VisiChek
Sign in
Back to legal documents

Privacy Policy

Privacy Policy

This Privacy Policy explains how VisiChek collects, uses, stores, and protects personal data when individuals interact with the VisiChek platform, when organisations deploy VisiChek within their facilities, and when administrators manage tenant environments.

Effective:May 27, 2026Published:May 26, 2026Updated:May 26, 2026Version:4

Effective date: 16 April 2026

Version: 1.0

This Privacy Policy explains how VisiChek collects, uses, stores, and protects personal data when individuals interact with the VisiChek platform, when organisations deploy VisiChek within their facilities, and when administrators manage tenant environments.

This policy is issued in compliance with applicable data protection laws including:

  • Nigeria Data Protection Act (2023)
  • Nigeria Data Protection Regulation (NDPR)
  • NDPC General Application and Implementation Directive (GAID)

Scope of this privacy policy

VisiChek operates as a visitor-management platform used by organisations to manage facility access and reception workflows. VisiChek processes personal data in two different roles:

As Data Processor: VisiChek processes visitor identity and visit-session records on behalf of organisations that deploy the platform within their premises.

As Data Controller: VisiChek independently processes certain platform-administration data such as administrator accounts, billing records, service analytics, and security logs.

Where visitor data is collected during entry into a facility using VisiChek, the organisation you visited acts as the Data Controller for that information. Requests relating to visitor records should normally be directed to the organisation you visited.

Definitions

Organisation: An Organisation is any company, institution, government body, or facility operator that deploys VisiChek within its premises. Organisations act as Data Controllers for visitor-session data.

Visitor: A Visitor is any individual whose information is recorded during entry into a facility using VisiChek-enabled reception workflows. Visitors are Data Subjects under applicable data protection law.

VisiChek: VisiChek is the visitor-management platform that processes visitor-session data on behalf of Organisations and administers tenant environments supporting access-control workflows.

Tenant environment: A Tenant Environment is the logically isolated workspace assigned to each Organisation within the VisiChek platform. Visitor-session data is segregated between tenant environments and is not shared across organisations.

Categories of personal data we process

Depending on deployment configuration, VisiChek may process:

Visitor identity information

  • Visitor name
  • Visitor email
  • Visitor phone number
  • Organisation affiliation
  • Host reference
  • Purpose of visit
  • Check-in time
  • Check-out time

VisiChek does not store copies of scanned identification documents.

Platform administration data

VisiChek processes limited administrator information, including:

  • Administrator names
  • Administrator email addresses
  • Login activity records
  • Platform audit logs
  • Security-monitoring records

Sources of personal data

VisiChek may collect personal data from:

  • Visitor self-check-in interfaces at reception
  • Receptionist-assisted registration workflows
  • Identification-document scanning interfaces
  • Organisation administrator onboarding workflows
  • Customer support communications
  • Platform security and access-control logs

Cookies and website analytics

VisiChek’s website and administrative dashboard may use essential cookies and limited analytics technologies to support platform functionality, session security, and service improvement. These technologies may include:

  • Session authentication cookies
  • Security monitoring cookies
  • Usage analytics supporting service performance improvements

VisiChek does not use cookies for behavioural advertising or cross-site tracking. Where non-essential cookies are introduced in future, users will be notified through an appropriate cookie notice or consent mechanism.

How visitor data is collected

Visitor information may be entered:

  • Directly by visitors through supervised self-check-in workflows
  • Through automated identification-document scanning with structured data extraction
  • By reception personnel during manual registration at facility reception desks

Processing occurs only within reception-level access-control workflows operated by deploying organisations.

Purposes of processing

VisiChek processes personal data to support:

  • Facility access control
  • Reception identity verification
  • Visitor-session tracking
  • Badge generation
  • Compliance recordkeeping within controlled premises
  • Platform security monitoring
  • Service administration

Lawful basis for processing

Visitor-session processing is typically carried out under:

Legitimate interest: Facility security and reception access-control operations.

Organisations deploying VisiChek determine the lawful basis applicable within their facilities. VisiChek processes platform-administration data under:

  • Legitimate interest
  • Contractual necessity
  • Legal obligations where applicable

When VisiChek acts as a data processor

VisiChek processes visitor identity and visit-session data on behalf of organisations for:

  • Reception check-in workflows
  • Administrator login credentials
  • Billing records
  • Platform analytics
  • Audit logs
  • Infrastructure security records

Data sharing and subprocessors

VisiChek does not sell personal data. VisiChek may use trusted infrastructure providers supporting secure hosting, storage services, messaging infrastructure, authentication services, and identity verification. The following infrastructure providers are used in VisiChek:

  • Cloudflare Turnstile: Bot protection on self-onboarding
  • Dojah: KYC/ Identity Verification
  • Cloudflare R2: Blog/ Media image storage
  • Paystack: Payment processing
  • Redis: Cache, rate limiting, celery broker
  • MongoDB (Atlas/ self-hosted): Primary database

These providers act as authorised subprocessors under contractual confidentiality and security obligations.

