PRIVACY POLICY

Key Objectives of this Policy

This Policy aims to:

• Explain the nature of data processed by Dojah through Profiled Risk;
• Clarify the respective data-protection responsibilities of Dojah and its Clients;
• Describe how data are collected, used, stored, transferred, and secured;
• Ensure transparency in Dojah’s processing operations; and
• Protect the rights, privacy, and security of all individuals whose data may be processed by the Platform.

Scope of Application

This Policy covers:

• All personal and sensitive personal data processed through Profiled Risk;
• All activities carried out by Dojah Technologies Limited and its authorised vendors or sub-processors in connection with the Platform; and
• All Clients and authorised users accessing or integrating Profiled Risk through APIs, web dashboards, or other approved interfaces.

This Policy does not apply to:

• Any personal data collected directly by Clients outside the Platform; or
• Processing activities conducted by Clients in their own systems, which are governed by their respective privacy policies and data-protection frameworks.

Applicable Data Protection Laws

means all laws and regulations relating to the protection of personal data and privacy applicable to the processing of personal data under this Policy, including without limitation the Nigeria Data Protection Act 2023, the Nigeria Data Protection Regulation 2019 (NDPR), and, where relevant, the EU General Data Protection Regulation (GDPR).

Client

means any company, organisation, or entity that subscribes to, integrates with, or otherwise uses the Profiled Risk Platform for its internal business, compliance, or fraud-prevention purposes. Each Client determines the categories of personal data supplied to the Platform and the purposes for which such data are processed.

Authorized User

means any employee, agent, contractor, or representative of a Client who is permitted by the Client to access or use the Platform on the Client’s behalf.

Profiled Risk or Platform

refers to the proprietary risk-analytics and fraud-prevention solution developed and operated by Dojah Technologies Limited, which aggregates data from multiple sources to generate a unified risk profile and score.

Controller

means the natural or legal person, public authority, agency, or other body which determines the purposes and means of processing personal data. For all processing conducted through the Platform, the Client acts as the Controller.

Processor

means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Controller. Dojah Technologies Limited acts as the Processor in relation to all data processed through the Platform.

Sub-Processor

means any third party engaged by Dojah to process personal data on its behalf in connection with the provision or operation of the Platform.

Personal Data

means any information relating to an identified or identifiable natural person (“Data Subject”), including but not limited to name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.

Sensitive Personal Data

means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic or biometric data, health data, sexual orientation, or any other information classified as sensitive under Applicable Data Protection Laws.

Processing

means any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.

Data Subject

means the identified or identifiable natural person to whom the personal data relate. In the context of Profiled Risk, Data Subjects are typically the end-customers or individuals whose information is provided by the Client for risk analysis and fraud-prevention purposes.

DPA or Data Processing Agreement

means any written agreement executed between Dojah and a Client governing the processing of personal data and incorporating the obligations required by Applicable Data Protection Laws.

Breach or Personal Data Breach

means a confirmed or reasonably suspected security incident that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data processed through the Platform.

DPO or Data Protection Officer

means the person designated by Dojah Technologies Limited to oversee compliance with Applicable Data Protection Laws and to act as the primary contact for privacy-related matters. Dojah’s DPO can be reached at [email protected]

Dojah as Data Processor

Dojah acts as a Data Processor in relation to all personal data processed through the Profiled Risk Platform. Dojah processes personal data solely on the documented instructions of the Client, except where required to do otherwise by Applicable Data Protection Laws. In such cases, Dojah shall inform the Client of that legal requirement before processing, unless the law prohibits such notification.

Dojah shall:

• Process personal data only for the purposes and to the extent necessary to deliver the services available through Profiled Risk;
• Implement appropriate technical and organisational measures to protect the security and confidentiality of personal data; and
• Ensure that all persons authorised to process personal data on its behalf are bound by confidentiality obligations.

Client as Data Controller

Each Client acts as the Data Controller for all personal data submitted, transmitted, or otherwise made available to the Platform. The Client determines the categories of data shared, the risk-scoring rules applied, and the lawful basis for processing.

