CardinalStone Securities Limited (“we,” “our,” or “CSS”) is a full-fledged Trading Licensed Holder of the Nigerian Exchange Group (NGX), a Participating Institution of the NASD Plc (NASD) and registered with the Nigerian Securities and Exchange Commission (SEC) as a broker/dealer. CSS is supported by a team of competent, highly skilled, and motivated staff. As a Data Controller with respect to the personal data you share with us under this Policy, CSS takes its role seriously in ensuring the confidentiality, integrity, and security of your personal data.
To deliver our services and fulfil our obligations to you, we collect and use certain personal data. We are committed to adhering to the highest standards of confidentiality and data privacy, in compliance with applicable laws and regulations.
CSS reserves the right, at its sole discretion, to alter and update this Privacy Policy from time to time.
Your Trust is Our Priority
When you use our services, you entrust us with your information. We understand this is a significant responsibility and strive to safeguard your information while empowering you with control. This Privacy Policy explains what data we collect, why we collect it, and how you can manage, access, and delete your information.
WHERE-OF
A. This Policy is established in compliance with:
- Section 37 of the Constitution of the Federal Republic of Nigeria (CFRN) 1999 (as amended)
- The Nigeria Data Protection Act (NDPA), 2023
- The General Application and Implementation Directive (GAID), 2025
- All other applicable data privacy legislation, frameworks and regulations.
B. It outlines our approach to data privacy principles when processing the personal data of:
- Clients
- Staff
- Vendors
- Visitors
- Any third party interacting with CSS.
C. For individuals, this Policy emphasizes their rights under the Nigeria Data Protection Act (NDPA), 2023. It applies to all data subjects whose personal data we collect and process.
D. Data Protection Officer and Employee Responsibilities:
CSS’s designated Data Protection Officer (DPO) is accountable for ensuring this Policy’s accuracy and timeliness.
The DPO also oversees proper notification of data subjects before data collection and processing, including data collected through our website.
All employees who handle personal data must adhere to the provisions outlined in this Policy.
ARTICLE 1: OUR COMMITMENT TO DATA PROCESSING PRINCIPLES
We are committed to processing your personal data in accordance with the principles outlined in Section 24 of the Nigeria Data Protection Act (NDPA):
- Fairness, lawfulness, and transparency: We will always obtain your consent or rely on another lawful basis for processing your data and will be transparent about its use.
- Specified, explicit, and legitimate purposes: We will collect and process your data only for clearly communicated purposes.
- Data minimization: We collect only the necessary data for the intended
- Accuracy: We ensure that personal data is accurate and updated as
- In a manner that ensures appropriate security: We implement robust security measures to protect data against unauthorized access, disclosure, alteration, or destruction.
BEYOND COMPLIANCE: ACCOUNTABILITY AND DATA PROTECTION TRIAD
Furthermore, we go beyond compliance with the NDPA 2023. We are committed to demonstrating accountability in our data processing practices and upholding the data protection triad of confidentiality, integrity, and availability.
This means we will be responsible for our actions and ensure your data remains confidential, accurate, and accessible when needed.
ARTICLE 2: CONSENT OF DATA SUBJECTS
We respect your right to control your personal data. Subject to legal requirements, your consent is our primary justification for processing your data. You have the right to grant, withhold, or withdraw your consent at any time.
For detailed explanations, refer to Sections 26, 34, 36, and 38 of the NDPA 2023.
ARTICLE 3: SCOPE OF DATA PROCESSING
In compliance with the NDPA 2023, we are committed to ensuring that personal data is collected, processed, stored, and shared lawfully and transparently. The table below outlines the categories of personal data we collect, the purposes for which they are processed, and the applicable lawful bases for processing.
Please note that this is not an exhaustive list, and we adhere to the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, and accountability as prescribed by the NDPA 2023.
| S/N | Purpose of Collection | Type of Data Processed | Lawful Basis |
|---|---|---|---|
| 1 | Identification | Full name, title, marital status, phone number, email address, contact address, gender, date of birth, identification documents (e.g., driver’s license, international passport, national identity card, voter’s card), signature, postal address, educational records, billing address, and personal information of next of kin and guarantors. | Legal Obligation (Some instances may also involve Public Interest or require Consent as prescribed by the NDPA). |
| 2 | Notifications/Contact | Contact details including name, phone number, email address, and mailing address. | Legitimate Interest or Consent, depending on the nature of the communication. |
| 3 | Financial Data | Bank account details, Bank Verification Number (BVN), biometrics, and payment card details. | Consent (Processing may also be based on Legitimate Interest or Legal Obligation, particularly for fraud prevention and security analytics). |
| 4 | Security (Safety and Protection of Lives and Property) | Name, phone number, email address, contact address, gender, date of birth, video recordings/still images from CCTV cameras, and passport photograph. | Legal Obligation (Processing may also rely on Legitimate Interest or Public Interest for security purposes). |
| 5 | Employment | Name, phone number, email address, contact address, gender, date of birth, passport photograph, medical records, educational records, and details of referees/guarantors. | Contractual Obligation (In certain cases, processing may be based on Consent, Vital Interest, or Legal Obligation). |
| 6 | Contractual Agreements | Name, phone number, email address, contact address, and gender. | Contractual Obligation (Some instances may involve Legitimate Interest or Public Interest, particularly for due diligence processes). |
| 7 | Transactions | Details of payments made or received, as well as records of subscribed products and services. | Legal Obligation (Processing may also be based on Legitimate Interest or Public Interest for security and compliance analytics). |
| 8 | Technical Usage Data | Internet Protocol (IP) address, login credentials, browser type and version, time zone setting, location data, browser plug-in details, operating system, and platform information. | Legitimate Interest (To enhance system security, prevent fraud, and improve user experience). |
| 9 | Profile Data | Username, password, user preferences, feedback, and survey responses. | Legitimate Interest or Consent, depending on user interactions. |
| 10 | Usage Data | Information on how users interact with our website, products, and services. | Legitimate Interest, particularly for service improvement and analytics. |
| 11 | Marketing and Communications | Preferences related to marketing and communications, including interactions with third parties. | Consent (Users retain the right to withdraw consent at any time). |
3.1 Compliance with NDPA 2023
We ensure that all data processing activities adhere to the principles and obligations set out under the NDPA 2023. Where processing requires explicit consent, we obtain such consent in a clear and transparent manner. We also provide mechanisms for data subjects to exercise their rights, including access, rectification, objection, erasure, and data portability, as stipulated under the Act.
If you have any inquiries regarding your personal data or our processing activities, please contact our Data Protection Officer (DPO) at: compliance@cardinalstone.com
ARTICLE 4: HOW CARDINALSTONE SECURITIES LIMITED COLLECTS YOUR INFORMATION
CSS is committed to ensuring transparency in how we collect and process personal data. In compliance with the NDPA, we collect information through various means, including direct interactions, automated technologies, third-party sources, and security recordings.
4.1 Direct Collection from You
We collect personal data directly from you through:
- Account Creation and Service Usage: When you register for an account, log in, or use our services via our website, mobile application, or other digital platforms, we collect the information you provide. This includes forms you fill out, policy transfers, uploaded documents, and any communications you send via email, phone, or post.
- Inquiries and Communications: If you make inquiries, submit requests, or engage in any other communication with CSS, we collect and process the necessary personal data to respond appropriately.
4.2 Website Browsing and Automated Collection
As you browse our website or interact with our online services, we automatically collect data through various technologies, including:
- Cookies and Similar Technologies: We collect technical data about your device, browser type, IP address, browsing behaviour, and other online identifiers using cookies, server logs, and similar tracking technologies. You can manage your cookie preferences via our website’s cookie settings.
4.3 Collection from Third Parties and Public Sources
In some cases, we may obtain personal data from trusted third parties, including:
- Technical Data: We may receive technical data about your device from analytics providers, advertising networks, and search information providers.
- Contact, Financial, and Transaction Data: To facilitate financial transactions and compliance, we may collect contact, financial, and transaction-related data from providers of technical services, payment processors, credit bureaus, and anti-fraud agencies.
- Financial Crime Prevention: In compliance with regulatory requirements, we engage third-party services to verify customer data against financial crime prevention databases, fraud detection systems, sanction lists, and Politically Exposed Persons (PEP) registries.
4.4 Recordings and Images
To ensure compliance with regulatory requirements and enhance security, we collect and process audio and visual data through:
- Phone Call Recordings: We may record or monitor phone calls for regulatory compliance, training, quality assurance, security, dispute resolution, and fraud prevention.
- CCTV Surveillance: We use CCTV cameras at our premises to ensure the safety and security of customers, employees, and company assets.
4.5 Compliance with NDPA 2023
All personal data collected through the means outlined above are processed in accordance with the NDPA 2023. We ensure that personal data are handled lawfully, fairly, and transparently, while implementing measures to protect your privacy rights.
For further details on how we process personal data, including your rights as a data subject, please contact our DPO at: compliance@cardinalstone.com
ARTICLE 5: DATA SUBJECT RIGHTS
At CSS, we take your data privacy rights seriously and are committed to upholding the principles of transparency, accountability, and fairness as prescribed under the NDPA 2023.
Under Sections 34 and 35 of the NDPA 2023, you have several rights regarding the processing of your personal data.
In addition to your right to grant, withhold, or withdraw consent, you are entitled to the following:
5.1 Right to Access
You have the right to request a copy of the personal data we hold about you. This enables you to confirm the lawfulness of our processing and verify the accuracy of your data.
