1. Introduction

GRUU Diamond Ltd (“We,” “Us,” “Our,” or “Company”) is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, store, share, and protect personal information when you visit our website (gruudn.com), use our services, make purchases through our shop, book appointments, or otherwise interact with us.

This policy is issued in accordance with the Nigeria Data Protection Regulation (NDPR) 2019, the Nigeria Data Protection Act (NDPA) 2023, and applicable international best practices including the General Data Protection Regulation (GDPR) where relevant to data subjects located in the European Economic Area.

By using our website or engaging our services, you confirm that you have read and understood this Privacy Policy. If you do not agree with its terms, please do not use our website or services.

2. Who We Are (Data Controller)

GRUU Diamond Ltd is the Data Controller for personal data collected through this website and in connection with our services.

If you have any questions about how we handle your personal data, or wish to exercise any of your rights under this policy, please use the form on the contact us page or send an email to our support team.

3. What Personal Data We Collect

We collect personal data in the following categories depending on how you interact with us:

3.1 Website Enquiries & Contact Forms

  • Full name
  • Email address
  • Phone number (if provided)
  • Company name and job title (if provided)
  • The content of your message or enquiry

3.2 Growth Assessment & Consultation Forms

  • Full name and contact details
  • Business name, industry, and size
  • Current IT infrastructure details
  • Business challenges, goals, and pain points as described by you
  • SAP system usage and maturity information (if applicable)
  • Any other information you voluntarily provide in the assessment form

3.3 Appointment Booking

  • Full name and email address
  • Phone number (if provided)
  • Preferred date, time, and type of consultation
  • Any pre-appointment notes or questions submitted
  • If booking is processed through a third-party tool, that platform’s own privacy policy also applies.

3.4 ECommerce Shop & Purchases

  • Full name and billing address
  • Email address and phone number
  • Payment card details (processed securely by our payment gateway — we do not store card data)
  • Purchase history and transaction records
  • IP address and browser information at time of purchase

3.5 Newsletter & Marketing Signups

  • Email address
  • First name (if provided)
  • Subscription preferences and communication opt-ins

3.6 Live Chat

  • Name and email address (if provided during chat)
  • The content of your chat conversation
  • Device type, browser, and IP address
  • Chat data is processed by our live chat provider. Their privacy policy also applies.

3.7 Automatically Collected Data (Analytics & Cookies)

  • IP address and approximate location
  • Browser type, version, and operating system
  • Pages visited, time spent on pages, and navigation paths
  • Referral source (how you arrived at our website)
  • Device type and screen resolution

This data is collected via cookies and analytics tools. Please refer to our Cookie Policy for full details.

4. How We Use Your Personal Data

We use your personal data for the following purposes, each underpinned by a lawful basis under the NDPR and NDPA:

4.1 Providing & Managing Our Services (Contractual Necessity)

  • Processing quotes, invoices, and payments
  • Delivering digital products and project deliverables
  • Scheduling and managing appointments and consultations
  • Communicating about your project, scope of work, or support needs
  • Issuing receipts, statements, and financial records

4.2 Business Operations & Legal Compliance (Legitimate Interest / Legal Obligation)

  • Maintaining accurate financial and project records
  • Complying with Nigerian tax law, FIRS requirements, and VAT obligations
  • Detecting and preventing fraud, abuse, or unauthorised access
  • Responding to legal requests, court orders, or regulatory enquiries
  • Enforcing our Terms and Conditions and contractual rights

4.3 Communication & Marketing (Consent / Legitimate Interest)

  • Responding to your enquiries and messages
  • Sending service-related updates and notifications
  • Sending marketing emails, newsletters, or service announcements where you have opted in
  • Conducting client satisfaction follow-ups

You may withdraw your consent to marketing communications at any time by clicking “Unsubscribe” in any email or contacting us at hello@gruudn.com.

4.4 Website Improvement & Analytics (Legitimate Interest)

  • Understanding how visitors use our website
  • Identifying and fixing technical issues
  • Improving the content, structure, and performance of our website
  • Measuring the effectiveness of our marketing and content

5. Lawful Bases for Processing

Under the NDPR 2019 and NDPA 2023, we rely on the following lawful bases for processing your personal data:

  • Consent: For newsletter signups, marketing communications, and non-essential cookies. You may withdraw consent at any time.
  • Contractual Necessity: For processing enquiries, quotes, invoices, payments, and service delivery.
  • Legal Obligation: For tax record-keeping, financial reporting, and compliance with Nigerian law.
  • Legitimate Interests: For analytics, fraud prevention, and improving our services, where these interests are not overridden by your rights.

