Privacy Policy
1. Who We Are
Data Controller: Rankine Innovation Lab, operating FloodSight Lagos โ a flood early-warning system for Lagos State, Nigeria.
Contact: For all data privacy enquiries, write to ahadegok@asu.edu with the subject line "FloodSight Data Privacy".
2. Data We Collect
When you subscribe to flood alerts, we collect and store the following:
| Data item | Required? | Purpose |
|---|---|---|
| Phone number (E.164 format) | Yes | Deliver flood alert SMS messages to you |
| Name | No (optional) | Personalise alert messages |
| Location (latitude / longitude) | Yes | Determine your local flood risk level and route alerts correctly |
| Area name | No (optional) | Include a human-readable location in your alert messages |
| Flood risk class | Computed, not entered | Determine when to send alerts for your specific location |
| Consent timestamp | Recorded automatically | Demonstrate NDPR-compliant consent for processing |
| Subscription date | Recorded automatically | Enforce 12-month retention policy |
We do not collect: identity documents, financial information, device identifiers, IP addresses, or any special category data under the NDPR.
3. Legal Basis for Processing
We process your personal data on the basis of explicit consent (Section 2.2 of the NDPR). You provide this consent by ticking the consent checkbox on the subscription form. You may withdraw consent at any time (see Section 6 โ Your Rights).
4. How We Use Your Data
Your data is used exclusively to:
- Send you SMS flood Watch or Warning alerts when your area is at elevated risk
- Determine the correct alert level for your specific location using our flood model
- Avoid sending you duplicate alerts on the same day
We do not use your data for marketing, profiling, research unrelated to flood alerting, or any automated decision-making that produces legal effects for you.
5. Data Processors (Third Parties)
We share your phone number with the following service providers solely to deliver SMS messages. They act as data processors on our behalf and are contractually required to protect your data:
| Processor | Role | Data shared | Location |
|---|---|---|---|
| Africa's Talking | SMS delivery | Phone number, alert message text | Kenya (regional offices in Nigeria) |
| Supabase | Database hosting | All subscriber fields listed in Section 2 | EU West (Ireland) โ encrypted at rest and in transit |
No other third parties receive your personal data. We never sell subscriber data.
6. Your Rights Under the NDPR
You have the following rights regarding your personal data:
- Right to unsubscribe / withdraw consent โ Reply STOP to any alert SMS at any time. This immediately deactivates your subscription and stops all future messages.
- Right of access โ Request a copy of the data we hold about you by emailing ahadegok@asu.edu.
- Right to rectification โ Re-subscribe with corrected information (your phone number is the unique key; resubscribing updates your record).
- Right to erasure โ Email us to request full deletion of your subscriber record. We will delete it within 7 days.
- Right to lodge a complaint โ You may complain to the Nigeria Data Protection Commission (NDPC) if you believe we have not handled your data lawfully.
7. Data Retention
We retain your subscriber record for as long as your subscription is active. If your subscription has been inactive (no alerts sent) for 12 consecutive months, your record is automatically deactivated and marked for deletion. Full deletion occurs within 30 days of deactivation.
Alert log records (which track that a message was sent, without repeating your personal data) are retained for 24 months to support system audit and validation.
8. Security
All subscriber data is stored in an encrypted PostgreSQL database (Supabase, hosted in EU West / Ireland). Access is restricted to the FloodSight API using a service-role key with row-level security enabled. Your phone number and location are never exposed via any public API endpoint.
The only time your phone number leaves our database is when we instruct Africa's Talking to deliver an alert SMS โ and only the phone number and message text are transmitted, nothing else.
9. Children
This service is not directed at persons under 13 years of age. If you believe a child's data has been submitted without parental consent, please contact us for immediate deletion.
10. Changes to This Policy
If we change how we collect or use personal data, we will update this page and revise the "Last updated" date above. Existing subscribers will be notified by SMS of any material changes.
11. Contact
For any data protection question, access request, or erasure request, contact:
Rankine Innovation Lab โ FloodSight Data Privacy
Email: ahadegok@asu.edu
We aim to respond within 5 business days.