Last Updated: February 3, 2026

HRMS Privacy Notice and Data Protection Policy

Effective Date: February 3, 2026

Your privacy is important to us. This policy explains how we collect, use, protect, and share personal information on behalf of our subscribing organizations.

B2B Platform Notice: Machi Kunzult HRMS is a business-to-business (B2B) platform. We provide HR management services to subscribing organizations (businesses), who are our direct customers. Employee data is collected and processed on behalf of these organizations, who determine the purposes and means of processing. Organizations are responsible for obtaining employee consent and managing employee data rights.

1. Introduction to HRMS Privacy Policy

Machi Kunzult Ltd (“we,” “our,” or “the Company”) operates a business-to-business (B2B) Human Resource Management System (HRMS) platform. We provide HR management software services to Nigerian businesses and organizations (“Subscribing Organizations” or “Organizations”), who are our direct customers.

As a B2B SaaS provider, we process employee data on behalf of and under the instructions of our Subscribing Organizations. The Organizations are the data controllers who determine the purposes and means of processing their employees' personal data, while we act as the data processor providing the technical platform and services.

This Privacy Notice explains how we, as a data processor, handle personal information within our HRMS platform, which includes modules for payroll processing, attendance tracking, leave management, performance reviews, recruitment, document management, and financial accounting.

1.1 Our Role and Responsibilities

Subscribing Organizations (Data Controllers)

  • Determine purposes for processing employee data
  • Obtain employee consent where required
  • Handle employee data rights requests
  • Ensure lawful basis for data processing
  • Responsible for data protection compliance

Machi Kunzult HRMS (Data Processor)

  • Process data per organization instructions
  • Implement technical and security measures
  • Provide platform tools and features
  • Assist with data protection obligations
  • Maintain data security and confidentiality

1.2 HRMS Privacy Policy Interpretation

In this Privacy Notice:

  • “Machi Kunzult Ltd,” “Machi Kunzult,” “we,” “us,” or “our” refers to Machi Kunzult Ltd, the B2B SaaS platform provider.

  • “HRMS” or “the Platform” refers to our Human Resource Management System software service.

  • “Subscribing Organization” or “Organization” refers to businesses that subscribe to our HRMS platform to manage their workforce. These are our direct customers and act as data controllers.

  • “Employee” or “End User” refers to individuals whose data is processed through our platform by their employer (the Subscribing Organization).

  • “Personal Information” refers to any information that identifies or can be used to identify an individual, collected and processed on behalf of Subscribing Organizations.

  • “Sensitive Personal Information” includes financial data, health information, biometric data, and government-issued IDs processed through our platform.

1.3 HRMS Privacy Standards

At Machi Kunzult, we adhere to the following privacy principles:

  • a. Transparency: We clearly communicate what data we collect on behalf of organizations, how we process it, and who has access to it.

  • b. Security First: We implement enterprise-grade security measures to protect data entrusted to us by our B2B clients.

  • c. Data Minimization: Our platform is designed to collect only data necessary for HR services as configured by Subscribing Organizations.

  • d. Legal Compliance: Our practices align with the Nigeria Data Protection Act (NDPA) 2023, serving as a compliant data processor.

  • e. Organizational Control: We empower Subscribing Organizations with tools to manage their employees’ data according to their policies and legal obligations.

  • f. Purpose Limitation: We process personal data only as instructed by Subscribing Organizations and for the purposes they have defined.

  • g. Contractual Obligations: We maintain Data Processing Agreements with all Subscribing Organizations outlining our processing obligations.

2. Information Collected on Behalf of Organizations

Our HRMS platform is configured by Subscribing Organizations to collect various categories of employee information necessary for HR management services. Organizations determine what data to collect based on their business needs and legal requirements.

Important: The actual data collected for any specific employee is determined by their employer (the Subscribing Organization). Machi Kunzult provides the platform capabilities, but organizations decide which fields to use and what information to enter.

