanism
  • In accordance with Article 45 of the GAID 2025, the Company shall ensure that cross-border data transfers occur only under:
      • NDPC adequacy decisions
      • Standard Contractual Clauses (SCCs)
      • Explicit consent where applicable
      • Appropriate safeguards ensuring continuity of fundamental rights

ARTICLE 13: TECHNICAL INFORMATION AND COOKIES

When you use our website or online services, we collect technical data (IP address, device type, browser details). Cookies may be used to enhance user experience. You can manage cookie settings via your browser.

ARTICLE 14: DATA BREACH NOTIFICATION

  • Notify the Nigeria Data Protection Commission (NDPC) within 72 hours of becoming aware of a breach.
  • Notify affected data subjects immediately if the breach poses high risk.
  • Document breach details, risks, and remedial actions as part of the CAR filing.

ARTICLE 15: CHILDREN’S PRIVACY

Our services are not targeted at children under 13 years. Where processing involves minors, we require verifiable parental or guardian consent in line with Section 31 of the NDP Act 2023.

ARTICLE 16: CONTACT INFORMATION

Data Controller: SKY CAPITAL ASSET MANAGEMENT LIMITED

Head Office: 10 ANIFOWOSE STREET, VICTORIA ISLAND, LAGOS

Email: info@skycapitallimited.com

Phone: +2347025002871

Data Protection Officer (DPO):

Email: dpo@skycapitallimited.com

In line with Articles 11–14 of the GAID 2025, the Company shall ensure that:

  • The DPO participates in all matters relating to personal data.
  • The DPO is supported with resources, independence, and training.
  • The DPO prepares and submits semi-annual internal data protection reports to management.
  • The DPO undergoes Annual Credential Assessment by the NDPC.

ARTICLE 17: ALTERATION OF PRIVACY POLICY

SKY CAPITAL ASSET MANAGEMENT LIMITED reserves the right to review and update this Privacy Policy in line with regulatory changes or operational requirements.

Notice of significant updates will be communicated via our website or direct communication.