Privacy Policy

Secure Hub Connect Limited (trading as Shub Connect) is committed to protecting the privacy and personal data of our users, employees, contractors and partners. This Privacy Policy explains how we collect, use, disclose and protect personal data when you interact with our websites, mobile applications, products and services. The policy reflects the requirements of the Nigeria Data Protection Act 2023 (NDPA) and the Nigerian Data Protection Regulation 2019 (NDPR), and it is designed to comply with other applicable data protection laws where we operate. We process personal data at a level consistent with our business: we provide digital platforms and recruitment services connecting employers and workers, manage internal HR functions, and support payment processing and communications. We do not sell personal data or engage in high‑risk automated profiling. Our processing is limited to what is necessary to provide our services and comply with legal obligations.

Secure Hub Connect Limited is a company incorporated in Nigeria with its registered office at No 21, Oyo Road, Opposite Ajibade Street, Coca-Cola, Sango, Ibadan, Oyo State, Nigeria. For the purposes of the NDPA/NDPR and any other applicable data protection laws, we are the data controller of the personal data collected through our platforms and services unless otherwise stated. If we process data on behalf of another organisation (for example, when acting as a recruiter for client companies), we act as a data processor under the controller’s instructions.

To assist you in understanding this policy, we use the following terms: • Personal Data: Any information relating to an identified or identifiable individual. Examples include names, contact details, identification numbers and employment records. • Sensitive Personal Data: Personal data revealing race or ethnic origin, religious beliefs, political opinions, trade union membership, genetic or biometric data, health information or information concerning a person’s sex life or orientation. • Data Subject: The individual to whom personal data relates. • Controller: The entity that determines the purposes and means of processing personal data. In most cases, Shub Connect is the controller. • Processor: An entity that processes personal data on behalf of a controller. • Processing: Any operation performed on personal data (such as collection, recording, organisation, storage, use, disclosure or erasure).

This policy applies to personal data that we collect through:

management and browsing activity.

payroll and benefits administration.

personal data. It does not apply to third‑party websites or services that may be linked from our platforms. We encourage you to review the privacy policies of those third parties before providing them with personal data.

We collect personal data in the following categories: Category Examples (short descriptions) Purpose of collection Lawful basis Contact information Name, email address, phone number, postal address. To create and manage user accounts, communicate with users and candidates, respond to enquiries. Consent; performance of a contract. Identity verification Government identification numbers, date of birth, photographs. To verify identity for recruitment and legal compliance (e.g., right‑to‑work checks). Legal obligation; legitimate interest. Employment information Employment history, job titles, qualifications, references, CVs. To assess suitability for roles, match workers with clients and maintain employment records. Consent; performance of a contract. Payment and payroll details Bank account numbers, tax identification numbers, salary information. To pay employees and contractors and administer benefits. Performance of a contract; legal obligation. Communications data Records of calls, emails, and messages with our support or recruitment teams. To provide customer service, maintain internal records and handle disputes. Legitimate interest; performance of a contract. We collect personal data directly from you when you register, fill out forms or provide information during recruitment or employment. We may also obtain data from third parties such as background check providers, previous employers, recruiters and regulatory agencies, but only where lawful and necessary.

We will only process personal data when we have a valid legal basis under the NDPA/NDPR. The main purposes for which we use personal data include:

information to connect workers and clients, match job seekers to roles, manage bookings, process payments and perform HR functions. We rely on the performance of a contract or legitimate interests to do this. Under the NDPA/NDPR, personal data may only be processed if there is a lawful basis such as consent, performance of a contract, legal obligation, legitimate interest or vital interest.

labour laws, tax laws, immigration requirements, health and safety regulations and industry‑specific rules. For example, we must retain certain payroll records for statutory periods.

detect and prevent fraudulent or illegal activities and maintain system integrity. This processing is based on our legitimate interests and legal obligations to ensure security.

service notifications and to respond to enquiries. We may also send marketing communications about our services if we have your consent or where permitted by law. You can opt out at any time.

websites and apps, understand user preferences and develop new features. Where possible, we anonymise or aggregate data to remove personal identifiers.

may use personal data to assess qualifications and suitability. We do not use fully automated decision‑making to make hiring or employment decisions without human involvement. Under the NDPA, individuals have the right not to be subject to decisions based solely on automated processing and to contest such decisions.

