PRIVACY POLICY

LeevaInvoicing — Privacy Policy

Last updated: October 21, 2025

1. Introduction

Leeva Invoicing (operated by [Leverage Multimedia and Networks Ltd], “we”, “us”, “our”) respects your privacy and is committed to protecting personal data in line with applicable law, including the Nigeria Data Protection Act and related regulations and the EU General Data Protection Regulation (GDPR). This policy explains what personal data we collect, why we collect it, how we use it, who we share it with, your rights, and how to contact us.

2. Data controller

The data controller responsible for personal data processed via LeevaInvoicing is:
[Leverage Multimedia and Networks Ltd]
Address: [No. 14 Ebele Okeke Crescent, Wuye Abuja-Nigeria]
Email: [privacy@LeevaInvoicing.com]

3. Scope & who this applies to

This policy applies to personal data we process about:

• Users, customers, and visitors of LeevaInvoicing.com (including business contacts and representatives), and
• EU/EEA data subjects whose personal data we process (GDPR applies), and
• Nigerian data subjects (NDPA/NDPR apply).

4. Personal data we collect

Depending on how you use our services, we may collect:

• Identity & contact data: name, company, job title, email, phone, postal address.
• Account & billing data: username, password hash, billing address, payment card metadata (we do not store full card numbers unless using a PCI-compliant provider).
• Transaction & invoice data: invoice details, payment history, product/service descriptions, tax IDs.
• Usage & technical data: IP address, browser, device identifiers, cookies, log data, crash reports, timestamps.
• Support & communications: correspondence, support tickets, recordings of consent where applicable.
• Sensitive data: only processed if you explicitly supply it and only where lawful and necessary (e.g., for payroll/invoice items that require special categories); we will obtain explicit consent where required.

5. Legal bases for processing (GDPR)

For EU/EEA personal data we rely on one or more lawful bases under Article 6 GDPR:

• Contract: processing necessary to perform or manage your contract with us (e.g., create invoices, process payments).
• Legal obligation: processing to comply with laws (tax, anti-money laundering, statutory record-keeping).
• Legitimate interests: where our legitimate business interests (security, fraud prevention, product improvement, direct marketing to business contacts) do not override your rights. We conduct a Legitimate Interests Assessment where applicable.
• Consent: when you explicitly consent (e.g., marketing emails where consent is required).

For Nigerian data subjects we comply with the Nigeria Data Protection Act and related NITDA guidance (NDPR) and will rely on equivalent lawful bases (consent, contract, legal obligation, legitimate interest) as required.

6. Purposes of processing & categories mapped to legal bases

• Providing the service & account management — identity, contact, billing, transaction data. (Contract)
• Payments & fraud prevention — transaction and device data. (Contract, Legitimate interest)
• Customer support — support history and communications. (Contract/ Legitimate interest)
• Marketing & newsletters — contact data (Email). (Consent or Legitimate interest where lawful)
• Analytics & product improvement — usage and technical data. (Legitimate interest, anonymized where possible)
• Legal compliance & tax — billing, transaction records. (Legal obligation)

7. Sharing & recipients

We may share personal data with:

• Service providers (payment processors, hosting providers, analytics, email delivery, support platforms) under written contracts (processors).
• Professional advisors (lawyers, accountants) where necessary.
• Regulators or law enforcement where required by law or to protect rights.
• Affiliates or successors in case of business sale or reorganization (with appropriate safeguards).

We require processors to implement appropriate technical and organizational measures and only act on our instructions.

8. International transfers

If we transfer personal data outside Nigeria or the EEA (for example to cloud providers or payment processors), we will ensure appropriate safeguards are in place:

• Transfers from the EEA: rely on an adequacy decision, standard contractual clauses (SCCs), or another GDPR-approved safeguard.
• Transfers from Nigeria: we will comply with Nigerian law and apply appropriate contractual and technical safeguards.
  We will not export data to jurisdictions without adequate protections unless safeguards are adopted and data subjects are informed.

9. Data retention

We retain personal data only as long as necessary for the purpose collected, to comply with legal obligations (e.g., tax records), to resolve disputes, and for legitimate business purposes. Typical retention ranges:

• Account & transaction records: [7 years] (or as required by tax law).
• Marketing consent: until withdrawn + proof of consent retention.
• Support records: [2 years] (adjust to needs).
  Adjust these periods to match local legal requirements and business needs.

10. Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, accidental loss, alteration or disclosure. Measures include encryption at rest and in transit, access controls, logging, intrusion detection, regular security assessments, and staff training. However, no system is 100% secure; we will inform affected data subjects and authorities of breaches when required by law.

11. Cookies & similar technologies

We use cookies and similar technologies to operate the site, analyze usage, and provide features. Where required by law, we obtain consent for non-essential cookies. You can manage cookie preferences in your browser or via our cookie banner.

12. Children

Our services are not directed at children under [16 — adjust as required by local law]; we do not knowingly collect personal data from children. If we become aware we have collected data from a child without consent we will take steps to delete it.

13. Your rights

If you are an EU/EEA data subject, you have under the GDPR:

• Right of access to your personal data;
• Right to rectification of inaccurate data;
• Right to erasure (“right to be forgotten”) where applicable;
• Right to restriction of processing;
• Right to object to processing (including profiling and direct marketing);
• Right to data portability for data provided in a structured, machine-readable format;
• Right to withdraw consent at any time where processing is based on consent;
• Right to lodge a complaint with a supervisory authority.

If you are a Nigerian data subject, under the Nigeria Data Protection Act and NDPR you similarly have:

• rights of access, correction, deletion, objection, and to complain to the Nigeria Data Protection Commission (NDPC).

14. How to exercise your rights

To exercise rights, contact our DPO at dpo@LeevaInvoicing.com or privacy@LeevaInvoicing.com. We will respond within applicable legal timeframes and may require identity verification. If unsatisfied, EU/EEA individuals may lodge a complaint with their local supervisory authority; Nigerian data subjects may contact the Nigeria Data Protection Commission.

15. Complaints & supervisory authorities

• For GDPR matters, EU/EEA data subjects may contact their local supervisory authority (links and guidance available on the European Data Protection Board site).
• For Nigeria, complaints can be directed to the Nigeria Data Protection Commission (NDPC) established under the Nigeria Data Protection Act, and NITDA’s NDPR guidance remains relevant for compliance practices.

16. Changes to this policy

We may update this policy. We will publish the revised policy on LeevaInvoicing.com with the updated “Last updated” date. Where changes are material, we will notify you by email or via our website.

17. Contact

Data controller: [Leverage Multimedia and Networks Ltd]
Email: privacy@LeevaInvoicing.com
Address: [No. 14 Ebele Okeke Crescent, Wuye Abuja-Nigeria]