Z
ZUTAX Standards-Ready Invoicing

Last updated: February 13, 2026

Privacy Policy

Your privacy matters to us. This policy explains how ZUTAX collects, uses, stores, and protects your information.

1. Who We Are

ZUTAX ("we", "us", "our") is a Peppol-compliant e-invoicing platform operated by ZUTAX Technologies Ltd., registered in Nigeria. We provide cloud-based invoicing, credit note management, and tax compliance services to businesses of all sizes.

For questions about this policy, contact our Data Protection Officer at privacy@getzutax.com.

2. Information We Collect

We collect the following categories of information:

Account Information

  • Full name, email address, phone number
  • Business name, Tax Identification Number (TIN), RC number
  • Business address and contact details
  • Login credentials (passwords are hashed and never stored in plaintext)

Invoice & Transaction Data

  • Invoice details: amounts, line items, tax breakdowns, payment terms
  • Counterparty information (buyer/seller names, TINs, addresses)
  • Invoice Reference Numbers (IRNs) and digital signatures
  • Credit notes and dispatch records

Usage & Technical Data

  • IP address, browser type, device information
  • Pages visited, features used, timestamps
  • Error logs and performance data

3. How We Use Your Information

We use your information for the following purposes:

  • Service delivery: Creating invoices, generating IRNs, processing credit notes, and managing dispatches
  • Regulatory compliance: Submitting invoices to the Federal Inland Revenue Service (FIRS) via our Access Point Provider (Pasca) as required under the NRS e-invoicing framework
  • Peppol network operations: Transmitting and receiving invoices through the Peppol 4-corner model
  • Account management: Authentication, authorization, role-based access control, and tenant management
  • Communication: Sending transactional emails, compliance alerts, and service updates
  • Analytics & improvement: Understanding usage patterns to improve the platform
  • Security: Detecting fraud, abuse, and unauthorized access via audit logs

4. Legal Basis for Processing

We process your data under the following legal bases as permitted by the Nigeria Data Protection Act (NDPA) 2023:

  • Contract performance: Processing necessary to provide services you've subscribed to
  • Legal obligation: Compliance with FIRS/NRS e-invoicing requirements and tax record-keeping laws
  • Legitimate interest: Platform security, fraud prevention, and service improvement
  • Consent: Marketing communications and optional analytics (you can withdraw consent at any time)

5. Data Sharing & Third Parties

We share data with the following categories of recipients, only as necessary to operate the platform:

Regulatory Bodies

Invoice data is submitted to FIRS (Federal Inland Revenue Service) through our certified Access Point Provider as required by NRS regulations. This includes IRN signing, invoice validation, and fiscalization reporting.

Access Point Provider

We use Pasca as our Peppol-certified Access Point Provider to transmit and receive invoices on the Peppol network. Pasca processes invoice data solely for delivery and compliance purposes.

Infrastructure Providers

We use trusted cloud service providers to host our platform, store data, and deliver emails. These providers are contractually bound to protect your data and process it only on our instructions.

We never sell your personal data to third parties. We do not share your information with advertisers or data brokers.

6. Data Retention

We retain your data for the following periods:

  • Invoice & tax records: Minimum 6 years after the relevant tax year, as required by Nigerian tax law. FIRS/NRS regulations require a minimum 24-month retention for e-invoices.
  • Account data: For the duration of your account, plus 12 months after closure to handle any pending obligations.
  • Audit logs: 24 months from the date of the event.
  • Usage analytics: 12 months, in aggregated form.

You may request earlier deletion of non-regulatory data by contacting us. Data required for legal compliance cannot be deleted before the statutory retention period expires.

7. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

  • TLS encryption for all data in transit
  • AES-256 encryption for sensitive data at rest
  • Role-based access control (RBAC) with granular permissions
  • Cryptographic signing of invoices using FIRS-certified keys
  • Regular security assessments and penetration testing
  • Comprehensive audit logging of all system actions
  • Secure password hashing with industry-standard algorithms

8. Your Rights

Under the NDPA 2023, you have the following rights:

  • Right of access: Request a copy of the personal data we hold about you
  • Right to rectification: Request correction of inaccurate data
  • Right to erasure: Request deletion of your data (subject to legal retention requirements)
  • Right to restrict processing: Request that we limit how we use your data
  • Right to data portability: Receive your data in a structured, machine-readable format
  • Right to object: Object to processing based on legitimate interest
  • Right to withdraw consent: Withdraw consent for optional processing at any time

To exercise any of these rights, email us at privacy@getzutax.com. We will respond within 30 days.

9. International Data Transfers

Your data is primarily stored and processed within Nigeria. Where data is transferred to service providers outside Nigeria (e.g., cloud infrastructure), we ensure appropriate safeguards are in place, including contractual clauses that comply with NDPA requirements.

10. Cookies

We use cookies and similar technologies to operate the platform and improve your experience. For details on what cookies we use and how to manage them, see our Cookie Policy.

11. Children's Privacy

ZUTAX is a business platform and is not intended for individuals under 18. We do not knowingly collect personal data from children. If you believe a minor has provided us with personal data, please contact us immediately.

12. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes by email or by posting a notice on the platform at least 30 days before changes take effect. Your continued use of ZUTAX after the effective date constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

ZUTAX Technologies Ltd.

Data Protection Officer

Email: privacy@getzutax.com

Address: Victoria Island, Lagos, Nigeria

If you are unsatisfied with our response, you may lodge a complaint with the Nigeria Data Protection Commission (NDPC).