Privacy Policy

Last Updated: March 17, 2026

This Privacy Policy describes how Alan&Grant (“the Company,” “we,” “us,” or “our”) collects, uses, and protects your personal data in compliance with the Nigeria Data Protection Act (NDPA) 2023. This policy applies to the TWO platform hosted at https://two.alanandgrant.com/.

1. Legal Basis for Processing

In accordance with Section 25 of the NDPA, we process your personal data only when:

  • Consent: You have given clear consent for us to process your data for a specific purpose.
  • Contract: Processing is necessary for the performance of a contract (e.g., providing HR advisory services).
  • Legal Obligation: Processing is necessary for compliance with a legal obligation to which we are subject in Nigeria.
  • Legitimate Interest: Processing is necessary for our legitimate business interests, provided they do not override your fundamental rights.

2. Information We Collect

a. Personal Data Provided by You:

  • Identifiers: Name, professional email, phone number, and National Identification Number (NIN) where required for statutory filings.
  • Employment & Business Data: Job titles, company structure, payroll data (if using managed services), and performance metrics.

b. Automated Data:

  • IP addresses, device IDs, and “strictly necessary” cookies required for platform security and functionality.

3. Purpose of Processing

We process your data to:

  • Provide economic data that impacts people and the organisations they work for, along with job demand and supply indices, talent management practices, and business scaling tools.
  • Verify identities in compliance with “Know Your Customer” (KYC) requirements.
  • Conduct internal audits and data analysis to improve the TWO algorithm.

4. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes outlined in this policy or to comply with statutory retention periods (e.g., 6 years for financial records under Nigerian tax law). When data is no longer required, it is securely deleted or anonymized.

5. Data Security & Storage

We implement “Privacy by Design” principles. Your data is stored on secure servers with restricted access. In the event of a Personal Data Breach, we will notify the Nigeria Data Protection Commission (NDPC) within 72 hours of becoming aware of the breach, as required by the NDPA.

6. Third-Party Disclosures & International Transfers

  • Disclosures: We may share data with the Nigeria Internal Revenue Service (FIRS) or other regulatory bodies where legally mandated.
  • International Transfers: If your data is transferred outside Nigeria, we ensure the recipient country has an adequate level of data protection or that Standard Contractual Clauses (SCCs) are in place, subject to the NDPC’s “White List.”

7. Your Rights as a Data Subject

Under the NDPA, you have the right to:

  1. Withdraw Consent: At any time, without affecting the lawfulness of processing based on consent before its withdrawal.
  2. Access & Portability: Request a copy of your data in a structured, machine-readable format.
  3. Object: Object to automated decision-making or profiling that significantly affects you.
  4. Lodge a Complaint: Lodge a complaint directly with the Nigeria Data Protection Commission (NDPC).

8. Data Protection Officer (DPO)

We have appointed a Data Protection Officer to oversee our privacy strategy. For any inquiries, please contact:

The Data Protection Officer: info@alanandgrant.com
Address: Aina Theresa House, 21 James Robertson Street, Surulere, Lagos, Nigeria.