# Subject rights — ZevID

How ZevID fulfils each user right granted by the NDPA (§34–§38):

| Right | What it means | NDPC clock |
|---|---|---|
| Access | Get a copy of personal data we hold | 30 days |
| Rectification | Correct inaccurate data | 30 days |
| Erasure | Delete personal data (subject to legal-retention carve-outs) | 30 days |
| Restriction | Halt processing pending a dispute | Immediate |
| Portability | Receive a structured, machine-readable copy | 30 days |
| Objection | Object to processing based on legitimate interest or for marketing | Immediate |
## Routing
All subject-rights requests are routed through the Data Protection Officer at dpo@zevop.com. The DPO acknowledges the request, verifies the requester's identity (typically by confirming control of the account's verified email), and coordinates the technical fulfilment with engineering.
## Per-right behaviour for ZevID

### Access
The DPO requests an export from engineering. The export bundles every category of personal data tied to the user's accountId — profile, phones (decrypted E.164), security settings, MFA enrolment state (booleans only; secrets and recovery-code hashes are not returned), KYC outcome, login events, active sessions, product enrollments, ZPIP scope grants, Zev Credit grants + transaction history, referrals + referral codes. Delivered as a JSON bundle to the user's verified email.
### Rectification
User self-edit in the account portal:
- First name, last name (Profile page).
- Display picture (Profile page).
- Phone numbers (Security → Phones — add or remove; the user removes the old number and adds a new one rather than editing in place).
- All Security tabs (MFA, geo rules, allowed IPs, app passwords).
Email-address change and KYC-verified-name change are handled by the DPO route — both require re-verification.
### Erasure
Routed via the DPO. The DPO assesses regulatory carve-outs (financial records under CBN's 7-year rule; KYC records retained for 7 years in anonymised form). Engineering executes the deletion under the DPO's direction. Standard cascade rules:
- Hard-delete: `accounts`, `account_phones`, `account_geo_rules`, `account_allowed_ips`, `account_app_passwords`, `sessions`, `otps`, `authorization_codes`, `product_authorizations`, `product_enrollments`, `zpip_consent_requests`, `referrals`, `referral_codes`, `invites` linked to this account.
- Anonymise + retain (7 years): `kyc_verifications` — clear `verified_first_name`/`verified_last_name`; retain `bvn_hash`/`nin_hash`/`face_match`/`verified_at` for AML lookup.
- Retain (7 years): `credit_grants` + `credit_transactions` + `credit_transaction_lines` — financial records under CBN retention.
- Retain (audit): `admin_audit_logs`, `zpip_token_log`.

The `user.account.deleted` webhook fires so that each Zev product mirrors the deletion in its own systems.
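As an added illustration of the cascade above (example code, not ZevID's own implementation): a Python sketch that applies the hard-delete, anonymise and retain rules for one account in a single SQLite transaction, records the admin action, and returns the webhook payload. The `account_id` column name, the one-column demo schema and the sample rows are assumptions made for this example.

```python
import sqlite3

# Table names come from the page's cascade rules; the account_id column and the
# one-column-per-table demo schema are assumptions made for this example.
HARD_DELETE = ["account_phones", "account_geo_rules", "account_allowed_ips",
               "account_app_passwords", "sessions", "otps", "authorization_codes",
               "product_authorizations", "product_enrollments",
               "zpip_consent_requests", "referrals", "referral_codes", "invites"]
RETAIN = ["credit_grants", "credit_transactions", "credit_transaction_lines", "zpip_token_log"]


def open_demo_db():
    """In-memory SQLite with constructed sample rows for two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, email TEXT)")
    for t in HARD_DELETE + RETAIN:
        conn.execute(f"CREATE TABLE {t} (account_id TEXT, payload TEXT)")
    conn.execute("CREATE TABLE kyc_verifications (account_id TEXT, verified_first_name TEXT, "
                 "verified_last_name TEXT, bvn_hash TEXT, nin_hash TEXT, face_match REAL, verified_at TEXT)")
    conn.execute("CREATE TABLE admin_audit_logs (actor TEXT, action TEXT, target TEXT)")
    conn.executescript("""
        INSERT INTO accounts VALUES ('acc-1', 'a@example.com'), ('acc-2', 'b@example.com');
        INSERT INTO account_phones VALUES ('acc-1', '+2348000000001'), ('acc-2', '+2348000000002');
        INSERT INTO sessions VALUES ('acc-1', 'sess-1');
        INSERT INTO kyc_verifications VALUES ('acc-1', 'Ada', 'Obi', 'bvn-hash-1', 'nin-hash-1', 0.97, '2024-01-01');
        INSERT INTO credit_grants VALUES ('acc-1', 'grant-1');
    """)
    return conn


def erase_account(conn, account_id, actor):
    """Run the erasure cascade for one account as a single transaction."""
    # Table names are taken only from the fixed allow-lists above, never from input.
    with conn:  # commits on success, rolls back if any statement fails
        for t in HARD_DELETE:
            conn.execute(f"DELETE FROM {t} WHERE account_id = ?", (account_id,))
        conn.execute("DELETE FROM accounts WHERE id = ?", (account_id,))
        # Anonymise + retain: clear the verified names, keep hashes/face_match/verified_at for AML lookup
        conn.execute("UPDATE kyc_verifications SET verified_first_name = NULL, verified_last_name = NULL "
                     "WHERE account_id = ?", (account_id,))
        # RETAIN tables are deliberately untouched; the execution is recorded as an admin action
        conn.execute("INSERT INTO admin_audit_logs VALUES (?, 'account.erase', ?)", (actor, account_id))
    # Payload for the user.account.deleted webhook that downstream products consume
    return {"event": "user.account.deleted", "accountId": account_id}


def rows_for(conn, table, account_id):
    """Count the rows a table still holds for an account (verification helper)."""
    col = "id" if table == "accounts" else "account_id"
    return conn.execute(f"SELECT COUNT(*) FROM {table} WHERE {col} = ?", (account_id,)).fetchone()[0]
```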
### Restriction
When a user disputes processing, the DPO instructs engineering to flag the account; secondary processing is paused for the duration of the dispute.
### Portability
Same payload as the Access request, delivered in the same JSON format. JSON satisfies NDPA §37's "structured, commonly used, and machine-readable" requirement.
### Objection
- Marketing: ZevID does not run marketing communications; nothing to object to here. Each product runs its own marketing flows — objection lives in that product's section.
- Login notifications: user-controlled toggle in Security → Preferences.
- Legitimate-interest objection: the DPO evaluates case-by-case under NDPA's balancing test.
## Audit

Subject-rights requests are logged by the DPO. Engineering's technical execution lands in `admin_audit_logs` as an admin action.