5.2 Right to Rectification
You can request that we correct any inaccurate or incomplete personal data in our records. We will promptly update your information to ensure its accuracy.
5.3 Right to Object
You have the right to object to how we process your personal data in certain situations, including where processing is based on legitimate interest, public interest, or direct marketing purposes. You may also request that we restrict the processing of your data in specific circumstances.
5.4 Right to Data Portability
You can request a copy of your personal data in a structured, commonly used, and machine-readable format. This allows you to transfer your data to another service provider if necessary.
5.5 Right to Erasure (“Right to be Forgotten”)
You may request the deletion of your personal data from our systems, subject to legal and regulatory obligations that may require us to retain certain information.
5.6 Right to Restrict Processing
In certain situations, you can request that we limit how we use your personal data. This may apply when you contest the accuracy of the data, object to its processing, or require the data to be retained for legal claims.
5.7 Right to Object to Automated Decision-Making and Profiling
You have the right to object to decisions made solely through automated processing, including profiling, where such decisions may significantly impact you. You can request human intervention in these cases.
5.8 Right to Withdraw Consent
Where processing is based on your consent, you have the right to withdraw it at any time. This will not affect the lawfulness of any processing conducted before your withdrawal.
5.9 Exercising Your Rights
If you wish to exercise any of your rights, you may contact our DPO using the details provided in our Privacy Policy.
We will respond to all legitimate requests within the timeframe stipulated under the NDPA 2023.
For further details on these rights and the complaint process, please refer to Part VI of the NDPA 2023 or reach out to the Nigeria Data Protection Commission (NDPC) for redress.
ARTICLE 6: DATA RETENTION AND SECURITY
6.1 Data Retention Periods
The retention period for personal data depends on the purpose for which it was collected. We adhere to the following principles:
- Necessity: We limit data collection to what is reasonably required by law or best practices to serve you or respond to inquiries about our transactions with you.
- Legitimacy: We only process and retain data for purposes that are lawful and have a justified basis under the NDPA 2023.
Our commitment to data privacy and security is rooted in your fundamental rights as guaranteed by Section 37 of the 1999 Constitution of the Federal Republic of Nigeria and international human rights laws on data protection.
The table below outlines typical retention periods for different categories of data. Please note that these are general guidelines; the specific retention period for your data may vary based on legal, regulatory, or business requirements.
6.1 Data Retention Schedule Table 2.0
| S/N | Type of Data | Retention Timeline | Justification |
|---|---|---|---|
| 1 | Customer/Client Records | Retained for the duration of service usage. Upon termination, data is securely deleted or anonymized, unless required by law to be retained for up to 10 years. | To fulfil contractual obligations, provide ongoing services, and comply with legal or regulatory requirements. |
| 2 | Notifications and Communications | Retained as long as necessary to fulfil service needs or legal obligations. | To maintain communication records for reference, legal compliance, and customer support. |
| 3 | Employment Records | Retained for the duration of employment plus any legally mandated retention period. | To comply with labour laws, regulatory obligations, and contractual commitments. |
| 4 | Contract Records | Retained for the duration of the contract and beyond, as required by law (typically up to 10 years). | To fulfil contractual obligations, dispute resolution, and regulatory compliance. |
| 5 | Transaction/Usage/Profile Data | Retained as long as necessary for service delivery and legal obligations, unless required for national security or regulatory purposes. | To fulfil contractual obligations, Legitimate/Public Interest, national security, and service continuity. |
| 6 | Technical Data | Retained for a period necessary to ensure cybersecurity, fraud prevention, and service improvement. | To enhance system performance, protect against cyber threats, and analyse usage patterns. |
| 7 | Security Data (CCTV, Access Logs, etc.) | Retained for security monitoring purposes and deleted within the legally stipulated period unless required for an ongoing investigation. | To ensure workplace and customer security, fraud prevention, and compliance with law enforcement requirements. |
6.2 Secure Disposal and Data Minimization
When personal data is no longer needed or beyond the stipulated retention period, and where there is no legal requirement to maintain such records, CSS Limited will:
- Permanently delete or destroy the data from its systems and
- Securely archive certain data in a way that protects identity and privacy rights, where required.
- Anonymize data so that it can no longer be linked to an identifiable individual, where appropriate.
We continuously review our data retention and security policies to ensure compliance with evolving legal, regulatory, and security standards.
For further details on our data retention practices or your rights under the NDPA 2023, please refer to our Privacy Policy or contact our DPO at:
ARTICLE 7: MANDATORY DATA COLLECTION
At CSS, certain types of personal data are essential for us to fulfil our contractual obligations and comply with legal and regulatory requirements. Without this information, we may be unable to provide you with our services or meet our compliance obligations.
