← Back to Home

Privacy Policy

Last updated: June 1, 2026

1. Introduction

Entrifi ("we," "our," or "us") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, disclose, and safeguard your information when you use our visitor management platform ("Service"). This policy applies to all users of the Service, including organization administrators, staff operators, security personnel, and visitors whose information is processed through the platform.

This policy is designed to comply with the Nigeria Data Protection Act 2023 (NDPA), theNigeria Data Protection Regulation 2019 (NDPR), and other applicable data protection laws in jurisdictions where we operate.

2. Data Controller and Processor Roles

Entrifi operates as both a Data Controller and a Data Processor, depending on the context:

  • As Data Controller: We are the controller for account registration data, billing information, platform usage data, and licensing data that we collect directly from you for our own purposes.
  • As Data Processor: When an organization uses Entrifi to manage visitor information, the organization is the Data Controller and Entrifi acts as a Data Processor, processing visitor data on behalf of and under the instructions of that organization.

3. Information We Collect

3.1 Account Information

When you register, we collect:

  • Full name and email address
  • Organization name, location details, and configuration preferences
  • Password (stored in hashed form, never in plain text)
  • Role assignment within your organization

3.2 Visitor Data

Organizations using Entrifi may collect the following visitor information:

  • Visitor name, email, phone number, and company affiliation
  • Photographs captured during check-in (see Section 4 on Sensitive Data)
  • Visit purpose, host information, and check-in/check-out timestamps
  • Digital signatures on NDAs or other documents (where enabled by the organization)
  • Badge numbers and unique identifiers used for express check-in
  • Visitor classification type (e.g., Client, Contractor, VIP, Delivery)
  • Notes or observations recorded by staff during the visit

3.3 Pre-Registration and Event Attendee Data

We collect expected visitor and event attendee information in advance or at the point of registration:

  • Pre-Registrations: When visitors are pre-registered by host staff, we collect names, emails, company details, expected arrival times, and visit purposes.
  • Event Registrations: When registering for an event hosted by an organization via Entrifi, we collect the attendee's name, email, company, and phone number on behalf of the host. We also generate admission tokens (e.g., "evt_..." tokens), deliver QR tickets, and record attendance check-in timestamps.

3.4 Security Screening Data

Organizations may maintain internal screening records to flag individuals who should be denied or escalated upon arrival. This may include names, identifying details, and the reason for the screening flag. This data is maintained solely by the organization and is not shared across organizations.

3.5 Activity Records

The Service maintains records of significant actions performed within each organization, such as visitor check-ins, check-outs, configuration changes, and security-related events. These records include the identity of the user who performed the action and the time it occurred. Activity records are used for accountability, compliance, and operational transparency.

3.6 Automatically Collected Information

  • Browser type, device type, and operating system
  • IP address and approximate geographic location (used for currency localization and security purposes)
  • Usage patterns and feature interaction data
  • Session duration and access timestamps

4. Sensitive and Biometric Data

Visitor photographs captured during the check-in process may constitute sensitive personal data under the NDPA. We handle this data with additional safeguards:

  • Photographs are captured only when the feature is enabled by the organization and with the visitor's awareness at the point of check-in
  • Photos are stored securely and are accessible only to authorized personnel within the relevant organization
  • Photos are not used for facial recognition, biometric profiling, or any automated decision-making
  • Organizations may configure automatic deletion of photographs after a defined retention period
  • Visitors may request deletion of their photographs by contacting the host organization
  • Digital signatures collected during document signing are treated with the same safeguards as photographs
  • Organizations (acting as Data Controllers) are solely responsible for establishing a lawful basis and obtaining explicit consent from visitors and staff before utilizing the photo capture, signature capture, or visitor registration features of the Service.

5. Lawful Basis for Processing

We process personal data only when we have a valid legal basis to do so, as required by the NDPA:

  • Performance of a contract: Processing your account data is necessary to provide the Service you have signed up for, including managing your subscription and delivering platform features.
  • Consent:Where required, we obtain your explicit consent before processing certain data. For example, visitor check-in involves the visitor's awareness and participation. You may withdraw consent at any time (see Section 10).
  • Legitimate interest: We may process data for our legitimate business interests, such as improving the Service, ensuring platform security, preventing fraud, and maintaining operational integrity, provided these interests do not override your fundamental rights and freedoms.
  • Legal obligation: We may process data to comply with applicable laws, regulations, or court orders.
  • Vital interest: In emergency or safety situations, we may process visitor data to protect the vital interests of individuals present at a facility, such as generating evacuation rosters or headcounts.

