PRIVACY POLICY
How Cre8Afrika collects, uses, protects, and manages your personal data across our fellowship, courses, and platform services.
Last Updated: 05 April 2026
Introduction & Scope
This Privacy Policy ("Policy") describes how Estyne International Limited ("Estyne," "we," "us," or "our"), a company incorporated under the laws of the Federal Republic of Nigeria, collects, uses, stores, shares, and protects your personal information when you access or use the Cre8Afrika platform (the "Platform"), including our website (cre8afrika.com), mobile applications, learning management system (LMS), fellowship programs, alumni ecosystem, talent hiring portal, and all related services (collectively, the "Services"). Cre8Afrika is the trading name and digital platform operated by Estyne International Limited.
This Policy applies to all Users of the Platform, including Applicants, Fellows (Students), Alumni, Investors, Partners submitting Hire Requests, and general visitors. By creating an account or using any part of the Services, you acknowledge that you have read, understood, and consent to the data practices described in this Policy.
We are committed to protecting your privacy and handling your data with transparency. This Policy should be read alongside our Terms of Service, which govern your use of the Platform.
We reserve the right to update this Policy at any time, with or without prior notice. While we may communicate material changes via email notification or an in-platform announcement, it is your responsibility to review this Policy periodically. The "Last Updated" date at the top of this page reflects the most recent revision. Your continued use of the Services after any changes constitutes acceptance of the updated Policy.
Information We Collect
We collect information you provide directly, information generated automatically through your use of the Platform, and information from third-party services.
2.1 Information You Provide Directly
• Account Registration: Full name, email address, and password. Upon registration, a unique identifier is generated for your account.
• Profile Information: Biography, avatar/profile photo (hosted via Cloudinary), experience level (beginner, junior, mid, senior), and social/professional links including GitHub URL, LinkedIn URL, Twitter/X URL, and personal website URL.
• Fellowship Applications: Motivation statement, hardware/IoT track interest, project assessment submissions (GitHub repository links, uploaded ZIP files), and interview scheduling preferences.
• Payment Information: When you make a payment, our payment processor Flutterwave collects your card details. We store only the card token, BIN (first 6 digits), last 4 digits, card brand (e.g., Visa, Mastercard), and issuing bank name. We never store your full card number or CVV.
• Hire Requests: Company name, work email, required tech stack, and hiring goals submitted by Partners through the Talent Hiring Portal.
• Job Applications: Resume/portfolio information, cover letter content, and professional details submitted when applying for positions on our Job Board.
• Communications: Emails, support tickets, and messages exchanged with our team.
2.2 Information Collected Automatically
• Usage Data: Pages visited, features accessed, time spent on the Platform, course progress, lesson completion timestamps, and learning pathway advancement.
• Device & Browser Information: IP address, browser type, operating system, device type, screen resolution, and language preferences.
• Authentication Data: Login timestamps, session duration, JWT token metadata (issuance and expiration dates), and two-factor authentication (2FA) activation status.
• Activity Logs: Platform actions recorded for security monitoring, including login attempts, profile updates, payment events, and administrative actions.
• Discord & Slack: Basic user identity when you join our community servers through OAuth-based verification (if applicable).
2.4 Accuracy of Information. You represent and warrant that all personal information you provide to us is accurate, complete, and current. You agree to notify us immediately of any changes to your information. Estyne International Limited is NOT responsible for any consequences arising from inaccurate, incomplete, or outdated information provided by you. If you provide personal data about a third party (e.g., a reference or team member), you represent and warrant that you have obtained all necessary consents from that individual to share their data with us.
2.5 Third-Party Data Disclaimer. We rely on information provided by third-party services (e.g., Flutterwave, Google, Discord). Estyne International Limited does not warrant and is not responsible for the accuracy, reliability, or timeliness of any data received from these third parties.
How We Use Your Information
We process your personal information for the following purposes:
3.1 Service Delivery & Account Management — Creating and maintaining your account with appropriate role-based access (Super Admin, Admin, Student, Applicant, Alumni, Investor). — Authenticating your identity using JWT-based tokens with configurable expiration periods. — Enabling and managing two-factor authentication (TOTP) for enhanced security. — Tracking your learning progress across courses, modules, and lessons. — Processing fellowship applications through our automated selection pipeline (Application → Assessment → Review → Interview → Offer → Launch).
3.2 Payment Processing — Processing application fees, tuition payments, and subscription charges. — Managing recurring billing cycles for subscription plans (Daily, Weekly, Monthly, Yearly). — Storing tokenised card details for auto-renewal functionality. — Issuing refunds when applicable. — Maintaining financial records for audit and compliance.
