Privacy Policy

1. Who We Are

The data controller for your personal information is The Providence News Limited, a company incorporated in Nigeria (RC No. 1847291) with registered offices at 14 Bode Thomas Street, Surulere, Lagos 101245, Nigeria.

We operate a digital news platform accessible at theprovidencenews.com and related subdomains. Where we refer to “Services” in this policy, we mean all digital products, websites, applications, and newsletters operated by The Providence News.

For residents of the European Economic Area (EEA) and the United Kingdom, we act as a data controller under the EU General Data Protection Regulation (GDPR) and the UK GDPR respectively. Our EU representative is The Providence News Europe B.V., registered in the Netherlands.

2. Information We Collect

We collect information in three principal ways: information you provide directly, information collected automatically when you use our Services, and information received from third parties.

2.1 Information You Provide Directly

When you create an account, subscribe to our newsletter, submit a contact form, purchase a membership, or interact with editorial tools, you may provide us with:

• Full name and email address (required for account creation and newsletters)
• Password (stored in hashed, salted form — we never store plaintext passwords)
• Payment information (card details are processed by Stripe; we store only a tokenised reference and last-four digits)
• Billing address and country of residence (for tax and compliance purposes)
• Profile information such as job title or organisation (optional; used to personalise editorial communications)
• Correspondence you send to our editorial or support teams, including tip-offs, corrections, and complaints

2.2 Information Collected Automatically

When you access our Services, our servers and analytics infrastructure automatically record:

• Internet Protocol (IP) address and approximate geographic location derived from it
• Browser type, version, and operating system
• Referring URL and pages visited on our platform, including time spent on each page
• Device identifiers and screen resolution
• Search queries entered on our platform
• Scroll depth, click events, and reading progress (used to improve editorial product decisions)
• Date and time of access

2.3 Information from Third Parties

We may receive information about you from third-party sources including:

• Social sign-in providers (Google, Apple) if you choose to authenticate via these services
• Payment processors (Stripe) to confirm subscription status and detect fraud
• Our email service provider (Resend) to track delivery and open rates for transactional emails
• Public registries and databases where permitted by applicable law for journalistic verification purposes

3. How We Use Your Data

We use the personal information we collect exclusively for the following purposes. We do not use your data for profiling for advertising purposes, nor do we sell your data to any third party.

3.1 Providing and Improving Our Services

• Creating and maintaining your account and membership subscription
• Processing payments and managing billing via Stripe
• Delivering newsletters and editorial digests you have subscribed to
• Providing customer and subscription support
• Analysing aggregate, anonymised usage patterns to improve platform performance and editorial product decisions
• Debugging and resolving technical errors in our platform

3.2 Communications

• Sending transactional emails (account confirmations, password resets, receipts)
• Sending editorial newsletters where you have subscribed or where we have a legitimate interest as a subscriber
• Notifying you of material changes to these policies or your subscription
• Responding to your enquiries, corrections, or complaints

3.3 Legal and Compliance Obligations

• Complying with applicable law, court orders, or regulatory requirements
• Detecting, investigating, and preventing fraudulent transactions and abuse of our platform
• Enforcing our Terms of Service

4. Legal Basis for Processing (GDPR)

For readers located in the EEA or United Kingdom, we rely on the following legal bases under Article 6 of the GDPR:

• Contract performance: Processing necessary to provide Services you have subscribed to (Article 6(1)(b))
• Legitimate interests: Analytics, fraud prevention, and improving our editorial platform, where these interests are not overridden by your rights (Article 6(1)(f))
• Legal obligation: Processing required to comply with applicable law (Article 6(1)(c))
• Consent: Where we rely on consent (e.g., marketing emails beyond the transactional scope), you may withdraw consent at any time without affecting the lawfulness of prior processing

5. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to operate and improve our Services. A cookie is a small text file stored on your device. We use the following categories:

5.1 Strictly Necessary Cookies

These cookies are required for the platform to function and cannot be disabled. They include session authentication cookies (our internal tpn_token cookie) and security cookies (CSRF protection). These cookies contain no personally identifiable information beyond an encrypted session reference.

5.2 Analytics Cookies

We use a self-hosted, privacy-first analytics solution. Analytics cookies collect anonymised data on page views, session duration, and referral sources. We do not share raw analytics data with third parties. You may opt out of analytics tracking at any time via your account settings or by enabling the Do Not Track header in your browser.

5.3 Preference Cookies

These cookies store your preferences such as display mode (light/dark), saved articles, and newsletter category preferences. Disabling these cookies will result in your preferences not being saved between sessions.

