Last Updated: 1 March 2025
Privacy Policy
Your privacy is not just a policy — it's the architecture of our trust. Learn how Deskpadi protects your digital workspace.
Introduction
Quantumica Ltd ("Deskpadi", "we", "us", or "our") is committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, store, and protect data when you use the Deskpadi platform ("the Platform").
This policy applies to all users of the Deskpadi platform, including company administrators, employees, and any individual whose data is processed through the Platform. By using Deskpadi, you agree to the practices described in this policy.
If you have any questions or concerns about our policy, please contact us at [email protected].
Data Collection
Personal Information
Full name, work email, password (hashed), company details, profile photo, role and department assignment.
Technical Data
IP addresses, browser types, device info, session duration, API access logs and audit trail entries.
Operational Data (collected in the course of using the Platform)
- Employee records: job titles, employment dates, salaries, attendance records
- Leave requests and balances
- Purchase requests and approval decisions
- Maintenance requests linked to assets and vehicles
- Financial disbursement records
- Bank account details (encrypted at rest using AES-256-GCM)
- Phone numbers (encrypted at rest)
How We Use Your Data
We use personal data only for legitimate, specified purposes:
- Service delivery: To provide, operate, and maintain the Deskpadi platform.
- Authentication: To verify your identity and protect your account.
- Workflow processing: To process approvals, disbursements, and notifications.
- Compliance: To maintain audit logs required by your organisation's policies.
- Billing: To process subscription payments and generate receipts.
- Security: To detect and prevent fraud, abuse, and unauthorised access.
- Support: To respond to support requests and resolve platform issues.
- Improvement: To analyse aggregated, anonymised usage patterns to improve the platform.
We do not use your data for advertising, and we do not sell personal data to third parties.
Data Sharing
We only share information with your consent, to comply with laws, to provide you with services, to protect your rights, or to fulfill business obligations. We do not sell your personal data to third parties for marketing purposes.
- Within your organisation: Relevant data is accessible to colleagues who have been granted the appropriate role-based permissions by your company administrator.
- Payment processors: Billing data is processed by our payment provider (Paystack). We do not store raw card details.
- Infrastructure providers: We use cloud hosting providers to run the platform under strict data processing agreements.
- Legal obligations: We may disclose data if required by law, regulation, or a valid order from a government authority.
We do not share personal data with third-party marketers, analytics platforms, or data brokers.
Data Storage and Security
All data is stored on secured servers. PII — including bank account details, phone numbers, and home addresses — is encrypted using AES-256-GCM before storage and decrypted only for authorised requests.
- TLS 1.2+ encryption for all data in transit
- AES-256-GCM encryption for sensitive PII fields at rest
- Bcrypt hashing for all passwords — plaintext is never stored
- JWT-based authentication with short-lived access tokens
- Role-based access control (RBAC) enforced at the API level
- Comprehensive audit logging of all data access and modification events
- Rate limiting and brute-force protection on all authentication endpoints
In the event of a data breach, we will notify affected users and relevant regulatory bodies within 72 hours of becoming aware, in accordance with applicable law.
Data Retention
We retain personal data for as long as your company account is active, or for as long as required to fulfil the purposes described in this policy.
When a company account is terminated, personal data is retained for 90 days to allow for data export, and then permanently deleted from our systems within 30 days thereafter, unless retention is required by law.
Audit logs are retained for 24 months to support compliance and dispute resolution.
Your Rights Under NDPR
As a data subject under the Nigeria Data Protection Regulation (NDPR), you have the following rights:
Access
Request copies of your personal data.
Rectification
Request correction of inaccurate data.
Erasure
Request deletion of your information.
You also have the right to data portability, the right to object to processing, and the right to restrict processing in certain circumstances.
To exercise any of these rights, contact your company administrator or reach us directly at the contact details below. We will respond within 30 days. Learn more about our NDPR compliance programme.
Cookies
Deskpadi uses only strictly necessary session cookies to maintain your logged-in state. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.
Authentication tokens are stored in localStorage (not cookies) for the web application. These tokens expire automatically and are cleared when you log out.
Children's Data
The Deskpadi platform is intended for business use by adults. We do not knowingly collect data from individuals under the age of 18. If you become aware that a minor has provided data through the Platform, please contact us immediately.
Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify company administrators via email and display a notice within the platform. The "Last updated" date at the top of this page reflects the most recent revision.
Continued use of the Platform after changes are posted constitutes your acceptance of the updated policy.