Cresthub Media (Rooli) is committed to protecting the personal data of employees, customers, partners, and other stakeholders. All Personal Data processed by Rooli must comply with international best practices and the seven core principles below.
| Principle | Requirement |
|---|---|
| Lawfulness, Fairness & Transparency | Processing must have a clear lawful basis (Consent, Contract, Legal Obligation, Legitimate Interest) and be communicated transparently to Data Subjects. |
| Purpose Limitation | Data is collected for specified, explicit, and legitimate purposes and must not be further processed in a manner incompatible with those purposes. |
| Data Minimisation | Data collected must be adequate, relevant, and limited to what is strictly necessary for the purpose of processing. |
| Accuracy | Personal Data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure inaccurate data is corrected or erased. |
| Storage Limitation | Personal Data shall be kept only for as long as necessary for the purposes for which the Personal Data is processed. |
| Integrity & Confidentiality | Processing must ensure appropriate security, including protection against unauthorised or unlawful processing and accidental loss, destruction, or damage. |
| Accountability | Cresthub Media (Rooli) is responsible for, and must be able to demonstrate compliance with, all principles. |
| Lawful Basis | Use |
|---|---|
| Contractual Necessity | Processing data required to fulfil the Rooli Terms and Conditions (e.g. managing user accounts, executing scheduled posts). |
| Consent (Opt-in) | Used for marketing communications, non-essential cookies, and any processing that goes beyond the core service. Consent must be freely given, specific, informed, and unambiguous. |
| Legitimate Interest | Used for core business functions such as product improvement, internal analytics, security, and fraud prevention, provided fundamental rights are not overridden. |
| Legal Obligation | Processing necessary to comply with legal or regulatory requirements (e.g. tax, audit, law enforcement requests). |
* Consent must meet GDPR/NDPA standards; legal obligations include responding to lawful requests from supervisory authorities.
| Right | Compliance Requirement | Applicable Laws |
|---|---|---|
| Right to Access | Provide confirmation of processing and a copy of the data free of charge. | GDPR, NDPA, CCPA/CPRA |
| Right to Rectification | Correct inaccurate or incomplete Personal Data promptly. | All major laws |
| Right to Erasure | Delete Personal Data when no longer necessary, consent is withdrawn, or data was processed unlawfully (Right to be Forgotten). | GDPR, NDPA, CCPA/CPRA |
| Right to Restriction | Temporarily halt processing while accuracy or lawfulness is contested. | GDPR, NDPA |
| Right to Data Portability | Provide data in a structured, commonly used, machine-readable format. | GDPR, NDPA, CCPA/CPRA |
| Right to Object | Stop processing for direct marketing or based on Legitimate Interests. | GDPR, NDPA, CCPA/CPRA |
| Opt-Out of Sale/Sharing | Provide a mechanism to opt out of the ‘sale’ or ‘sharing’ of data for cross-context behavioural advertising. | CCPA/CPRA |
Personal Data transfers outside the Federal Republic of Nigeria, the European Economic Area (EEA), or relevant U.S. States must be protected by appropriate safeguards.
- NDPA/GDPR Compliance: Transfers require an Adequacy Decision (if applicable) or the use of Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) to ensure equivalent protection.
- U.S. Compliance: Transfers must be transparently disclosed in the Privacy Policy. Any transfer constituting a “sale” or “sharing” must respect the User's Right to Opt-Out.
5.1 Security Measures
- Encryption of data in transit (TLS/SSL) and at rest.
- Access control based on the principle of Least Privilege.
- Pseudonymisation and anonymisation techniques where appropriate.
- Regular security assessments, penetration testing, and vendor due diligence.
5.2 Data Breach Notification
- Regulatory Notification (NDPA/GDPR): Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible, if likely to result in risk to rights and freedoms.
- Data Subject Notification (All Laws): Communicate the breach without undue delay if likely to result in high risk to Data Subjects.
6.1 DPIA Requirement
Conduct a Data Protection Impact Assessment (DPIA) before any new processing likely to result in high risk to Data Subjects. Mandatory under GDPR/NDPA and considered best practice under U.S. privacy laws.
6.2 Privacy by Design & Default
All new features, systems, and product developments must incorporate data protection principles from the outset (Privacy by Design). By default, only the minimum amount of Personal Data necessary must be processed (Privacy by Default – Data Minimisation).
Data Controller: Determines the purpose and means of processing and oversees compliance.
Monitors compliance, advises the organisation, and acts as contact point for supervisory authorities and Data Subjects.
Must adhere to this Policy, complete mandatory training, and immediately report potential incidents or breaches.
Rooli[at]cresthub.com
Please title your email: “Data Protection Inquiry”
Registered Office
Cresthub Media · RAYFIELD, JOS, PLATEAU STATE, NIGERIA