6. How We Use Your Information

We use collected information to:

  • Provide, maintain, and improve the Service
  • Process visitor check-ins, check-outs, and generate visitor badges
  • Facilitate pre-registration, event attendee registration, and express check-in workflows
  • Process event registrations, manage approval/decline workflows, verify event capacity limits, and issue QR-coded entry tickets
  • Screen visitors against organization-maintained security records
  • Support emergency and safety features, including evacuation rosters
  • Send service-related notifications (host alerts, event updates, registration confirmations, security alerts)
  • Process payments and manage subscriptions
  • Maintain activity records for organizational accountability and compliance
  • Detect and prevent fraud, abuse, and security threats
  • Generate aggregated analytics and usage reports for your organization
  • Localize pricing and content based on your geographic location
  • Perform routine platform maintenance, including automated status updates and data hygiene
  • Validate software licenses for privately hosted deployments
  • Comply with legal obligations

We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects.

7. Self-Service and Shared Device Usage

Entrifi may be deployed on shared devices (such as reception tablets or lobby stations) where visitors and event attendees interact directly with the Service to check in. In such configurations:

  • Each visitor session is isolated. Previous visitor data is not displayed to subsequent visitors.
  • The organization deploying the shared device is responsible for ensuring the device is used in an appropriate setting and that visitors are aware their information is being collected.
  • Shared devices may validate and enforce location-bound rules, ensuring that pre-registrations and event check-ins are restricted to the correct physical branch or location.
  • We do not store device-level identifiers or track individual devices beyond the authenticated session.

8. Multi-Tenant Data Isolation

Entrifi operates on a multi-tenant architecture. Each organization's data is logically isolated using tenant-level access controls. This means:

  • Your organization's visitor records, user accounts, security screening data, and settings are not accessible to other organizations
  • All requests are scoped to your authenticated organizational context
  • Platform administrators (Entrifi staff) may access aggregate, anonymized data for platform health monitoring but do not access individual visitor records without explicit authorization from the relevant organization
  • Organizations using privately hosted deployments maintain complete control over their data environment

9. Data Sharing and Sub-Processors

We do not sell, rent, or trade your personal information. We may share data only in these circumstances:

  • Payment processors: Transaction data is shared with payment providers (e.g., Paystack) solely to process your subscription payments. We do not store full payment card details.
  • Hosting and infrastructure: Your data is stored on servers provided by our hosting provider, which maintains appropriate security standards
  • Email services: We use third-party email providers to send transactional notifications (e.g., host alerts, account confirmations)
  • Content delivery and security: We use content delivery and web security services to protect the Service from attacks and to improve performance
  • Legal requirements: When required by law, court order, or government regulation
  • Security: To investigate, prevent, or respond to suspected fraud, security incidents, or violations of our Terms of Service
  • Business transfers: In connection with a merger, acquisition, reorganization, or sale of all or substantially all of our assets. In such cases, your account data and collected visitor database records will be transferred to the acquiring or successor entity as a business asset.
  • User-Configured Integrations: When organization administrators connect third-party platforms (such as Slack, Microsoft Teams, webhook receivers, or custom email/SMS gateways), visitor and check-in data is transmitted to those external systems at the organization's request. Entrifi does not control and is not responsible for the privacy practices, security, or data handling of these third-party platforms.

All sub-processors are bound by data processing agreements that require them to protect your data to standards no less protective than those described in this policy.

10. Your Rights

Under the NDPA and applicable data protection laws, you have the following rights regarding your personal data:

  • Right of access: Request a copy of the personal data we hold about you
  • Right to rectification: Request correction of inaccurate or incomplete data
  • Right to erasure: Request deletion of your personal data, subject to legal retention obligations
  • Right to data portability: Request your data in a structured, commonly used, machine-readable format. Organization administrators can use the "Download Your Data" feature in Settings at any time to export a comprehensive multi-sheet XLSX file containing organization details, user accounts, complete visitor records, and audit trail history. No vendor lock-in, no export fees, no waiting period.
  • Right to object: Object to the processing of your data where processing is based on legitimate interest
  • Right to restrict processing: Request that we limit how we use your data in certain circumstances
  • Right to withdraw consent: Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal

To exercise any of these rights, please contact our Data Protection Officer at [email protected]. We will respond to your request within 30 days.