| Category | Available Fields | Employee Types | Purpose |
|---|---|---|---|
| 1. Normal Employee Data | Full Name, Date of Birth, Gender, Marital Status, Address, Phone, Email, Emergency Contacts, Passport Photo | Normal, Contract | Employee profile management, communication |
| 2. Guard-Specific Data * (Org Configured) | NIN, BVN, Beat Location, Coordinator, Verification Status, Uniform Details, Date of Joining as Guard | Guard | Security personnel management as configured by organization |
| 3. Casual Worker Data * (Limited) | Basic Identification, Contact Info, Work Details (Limited statutory deductions) | Casual | Temporary workforce management |
| 4. Financial & Payroll Data | Salary Structure, Bank Details, Pension Fund Administrator, RSA PIN, Tax Information, Loan Records | Normal, Contract | Payroll processing as instructed by organization |
| 5. Attendance & Location Data | Clock-in/out Times, GPS Location, Biometric Data, Work Hours, Overtime, Geofence Data, Trust Scores | All | Attendance tracking if enabled by organization |
| 6. Performance & Productivity | Performance Reviews, KPI Scores, URL Logs, Productivity Scores, YouTube Usage, Website Activity | Normal | Performance management if enabled by organization |

3. Employee Type Specific Processing

Our platform supports different employee types, allowing Subscribing Organizations to configure appropriate data collection and processing rules:

Organization Decision: The Subscribing Organization determines which employee types to use and what data requirements apply to each type. We provide the technical capabilities; they make the policy decisions.

3.1 Guard Data Processing (When Configured)

For organizations in the security industry, our platform supports enhanced verification features for guards. Organizations can configure:

  • NIN (National Identification Number) and BVN verification for identity confirmation
  • Beat location assignment and coordinator tracking for field deployment
  • Uniform and equipment inventory linked to individual guards
  • Verification status tracking (pending, verified, suspended)
  • Attendance tied to assigned client sites with GPS geofencing

3.2 Normal & Contract Employee Processing

Standard employees and contract staff have access to the full suite of HRMS modules as configured by the organization, including:

  • Full payroll processing with NTA 2025 statutory deductions (PAYE, Pension, NHF, NSITF, NHIS, ITF)
  • Leave management including annual, sick, maternity/paternity leave
  • Performance appraisals, KPI tracking, and 360° reviews
  • Training and development records
  • Document management — contracts, certificates, IDs

3.3 Casual Worker Processing (Limited)

Casual workers are processed with a simplified data profile. Organizations configure limited statutory deductions appropriate for casual/temporary staff:

  • Basic identification and contact details only
  • Daily or weekly wage calculation without full pension enrollment
  • Simplified attendance tracking
  • No performance appraisal or leave accrual modules

4. How We Process Data on Behalf of Organizations

As a data processor, we process personal information only as instructed by Subscribing Organizations through their use of our platform. Our processing activities include:

Processing Instructions: All data processing is performed according to the Organization's instructions as configured in our platform. Organizations control what features to enable and how employee data is used.

4.1 Payroll Processing Services

Process payroll calculations, statutory deductions (PAYE, Pension, NHF, NSITF, NHIS, ITF), and generate payslips as configured by the Organization according to their payroll policies and Nigerian statutory requirements including NTA 2025.

4.2 Attendance & Leave Management

Record and report employee clock-in/out data, GPS locations, overtime, and manage leave requests, balances, and approvals — all as configured and enabled by the Organization.

4.3 Performance Management

Facilitate appraisal cycles, KPI tracking, 360-degree feedback, and goal management as set up by the Organization for their workforce.

4.4 Recruitment & Onboarding

Support the Organization's hiring process: job posting, candidate application collection, automated scoring, shortlisting, interview scheduling, and digital onboarding workflows.

4.5 Document Management

Store and manage employee documents (contracts, certificates, IDs, policies) securely in the platform on behalf of the Organization, with role-based access controls.

4.6 Bulk Salary Disbursement

Process wallet-powered bulk salary transfers to employees' bank accounts as authorized by the Organization, with real-time status tracking and retry logic.

5. Data Security and Protection Measures

As a B2B SaaS provider entrusted with our clients' employee data, we implement enterprise-grade security measures across all layers of our infrastructure:

5.1 Technical Security Measures

  • Encryption: All data encrypted in transit (TLS 1.2+) and at rest (AES-256). Payroll and financial data receive additional encryption layers.

  • Access Control: Role-based access control (RBAC) with 15 distinct permission levels. Multi-factor authentication (MFA) available for all admin accounts.

  • Infrastructure Security: Regular security audits, penetration testing, and vulnerability assessments. DDoS protection and Web Application Firewall (WAF).

  • Data Backup: Automated daily backups with point-in-time recovery. Backups stored in geographically separate locations with encryption.