Cross-border data transfers

VisiChek stores visitor-session and platform-administration data using secure cloud infrastructure located in Paris, France. These transfers are necessary to provide the service and are protected using appropriate technical and organisational safeguards consistent with applicable data-protection requirements.

France operates within the GDPR regulatory framework and provides enforceable protections for personal data supported by:

  • Independent supervisory oversight
  • Judicial remedies
  • Internationally recognised human-rights protections

Data retention

Visitor-session retention periods are determined by deploying organisations acting as Data Controllers. VisiChek provides configurable retention controls enabling organisations to define retention timelines appropriate to their operational policies.

Platform administration data retention

VisiChek retains platform-administration data only for as long as necessary to support service delivery, platform security, regulatory compliance, and contractual obligations.

Typical retention periods include:

  • Administrator account records: retained for the duration of the customer relationship and up to 24 months after account closure
  • Security and audit logs: retained for 12 to 24 months to support incident investigation and platform integrity monitoring
  • Support communications: retained for up to 24 months
  • Billing and financial records: retained for up to 7 years in accordance with applicable accounting and tax obligations

Retention periods may be extended where required by law, regulatory request, dispute resolution needs, or security investigations.

Security safeguards

VisiChek implements appropriate technical and organisational safeguards including:

  • Encryption in transit
  • Encryption at rest
  • Role-based administrator permissions
  • Tenant-level logical isolation between organisations
  • Audit logging supporting accountability
  • Breach-response procedures aligned with applicable data-protection requirements

Data breach response and notification

VisiChek maintains documented incident-response procedures designed to detect, investigate, contain, and remediate personal-data security incidents affecting systems supporting the platform.

Where VisiChek becomes aware of a personal-data breach affecting personal data under its control, notification will be made to the Nigeria Data Protection Commission within 72 hours of becoming aware of the breach in accordance with applicable legal requirements.

Where VisiChek processes visitor-session data on behalf of organisations acting as Data Controllers, VisiChek will notify the affected organisation without undue delay after becoming aware of a breach so that the organisation can fulfil its regulatory notification and data-subject communication obligations where required.

Where appropriate, VisiChek will cooperate with deploying organisations in investigating incidents, implementing containment measures, and supporting remediation actions.

Data subject rights

Under applicable data-protection law, individuals may have the right to:

  • Access personal data
  • Request correction
  • Request deletion
  • Restrict processing
  • Object to processing
  • Request portability where applicable

Requests relating to visitor-session data should normally be directed to the organisation where the visit occurred. VisiChek supports organisations in responding to such requests where required.

Children and vulnerable persons

VisiChek is designed for reception-level visitor identity verification within organisational environments and is not intended for use in contexts involving routine processing of children’s personal data.

VisiChek does not knowingly collect or process personal data relating to persons under 18 years of age as part of its standard deployment model.

Where organisations deploy VisiChek in environments where visitors may include minors or vulnerable persons, responsibility for ensuring lawful processing remains with the deploying organisation acting as Data Controller. Organisations are expected to configure deployment policies appropriate to their regulatory environment before enabling such use.

Complaints

If you believe your personal data has been processed unlawfully, you may contact:

Nigeria Data Protection Commission

https://ndpc.gov.ng

Contact details

VisiChek maintains internal responsibility for data protection compliance and oversight of personal data processing activities.

At the time of publication of this policy, VisiChek does not meet the statutory threshold requiring designation of a formal Data Protection Officer under the Nigeria Data Protection Act. However, data protection responsibilities are actively managed by a designated data protection contact responsible for compliance monitoring, incident response coordination, and data-subject request handling.

Data protection contact

Abah Emmanuel Adakole
abah@visichek.app
VisiChek Systems Limited,
OAU Quarters, Maitama, Abuja, Nigeria.

As VisiChek scales its operations or onboarding scope, a formal Data Protection Officer designation may be implemented where required by law.

Updates to this policy

This Privacy Policy may be updated periodically to reflect:

  • Regulatory changes
  • Platform improvements
  • Deployment configuration updates
  • Security enhancements

The latest version will always be available at www.visichek.app

Back to legal documents