Legal
Data Protection
The governance standards applied to Vigilante's personal-data processing, with particular attention to precise location, active SOS tracking, public sharing, security, and user rights.
Last updated: 28 June 2026
1. Our Data-Protection Commitment
CriticalThinkers Technology Limited operates Vigilante and is committed to handling personal data lawfully, fairly, transparently, and securely. This page summarises the governance standards we apply to the design and operation of Vigilante.
Our framework is informed by the Nigeria Data Protection Act 2023, the Nigeria Data Protection Act General Application and Implementation Directive 2025, guidance issued by the Nigeria Data Protection Commission, contractual duties, and applicable app-platform requirements.
2. Core Processing Principles
We aim to process personal data in a manner that is lawful, fair, transparent, purpose-specific, proportionate, accurate, secure, and accountable. Data should not be retained for longer than the purpose and applicable law require.
- Purpose limitation: data collected for a safety or service function should not be quietly reused for an incompatible purpose.
- Data minimisation: each feature should request and process only the data reasonably necessary to work.
- Accuracy: users should be able to correct relevant account and contact information, and location timestamps should make clear when a coordinate was last reported.
- Storage limitation: retention should be tied to an identified operational, safety, security, or legal need.
- Integrity and confidentiality: access should be controlled and data should be protected against unauthorised use, loss, alteration, or disclosure.
- Accountability: material processing activities, service providers, incidents, and rights requests should be documented and reviewed.
3. Privacy by Design and Default
Privacy considerations should be included when new features are planned, not added only after launch. Product teams should assess the data involved, the user benefit, the least intrusive implementation, who can access the data, how long it is needed, and what controls the user receives.
Higher-risk processing, including precise background location, public location links, emergency-contact data, and large-scale monitoring, should receive enhanced review and a data-protection impact assessment where required.
4. Location-Data Governance
Foreground and background location serve different purposes and should not be presented as the same permission. Foreground location supports user-requested maps, local safety information, route context, reporting, and VigilAI while the user is engaging with the app.
Background location is reserved for continuous location updates during an active, user-initiated SOS session when the app is closed, minimised, the screen is locked, or the app is otherwise not in active use. It must not be requested for advertising or unrelated analytics.
The user should receive a clear in-app disclosure immediately before the relevant Android permission request. The disclosure should state that precise location is collected and transmitted, identify the SOS feature, explain that collection may continue when the app is closed or not in use, describe sharing through the trusted-contact tracking link, and offer a genuine choice to continue or decline.
5. Consent and User Controls
Consent must be specific, informed, freely given where the law requires it, and recorded through an affirmative action. Silence, continued navigation, a pre-selected option, or closing a notice must not be treated as consent.
Users should be able to refuse optional permissions, change device permissions later, stop an active SOS where the feature provides that control, manage notifications, edit emergency-contact details, deactivate an account, and contact us about data deletion or another rights request.
6. Access Control and Security
Access to personal data should be restricted according to role, operational need, and least-privilege principles. Administrative access should be authenticated, logged where appropriate, reviewed, and removed when no longer required.
Security measures may include encrypted transmission, secure credential storage, environment separation, software updates, monitoring, backups, incident logging, vendor due diligence, rate limiting, and controls designed to prevent unauthorised access or misuse. No control can eliminate every risk, so safeguards should be reviewed as the service evolves.
7. Service Providers and Data Processors
We use service providers for functions such as hosting, databases, storage, maps, authentication, crash reporting, analytics, push notifications, email, and text messaging. Providers should receive only the data required for their role and should be subject to appropriate confidentiality, security, and data-processing obligations.
A provider must not use Vigilante data for its own unrelated purposes unless it acts as an independent controller and gives users the legally required notice. Material provider changes should be reviewed for privacy and security implications.
8. International Transfers
Where a provider stores or processes personal data outside Nigeria, we assess the transfer basis and seek appropriate safeguards, taking account of the destination, contractual protections, technical controls, and the nature of the data. Sensitive location information should receive particular care.
9. Retention, Deactivation, and Deletion
Retention schedules should distinguish active account data, public content, live SOS records, security logs, notification tokens, support correspondence, backups, and legal records. Data should be deleted or anonymised when the applicable purpose and retention period have ended, unless a lawful reason requires continued retention.
Account deactivation prevents ordinary account access but is not always identical to immediate deletion. Verified deletion requests are assessed against legal obligations, safety needs, fraud prevention, dispute resolution, backup cycles, and the rights of other users.
10. Handling Data-Subject Rights
Requests for access, correction, erasure, restriction, portability, objection, withdrawal of consent, or review of relevant automated processing may be sent to support@criticalthinker.tech. We may ask for proportionate information to verify identity and prevent an unauthorised person from obtaining or deleting another user’s data.
Requests should be logged, assessed, answered within the legally required period, and escalated where they involve complex safety, legal, or technical issues. Any refusal or limitation should be explained where the law requires it.
11. Personal-Data Incidents
Suspected loss, unauthorised disclosure, account compromise, or other personal-data incident should be reported internally without delay. We assess the nature of the data, affected people, likely harm, containment measures, and notification obligations.
Where an incident creates a legally reportable risk, we will notify the Nigeria Data Protection Commission and affected individuals within the period and in the manner required by applicable law. Records of the incident, assessment, response, and lessons learned should be retained appropriately.
12. Children and Vulnerable Users
Features involving live location, public sharing, emergency contacts, and distress reporting can present heightened risks for children and vulnerable people. Product decisions should take account of age, capacity, guardian involvement, accidental disclosure, coercion, and the possibility that a trusted-contact link may be forwarded.
13. Accountability and Review
We periodically review material data flows, permission requests, public disclosures, service-provider arrangements, security controls, retention practices, and user complaints. Staff and contractors with access to personal data should receive appropriate instructions and confidentiality obligations.
This framework may be updated as Vigilante changes or as the Nigeria Data Protection Commission, Google Play, Apple, or another competent authority issues new requirements.
14. Questions and Complaints
Questions about this framework, concerns about misuse of data, and data-subject requests may be sent to CriticalThinkers Technology Limited at support@criticalthinker.tech.
A person who remains dissatisfied may lodge a complaint with the Nigeria Data Protection Commission or another supervisory authority with jurisdiction over the matter.