For visitors whose data is processed by an organization using Entrifi, please contact the relevant organization directly to exercise your rights, as they are the Data Controller for your visitor information.

11. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • Passwords are securely hashed using industry-standard algorithms and are never stored in plain text
  • All data in transit is encrypted via TLS/HTTPS
  • Session tokens are securely managed with automatic expiration
  • Role-based access control limits data access to authorized users based on their assigned permissions
  • Activity records track administrative actions within each organization for accountability
  • Automated security measures are in place to detect and mitigate abuse, including protection against excessive or malicious requests

While we strive to use commercially acceptable means to protect your personal data, no method of electronic storage or transmission over the Internet is 100% secure. We cannot guarantee absolute security, but we continuously review and improve our security practices.

12. Data Retention

We retain your account and organizational data for as long as your account is active or as needed to provide the Service. Visitor records, photographs, and activity logs are retained according to your organization's plan tier and configuration settings. Specific retention periods are as follows:

  • Free Plan: 30 days of visitor record retention
  • Starter Plan: 90 days of visitor record retention
  • Pro Plan: 180 days of visitor record retention
  • Enterprise & On-Premise: 365 days visitor record retention

Photographs, where captured, are subject to separate photo retention limits that may be configured within the bounds of your plan. We recommend that organizations export their data regularly using the "Download Your Data" feature to maintain local copies.

Accounts that remain inactive for an extended period may be subject to archival or deactivation in accordance with our account management policies. We will make reasonable efforts to notify account holders before taking such action.

Upon account deletion or termination, we will delete or anonymize your data within 90 days, unless longer retention is required by applicable law. You may request a data export at any time through the Service or by contacting our Data Protection Officer.

13. Automated Processing

The Service performs certain routine operations automatically to maintain data integrity and operational continuity. These include, but are not limited to, updating visitor statuses, managing subscription lifecycles, enforcing data retention policies, and performing routine platform maintenance. These automated processes do not involve profiling or produce decisions with legal or similarly significant effects on individuals.

14. Emergency and Safety Features

The Service includes safety features that allow authorized personnel to generate real-time rosters of all visitors currently present at a facility. During an emergency, this data may be processed rapidly and shared with safety officers, building management, or emergency responders as necessary to protect the safety of individuals on the premises. This processing is carried out under the lawful basis of vital interest and legitimate interest in protecting physical safety.

15. Data Residency and International Transfers

For cloud-hosted deployments, your personal and visitor data may be transferred to, stored, and processed on servers located outside your country of residence (including cloud database and storage providers). Where such international transfers occur, we ensure that appropriate safeguards are in place, including executing standard data processing agreements with our service providers to comply with the NDPA and other applicable data protection laws.

16. Privately Hosted and On-Premises Deployments

Organizations deploying the Service on their own infrastructure maintain absolute control over the physical location and residency of their data. For these configurations, no visitor data or personal profiles are transmitted to Entrifi. Privately hosted instances communicate with Entrifi licensing servers solely to validate license keys and verify active usage limits, which transmits only license-validation metadata and zero personal data.

17. Children's Data

The Entrifi Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If an organization uses Entrifi to check in visitors who may be minors (e.g., in educational settings), the organization is responsible for ensuring appropriate parental or guardian consent is obtained in compliance with the NDPA and applicable child protection laws. If we become aware that we have inadvertently collected personal data from a child without appropriate consent, we will take steps to delete such data promptly.

18. Cookies and Tracking

Entrifi uses essential cookies for session management and authentication. We do not use third-party advertising cookies or cross-site tracking pixels. Functional cookies may be used to remember your preferences such as theme mode and currency selection. These cookies are necessary for the operation of the Service and do not require separate consent under applicable law.

19. Compliance with Nigerian Data Protection Law

In compliance with the Nigeria Data Protection Act 2023 (NDPA) and the General Application and Implementation Directive (GAID), we process personal data lawfully, fairly, and transparently. We collect data only for specified, explicit, and legitimate purposes, and retain it only for as long as necessary to fulfil those purposes.

© 2026 Entrifi. All rights reserved.