7.1 Why We Require Mandatory Data
The collection of mandatory data is necessary to:
- Comply with legal and regulatory requirements, including the NDPA, Anti-Money Laundering (AML) laws, Know Your Customer (KYC) regulations, and tax laws.
- Facilitate contractual obligations related to your investments, trading activities, and financial transactions.
- Ensure security and fraud prevention, including verifying your identity and monitoring transactions for suspicious activity.
- Provide customer support and respond to inquiries regarding your account or transactions.
7.2 Consequences of Not Providing Mandatory Data
If you choose not to provide the required personal data, we may be unable to:
- Open or maintain your account
- Process your investment transactions.
- Provide financial services, including trade execution and reporting
- Comply with legal and regulatory obligations related to financial crime prevention and investor protection.
For further clarification on our data processing practices, or if you have concerns about mandatory data collection, please contact our DPO as detailed in Article 12 of this policy.
ARTICLE 8: TRANSFER OF DATA TO A THIRD PARTY
8.1 Third-Party Services Offered Through Our Platform
CSS may partner with trusted third-party service providers to deliver enhanced services and operational support. These third parties may process your personal data based on their own lawful basis, in accordance with applicable privacy and data protection laws, including the NDPA 2023.
The types of data typically processed by these third parties may include, but are not limited to:
- Contact Information (e.g., name, email address, phone number).
- Financial Transaction Details (where applicable).
- Technical Data (such as IP addresses, device information, and usage data for analytics purposes).
We ensure that any third-party providers processing your personal data implement appropriate safeguards and security measures to protect your information.
8.2 Your Right to Control Your Data
Your privacy rights remain a priority when engaging with third-party services. You have the following rights:
- Consent and Control: For any services that require your explicit consent, you have the right to decline participation or restrict the processing of your personal data.
- Opt-Out from Promotional Communications: If you receive marketing or promotional messages from third-party service providers through our platform, you can unsubscribe at any time.
- Data Protection Measures: We implement contractual agreements and Data Processing Agreements (DPAs) with third parties to ensure compliance with the NDPA 2023 and protect your personal information.
If you have any concerns regarding how your personal data is shared with third-party service providers, you may contact our DPO as outlined in Article 12 of this policy.
ARTICLE 9: TECHNICAL INFORMATION AND COOKIES
9.1 Website Data Collection and Cookies
When you visit the CSS website, certain technical information is automatically collected to enhance your browsing experience. This includes:
- IP Address
- Browser Type and Version
- Time Zone Settings
- Operating System and Platform
- Device Information
These data points help us understand user behaviour, optimize website functionality, and improve security measures in compliance with the NDPA 2023.
9.2 Cookies and Your Preferences
Cookies are small text files stored on your device (computer, smartphone, or tablet) when you visit our website. They allow us to:
- Remember your preferences across multiple
- Enhance website functionality by storing login details and browsing
- Improve security by detecting unusual login attempts and preventing fraud.
However, we acknowledge that not all websites use cookies responsibly. Therefore, we ensure transparency in how our cookies operate.
Managing Cookies
You have the right to control or restrict cookie usage on your browser. You may:
- Accept all cookies for an optimized browsing
- Reject or customize cookies through browser
- Clear stored cookies from your device at any
Please note that disabling cookies may affect certain website functionalities, including secure login and personalized settings.
9.3 Our Commitment to Privacy
We are fully committed to protecting your privacy under the NDPA 2023. To ensure the responsible use of cookies, we:
- Implement robust security protocols to prevent cookie
- Ensure cookies are not used to collect excessive personal data beyond what is necessary.
- Provide clear disclosures about our use of cookies in our Privacy
If you have any concerns regarding technical data collection or cookies, you can reach out to our DPO as detailed in Article 12 of this policy.
ARTICLE 10: PERSONAL DATA SECURITY AND INTEGRITY
10.1 Data Security and Regulatory Compliance
At CSS, we are committed to safeguarding your personal data using state-of-the-art security technologies and robust cybersecurity protocols. Our security framework is designed to:
- Prevent cyberattacks and unauthorized
- Protect against data loss, corruption, or unauthorized
- Ensure data confidentiality, integrity, and availability at all times.
We implement a multi-layered security approach that includes encryption, access controls, intrusion detection systems, and continuous monitoring to mitigate security risks.
10.2 Meeting Legal Requirements
We actively fulfil our legal and regulatory obligations under the NDPA through the following measures:
i. Compliance with the Nigeria Data Protection Act 2023
We ensure that all data processing activities align with the principles, requirements, and obligations set out in the NDPA 2023.
ii. Conducting Data Privacy Assessments
Regular Data Privacy Impact Assessments (DPIAs) are conducted to identify potential risks associated with personal data processing and to implement mitigating controls.
iii. Employee Training on Data Protection Practices
We provide mandatory training to our employees to promote awareness and adherence to data protection principles, ensuring that personal data is handled responsibly.
iv. Obtaining Strict Data Security Warranties from Vendors
Where applicable, we engage third-party service providers that adhere to strict data security requirements and comply with contractual data protection obligations before processing any personal data on our behalf.