6. Who We Share Your Data With

We do not sell, rent, or trade your personal data. We share your data only in the following limited circumstances:

6.1 Service Providers & Processors

We engage trusted third-party service providers who process data on our behalf. All processors are contractually bound to handle your data securely and only for the purposes we specify:

  • [PAYMENT GATEWAY] — payment processing
  • [EMAIL PLATFORM] — newsletter and marketing emails
  • [BOOKING TOOL] — appointment scheduling
  • [LIVE CHAT TOOL] — website live chat
  • Google LLC — Google Analytics (website analytics), Google Search Console, Google Workspace (email and document storage)
  • Automattic Inc. — WordPress and WooCommerce platform hosting and ecommerce infrastructure
  • [HOSTING PROVIDER] — website hosting and server infrastructure

6.2 Legal & Regulatory Disclosure

We may disclose your personal data to regulatory authorities, law enforcement agencies, or courts where required by Nigerian law or a valid legal order.

6.3 Business Transfers

In the event of a merger, acquisition, or sale of all or part of GRUU Diamond Ltd, your personal data may be transferred to the successor entity. We will notify you of any such transfer and your rights in that context.

7. International Data Transfers

Some of our third-party service providers are based outside Nigeria, including in the United States and the European Union. Where your personal data is transferred outside Nigeria, we ensure that appropriate safeguards are in place in accordance with the NDPR and NDPA, including:

  • Transfers to countries with adequate data protection laws as recognized by the Nigeria Data Protection Commission (NDPC)
  • Standard contractual clauses or data processing agreements with service providers
  • Transfers to providers certified under recognized international frameworks (e.g. EU-US Data Privacy Framework)

The primary international processors involved are Google LLC (United States) and Automattic Inc. (United States), both of which maintain GDPR-compliant data processing agreements.

8. How Long We Keep Your Data

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by Nigerian law:

  • Client project records, invoices, and financial documents: 5 years from project completion, in line with Nigerian tax and financial record-keeping requirements.
  • Enquiry and contact form data: 12 months from last contact, unless the enquiry converts to a client engagement.
  • Growth assessment form submissions: 12 months from submission, or for the duration of the client relationship.
  • Appointment records: 12 months from the appointment date.
  • Newsletter and marketing subscriptions: Until you unsubscribe or withdraw consent.
  • Analytics data: As configured in our analytics platform (typically 14 months for Google Analytics).
  • Live chat transcripts: As configured in our live chat platform, typically 6–12 months.

Upon expiry of the applicable retention period, data will be securely deleted or anonymised.

9. Your Data Protection Rights

Under the NDPR 2019 and NDPA 2023, you have the following rights in relation to your personal data:

  • Right of Access: You may request a copy of the personal data we hold about you.
  • Right to Rectification: You may request correction of inaccurate or incomplete personal data.
  • Right to Erasure: You may request deletion of your personal data where we no longer have a lawful basis to retain it.
  • Right to Restrict Processing: You may request that we limit the processing of your data in certain circumstances.
  • Right to Data Portability: You may request your data in a structured, machine-readable format where processing is based on consent or contract.
  • Right to Object: You may object to processing based on legitimate interests or for direct marketing purposes.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us in writing at hello@gruudn.com. We will respond within 30 days. We may need to verify your identity before processing your request.

If you are dissatisfied with our response, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, alteration, or disclosure. These measures include:

  • SSL/TLS encryption for all data transmitted via our website
  • Secure access controls and password policies for internal systems
  • Limited access to personal data on a need-to-know basis
  • Regular security reviews of our WordPress and WooCommerce installation
  • Use of reputable, security-audited third-party processors

While we take all reasonable steps to protect your data, no method of transmission over the internet is entirely secure. We cannot guarantee absolute security but commit to notifying you and the NDPC promptly in the event of a data breach that is likely to result in a risk to your rights and freedoms, in accordance with our obligations under the NDPA 2023.

11. Children’s Privacy

Our website and services are directed exclusively at businesses and professionals. We do not knowingly collect personal data from individuals under the age of 18. If you believe a minor has provided us with personal data, please contact us at hello@gruudn.com and we will delete it promptly.

12. Third-Party Links

Our website may contain links to third-party websites, tools, or resources. This Privacy Policy applies only to gruudn.com. We are not responsible for the privacy practices of any third-party sites and encourage you to review their privacy policies before providing any personal data.

13. Cookies

Our website uses cookies and similar tracking technologies to improve your browsing experience, analyze website traffic, and support our marketing activities. For full details of the cookies we use, the purposes they serve, and how to manage your preferences, please refer to our Cookie Policy available at gruudn.com/cookie-policy.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal obligations, or the services we offer. Material changes will be communicated by email to active clients and/or by a prominent notice on our website at least 14 days before taking effect. The effective date at the top of this document will always reflect the date of the most recent update.

15. Contact & Complaints

For any questions, requests, or concerns regarding this Privacy Policy or the handling of your personal data, please use the form on the contact us page.