3.3 Fellowship & Alumni Operations — Managing cohort enrollment, weekly progression tracking, and elimination/graduation status. — Facilitating team formation during the Product Build phase. — Calculating activity-based points for Alumni Product revenue distribution. — Processing dividend withdrawals and managing equity records. — Generating and issuing verifiable digital certificates with unique certificate codes.
3.4 Talent Matching & Hiring — Processing Hire Requests from Partners and matching them with qualified Alumni. — Sharing relevant profile information (name, skills, experience, portfolio links) with hiring Partners, with your consent. — Managing job listings and applications through our Job Board.
3.5 Communications — Sending transactional emails: payment confirmations, application status updates, assessment notifications, interview scheduling, and security alerts. — Sending marketing communications about new courses, fellowship openings, and platform features (with opt-out available). — Delivering in-platform notifications for critical account events.
3.6 Platform Improvement & Analytics — Analysing usage patterns to improve course content, user experience, and platform performance. — Monitoring security events and preventing fraudulent activity. — Generating aggregated, anonymised statistics for internal reporting.
3.7 AI & Algorithm Optimization. We may use anonymised, de-identified, and aggregated data collected through the Platform to train, test, and improve our selection engine, automated scoring systems, matching algorithms, and other machine learning models. This processing is conducted in a manner that does not identify any individual User and is used solely to enhance the accuracy and efficiency of our Services.
Legal Basis for Processing
We process your personal data under the following legal bases, in accordance with applicable data protection laws including the Nigeria Data Protection Regulation (NDPR) and, where applicable, the EU General Data Protection Regulation (GDPR):
4.1 Contractual Necessity. Processing necessary to perform our obligations under the Terms of Service, including account management, service delivery, payment processing, and fellowship program administration.
4.2 Consent. Processing based on your explicit consent, such as marketing communications, sharing profile data with hiring Partners, and optional notification preferences. You may withdraw consent at any time through your profile settings or by contacting us.
4.3 Legitimate Interests. Processing necessary for our legitimate business interests, including platform security, fraud prevention, service improvement, analytics, and enforcing our Terms of Service. We balance these interests against your rights and freedoms.
4.4 Legal Obligation. Processing required to comply with applicable laws, regulations, tax requirements, financial reporting obligations, and legal proceedings.
4.5 Regulatory Oversight. Data protection compliance in Nigeria is overseen by the National Information Technology Development Agency (NITDA) under the Nigeria Data Protection Regulation (NDPR) and the Nigeria Data Protection Act (NDPA) 2023. If you believe your data protection rights have been violated, you may lodge a complaint with NITDA in addition to contacting us directly.
Data Sharing & Disclosure
We do not sell your personal data to third parties. We share your information only in the following circumstances:
5.1 Payment Processing. We share transaction data with Flutterwave to process payments, manage subscriptions, and handle recurring billing. Flutterwave acts as an independent data controller for payment information.
5.2 Talent Hiring Partners. When a Partner submits a Hire Request, we may share relevant Alumni profiles (name, skills, experience level, portfolio links, bio) to facilitate talent matching. Profile sharing occurs only with your prior consent or where you have opted into the talent pool.
5.3 Certificate Verification. Third parties may verify your certificates using the unique certificate code or QR code. Verification returns only your name, the pathway completed, the certificate code, and the issuance date.
5.4 Service Providers. We engage trusted service providers for:
• Cloud hosting and infrastructure management.
• Email delivery and notification services.
• File storage (Cloudinary for profile images, Google Cloud Storage for project files).
• Analytics and monitoring tools.
All service providers are contractually bound to process data only on our behalf and in accordance with this Policy.
5.5 Legal Requirements. We may disclose your information if required by law, court order, subpoena, or government regulation, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
5.6 Business Transfers. In the event of a merger, acquisition, or sale of assets, your personal data may be transferred as part of the transaction. We will notify you of any such transfer and the choices available to you.
5.7 Aggregated & Anonymised Data. We may share aggregated, de-identified data that cannot reasonably be used to identify you for industry research, marketing, or statistical purposes.
Data Security
We implement robust technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction.
6.1 Authentication & Access Control — Passwords are securely hashed using industry-standard algorithms before storage. We never store plain-text passwords. — Secure authentication tokens are used with configurable expiration periods. — Token revocation mechanisms are in place to immediately invalidate compromised sessions. — Optional time-based two-factor authentication (2FA) with securely stored recovery codes. — Role-based access control (RBAC) ensures users can only access data and features appropriate to their role.
6.2 Payment Security — Full card numbers and CVVs are never stored on our servers. — Card tokenisation is handled entirely by Flutterwave's PCI DSS-compliant infrastructure. — Only non-sensitive card metadata (token, BIN, last 4 digits, brand, issuer) is stored for subscription management.
6.3 Data Encryption — All data in transit is encrypted using TLS/SSL protocols. — Sensitive data at rest is encrypted using industry-standard encryption algorithms. — Authentication secrets are stored with appropriate encryption.
6.4 Monitoring & Incident Response — Activity logs track security-relevant events across the Platform. — We maintain incident response procedures for data breaches. — In the event of a breach affecting your personal data, we will notify you and relevant authorities within the timeframes required by applicable law.
6.5 Limitations & Assumption of Risk. While we strive to use commercially acceptable means to protect your personal data, no method of electronic storage or internet transmission is 100% secure. You acknowledge and agree that you use the Platform and transmit information to us at your own risk. Estyne International Limited shall NOT be liable for any unauthorised access, data breaches, or loss of information resulting from factors beyond our reasonable control, including but not limited to: (a) your failure to secure your account credentials; (b) vulnerabilities in third-party software or infrastructure; (c) zero-day exploits; or (d) acts of state-sponsored actors or sophisticated cyber-attacks.
6.6 User Security Responsibility. You are responsible for the security of your own devices, internet connection, and account credentials. Any breach of security originating from your device or caused by your negligence (e.g., sharing passwords, using public Wi-Fi without a VPN) is your sole responsibility. You agree to indemnify Estyne International Limited for any losses or damages we incur as a result of a security breach caused by your act or omission.
Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes outlined in this Policy, unless a longer retention period is required or permitted by law.
7.1 Active Accounts. Your data is retained for the duration of your active account. Profile information, learning progress, enrollment records, and notification preferences are maintained as long as your account exists.
7.2 Deleted Accounts. When you request account deletion, your account is deactivated and personal data is removed from public visibility. Certain records are retained as required:
• Financial records required for tax and audit compliance.
• Certificate records for ongoing third-party verification.
• Equity and revenue sharing records for Alumni Products.
• Activity logs for security and legal purposes.
After deactivation, your account is immediately inaccessible, all active sessions are invalidated, and your personal profile data is no longer displayed publicly.
7.3 Fellowship Applications. Application data, including assessment scores, project submissions, and interview records, is retained for the lifetime of the Platform to support alumni verification, cohort analytics, and dispute resolution.
7.4 Payment Records. Financial transaction records are retained for a minimum of seven (7) years to comply with applicable tax, accounting, and financial reporting regulations.
7.5 Activity Logs. Security and activity logs are retained for a minimum of twelve (12) months and may be retained longer if required for ongoing investigations or legal proceedings.
7.6 Marketing Data. If you opt out of marketing communications, your preference is recorded immediately. Your email may be retained on a suppression list to ensure we do not contact you again.
7.7 Data Destruction. Upon expiry of the applicable retention period and where no legal obligation requires further retention, personal data is permanently deleted or irreversibly anonymised using industry-standard data destruction methods. Financial records retained for regulatory compliance are destroyed after the mandatory retention period expires.
Your Rights & Choices
Depending on your jurisdiction, you may have the following rights regarding your personal data:
8.1 Right of Access. You have the right to request a copy of the personal data we hold about you. You can access much of this data directly through your dashboard and profile settings.
8.2 Right to Rectification. You may update or correct your personal information at any time through your profile settings, including your name, bio, avatar, experience level, and social links.
8.3 Right to Deletion. You may request deletion of your account by contacting support@cre8afrika.com. Please note that certain data is retained post-deletion as described in Section 7 (Data Retention) for legal, financial, and operational reasons.
8.4 Right to Restrict Processing. You may request that we limit the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to our processing.
8.5 Right to Data Portability. Where technically feasible, you may request a copy of your personal data in a structured, commonly used, machine-readable format.
8.6 Right to Object. You may object to the processing of your personal data for direct marketing purposes at any time. You can exercise this right through your notification preferences: — General email updates and promotions — New course alerts — Elite job alerts — Fellowship schedule and survival updates
8.7 Right to Withdraw Consent. Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
8.8 Exercising Your Rights. To exercise any of these rights, contact us at support@cre8afrika.com. We will respond to your request within thirty (30) days. We may require verification of your identity before processing certain requests.
8.9 Impact of Consent Withdrawal. If you withdraw consent or exercise your right to deletion, please note that:
• Active enrollments and course progress may become inaccessible.
• Fellowship participation may be affected if essential data processing is no longer permitted.
• Revenue sharing and dividend distributions may be suspended until necessary data is provided.
• We will continue to retain data where we have a legal obligation to do so, regardless of consent withdrawal.
Withdrawing consent does not affect the lawfulness of any processing carried out prior to withdrawal.
Cookies & Tracking Technologies
9.1 Cookies. The Platform uses cookies — small text files stored on your device — to maintain your session, remember your preferences, and improve your experience.
9.2 Types of Cookies We Use: — Essential Cookies: Required for authentication, session management, and core Platform functionality. These cannot be disabled without breaking the Service. — Preference Cookies: Store your settings, such as notification preferences and display options. — Analytics Cookies: Help us understand how you use the Platform, which pages you visit, and where we can improve. These cookies collect aggregated, anonymised data.
9.3 JWT Tokens. We use JSON Web Tokens (JWTs) stored in your browser for authentication. These tokens contain your session identifier and expiration date but do not contain sensitive personal information.
9.4 Managing Cookies. You can manage cookie preferences through your browser settings. Disabling essential cookies may prevent you from using certain features of the Platform.
9.5 Cookie Consent. Where required by applicable law (including NDPR and GDPR), we will obtain your consent before placing non-essential cookies on your device. You may update your cookie preferences at any time through your browser settings or the cookie consent mechanism provided on the Platform.
9.6 Do Not Track. We currently do not respond to "Do Not Track" (DNT) browser signals, as there is no industry-standard interpretation of DNT signals for web applications.
Children's Privacy
The Platform is not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18 years of age.
If we become aware that we have inadvertently collected personal data from a child under 18, we will take immediate steps to delete such information from our servers.
10.1 Guardian's Responsibility. Parents and legal guardians are solely responsible for monitoring and supervising their children's use of the internet and the Platform. Estyne International Limited disclaims all liability for any unauthorised use of the Platform by minors. If you believe your child has provided data to us, contact us at support@cre8afrika.com.
International Data Transfers
11.1 Primary Processing Location. Your personal data is primarily processed and stored on servers located in regions where our cloud infrastructure providers operate.
11.2 Cross-Border Transfers. As a platform serving users across Africa and globally, your data may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws than your jurisdiction.
11.3 Safeguards. When transferring data internationally, we implement appropriate safeguards, including: — Standard contractual clauses approved by relevant data protection authorities. — Ensuring that our service providers maintain adequate security certifications (e.g., SOC 2, ISO 27001, PCI DSS for payment processing). — Data processing agreements with all third-party processors.
11.4 NDPR Compliance. For Users in Nigeria, we comply with the Nigeria Data Protection Regulation (NDPR) and ensure that any international transfer of personal data is subject to adequate protections as required under the regulation.
11.5 Data Controller Sovereignty. Regardless of where your personal data is stored or processed, Estyne International Limited remains the primary Data Controller. We ensure that all processing, including transfers to international service providers, adheres to the protections provided under the Nigeria Data Protection Act (NDPA) 2023.
Third-Party Services
The Platform integrates with and relies on the following third-party services. Each has its own privacy policy governing its data practices:
12.1 Flutterwave (Payment Processing) — Purpose: Processing all financial transactions, card tokenisation, recurring billing. — Data Shared: Payment amounts, card details (processed by Flutterwave, not stored by us), transaction metadata. — Their Policy: https://flutterwave.com/privacy-policy
12.2 Google Cloud Platform / Cloud Storage — Purpose: File storage for project submissions and platform assets. — Data Stored: Fellowship project ZIP files, uploaded documents.
12.3 Cloudinary — Purpose: Image hosting and optimisation. — Data Stored: Profile avatars and platform media assets.
12.4 Discord — Purpose: Community engagement and networking for applicants. — Data Shared: Basic identity information for community server access. — Their Policy: https://discord.com/privacy
12.5 Slack — Purpose: Private alumni networking and the Founder's Lounge community for graduates. — Data Shared: Basic identity information for workspace access. — Their Policy: https://slack.com/privacy-policy
12.6 Google Meet — Purpose: Conducting Fellowship interviews. — Data Shared: Meeting links and scheduling metadata.
12.7 No Liability for Third Parties. Estyne International Limited has no control over, and assumes no responsibility for, the privacy policies, data practices, or content of any third-party services integrated with or linked from the Platform. Your use of these services is entirely at your own risk. We encourage you to review their policies before sharing any personal data with them. Estyne shall not be liable for any damages or losses arising from the acts or omissions of these third-party providers.