10.3 Data Breach Notification
In compliance with Sections 28, 39, and 40 of the NDPA 2023, we are required to report any personal data breach that poses a high risk to your rights and freedoms to the Nigeria Data Protection Commission (NDPC) within 72 hours of becoming aware of the incident.
In the event of a data breach:
- We immediately assess the scope and impact of the
- We notify affected individuals without undue delay, where
- We take corrective measures to mitigate any risks and prevent future
For further information regarding data breach procedures, please refer to Sections 28, 39, and 40 of the NDPA 2023 or contact our DPO as detailed in Article 12 of this policy.
ARTICLE 11: JOB APPLICANTS
11.1 Application Information
When you apply for a position at CSS, you are required to submit certain personal data to facilitate the recruitment process. This includes, but is not limited to:
- Name and Contact Details (e.g., phone number, email address, residential address).
- Educational Background and Work History (e.g., academic qualifications, employment records, professional certifications).
- Medical Information and Other Relevant Background Information (e.g., skills, competencies, references).
- Financial Data (such as BVN, TIN, PFA, bank account details).
- Personal Details of Referees, Next of Kin, and
Providing this information is essential for us to process your application.
Failure to provide the required data may result in delays or disqualification from the recruitment process.
11.2 Data Usage for Recruitment
We use the information submitted during the application process to assess your suitability for employment at CSS. Specifically, we process your data to:
i. Evaluating Suitability for Employment
- Assess your skills, experience, and qualifications against the job
- Track feedback and interactions throughout the recruitment
ii. Internal Recruitment Process Improvement
In addition to evaluating candidates, we may use application data to analyse and enhance our recruitment strategies by:
- Identifying effective recruitment
- Improving onboarding, integration, and training
- Enhancing the interview model for better hiring
11.3 Optional Communications and Data Sharing
With your explicit consent, we may:
- Send you updates about CSS events, job fairs, and industry
- Share your data with affiliated companies and third-party service providers (e.g., recruitment agencies, background check providers, IT system vendors) who assist in the hiring process.
Where necessary, data may be transferred across jurisdictions to enable seamless global recruitment while ensuring compliance with the NDPA 2023 and other relevant privacy laws.
11.4 Data Retention
We retain your application data for a maximum period of three (3) years, unless:
- Your application is successful, in which case your data will be retained as part of your employment record.
- You request deletion of your information before the expiration of the retention period, subject to legal and regulatory obligations.
After the retention period, your data will be securely deleted, anonymized, or archived in compliance with data protection standards.
11.5 Data Subject Rights and Contact
You have the right to:
- Request access to your personal
- Request corrections to inaccurate or incomplete
- Withdraw your consent for optional communications or data
- Request the deletion of your application data, subject to legal
To exercise your data subject rights, or for any inquiries regarding data privacy, please contact our DPO at: compliance@cardinalstone.com
ARTICLE 12: MAINTAINING ACCURATE INFORMATION
At CSS, we are committed to maintaining accurate, complete, and up-to-date personal data in compliance with the NDPA 2023.
If your personal information changes during your relationship with CSS, we encourage you to promptly notify us to ensure the accuracy of our records. Keeping your data up to date helps us:
- Provide seamless services without
- Ensure effective communication regarding your account and
- Comply with regulatory and legal
12.1 Updating Your Personal Information
You can easily update your information by:
- Contacting our DPO via email at compliance@cardinalstone.com
- Visiting any CSS office or using our online customer portal (where available).
12.2 Your Right to Rectification
Under Section 35 of the NDPA 2023, you have the right to rectification, which allows you to request corrections to inaccurate or incomplete personal data. We will process such requests promptly and transparently. For further details on how we handle data updates and rectification requests, please refer to our Privacy Policy or reach out to our DPO at: compliance@cardinalstone.com
ARTICLE 13: CHILDREN’S PRIVACY
13.1 Children’s Privacy
CSS is committed to protecting the privacy of children in accordance with the NDPA 2023 and the Child Rights Act 2003. Our website, applications, and services are not directed towards children under the age of 13, and we do not knowingly collect personal data from children under this age.
If we become aware that we have inadvertently collected personal data from a child under 13 without verifiable parental consent, we will take immediate steps to delete or anonymize that information in compliance with the NDPA 2023.
ARTICLE 14: CAVEAT ON WEBSITE LINKS
Our website may contain links to third-party websites for your convenience. These external links do not imply any endorsement, sponsorship, or approval of the content, products, or services offered on those websites by CSS.