5.4 Managing Cookies

You can control cookies through your browser settings. Note that disabling strictly necessary cookies will impair core platform functionality including login. A full list of cookies we set, including their names, purposes, and expiry periods, is available in our Cookie Declaration.

6. Third-Party Sharing

We do not sell your personal data. We do not share your personal information with advertising networks or data brokers. We share data with third parties only in the following limited circumstances:

6.1 Service Providers (Data Processors)

We engage the following categories of third-party processors who act strictly on our instructions and are bound by Data Processing Agreements:

• Payment processing: Stripe, Inc. (United States) — processes payment card data under PCI-DSS Level 1 certification
• Email delivery: Resend, Inc. — sends transactional and newsletter emails on our behalf
• Cloud infrastructure: Amazon Web Services (EU-West-1 region) — hosts our application and media storage
• Error monitoring: Sentry — receives anonymised error reports and stack traces for debugging

6.2 Legal Disclosure

We may disclose personal information if required to do so by law, court order, or governmental authority, or where we believe disclosure is necessary to prevent imminent harm or protect the rights of The Providence News or its readers. Where legally permitted, we will notify affected users before disclosure.

6.3 Business Transfers

In the event of a merger, acquisition, or sale of all or a portion of our assets, your personal information may be transferred as part of that transaction. We will notify you via email and a prominent notice on our platform at least 30 days before your information becomes subject to a different privacy policy.

7. Data Retention

We retain your personal information only for as long as necessary to fulfil the purposes described in this policy, or as required by applicable law:

• Account data: Retained for the duration of your account and for 3 years after account deletion (to comply with financial record-keeping obligations)
• Payment records: Retained for 7 years as required by Nigerian tax law and applicable financial regulations
• Newsletter subscription data: Retained until you unsubscribe, plus a 90-day grace period
• Contact form submissions: Retained for 2 years unless the matter requires ongoing correspondence
• Server logs: Automatically purged after 90 days
• Analytics data: Stored in anonymised, aggregated form indefinitely; raw session data is purged after 13 months

When data is no longer required, it is securely deleted or anonymised. You may request earlier deletion of your data subject to our legal retention obligations (see Section 8 — Your Rights).

8. Your Rights

Depending on your jurisdiction, you may have the following rights in relation to your personal data:

• Right of access: Obtain a copy of the personal data we hold about you
• Right to rectification: Request correction of inaccurate or incomplete personal data
• Right to erasure ("right to be forgotten"): Request deletion of your personal data, subject to our legal obligations
• Right to data portability: Receive your personal data in a structured, machine-readable format
• Right to restrict processing: Request that we pause processing of your data in certain circumstances
• Right to object: Object to processing based on legitimate interests at any time
• Right to withdraw consent: Where processing is based on consent, withdraw it at any time without penalty
• Right to lodge a complaint: File a complaint with your national data protection authority

To exercise any of these rights, please contact our Data Protection Officer at privacy@theprovidencenews.com. We will respond within 30 days. We may need to verify your identity before processing your request.

9. Data Security

We implement industry-standard technical and organisational security measures to protect your personal information, including:

• Encryption in transit via TLS 1.3 for all data transmitted between your browser and our servers
• Encryption at rest for databases containing personal data using AES-256
• Bcrypt hashing with a minimum cost factor of 12 for all stored passwords
• Role-based access controls limiting employee access to personal data on a strict need-to-know basis
• Multi-factor authentication required for all staff with access to production systems
• Regular independent security audits and penetration testing

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay, in accordance with GDPR Article 33 and 34.

10. Children's Privacy

Our Services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a person under 16, we will take immediate steps to delete that data. If you believe a child has provided us with personal data, please contact us at privacy@theprovidencenews.com.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in law, our data practices, or our Services. When we make material changes, we will:

• Update the "Last Updated" date at the top of this page
• Send a notification email to all registered users at least 14 days before the changes take effect
• Display a prominent notice on our platform for 30 days following the effective date of any material change

Continued use of our Services after the effective date of any change constitutes your acceptance of the revised policy. If you do not agree to the revised policy, you may delete your account at any time.

12. Contact Us

If you have any questions, concerns, or requests relating to this Privacy Policy or our data practices, please contact our Data Protection Officer:

If you are located in the EEA or UK and believe we have not addressed your concern satisfactorily, you have the right to lodge a complaint with your national Data Protection Authority. In Nigeria, the relevant authority is the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng.