Terms & Privacy

In plain language

VIAS is a data-analysis assistant built for the National Population Commission (NPC) to decentralise access to civil registration insights across Nigeria. It stores your chats so we can improve the AI. We follow the Nigeria Data Protection Act (NDPA) 2019. You have rights, and we explain them below.

1. About VIAS

The VitalReg Intelligent Analytics System (VIAS) is an AI-powered analytics platform purpose-built for Nigeria's National Population Commission (NPC). It forms part of an innovation initiative to decentralise data analysis from a small team of data scientists in Abuja headquarters to programme officers, state directors, DCRs, and field staff across the 36 states and the Federal Capital Territory.

VIAS provides real-time, natural-language access to the VitalReg CRVS database, allowing authorised NPC staff and government partners to query birth and death registration statistics, generate structured reports, and monitor programme performance — without writing a single line of SQL.

2. Data Controller & Contact

For the purposes of the NDPA, the data controller is:

National Population Commission (NPC)
Plot 2031 Olusegun Obasanjo Way, Wuse Zone 7, Abuja, Nigeria
Website: nationalpopulation.gov.ng

VIAS is developed and maintained by:

Ibukunoluwa Omonijo — VIAS Developer & System Architect
Email: billibukun@gmail.com
Role: Technical lead for development, deployment, and security of the VIAS platform

3. Legal Basis for Processing

Under the NDPA, your data is processed on the following lawful bases:

Consent — You explicitly accept this notice before using the platform.
Public interest — Processing is necessary for the performance of NPC's statutory duties relating to civil registration and vital statistics.
Legitimate interest — Administrative oversight, fraud prevention, and service improvement by authorised staff.

4. Categories of Personal Data We Process

We collect only the data needed to operate the service:

Identity & Account Data

Full name, username, work email, phone number, job title, organisation, state of assignment, role, and password hash.

Usage & Interaction Data

Chat conversations, AI-generated documents, tool calls executed on your behalf, query parameters, response contents, and file generation history.

Technical Data

IP address, browser user-agent, device information, session timestamps, authentication events.

VitalReg Data (accessed on your behalf)

When you query the system, VIAS retrieves data from the VitalReg CRVS database per your organisation's access scope. This includes aggregated registration statistics and (where your role authorises it) individual registration records.

5. Purposes of Processing

Your data is used strictly to:

Authenticate and authorise your access to the platform
Execute the queries you submit and return results to you
Maintain audit trails for security, compliance, and accountability
Review chats internally to improve AI-response accuracy and fix failing tools
Generate anonymous, aggregated statistics for NPC leadership reporting
Detect and investigate misuse, unauthorised access, or policy violations
Enforce state-access restrictions and PII scoping rules

Your data is NOT used to train any third-party AI model, sold, or shared with external commercial entities.

6. How Admins Use Your Conversations

Authorised VIAS administrators may review your chat conversations only for these purposes:

Identifying incorrect AI responses and correcting the underlying instructions
Detecting failed tool calls and fixing data-retrieval errors
Flagging conversations for structured review with written admin notes
Enforcing acceptable-use policy where warranted

When an administrator views your conversation, the system automatically masks personally identifiable information (NINs, phone numbers, email addresses) unless the admin has explicit superadmin clearance.

7. Data Scoping & Access Control

Access to personal data is enforced at the API layer through organisation profiles:

Each organisation has a defined list of states it may access
PII access (names, addresses, identifiers) is scoped per organisation
Tool visibility and rate limits are enforced per profile
Every API call is logged with the requesting user, tool, parameters, and timestamp

8. Data Retention

Data Type	Retention Period
Chat conversations	90 days after last activity
Generated files (CSV, charts)	30 days from creation
Documents & reports	Retained until user-initiated deletion
Admin audit logs	12 months (extended as legally required)
Consent records	Retained for the lifetime of the account + 3 years
Account data	Retained while account is active; deleted within 30 days of account closure

9. Your Rights Under the NDPA

You have the following rights with respect to your personal data:

Right of access — Request a copy of the personal data we hold about you.
Right to rectification — Correct inaccurate or incomplete data.
Right to erasure ("right to be forgotten") — Request deletion of your data, subject to legal retention obligations.
Right to restrict processing — Temporarily limit how we process your data pending investigation.
Right to data portability — Receive your data in a structured, commonly used, machine-readable format.
Right to object — Object to processing based on legitimate interests.
Right to withdraw consent — At any time, without affecting lawful processing already performed.
Right to lodge a complaint — With the Nigeria Data Protection Commission (NDPC) if you believe your rights have been violated.

To exercise these rights, contact your organisation administrator or the VIAS developer at billibukun@gmail.com. We will respond within 30 days.

10. Security Measures

We implement the following technical and organisational safeguards:

All network traffic is encrypted end-to-end using TLS 1.2+
Passwords are stored as one-way PBKDF2-SHA256 hashes with per-user salt
Sessions expire automatically after 30 minutes of inactivity
Database access requires OpenVPN authentication on a closed government network
Every privileged action is logged with user, timestamp, IP address, and user-agent
API access is rate-limited per organisation to prevent abuse
Personal data is pseudonymised in non-production environments
Full daily encrypted backups of system metadata (chat database)

11. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Nigeria Data Protection Commission within 72 hours of becoming aware of the breach, as required by the NDPA. Where the risk is high, affected users will be notified directly without undue delay.

12. Cross-Border Data Transfer

Primary processing occurs on infrastructure hosted in Nigeria where available. Where AI processing requires the use of foreign-hosted services (e.g. Google Gemini for natural-language responses), only the minimum necessary query text and aggregate numerical results are transmitted, and no individual-level PII is shared. All such transfers are subject to the recipient's own enterprise-grade security controls and are subject to the safeguards outlined in Section 41 of the NDPA 2023 (Cross-Border Transfer of Personal Data).

13. Cookies & Tracking

VIAS uses only session cookies strictly necessary for authentication and security. We do not use third-party analytics trackers, advertising cookies, or behavioural profiling. No tracking pixels are embedded in emails.

14. Acceptable Use

Your use of VIAS must comply with the following:

Use only for authorised CRVS and programme-related work
Do not share your credentials with unauthorised persons
Do not attempt to circumvent state-access or PII restrictions
Do not submit queries unrelated to your official duties
Do not attempt to reverse-engineer, probe, or attack the system
Report suspicious activity immediately to your administrator

Violations may result in account suspension and referral to appropriate disciplinary or legal processes.

15. Children's Data

VIAS processes records of children registered under the civil registration system. Access to such records is strictly limited to authorised officers fulfilling their legal duties, governed by the Child Rights Act 2003 and the Compulsory Registration of Births and Deaths Act (Decree No. 69 of 1992). VIAS applies enhanced PII masking on records of minors by default.

16. Automated Decision-Making

VIAS uses AI to generate analytical responses, but does not make automated decisions that produce legal effects concerning you. The AI is a decision-support tool; all operational, administrative, and programmatic decisions remain with authorised human personnel.

17. Changes to This Notice

This Data Privacy Notice may be revised to reflect new features, regulatory updates, or organisational changes. When the version number is incremented, you will be required to review and re-accept the updated notice at your next login. Historical versions are archived and available on request. Current version: 1.0.

18. Complaints & Grievance

If you believe your data is being processed unlawfully, you may:

Contact your organisation administrator in the first instance
Email the VIAS developer at billibukun@gmail.com — a response will be provided within 30 days
If unresolved, escalate to NPC's Data Protection Officer via nationalpopulation.gov.ng
As a last resort, file a complaint with the Nigeria Data Protection Commission (NDPC)

Legal References

Nigeria Data Protection Act (NDPA) 2023
Nigeria Data Protection Commission (NDPC) General Application and Implementation Directive 2025
Births, Deaths Etc. (Compulsory Registration) Act Cap B9, Laws of the Federation of Nigeria 2004 (formerly Decree No. 69 of 1992)
Constitution of the Federal Republic of Nigeria 1999 (as amended) — Section 37 (right to private life)
Child Rights Act 2003

Questions?

For anything related to this notice, your data, platform features, or technical issues, please contact the VIAS developer:

Ibukunoluwa Omonijo
VIAS Developer & System Architect
billibukun@gmail.com

By accepting this notice, you confirm that you have read, understood, and agree to these terms.

Terms of Use & Data Privacy Notice