14.1 Third-Party Websites Disclaimer
While we strive to provide reliable resources, CSS does not control or assume responsibility for:
- The privacy practices of third-party
- The accuracy, security, or reliability of their
- How they collect, process, or use personal
14.2 Your Responsibility
Since third-party websites have independent privacy policies, we encourage you to:
- Review their privacy policies before sharing any personal
- Exercise caution when interacting with external
- Report any suspicious links or privacy concerns related to third-party sites linked from our platform.
14.3 Scope of CardinalStone Securities Limited’s Privacy Policy
The CSS Privacy Policy applies exclusively to our own website, services, and platforms. If you navigate to an external website through a link on our site, your data will be subject to that website’s privacy practices.
For any concerns regarding third-party links or online security, please contact our DPO at compliance@cardinalstone.com
ARTICLE 15: TRANSFER TO THIRD PARTIES AND COUNTRIES (CROSS-BORDER TRANSFERS)
In fulfilling our mandate effectively, CSS may engage third-party service providers located within or outside Nigeria. In such cases, we ensure that strict data protection measures are in place to safeguard your personal data against unauthorized access, use, disclosure, loss, or destruction in accordance with the NDPA 2023.
15.1 Third-Party Transfers and Data Protection Measures
Where personal data is transferred to a third party, CSS will:
- Enter into a Data Processing Agreement (DPA) with the third party, ensuring they meet data security and privacy standards.
- Obtain your consent if the data processing purpose was not originally stated at the time of collection.
- Assess the third party’s security controls to ensure compliance with global data protection best practices and NDPA requirements.
15.2 Cross-Border Transfers and Regulatory Compliance
Where personal data is transferred outside Nigeria, CSS will ensure that:
i. Adequacy Decision
The recipient country has adequate data protection laws that meet global standards, as recognized by the NDPC.
ii. Data Protection Contracts
If the recipient country does not have an adequacy decision, CSS will implement contractual safeguards, such as:
- NDPC-approved Standard Contractual Clauses (SCCs).
- Other legally binding data protection frameworks.
- Binding Corporate Rules (BCRs)
Where data is transferred within the CSS corporate group, the transfer will be governed by approved Binding Corporate Rules (BCRs), ensuring compliance with global data protection standards.
15.3 Examples of Cross-Border Data Processing Services
Cross-border data transfers may be required for services such as:
- Internet Connectivity – Cloud-based financial
- Cloud Storage – Secure data hosting and
- Data Analytics – Advanced trading analytics and investor
- Data Security – Cybersecurity monitoring and fraud
- Software Development – Maintenance and upgrades of financial
ARTICLE 16:
DATA PROTECTION HELP DESK
At CSS, we are committed to addressing all data protection-related inquiries, complaints, and requests in a timely and effective manner. To facilitate this, we have established a Data Protection Help Desk, managed by our DPO.
You can contact our DPO for assistance via: compliance@cardinalstone.com
16.1 Role of the Data Protection Officer (DPO)
Our DPO serves as an internal compliance mechanism to ensure adherence to data protection laws and best practices. The DPO is responsible for handling privacy-related concerns and providing guidance on data protection matters.
16.2 Key Services Provided by the Data Protection Help Desk
The Data Protection Help Desk provides support and expertise on a wide range of data privacy and security matters, including:
i. Data Protection Regulations Compliance & Breach Services
- Ensuring compliance with the Nigeria Data Protection Act (NDPA)
- Monitoring and responding to data breaches, including incident reporting to regulatory bodies.
ii. Data Protection and Privacy Advisory Services
- Providing expert guidance on data privacy policies, best practices, and legal obligations.
iii. Data Protection Capacity Building
- Conducting training and awareness programs for employees and stakeholders on data protection principles.
iv. Data Regulations Contract Drafting & Advisory
- Assisting in the drafting and review of contracts to ensure compliance with data privacy laws and regulatory requirements.
v. Data Protection & Privacy Breach Remediation Planning & Support
- Developing strategies to mitigate and remediate data breaches, ensuring minimal risk exposure.
vi. Information Privacy Audits
- Conducting internal audits to evaluate compliance with privacy and security
vii. Data Privacy Breach Impact Assessments
- Assessing the impact of data breaches and recommending corrective actions to minimize risk.
viii. Data Protection & Privacy Due Diligence Investigations
- Carrying out due diligence for mergers, acquisitions, or partnerships to assess data privacy risks.
16.3 Commitment to Data Protection Excellence
CardinalStone Securities Limited is dedicated to ensuring the confidentiality, integrity, and security of your personal data. Our Data Protection Help Desk serves as a centralized support system to uphold our commitment to privacy rights and regulatory compliance.