The Client is solely responsible for:

• Determining and documenting a lawful basis for collecting and processing the personal data it provides to Dojah (such as consent, contractual necessity, legitimate interest, or legal obligation);
• Obtaining all required consents and authorizations from Data Subjects and third-party data providers before submitting any personal data to the Platform;
• Providing clear and accessible privacy notices to Data Subjects describing how their data will be used, including disclosure of Dojah’s role as a data-processing partner;
• Ensuring the accuracy, quality, and legality of the personal data supplied to Dojah; and
• Complying with all applicable privacy, data-protection, and financial-crime-prevention laws in connection with its use of the Platform.

Lawful Basis and Consent

The Client acknowledges and agrees that Dojah does not determine the lawful basis for processing and does not obtain consent directly from Data Subjects. The Client represents and warrants that all such lawful bases and consents have been properly obtained prior to transmitting any data to the Platform.

Dojah shall not be responsible or liable for any unauthorised, unlawful, or inaccurate collection, disclosure, or processing of personal data by the Client or its third-party data sources.

Independent Processing by Dojah

Dojah may, acting as an independent Data Controller, process limited personal data (such as administrative logs, service-usage data, or contact details of Client representatives) for purposes of account management, billing, audit, compliance monitoring, or improvement of its services. Such processing shall be carried out in accordance with this Policy and Applicable Data Protection Laws.

Indemnity

The Client shall indemnify, defend, and hold harmless Dojah Technologies Limited, its directors, officers, employees, and agents from and against any claims, losses, fines, damages, liabilities, costs, or expenses (including reasonable legal fees) arising from or relating to:

• The Client’s failure to obtain a lawful basis or valid consent for processing;
• The Client’s breach of Applicable Data Protection Laws;
• Any inaccuracy, unauthorised disclosure, or unlawful transmission of personal data supplied by the Client; or
• The Client’s misuse or misconfiguration of the Platform.

This indemnity is without prejudice to any other rights or remedies available to Dojah under law or contract.

Client as Data Controller

The Client acknowledges and agrees that, in connection with all personal data transmitted to the Profiled Risk Platform:

• The Client acts as the Data Controller, determining the purposes and means of processing.
• The Client is solely responsible for establishing, documenting, and maintaining a lawful basis for processing all personal data, in accordance with Applicable Data Protection Laws. Such lawful bases may include:
  • Consent obtained from Data Subjects;
  • Performance of a contract with the Data Subject;
  • Legal obligations imposed by law; or
  • Legitimate interests pursued by the Client, provided such interests do not override the fundamental rights and freedoms of Data Subjects.

Consent and Authorizations

The Client shall:

• Obtain all necessary consents, authorizations, and permissions from Data Subjects and any third-party data providers prior to transmitting personal data to the Platform.
• Maintain records of consents and authorizations in a manner consistent with Applicable Data Protection Laws.
• Ensure that Data Subjects are fully informed that their personal data may be processed by Dojah as a Data Processor for the purposes described in Section 5.

Transparency and Privacy Notices

The Client must:

• Provide clear, accessible, and legally-compliant privacy notices to all Data Subjects, explicitly disclosing:
  • That the Client uses a third-party processor (Dojah Technologies Limited) for fraud detection, risk scoring, and compliance purposes;
  • The types of personal and sensitive personal data collected;
  • The purposes of processing;
  • The rights of Data Subjects and the means to exercise them (e.g., access, correction, deletion); and
  • Contact information for the Client and Dojah’s Data Protection Officer.

Accuracy, Completeness, and Compliance

The Client is solely responsible for ensuring that:

• All personal data provided to the Platform is accurate, complete, and up-to-date;
• Processing of the personal data complies with all applicable privacy, data-protection, and financial-crime-prevention laws; and
• The design, testing, and configuration of any risk-scoring rules or “Flows” do not create unlawful bias, discrimination, or other unlawful outcomes.

Limitations on Dojah Liability

Dojah acts strictly as a Data Processor and:

• Does not determine the lawful basis for processing, collect consent directly from Data Subjects, or verify compliance with Applicable Data Protection Laws.
• Is not liable for any unlawful, inaccurate, or unauthorized data provided by the Client or third-party sources.
• Will process personal data only according to documented Client instructions and as necessary to deliver the Platform’s services.