We may share personal data with the following categories of recipients: • Clients and employers. When you apply for or accept a job through our platform, we may share your personal data with the relevant client or employer. We will inform you before sharing additional data and will only disclose what is necessary to facilitate the role. • Service providers. We engage trusted third‑party providers to host our platforms, conduct background checks, process payments, provide IT support and perform other services. These providers may only process personal data on our instructions and must implement appropriate security measures. • Regulators and law enforcement. We may disclose personal data to government authorities or regulators where required to comply with legal obligations or to protect our rights, property or safety (e.g., to the Nigeria Data Protection Commission or labour authorities). • Corporate transactions. If we undergo a merger, acquisition or sale of assets, personal data may be transferred as part of that transaction. We will ensure appropriate confidentiality and security measures are in place. We do not sell personal data to third parties. We do not permit third‑party advertising networks to collect data about your interactions with our services for marketing purposes.

Shub Connect is headquartered in Nigeria but some of our service providers and group companies are located outside Nigeria. When we transfer personal data internationally, we ensure that protections equivalent to those required under the NDPA are implemented. The NDPA allows cross‑border transfers if the destination country offers adequate data protection, businesses implement contractual safeguards similar to standard contractual clauses or where the data subject gives explicit consent. Because Nigeria has not yet published an adequacy list, we rely on contractual safeguards and, where necessary, obtain explicit consent. We will inform you when your data is transferred abroad and explain the safeguards we use.

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including any legal, accounting or reporting requirements. Factors we consider include the nature of the data, the purpose of processing, our legal obligations and legitimate business needs. When personal data is no longer needed, we will securely delete or anonymise it. Where we anonymise or aggregate data so that it can no longer be associated with an individual, we may use such data without further notice.

As a data subject under the NDPA, you have the following rights:

collected and used.

be corrected.

no lawful basis to continue processing it.

personal data under certain circumstances.

another organisation in a structured, commonly used and machine‑readable format.

based on legitimate interests or direct marketing.

withdraw your consent at any time without affecting the lawfulness of prior processing.

be subject to decisions based solely on automated processing that significantly affects you.

Protection Commission (NDPC) or other supervisory authority. To exercise any of these rights, please contact us using the details provided below. We will respond to your request within the timeframe required by law. In some cases, we may need to verify your identity or ask for additional information to process your request.

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration and destruction. These measures include: • Encryption and access controls. Sensitive data is encrypted in transit and at rest. Access to personal data is restricted to authorised employees and contractors who need it to perform their duties. • Policies and training. We have internal policies covering data handling, confidentiality and information security. Employees receive regular data protection training and awareness sessions. • Incident response and breach notification. We maintain procedures for identifying, reporting and responding to data breaches. We will notify the NDPC and affected individuals of any breach as required by law and will take steps to mitigate any harm. • Regular audits and assessments. We conduct periodic security assessments, data protection impact assessments and reviews of our third‑party providers to ensure ongoing compliance with NDPA requirements.

Our services are not directed to children under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without appropriate consent, we will take steps to delete the data as soon as possible.

We have appointed a Data Protection Officer (DPO) to oversee compliance with this policy and data protection laws. You can contact our DPO at: • Email: dpo@ shubconnect.com • Address: No 21, Oyo Road, Opposite Ajibade Street, Coca-Cola, Sango, Ibadan, Oyo State, Nigeria. If you have any questions or concerns about how we handle your personal data, or wish to exercise your rights, please contact our DPO using the above details.

We may update this Privacy Policy from time to time to reflect changes in law, technology or our business operations. The “Last updated” date at the top of this page indicates when this policy was last revised. We encourage you to review this policy regularly. Material changes will be notified via our website or by email.

If you have any questions about this Privacy Policy, our data practices or your rights under Nigerian law, please contact: Privacy Officer Secure Hub Connect Limited No 21, Oyo Road, Opposite Ajibade Street, Coca-Cola, Sango, Ibadan, Oyo State, Nigeria. Email: privacy@ shubconnect.com