For further inquiries or to exercise your data subject rights, please reach out to our DPO via compliance@cardinalstone.com
ARTICLE 17: DATA DELETION
At CSS, we recognize your right to request the deletion of your personal data in accordance with the Nigeria Data Protection Act (NDPA) 2023. We have implemented secure and effective data deletion processes to ensure that personal data is removed from our systems when it is no longer needed for legal, regulatory, or business purposes.
17.1 Your Right to Request Data Deletion
You may request the deletion of your personal data at any time by submitting a Data Subject Access Request (DSAR) Form through our DPO at compliance@cardinalstone.com
We will take reasonable steps to process your deletion request within a commercially reasonable timeframe, subject to any legal or regulatory obligations that require us to retain certain data.
17.2 Secure Data Deletion Procedures
To ensure the secure and irreversible deletion of personal data that is no longer necessary, we follow a structured data deletion process:
i. Identification
- We regularly review our data storage systems to identify personal data that has exceeded its retention period or is no longer required for legal or business purposes.
ii. Scheduling
- Data marked for deletion is placed on a scheduled deletion The schedule considers:
- The type of
- Legal and regulatory
- Potential risks associated with deletion
iii. Overwriting
- Data identified for deletion is overwritten with random characters or patterns, rendering the original data unreadable and irrecoverable.
iv. Verification
- After overwriting, we verify that the data deletion process has been successful and that the original data is no longer accessible.
v. Audit Trail
- We maintain an audit trail of all data deletion activities, including:
- Type of data
- Date of
- Individual or system responsible for
17.3 Exceptions to Data Deletion
While we strive to honour deletion requests, there are certain circumstances where we may be legally required or justified in retaining specific data:
i. Legal and Regulatory Requirements
- We may be required by law to retain your data for a specific period (e.g., anti-money laundering (AML) regulations, tax laws, and financial compliance requirements).
ii. Legal Disputes and Contractual Obligations
- If your data is needed to resolve a legal dispute, enforce our terms of service, or protect CardinalStone Securities Limited’s legal interests, we may temporarily retain it until the issue is resolved.
iii. Anonymized Data
- If your data has been anonymized and is no longer personally identifiable, it may be retained for analytical, research, or statistical
In such cases, we will limit further processing of your data only to the extent necessary and ensure it is securely stored.
17.4 Contact for Data Deletion Requests
For data deletion requests, please contact our Data Protection Officer (DPO) at: Email: compliance@cardinalstone.com
We are committed to protecting your data rights and will process your request in accordance with the NDPA 2023.
ARTICLE 18:
DATA SUBJECT ACCESS REQUEST (DSAR)
18.1 Data Subject Access Requests (DSARs)
Under the Nigeria Data Protection Act (NDPA) 2023, you have the right to request access to the personal data that CardinalStone Securities Limited holds about you. This includes, but is not limited to:
- Personal Identifiers (e.g., name, contact details).
- Demographic
- Account or Transaction
- Any other information that can directly or indirectly identify
A Data Subject Access Request (DSAR) enables you to obtain a copy of your data and understand how it is processed, stored, and shared.
18.2 Submitting a DSAR
You can submit a DSAR request using the following methods:
- Email Submission
Send an email to compliance@cardinalstone.com, clearly specifying the information you are requesting.
- DSAR Form Submission
Complete the DSAR Form available on our website and email it to
For faster processing, please include specific details about the data you wish to access (e.g., the timeframe, type of information, and reason for the request).
18.3 Verification Process
To protect your privacy and security, we may request additional verification to ensure that we are providing access to the correct data subject. This verification process may include:
- Requesting official identification documents, such as:
- Driver’s License
- International Passport
- National Identification Number (NIN) Slip
- Verifying information associated with your account, such as recent transactions, security questions, or registered contact details.
Once your identity is confirmed, we will proceed with processing your request.
18.4 Response Timeline
We strive to respond to your DSAR within 30 days of confirmation. Our response will include:
- Confirmation of your request
- A copy of the requested personal data in a clear, concise, and electronic format (or an alternative format if required).
Reasons for Denying Access
In rare cases, we may be unable to provide the requested information due to legal, regulatory, or security restrictions. If we deny access, we will:
- Explain the reason for the denial
- Inform you of your right to challenge the
18.5 Fees
Submitting a DSAR is free of charge. However, we may apply a reasonable administrative fee in the following cases:
- Clearly unreasonable requests (e.g., requests that require excessive technical resources).
- Excessive frequency (e.g., multiple requests within a short period).
- Repeated requests for the same
We will inform you of any applicable fees before proceeding with your request.
18.6 Contact for DSAR Requests
For further inquiries or to submit a Data Subject Access Request (DSAR), please contact our DPO at: compliance@cardinalstone.com
ARTICLE 19: REMEDIATION
At CardinalStone Securities Limited, we are committed to promptly addressing and resolving any concerns related to your data privacy in compliance with the NDPA 2023.