5.2 Organisational Security Measures

  • Staff undergo mandatory data protection training and are bound by confidentiality agreements
  • Access to production data is restricted to authorized personnel only, on a need-to-know basis
  • All data access and modifications are logged in immutable audit trails
  • We maintain an incident response plan and notify affected Organizations within 72 hours of a confirmed breach
  • Regular internal security reviews and third-party audits are conducted

Shared Responsibility: While we implement robust technical and organisational security measures, Subscribing Organizations are responsible for managing user access within their account, enforcing strong password policies for their administrators, and promptly revoking access for departed employees.

6. Data Sharing and Sub-Processing

We do not sell or share employee data for marketing purposes. As a data processor, we only share data in the following circumstances:

6.1 Access by Subscribing Organizations

The Subscribing Organization (your employer) has full access to employee data they have entered into our system, controlled by role-based permissions they configure. Different HR roles (org_admin, hr_manager, payroll_officer, etc.) have tiered access levels defined by the organization.

6.2 Sub-Processors (Service Providers)

We engage carefully vetted sub-processors to support platform operations. All sub-processors are bound by data protection agreements:

  • Payment Processing: Secure payment gateways for bulk salary disbursements and subscription billing

  • Cloud Infrastructure: Secure hosting providers for platform operation and data storage

  • Communication Services: Email and SMS providers for payslip delivery, OTPs, and notifications

  • Analytics Services: Anonymised, aggregated platform usage analytics (no personal employee data)

6.3 Legal Requirements

We may disclose data when legally required by Nigerian law, court order, or regulatory authority. We will notify the affected Subscribing Organization as soon as possible when permitted by law, and will only disclose the minimum data necessary to comply.

6.4 What We Never Do

  • Sell employee personal data to third parties
  • Share employee data with advertisers or marketing companies
  • Use employee data to build profiles for purposes outside the organization's HR management
  • Transfer data outside Nigeria without appropriate safeguards

7. Data Subject Rights & Organizational Responsibilities

B2B Platform — Rights Flow

As a B2B platform, employee data rights requests should be directed to the Subscribing Organization (employer), who is the data controller. We provide organizations with the tools to fulfill these requests, but they hold the responsibility for managing employee rights.

7.1 Subscribing Organization Responsibilities (Data Controllers)

As the data controller, Subscribing Organizations have the following responsibilities to their employees:

Legal Obligations

  • Obtain employee consent where required by law
  • Provide privacy notices to employees
  • Respond to employee data rights requests
  • Ensure lawful basis for all processing

Platform Controls

  • Manage employee data through our platform
  • Export and delete employee records as needed
  • Configure data retention policies
  • Control access permissions for HR staff

7.2 Employee Data Rights (Exercised Through Employer)

Employees have rights under the Nigeria Data Protection Act (NDPA) 2023, which should be exercised through their employer (the Subscribing Organization):

Right to Access

Request access to personal data from your employer’s HR department

Right to Rectification

Request data corrections through your organization’s HR processes

Self-Service Access

View your own data through the employee portal (if enabled by employer)

Grievance Process

Raise concerns through your employer’s internal channels

Important for Employees: Since your employer (the Subscribing Organization) is the data controller, all data-related requests should be directed to your organization's HR department. We cannot directly respond to individual employee requests without authorization from the organization.

7.3 Our Role in Supporting Data Rights

As a data processor, we support Subscribing Organizations in fulfilling their data protection obligations by:

  • Providing platform tools for organizations to manage employee data requests

  • Enabling data export, correction, and deletion capabilities for organizations

  • Maintaining audit logs of data access and modifications

  • Assisting organizations with technical aspects of rights fulfillment

  • Responding to authorized data requests from organizations on behalf of employees

7.4 How to Exercise Rights

For Employees

Contact your organization's HR department directly. They are responsible for handling your data rights requests and have full control over your data in our system.

For Subscribing Organizations

Contact our support team at support@machi-kunzult.com for assistance with employee data requests or platform features. Your organization administrators can also manage most requests directly through the platform.

Regulatory Complaints

If unsatisfied with how your employer handles your data rights, you may lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng.

8. Monitoring Technologies (Organization Configured)

Our platform includes optional monitoring features that Subscribing Organizations can enable based on their policies:

Organization Control: All monitoring features are optional and configured by the Subscribing Organization. Employees should consult their employer's policies to understand what monitoring is enabled.

8.1 Attendance & GPS Tracking

When enabled by the organization, the mobile app collects GPS coordinates at clock-in and clock-out. Geofencing can be configured to restrict attendance marking to approved locations only.

  • GPS data collected only at clock-in/out events, not continuously tracked
  • Geofence boundaries configured by the organization per their premises
  • Trust scores generated based on attendance compliance, not continuous surveillance

8.2 Productivity & Website Activity (Optional)

Organizations may optionally enable the productivity monitoring module which logs browser activity (URL visits, YouTube usage) during work hours on company devices.

