Who we are
Plain English: Worllet Limited runs MiTax. We are the Data Controller for your personal data.
Worllet Limited, a company incorporated in the Federal Republic of Nigeria and a subsidiary of JCP Group, is the Data Controller for personal data processed through MiTax. Our registered office is in Lagos, Nigeria.
For any privacy question, write to privacy@mitax.ng. For requests that invoke your rights under the Nigeria Data Protection Act 2023, write to our Data Protection Officer at dpo@mitax.ng. We respond to verified requests within thirty calendar days.
What we collect
Plain English: account details, the tax data you give us, payment info, and the usual device data.
Account data includes your full legal name, your email address, your Nigerian phone number, your date of birth, your home or business address within Nigeria, your Tax Identification Number, your National Identification Number where verification is required, and your Bank Verification Number where required by Nigerian Know Your Customer rules.
Financial data includes the income, expense, invoice, and transaction information you enter, the supporting documents you upload, payment instrument details handled by our Payment Service Providers, the bank account references you nominate for refunds, and the calculated tax obligations produced by our engine.
Device and usage data includes IP address, device model, operating system, browser version, app version, session timestamps, the pages you view, the features you use, and crash diagnostics. We do not collect precise GPS location. Where you grant in-app camera or storage access for document upload, the captured files belong to your account.
Communication data includes the messages you send to support, the chat transcripts with our AI assistant, and any feedback you submit.
Why we collect it
Plain English: to calculate your tax, file it, take payment, support you, and keep the service safe.
We process personal data to deliver the MiTax service as described in our Terms. This includes calculating your tax position under the Nigeria Tax Act 2025, preparing and submitting filings to the Nigeria Revenue Service or relevant State Internal Revenue Service, instructing payment to government accounts, issuing receipts, maintaining your document vault, and replying to support requests.
We process aggregated, de-identified usage data to improve the service. We never sell personal data. We never share personal data for cross-context behavioural advertising.
The lawful bases for processing under the Nigeria Data Protection Act 2023 are performance of a contract with you, compliance with Nigerian tax and anti-money-laundering law, your explicit consent for optional features such as marketing emails, and our legitimate interests in keeping the service secure and detecting fraud.
How long we keep it
Plain English: while your account is active, plus seven years after closure for tax records.
Active account data is kept for as long as your account is open. After closure, tax filings, supporting documents, payment receipts, and audit logs are retained for seven years from the relevant tax year, as required by the Nigeria Tax Act and the Federal Inland Revenue Service archival rules.
Support transcripts and product analytics are retained for twenty-four months from collection, then anonymised or deleted. Marketing consent records are kept for the life of the consent plus three years.
Where a regulator, court, or law enforcement agency requires a longer hold, we comply with the lawful order and notify you where allowed.
Where we store it
Plain English: primary storage in London. Backups in the European Union. Both have data protection laws considered adequate.
Primary application data is stored on Supabase infrastructure hosted in London, United Kingdom, which the Nigeria Data Protection Commission has assessed as providing adequate data protection.
Encrypted backups are replicated to Amazon Web Services data centres within the European Union. Cross-border transfers from Nigeria are made on the basis of adequacy decisions and standard contractual clauses approved by the Nigeria Data Protection Commission.
We do not transfer personal data to jurisdictions that have not been recognised as providing adequate protection, unless you have given explicit informed consent or the transfer is necessary for performance of a contract you have requested.
Your rights
Plain English: see your data, fix it, export it, delete it, or tell us to stop using it for something.
Under the Nigeria Data Protection Act 2023 you have the right to be informed about processing, to access the personal data we hold about you, to correct inaccurate or incomplete data, to delete data where retention is no longer lawful, to restrict processing in specific circumstances, to receive your data in a portable machine-readable format, to object to processing based on legitimate interests, and to withdraw consent at any time without affecting prior lawful processing.
To exercise a right, email dpo@mitax.ng from the address linked to your account. We verify your identity, respond within thirty calendar days, and do not charge for the first request in any twelve-month period.
If you are not satisfied with our response, you may complain to the Nigeria Data Protection Commission at ndpc.gov.ng.
Children
Plain English: MiTax is for people aged sixteen and over.
MiTax is not directed at children under sixteen. We do not knowingly create accounts for children under sixteen. If we learn that a child under sixteen has registered, we close the account and delete the data unless retention is required by law.
If you are a parent or guardian and you believe a child has registered without your consent, contact dpo@mitax.ng.
Security
Plain English: encryption everywhere, MFA available, and a written incident plan.
All data is encrypted in transit using TLS 1.3 and at rest using AES-256. Sensitive identifiers, including Tax Identification Number and Bank Verification Number, are stored using field-level encryption.
Access to production systems is gated by multi-factor authentication, hardware security keys for engineers, and least-privilege role assignment with quarterly review. All access is logged and audited.
We strongly recommend that you enable multi-factor authentication on your account, use a unique passphrase managed by a password manager, and verify the URL of any email link before signing in.
In the event of a data breach that is likely to result in risk to your rights and freedoms, we notify the Nigeria Data Protection Commission within seventy-two hours of discovery and notify affected users without undue delay.
Changes
Plain English: we will tell you when this changes.
We may update this Privacy Policy to reflect changes in our practices, the service, or applicable law. Material changes are announced at least fourteen days in advance by email and in-app banner. Non-material changes take effect on the date shown at the top of this page.
Contact
Plain English: privacy questions go to privacy@mitax.ng. Rights requests go to dpo@mitax.ng.
For general privacy questions, email privacy@mitax.ng. For requests under the Nigeria Data Protection Act, email our Data Protection Officer at dpo@mitax.ng.
Our registered office is Worllet Limited, Lagos, Nigeria. Read the related NDPA Compliance Statement for more detail on the Nigerian regime.