We encourage you to report any complaints, inquiries, or concerns regarding the processing of your personal data through our DPO. Please refer to Article 22 of this Policy for contact details.
19.1 Resolution Process
- Upon receiving your complaint or inquiry, our DPO will acknowledge receipt and commence an investigation.
- We aim to resolve complaints within seven (7) business days from the date of receipt.
- If the issue requires further investigation or is more complex, we will promptly inform you of the additional time required and provide regular updates on the progress.
- Throughout the process, we will take all necessary steps to protect your rights and interests.
19.2 Escalation Process
If you are dissatisfied with the resolution provided by our DPO, you have the right to:
- Request further review by an internal escalation team.
- Escalate your complaint to the NDPC, as per the guidelines under the NDPA 2023.
For any remediation-related inquiries, please contact our DPO as detailed in Article 22 of this Policy.
ARTICLE 20:
ALTERATION OF PRIVACY POLICY
CardinalStone Securities Limited, as the Data Controller, reserves the right to modify, update, or amend this Privacy Policy as necessary. Such updates may be required to:
20.1 Reasons for Policy Updates
- Enhance Data Privacy Rights – To strengthen user privacy protections and incorporate best practices in data security.
- Align with Evolving Public Interest Considerations – To reflect technological advancements, industry trends, and changing societal expectations regarding privacy.
- Comply with Legal & Regulatory Directives – To meet new data protection regulations, court rulings, and government directives issued by the Federal Government of Nigeria.
20.2 Compliance with Legal Frameworks
Any modifications to this Privacy Policy will be implemented in full compliance with:
- The Nigeria Data Protection Act (NDPA)
- The 1999 Constitution of the Federal Republic of
- Other applicable national and international data protection
20.3 Notification of Policy Changes
- Major updates will be communicated through email notifications, website banners, or platform announcements.
- The latest version of this Privacy Policy will be available on our website and official channels.
- Continued use of our services after policy updates implies acceptance of the revised Privacy Policy.
For questions or concerns about any policy changes, please contact our DPO at: compliance@cardinalstone.com
21.1 General Definitions
- Cookie: A small data file stored by your web browser when you visit a website. Cookies help websites remember your preferences, login details, and browsing activity to enhance user experience.
- CardinalStone Securities Limited (“we,” “our,” or “CSS”): Refers to CardinalStone Securities Limited, headquartered at 5 Okotie Rd, Ikoyi, Lagos 106104, Lagos, Nigeria. CardinalStone Securities Limited serves as the Data Controller responsible for your personal data under this Privacy Policy.
- Country: Refers to Nigeria, the jurisdiction of CardinalStone Securities Limited and its founders/owners.
- Customer: An individual, organization, or company that uses our services to manage financial transactions, investments, and other stockbroking-related activities.
- Device: Any internet-enabled gadget (such as a smartphone, tablet, laptop, desktop computer) used to access our website, mobile application, or services.
- Internet Protocol (IP) Address: A unique identifier assigned to a device connected to the internet. An IP address can sometimes indicate the general geographic location of the device.
- Closed-Circuit Television (CCTV): A video surveillance system used at CardinalStone Securities Limited premises and branches for security and safety purposes. CCTV recordings and still images are stored securely in accordance with our privacy policy and regulatory standards.
- Personnel: Employees, contractors, consultants, or any other individuals working under the authority or supervision of CardinalStone Securities Limited.
- Personal Data: Any information that can identify a natural person, either directly (e.g., full name, national identification number) or indirectly (e.g., IP address, location data, or combined data sets).
- Service: Refers to the financial and investment services offered by CardinalStone Securities Limited, as described in our terms and conditions (if available) and on our platforms.
- Third-Party Service: External providers such as advertisers, marketing partners, financial service providers, contest sponsors, and affiliates that offer products, services, or content through CardinalStone Securities Limited’s platform.
- You: Any individual, customer, investor, or business entity registered with CardinalStone Securities Limited to use our services.
ARTICLE 22:
CONTACT
If you have any questions, comments, or requests regarding your privacy rights or how CardinalStone Securities Limited processes your personal data, please contact us using the details below.
22.1 Data Controller Contact Information
CardinalStone Securities Limited
Head Office: 5 Okotie Rd, Ikoyi, Lagos 106104, Lagos, Nigeria.
Phone: +234 (1) 631 2225 | +234 (1) 710 0433
General Inquiries: Info@cardinalstone.com
Website: www.cardinalstonesecurities.com
22.2 Data Protection Officer (DPO) Contact Information
For privacy-related concerns, data protection inquiries, or requests to exercise your data subject rights, please contact our DPO:
DPO Email: compliance@cardinalstone.com
We are committed to addressing all privacy inquiries in a timely and transparent manner in accordance with the Nigeria Data Protection Act (NDPA) 2023.