Employee Notice: If this feature is enabled by your employer, your browser activity on work devices during work hours may be logged. Your employer is responsible for informing you of any monitoring policies in place.

8.3 Biometric Data

Where the organization uses biometric-enabled attendance devices, biometric templates (not raw biometric images) may be processed. Organizations are responsible for obtaining explicit employee consent before collecting any biometric data, as required by NDPA 2023.

9. Updates to This Privacy Policy

We will notify Subscribing Organizations of significant changes to this policy via email and/or in-platform notice at least 14 days before changes take effect. Organizations are responsible for communicating relevant changes to their employees.

Material changes (such as new categories of data processing or changes to data sharing practices) will require Organizations to review and acknowledge the updated policy through the platform before the changes take effect for their account.

The “Last Updated” date at the top of this policy reflects the date of the most recent revision. Continued use of the platform after the effective date of changes constitutes acceptance of the updated policy.

10. Subscription & No Refund Policy

No Refund Policy: All subscription fees paid to Machi Kunzult Ltd are strictly non-refundable. By subscribing to our HRMS platform, Subscribing Organizations explicitly agree to this policy.

10.1 Why We Do Not Offer Refunds

Our no-refund policy exists for the following reasons:

  1. Immediate Platform Access: Upon payment, Subscribing Organizations receive immediate, full access to our HRMS platform including all subscribed modules. The service is delivered and consumed from the moment of activation, making reversal impractical.

  2. Infrastructure & Operational Costs: Subscription fees fund ongoing infrastructure, server maintenance, security operations, and support services that are provisioned and committed upon subscription activation. These costs are incurred immediately and cannot be recovered.

  3. Pre-Subscription Trial & Demonstration: We offer prospective clients the opportunity to evaluate our platform through a 5-day free trial and demonstrations before committing to a subscription. Organizations are encouraged to thoroughly assess the platform before purchasing.

  4. Data Security & Processing Obligations: Once employee data is entered into the system, significant resources are allocated to secure storage, encryption, backup, and compliance operations. These obligations persist regardless of whether the subscription continues.

  5. Subscription Period Commitment: Subscriptions are sold for defined periods (monthly, quarterly, or annually). Pricing reflects a commitment to the full subscription period, and early cancellation does not entitle the Organization to a refund for unused time.

10.2 Scope of No-Refund Policy

This policy applies to all of the following situations without exception:

  • Voluntary cancellation of subscription at any time
  • Non-use or underuse of the platform or any of its modules
  • Early termination of an annual or multi-month subscription
  • Dissatisfaction with features after subscription commencement
  • Change of business needs or organizational restructuring
  • Employee count reduction after subscription purchase
  • Switching to a different HR software provider
  • Failure to onboard staff or utilize the platform

10.3 Exceptional Circumstances

While our policy is strictly no refunds, we may at our sole and absolute discretion consider service credits (not cash refunds) in the following limited circumstances:

  • Verified extended platform downtime directly caused by Machi Kunzult exceeding 72 consecutive hours
  • Duplicate payments made in error, which will be corrected within 14 business days
  • Billing errors attributable solely to Machi Kunzult Ltd

Any credits issued are applied to the next billing cycle and have no cash value. All decisions regarding service credits are made at the sole discretion of Machi Kunzult Ltd management.

10.4 Subscription Cancellation

Subscribing Organizations may cancel their subscription at any time by contacting support@machi-kunzult.com. Upon cancellation:

  • Access to the platform continues until the end of the current paid subscription period
  • No further charges will be made after the cancellation date
  • Organization data will be available for export for 30 days post-cancellation
  • No refund will be issued for the remaining unused subscription period

11. Contact Us

Data Protection Officer

Company: Machi Kunzult Ltd

Address: 3rd Floor, 35 Olowu Street, Ikeja, Lagos, Nigeria

For Organizations

Contact us for Data Processing Agreement (DPA) inquiries, platform support, or compliance assistance

For Employees

Please contact your organization's HR department for all data-related requests

Nigeria Data Protection Commission

For unresolved data protection concerns:

Committed to Data Protection

As a B2B SaaS provider, Machi Kunzult is committed to supporting our Subscribing Organizations in their data protection obligations. We maintain the highest standards of security and compliance, enabling Nigerian businesses to manage their workforce data with confidence and in full compliance with the Nigeria Data Protection Act 2023.