Assistance in Compliance

Dojah will, upon reasonable request, assist Clients in meeting their obligations under Applicable Data Protection Laws, including responding to Data Subject requests, reporting breaches, and providing information about processing activities. Such assistance shall be provided in accordance with the Client’s instructions and may be subject to additional fees if extensive work is required.

Such assistance shall be provided in accordance with the Client’s instructions and may be subject to additional fees if extensive work is required.

Data Ingestion

Dojah receives personal and sensitive personal data exclusively from Clients, who act as Data Controllers. Data may be submitted through the following methods:

• API Integration: Clients transmit event data (e.g., transactions, signups, account activity) to the Profiled Risk Platform in a structured format such as JSON.
• Dashboard Uploads: Clients may upload datasets directly via the secure web dashboard for aggregation and risk analysis.
• Third-Party Data Injection: Clients may provide data originating from other services they use (e.g., CRM, payment platforms, or AML providers).

Note: Dojah does not collect personal data directly from end-users. All processing is performed strictly on Client-provided data.

Profile Aggregation

Upon ingestion, the Platform:

• Creates a centralized Profile for each unique individual.
• Aggregates all submitted and injected data, combining information from multiple sources to provide a 360-degree view of the individual’s risk profile.
• Associates each Profile with historical events, transactions, and metadata for risk scoring, monitoring, and compliance purposes.

Risk Evaluation and Scoring

The Platform processes data to generate a dynamic risk score according to Client-defined rules (“Flows”). This includes:

• Evaluating transactional behavior, device and location data, KYC information, and any AML flags.
• Assigning a Risk Level (e.g., Low, Medium, High) based on aggregated criteria.
• Generating notifications and cases for further manual review where rules are triggered.

Outputs to Clients

Clients receive the results of risk evaluation via:

• API Webhook Responses: Including the risk score, decision (Allow, Pending, Block), behavioral analysis, and the original event data submitted.
• Dashboard Visualization: Including risk scores, detailed case information, behavioral insights, and historical trends.

Note: The output may contain personal data as necessary to provide accurate risk evaluation and transparency for client decision-making.

Data Storage and Access

• All aggregated profiles and event data are stored within Dojah-controlled systems to support the functioning of the Platform.
• Clients have access only to their own data through the API and dashboard.
• Access by Dojah personnel is strictly controlled and limited to authorized roles necessary for service delivery, maintenance, or legal compliance.

Real-Time and Historical Processing

• Data is processed in real time to enable immediate risk scoring and decisioning.
• Historical data is retained to support ongoing monitoring, trend analysis, case management, and compliance reporting.
• Clients may request deletion of their data in accordance with Section 8 (Data Storage, Retention, and Deletion).

Technical and Organizational Safeguards

• Data is encrypted in transit and at rest.
• Access is controlled using MFA and role-based permissions.
• System logs track all processing activities for audit and compliance purposes.

Data Storage Locations

• All personal and sensitive personal data processed through the Profiled Risk Platform is stored in secure Dojah-controlled environments, hosted on Amazon Web Services (AWS) in U.S. regions (East US, West US 2).
• Data is encrypted at rest and in transit using industry-standard protocols.
• Access is limited to authorized Dojah personnel based on roles and responsibilities, with multi-factor authentication (MFA) and logging of all access events.

Retention Period

• By default, all client-submitted personal data is retained for a period of six (6) months from the date of ingestion.

This retention period allows the Platform to:

• Maintain centralized Profiles and historical event data;
• Support risk scoring, case management, and reporting;
• Comply with audit, regulatory, and security obligations.
• Clients may request deletion of their accounts and associated data at any time. Upon such request, Dojah will delete the data in accordance with Client instructions and Applicable Data Protection Laws.

Data Minimization and Masking

• Personal data is stored in its original form to ensureaccurate risk scoring and profile aggregation.
• The Platform does not automatically anonymise or mask personal identifiers prior to storage; any anonymisation or aggregation must be performed under Client instructions.

Deletion and Archiving

• Deletion on Client Request: Clients can request the deletion of their data via the dashboard or by contacting Dojah support. Deletion requests are processed promptly, subject to operational and legal constraints.
• Archival for Compliance: Certain metadata or system logs may be retained for audit, compliance, or legal purposes, even after deletion of primary client data.
• Temporary Caching: Data may be temporarily cached for real-time processing and scoring but is included within the retention period and protected by the same security controls.

