Privacy Policy — FortressPoint Compliance Suite
Last updated: [DATE — fill in on actual publication]
⚠️ DRAFT — NOT LEGALLY REVIEWED. Do not publish as final without review by a qualified Nigerian lawyer (and ideally UK-qualified input given the platform's dual-market positioning). This draft is written to be substantively complete and accurate to the actual system architecture described in this project's build history, but every sub-processor, retention period, and legal basis stated here should be verified against the live system before publication, and reviewed for legal sufficiency.
1. Who We Are
FortressPoint Consulting Limited ("FortressPoint," "we," "us," "our") operates FortressPoint Compliance Suite (the "Service"). This Privacy Policy explains how we collect, use, share, and protect personal data belonging to users of the Service itself — this is distinct from the compliance documents (such as privacy policies) the Service generates *for* our customers about *their own* data handling practices.
Our data protection contact can be reached at: compliance@fortresspointconsulting.com
2. What Personal Data We Collect
- Account information: name, email address, and authentication data, collected and managed on our behalf by our authentication provider (Clerk).
- Organisation information: company name, and, where you use our team/organisation features, information about your organisation's members and their assigned roles (Admin, Editor, Viewer).
- Audit response data: your answers to our compliance self-assessment questionnaires, and the compliance scores and documents generated from those answers.
- Payment information: processed by our payment processor (Paystack) — we do not directly store your full card details. We retain records of transaction status, subscription tier, and billing history necessary to administer your subscription.
- Support communications: information you submit through our support ticket system, including your messages and any information you choose to provide when raising a request.
- Technical/usage data: standard web request data (e.g. IP address, browser type, pages visited) collected automatically for security, troubleshooting, and service-improvement purposes.
3. How We Use Your Data
We use the personal data described above to:
- Provide, operate, and maintain the Service;
- Process your compliance self-assessments and generate documents on your behalf;
- Process payments and manage your subscription;
- Communicate with you about your account, support requests, and material changes to the Service or these terms;
- Maintain the security and integrity of the Service;
- Comply with our own legal and regulatory obligations.
We do not sell your personal data to third parties, and we do not use your audit response data or uploaded evidence to train AI models beyond the processing necessary to generate your requested documents, responses, or search results in the moment.
4. Legal Basis for Processing
As a Nigerian-registered company processing personal data primarily in connection with Nigerian compliance obligations, we process your data under the Nigeria Data Protection Act 2023 and its General Application and Implementation Directive (GAID). Our legal bases include: performance of our contract with you (providing the Service you've signed up for), your consent (where separately obtained, e.g. for marketing communications), and our legitimate interests in operating and securing the Service.
Where you are located in the United Kingdom or European Union, we also process your data consistently with UK GDPR / EU GDPR principles.
5. Who We Share Your Data With
We share personal data with the following categories of service providers ("sub-processors"), each engaged under contractual terms requiring them to protect your data appropriately:
- Clerk — authentication and account management
- Supabase — database hosting for account, organisation, and audit data
- Sanity — content management for question sets and document templates (does not process your personal audit responses directly)
- Anthropic — AI-assisted generation of your compliance documents and grounded responses (including our compliance assistant chat feature) from your audit responses and indexed evidence
- OpenAI — generates numerical representations ("embeddings") of your evidence and audit content so it can be searched by meaning, supporting features like our AI compliance assistant and questionnaire automation tool
- Paystack — payment processing
- Resend — transactional email delivery (e.g. support ticket notifications)
- Vercel — application hosting and file storage for generated documents
6. International Data Transfers
Some of our sub-processors host or process data outside Nigeria (including in the European Union and United States). Where this occurs, we take steps intended to ensure an adequate level of protection for your data during transfer, consistent with the GAID's requirements for cross-border data transfers — including, where applicable, standard contractual clauses or other approved transfer mechanisms.
7. Data Retention and Deletion
We retain your account and compliance data for as long as your account remains active. If you request deletion of your account, the following process applies — this reflects our actual, built system, not a generic promise:
Grace period. Once you request deletion, your account enters a 14-day grace period during which it is scheduled for deletion but not yet purged — this exists to protect against accidental requests or a change of mind. You (or, where applicable, our support team) can cancel a pending deletion during this window.
What is deleted. Once the grace period ends, we permanently delete your compliance content — audit responses and scores, generated documents and their underlying files, uploaded evidence files, vendor assessments, training records, chat/assistant conversation history, and your account identity itself (including with our authentication provider, Clerk).
What is retained, and why. Nigerian tax law (the Companies Income Tax Act, the Companies and Allied Matters Act, and FIRS guidance) requires us to retain financial and transactional records for six (6) years. We retain the minimum necessary financial facts (payment amounts, dates, subscription plan, and payment processor reference) for this period — but we do not keep these records linked to your full personal profile once your account relationship ends; your name and email on these records are replaced with an internal reference, consistent with NDPA's principle that personal data should only be retained as long as necessary for the specific purpose it serves — here, that purpose narrows from "operating your account" to "our own tax record-keeping obligation."
Accountability record. We keep a minimal internal log confirming that a deletion request was made and completed, using a one-way cryptographic reference that cannot be reversed to identify you. This exists solely so we can demonstrate, if ever required, that we genuinely honour deletion requests — it does not retain your personal data.
Shared organisation data. If you are a member of a company account alongside other users, deleting your personal account removes your own access and profile, but does not delete data your organisation owns collectively (e.g. shared audit history) — that data remains available to your organisation's other members, consistent with how organisation accounts are structured.
Sole administrators. If you are the sole Administrator of an organisation account, self-service deletion is not available to you directly, since it would leave your organisation's data without anyone able to manage it. Please contact compliance@fortresspointconsulting.com to arrange this — we will work with you to transfer administration to a colleague first, or to arrange deletion of the entire organisation account if that is what you want.
8. Your Rights
Depending on your location, you may have rights including: access to your personal data, correction of inaccurate data, deletion of your data, objection to certain processing, and data portability.
Deletion specifically can be requested directly within the Service itself, from your account settings — see Section 7 above for exactly what happens once you do. For all other rights requests, or if you are a sole Administrator needing to arrange deletion of an organisation account, contact us at compliance@fortresspointconsulting.com or through our in-Service support ticket form.
We will respond to legitimate requests within the timeframes required by applicable law. If you are unsatisfied with our response, you may escalate your concern to Nigeria's National Data Protection Commission (NDPC), or, where applicable, your local data protection authority.
9. Cookies
We use essential cookies necessary for authentication and maintaining your signed-in session. We do not currently use non-essential tracking or advertising cookies.
10. Children's Data
The Service is intended for use by business professionals and is not directed at or intended for use by individuals under the age of 18. We do not knowingly collect personal data from children.
11. Security
We apply reasonable technical and organisational measures to protect your data, including encryption in transit and access controls. No system can be guaranteed fully secure, and we encourage you to use a strong, unique password for your account.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes through the Service or by email before they take effect.
13. Contact and Complaints
If you have questions, concerns, or a complaint about how we handle your personal data, please contact us at: compliance@fortresspointconsulting.com, or through our in-Service support ticket form (selecting the appropriate category).
We aim to acknowledge and address all data protection concerns directly and promptly, consistent with the same standard of accessible, no-legal-knowledge-required complaint handling (in the spirit of the GAID's Standard Notice to Address Grievance approach) that we help our own customers build for their users.