Overview
iQOverseas Solutions Limited ("we", "us", "our") operates the Eroidan CBT platform. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use eroidan.com and its subdomains.
We are committed to complying with the Nigeria Data Protection Regulation (NDPR) 2019 and the Nigeria Data Protection Act 2023. We act as the data controller for individual user accounts and as a data processor for student data uploaded by schools.
We do not sell your personal data to any third party. Ever.
Data We Collect
| User Type | Data Collected | Purpose |
|---|---|---|
| Individual Users | Full name, email address, hashed password, subscription plan, practice session history, scores | Account management, practice delivery, analytics |
| School Admins & Staff | Name, email address, hashed password, school details, staff role and permissions | School portal access, exam management |
| Students (School) | Student name, student number, date of birth, gender, class, exam sessions, scores | Student authentication, exam delivery, result management |
| All Users | IP address, browser/device type, usage logs | Security, fraud prevention, service improvement |
We do not collect NIN, BVN, financial account details, or biometric data. Payment card details are handled entirely by Paystack and are never stored on our servers.
How We Use Your Data
We use personal data for: service delivery and account management, identity verification and security, communication (exam results, account alerts, service updates), platform analytics and improvement, and legal and regulatory compliance.
We will not use your data for purposes incompatible with those listed above without your prior consent.
School & Student Data
Data isolation: Each school's data is stored in a completely isolated PostgreSQL database schema. No school can access another school's data.
Student authentication: Students log in using their student number and date of birth only — no password is required or stored for students. This design minimises the risk of credential exposure for young users.
Our role: We process school and student data strictly as a data processor on behalf of the school (the data controller). We do not use student data for advertising, profiling, or any purpose beyond delivering the school portal service.
SMS notifications: Schools on the Premium plan may send SMS result notifications to parents via Termii. Phone numbers used for SMS are provided by the school and are not used by us for any other purpose.
Student data is never used for advertising or profiling, never sold to or shared with any third party, and never shared with other schools or individual users on the platform.
Data Storage & Security
All platform data is stored on Railway.app's infrastructure. Our security measures include:
- All data in transit encrypted using TLS 1.2+
- Passwords hashed using Django's PBKDF2 algorithm — plain-text passwords are never stored
- Database schemas isolated per school — cross-schema access is technically prevented
- HTTPS enforced across all pages with automatic HTTP redirects
- HTTP Strict Transport Security (HSTS) with 1-year duration enabled
- Session and CSRF cookies marked Secure and HttpOnly
- Login rate limiting — 5 failed attempts trigger a 15-minute lockout
In the event of a data breach affecting your personal data, we will notify affected users in accordance with NDPR obligations.
Data Retention
- Active individual accounts: Retained for the lifetime of the account
- Inactive free individual accounts: Deleted after 24 months of inactivity, with 30 days' email notice
- Active school accounts: Retained for the duration of the subscription
- Cancelled school accounts: All school and student data deleted within 30 days of cancellation
- Payment records: Retained for 7 years in accordance with Nigerian financial regulations
- Server access logs: Retained for 90 days for security and debugging, then deleted
You may request early deletion of your personal data by contacting privacy@eroidan.com, subject to any legal obligations to retain certain records.
Your Rights Under the NDPR
Under the NDPR 2019 and Nigeria Data Protection Act 2023, you have the right to: access your data, request correction of inaccurate data, request deletion ("right to be forgotten"), restrict processing in certain circumstances, request data portability, object to processing, and withdraw consent at any time.
To exercise any of these rights, contact us at privacy@eroidan.com. We will respond within 30 days. If you believe your rights have been violated, you may lodge a complaint with the Nigeria Data Protection Commission (NDPC).
Children's Privacy
Eroidan's school platform is designed for students of all ages, including children under 13. Student accounts are created and managed exclusively by the school administrator — students do not self-register. Schools are responsible for obtaining any necessary parental consent before uploading a student's data.
The individual practice platform requires users to be at least 13 years of age. If we become aware that a child under 13 has self-registered without parental consent, we will delete that account promptly.
Parents or guardians with concerns about a child's data should contact privacy@eroidan.com.
Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the effective date at the top of this page. For material changes, we will notify school administrators by email and display a notice on the platform for individual users.
Your continued use of the platform after changes take effect constitutes your acceptance of the updated policy.
Contact Us
- Company: iQOverseas Solutions Limited
- RC Number: 8399982
- Address: Suite 216, Ebenezer Place, Area 1, Garki, Abuja, FCT, Nigeria
- Privacy enquiries: privacy@eroidan.com
- General support: support@eroidan.com
You also have the right to lodge a complaint directly with the Nigeria Data Protection Commission (NDPC) if you are unsatisfied with how we have handled your data.