Client Responsibility

• Clients are responsible for determining whether additional retention, archival, or deletion obligations apply undersector-specific regulations or contractual requirements.
• Dojah will process such instructions only within the scope of its role as Data Processor.

Data Transfer Locations

• Personal and sensitive personal data processed through the Profiled Risk Platform may be transferred and stored outside Nigeria, specifically within AWS data centers located in the United States (East US, West US 2).
• Such transfers are necessary to ensure high availability, security, and performance of the Platform.

Safeguards and Security Measures

To protect data during cross-border transfers, Dojah implements the following safeguards:

• Encryption in Transit: All data transmitted between the Client and the Platform, and between AWS regions, is encrypted using industry-standard TLS protocols.
• Encryption at Rest: Data stored in AWS environments is encrypted using AES-256 or equivalent standards.
• Access Controls: Only authorized Dojah personnel with a legitimate business need may access cross-border data. MFA and role-based access permissions are enforced.
• Sub-Processor Contracts: Third-party vendors involved in data storage or processing are contractually required to maintain equivalent data protection standards.

Legal Compliance

• Cross-border transfers are conducted in accordance with Applicable Data Protection Laws, including the Nigeria Data Protection Act 2023, NDPR, and any other applicable international frameworks.
• Clients remain responsible for ensuring that cross-border transfers comply with any sector-specific or contractual obligations, and for obtaining any required consents or authorizations from Data Subjects.

Client Instructions and Risk Acknowledgement

• Clients instruct Dojah to process and store data in the Platform, including cross-border transfers.
• By using Profiled Risk, Clients acknowledge and accept that data may be transferred outside Nigeria and that Dojah implements all reasonable safeguards to protect the data.
• Dojah is not responsible for legal compliance regarding cross-border data transfers beyond implementing the safeguards described herein.

Engagement of Sub-Processors

• Dojah Technologies Limited may engage third-party vendors or sub-processors to assist with the provision, operation, and maintenance of the Profiled Risk Platform.
• Sub-processors may provide services such as:
• Hosting and infrastructure (e.g., AWS, cloud management)
• AML and watchlist verification services
• Artificial intelligence and machine learning integrations
• Monitoring, analytics, or system support services

Due Diligence and Selection

Dojah conducts reasonable due diligence on all prospective sub-processors to ensure that they:

• Implement appropriate technical and organizational measuresto protect personal data.
• Comply with Applicable Data Protection Laws.
• Maintain confidentiality and restrict access to authorized personnel only.

Contractual Safeguards

All sub-processors are contractually required to:

• Process personal data only on Dojah’s documented instructions.
• Maintain security measures equivalent to those implemented by Dojah.
• Notify Dojah promptly of any data breaches or security incidents.
• Ensure that any further sub-processing is only undertaken with Dojah’s prior written consent.

Client Notification

• Clients will be notified of any material changes or additions to the list of sub-processors that involve the processing of their data.
• A current list of sub-processors is maintained and available to Clients upon request via the compliance contact.

Liability and Responsibility

• Dojah remains responsible for the acts and omissions of its sub-processors to the same extent as for its own processing activities.
• Clients acknowledge that the engagement of sub-processors is necessary for the operation of the Platform and accept the safeguards implemented by Dojah.

Encryption and Data Protection

• All personal and sensitive personal data processed through the Profiled Risk Platform is encrypted both in transit and at rest using industry-standard protocols, including TLS for data in transit and AES-256 or equivalent for data at rest.
• Data stored in third-party systems (e.g., AWS) is protected by strong access controls, network segregation, and security monitoring.

Access Controls and Authentication

• Access to personal data is restricted to authorized personnel who require it for legitimate business purposes, maintenance, or legal obligations.
• Multi-factor authentication (MFA) and role-based access permissions are implemented for all personnel with access to personal data.
• Internal access logs are maintained to track who accessed data, when, and for what purpose.

Network and System Security

• Firewalls, intrusion detection systems, and secure network architecture protect the Platform from unauthorised access, attacks, or malware.
• Routine vulnerability assessments, penetration tests, and system monitoring are performed to detect and mitigate security risks.