Alumni Product Data
13.1 Revenue & Equity Data. If you are an Alumni Product stakeholder, we collect and process additional data related to your participation, including: — Equity percentage and assigned role (Lead, Finance, Marketing, Developer, Member, Investor, Platform, Reinvestment). — Activity points and monthly contribution logs used to calculate dividend distribution. — Withdrawal requests, including amounts, source types (team dividend, investor dividend, platform dividend, product reinvestment), and banking/transfer details.
13.2 Financial Transparency. Revenue sharing calculations, equity distributions, and withdrawal approvals are tracked on the Platform for transparency and audit purposes. All stakeholders with access to a product's dashboard can view aggregate financial data.
13.3 Banking Information. Withdrawal banking details are stored securely and used solely for processing approved payouts. This information is not shared with other stakeholders or third parties except as necessary to execute the transfer.
13.4 Retention. Alumni Product financial data, including equity records and withdrawal history, is retained indefinitely to support ongoing revenue distribution, tax compliance, and dispute resolution.
Notification & Communication Preferences
We respect your communication preferences and provide granular controls over the notifications you receive.
14.1 Notification Categories. You can independently toggle the following notification types through your profile settings: — General Updates: Platform news, feature announcements, and promotional content. — New Courses: Alerts when new courses or learning pathways are published. — Job Alerts: Notifications about job opportunities from our hiring partners. — Fellowship Updates: Schedule changes, cohort announcements, and survival updates.
14.2 Transactional Communications. Certain communications are essential to the operation of your account and cannot be opted out of, including: — Payment confirmations and billing alerts. — Application status changes and assessment notifications. — Security alerts (password changes, 2FA events, suspicious login attempts). — Legal notices and Terms/Policy updates.
14.3 Email Unsubscribe. All marketing emails include an unsubscribe link. Unsubscribe requests are processed within 48 hours.
14.4 In-Platform Notifications. Dashboard notifications for critical events (payment confirmations, status changes, admin messages) are delivered regardless of email preferences, as they are integral to Platform functionality.
Data Breach Notification
15.1 Our Commitment. In the event of a data breach that results in unauthorised access to, disclosure of, or loss of your personal data, we will: — Investigate the breach promptly and take immediate steps to contain it. — Assess the risk to affected individuals. — Notify relevant data protection authorities within 72 hours of becoming aware of the breach, as required by applicable law. — Notify affected Users without undue delay if the breach is likely to result in a high risk to your rights and freedoms.
15.2 Notification Content. Breach notifications will include: — A description of the nature of the breach. — The categories and approximate number of individuals and data records affected. — The likely consequences of the breach. — The measures taken or proposed to address the breach and mitigate its effects.
15.3 Your Responsibility. If you become aware of any security vulnerability, unauthorised access, or suspicious activity on your account, you must notify us immediately at security@cre8afrika.com.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or business operations. Changes may be made with or without prior notice.
16.1 Notification of Changes. If we choose to notify you of material changes to this Policy, we may do so through one or more of the following methods:
• Email notification to the address associated with your account.
• A prominent notice on the Platform (e.g., a banner or in-platform notification).
• Updating the "Last Updated" date at the top of this page.
However, notification is not guaranteed, and it is your responsibility to review this Policy periodically.
16.2 Continued Use. Your continued use of the Platform after any changes to this Policy constitutes acceptance of the revised Policy. If you do not agree with the updated terms, you should discontinue use of the Platform and request account deletion.
Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us through the following channels:
General Privacy Inquiries Email: privacy@cre8afrika.com
Support & Account Requests Email: support@cre8afrika.com
Security Concerns Email: security@cre8afrika.com
Mailing Address Estyne International Limited (Trading as Cre8Afrika) Lagos, Nigeria
Data Protection Officer (DPO) Email: dpo@cre8afrika.com
In accordance with the Nigeria Data Protection Regulation (NDPR) and the Nigeria Data Protection Act (NDPA) 2023, Estyne International Limited has appointed a Data Protection Officer responsible for overseeing our data protection strategy and compliance. For any data protection concerns, you may contact the DPO directly at the email address above.
Website: https://cre8afrika.com
We aim to respond to all privacy-related inquiries within thirty (30) days. For complex requests, we may extend this period by an additional thirty (30) days, in which case we will inform you of the extension and the reasons for the delay.