Staff Training and Confidentiality

• All Dojah personnel with access to personal data receive regular training on data protection, privacy, and security policies.
• Staff are bound by confidentiality agreements and are aware of the legal and contractual obligations surrounding personal data.

Breach Detection and Response

Dojah maintains a comprehensive incident response plan to address potential security incidents or personal data breaches. Key steps include:

• Detection and Monitoring: Continuous monitoring of systems and logs to identify potential security events.
• Containment: Immediate isolation of affected systems or data to prevent further exposure.
• Investigation: Conducting a root-cause analysis to understand the nature and scope of the incident.
• Notification: Informing affected Clientspromptly and in accordance with contractual and legal obligations.
• Remediation: Implementing corrective actions to prevent recurrence and mitigate risks.

Ongoing Security Improvements

• Dojah continuously evaluates and updates technical and organizational security measures to align with best practices and evolving threats.
• Security controls are reviewed regularly to ensure they remain effective, appropriate, and sufficient for protecting Client data.

Client Responsibility for Data Subject Rights

As the Data Controller, each Client is solely responsible for fulfilling the rights of Data Subjects under Applicable Data Protection Laws, including:

• Access: Allowing Data Subjects to access their personal data.
• Correction / Rectification: Correcting inaccurate or incomplete data.
• Deletion / Erasure: Requesting deletion of personal data (“Right to be forgotten”).
• Objection / Restriction: Objecting to or requesting restriction of certain processing activities.
• Data Portability: Providing a copy of personal data in a structured, commonly used, and machine-readable format.

Dojah’s Role as Data Processor

Dojah, as a Data Processor, assists Clients in fulfilling Data Subject requests but does not have independent obligations to respond directly to Data Subjects.

Assistance may include:

• Providing access to stored data via dashboards or APIs.
• Deleting or exporting personal data upon documented Client instruction.
• Supplying relevant technical information about processing activities to support Client compliance.

Request Handling Procedures

• Clients should submit Data Subject requests to Dojah via the designated compliance contact or dashboard interfaces.
• Dojah will process requests promptly and within the timelines reasonably required under Applicable Data Protection Laws, unless prevented by legal or technical constraints.

Client Acknowledgment

By using the Platform, Clients acknowledge that they:

• Must ensure valid lawful basis and consent for processing.
• Retain responsibility for responding to Data Subject requests.
• Are responsible for accurately instructing Dojah on any actions related to Data Subject rights.

Limitations and Exceptions

• Dojah may refuse or delay action on a request if:
• It conflicts with Dojah’s legal obligations or contractual requirements.
• Immediate action could compromise the security or integrity of the Platform.
• Any refusal or limitation will be communicated to the Client promptly, with reasons for the decision.

Anonymisation of Personal Data

• Profiled Risk does not anonymise or pseudonymise personal data by default.
• All personal data processed through the Platform retains identifiers necessary for risk scoring, case management, and historical tracking.

Internal Use of Anonymised or Aggregated Data

• Dojah may use anonymised or aggregated data derived from multiple Clients for internal purposes such as:
• Platform analytics and performance monitoring
• Product improvement and feature development
• Trend analysis for fraud detection research
• Such data is stripped of identifiers and cannot be used to re-identify individual Data Subjects.

Client Data Separation

Even in aggregated datasets, Client data remains logically separated to ensure:

• No cross-Client exposure
• Strict adherence to B2B SaaS data isolation principles

Limitations

• Any aggregated or anonymised data used by Dojah is limited to internal operational purposes.
• Dojah does not share anonymised or aggregated datasets with third parties unless explicitly authorised by the Client.

Internal Compliance and Accountability

• Dojah maintains records of processing activities in accordance with Applicable Data Protection Laws.

These records include:

• Data types processed and processing purposes
• Categories of Data Subjects
• Retention periods
• Sub-processor engagements and contracts
• Dojah’s internal policies ensure consistent adherence to this Privacy Policy and Applicable Data Protection Laws.

Monitoring and Security Oversight

• Continuous monitoring is conducted to detect:
• Security incidents
• System misconfigurations
• Unauthorized access attempts
• Monitoring includes audit logs, access logs, and anomaly detection to ensure accountability and traceability.

Client Audit Requests

• Clients may request reasonable information about Dojah’s processing activities to verify compliance with contractual and legal obligations.

Such requests are subject to:

• Prior notice
• Reasonable scope and frequency limitations
• Protection of Dojah’s confidential and proprietary information
• Direct audits of Dojah systems by Clients are not permitted; compliance information will be provided via documentation, attestations, or reports.

Training and Awareness

• Dojah provides regular training to all personnel involved in personal data processing.
• Staff are made aware of:
• Their roles and responsibilities under Applicable Data Protection Laws
• Platform-specific privacy and security policies
• Incident reporting and escalation procedures

Accountability Reporting

• Dojah maintains internal audit trails and version histories for processing activities, sub-processor use, and changes to security controls.
• This ensures:
• Traceability of all actions impacting personal data
• Transparency for internal and regulatory compliance reviews

Limitation of Liability

• To the maximum extent permitted by law, Dojah Technologies Limited’s liability for any claims, losses, or damages arising out of or related to the use of the Profiled Risk Platform is limited to the fees paid by the Client for the Platform during the twelve (12) months preceding the claim.
• Dojah shall not be liable for:
• Indirect, incidental, special, punitive, or consequential damages, including loss of profits, revenue, or business opportunities;
• Any loss or damage arising from the Client’s failure to obtain lawful consent or comply with Applicable Data Protection Laws;
• Outcomes arising from Client-configured risk rules or misinterpretation of scores; or
• Any third-party claims, fines, or regulatory penalties incurred by the Client.

Indemnity by Client

The Client agrees to indemnify, defend, and hold harmless Dojah, its officers, directors, employees, and agents from and against any claims, losses, damages, fines, penalties, liabilities, costs, or expenses (including reasonable legal fees) arising from or related to:

• The Client’s failure to obtain a lawful basis or valid consent for processing;
• Any breach of Applicable Data Protection Laws by the Client;
• The accuracy, completeness, or legality of the personal data provided by the Client; or
• Misuse, misconfiguration, or improper integration of the Platform by the Client.

Exceptions

The limitations and indemnities in this Section do not apply to fraud, willful misconduct or any other liabilities that cannot be limited or excluded under applicable law.

Risk Acknowledgment

• Clients acknowledge that, as a Data Controller, they bear primary responsibility for ensuring compliance with Applicable Data Protection Laws and for any consequences resulting from their own data collection, processing, or risk rules.
• Dojah’s Platform is provided “as is”, with its security and privacy safeguards as described in this Policy, and the Client accepts these terms when using Profiled Risk.

Policy Review and Updates

Dojah Technologies Limited may update this Privacy Policy from time to time to reflect:

• Changes in Applicable Data Protection Laws or regulations;
• Updates or enhancements to the Profiled Risk Platform;
• Improvements in security, operational, or processing practices; or
• Changes in Dojah’s sub-processors or data-handling procedures.

Notification of Changes

• Clients will be notified of material changes to this Policy through:
• Email communication to the primary contact registered with Dojah; and/or
• Notifications posted on the Profiled Risk Platform dashboard.
• Minor or technical updates may be reflected directly in the Policy without separate notice, provided they do not materially alter Client obligations or data-protection practices.

Client Acceptance of Updates

• Continued use of the Profiled Risk Platform after any update constitutes acceptance of the updated Policy.
• Clients are responsible for reviewing and complying with the updated Policy and for updating their internal procedures and privacy notices to reflect changes, as applicable.

Effective Date

This Policy is effective as of the date indicated at the top of the document and remains in effect until superseded by a later version.

Dojah Technologies Limited Contact Details

For any questions, concerns, or requests regarding this Privacy Policy or the processing of personal data through the Profiled Risk Platform, Clients may contact Dojah using the details below:

Company Name:

Dojah Technologies Limited

Email:

[email protected]

Website:

www.dojah.io

Data Protection Officer (DPO)

• Dojah’s DPO oversees compliance with Applicable Data Protection Laws and serves as the primary contact for privacy-related matters.
• Clients may reach the DPO directly via: [email protected]

Submitting Requests or Concerns

• Clients may use the contact details above to:
• Report suspected security incidents or breaches
• Request assistance in responding to Data Subject requests
• Seek clarifications on the Privacy Policy or data-processing practices
• Dojah will respond promptly and in accordance with contractual and legal obligations.