PRIVACY POLICY

ARTICLE 1: PREAMBLE & SCOPE

This document is prepared in accordance with Section 37 of the Constitution of the Federal Republic of Nigeria 1999 (as amended), the provisions of the Nigeria Data Protection Act (NDPA) 2023, and the EU General Data Protection Regulation (GDPR). It sets out how Kain Energy (hereinafter “The Company”) applies and complies with the principles of the Act and Regulation in processing the personal data of our data subjects, specifically: individuals (Customers, Service Users), clients, joint venture partners, host communities, vendors, and third parties that interact with us. This privacy policy describes how we collect and process your personal information through your use of our platforms, operational sites, and during the execution of contracts (e.g., Employment, Vendor Registration, Community Development Projects). The primary purpose of this policy is to provide you with a better understanding of:

• Information we collect.
• How we use the data we collect.
• Who we share your data with.
• Lawful grounds of processing (including Legitimate Interest Assessment).
• Your data rights.

 

ARTICLE 2: POLICY STATEMENT & DEFINITIONS

Who We Are? We are a leading player in the Oil and Gas sector. We are responsible for ensuring compliance with petroleum laws, regulations, and internal HSE (Health, Safety, and Environment) standards in our operations. Personal Data Definition In line with Section 65 of the NDPA and Article 4 of the GDPR, Personal Data is defined as: “Any information relating to an individual, who can be identified or is identifiable, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, cultural, social, or economic identity of that individual.”  

ARTICLE 3: HOW WE USE YOUR INFORMATION

We will process (collect, use, and store) the information you provide in a manner that complies with the NDPA 2023 and GDPR. We will endeavor to keep your information accurate and up to date and not keep it for longer than is necessary. The Company is required to retain information in accordance with laws such as the Petroleum Industry Act (PIA), Tax Laws, and Local Content Regulations. Service Delivery & Optimization We process your personal data to ensure all-round efficient service delivery, relationship management, business analytics, and product development. specifically:

• To Improve Our Services: We analyze user interactions to understand how you use our platforms and products, allowing us to improve functionality and user experience.
• Customer Support: We use your data to identify you and respond effectively to your inquiries, complaints, or feedback.
• Communication: To send you administrative updates, newsletters (where consented), and safety information relevant to the services we provide you.

What Personal Data Do We Use? The personal data we collect depends on the processing activity:

Data Category	Data Type	Sources
Vendor/Contractor Data	Company Directors’ Names, Tax IDs, Safety Certifications, Bank Details.	Vendor Portals (NipeX), Bids.
Employee/Expat Data	Bio-data, Passport, Medical Records (HSE), Biometrics.	Direct Application, Recruiters.
Host Community Data	Names of beneficiaries, Land ownership documents, Bank details.	Community Liaison Officers (CLOs).

 

ARTICLE 4: PURPOSE & LAWFUL BASIS OF PROCESSING

Why Do We Need the Data? We need to collect your personal data in order for us to conduct our oil and gas operations effectively. In strict adherence to Section 25 of the NDPA, every processing purpose has at least one lawful basis:

Purpose of Processing	Lawful Basis of Processing
Vendor Registration & Management	We need to process this information to meet our contractual obligations and verify eligibility under the NUPRC/NipeX guidelines.
Staff & Field Personnel Management	To pay salaries (Contract) and ensure Fit-to-Work/HSE compliance (Legal Obligation under Petroleum Laws).
Community Trust/Scholarship Disbursement	To comply with Host Community Development Trust (HCDT) regulations under the PIA.
Site Access Control (Biometrics/CCTV)	It is in our legitimate business interest to secure our physical assets and prevent unauthorized access to hazardous areas.
Regulatory Reporting (NUPRC/NMDPRA)	Mandatory reporting of operational data which may include personnel details.1
Emergency Medical Evacuation	Processing necessary to save a life in the event of an offshore/field accident.
To allow you to use our Services (Service Delivery)	We need to process this information to meet our obligations to you (e.g., processing a fuel order, registering you on our portal, or facilitating a transaction).
To receive Feedback & Improve Services	It is our legitimate business interest to understand how we can improve our products (e.g., surveys, website analytics) to serve you better.
To provide Customer Support	To respond to any communications we receive from you. If you do not provide us with this information, we would not be able to resolve your complaints or inquiries.
Visitor Management (Physical & Digital)	To manage access to our premises and ensure the security of our digital platforms for all visitors.

 

ARTICLE 5: LEGITIMATE INTEREST ASSESSMENT (LIA)4

Reference: Modeled after NUPRC LIA Standard Where Legitimate Interest is considered the legal basis for processing personal data (e.g., CCTV monitoring, Fraud Detection, Network Security), The Company shall follow the steps below in line with NDPA Section 25(1)(b)(v): Step 1: Determine the Purpose for Processing We establish the exact reason for the processing.

• Example: Ensuring safety at our drilling locations.
• Benefit: Protecting lives and multi-million dollar assets.

Step 2: Determine the Necessity of the Processing We establish why the processing must take place and if there are less intrusive alternatives.

• Test: Can we secure the facility without collecting visitor logs? (Answer: No).

Step 3: Balance Test We balance our interest against the Privacy Interest of the Data Subject.

• Question: Does monitoring a hazardous rig floor negatively impact the worker’s privacy rights?
• Conclusion: The safety benefit outweighs the privacy intrusion, provided data is secured.

 

ARTICLE 6: CONSENT

In compliance with Section 26 of the NDPA, The Company requires your explicit consent where no other lawful basis exists (e.g., for marketing or optional surveys). By consenting to this privacy policy, you are giving us permission to process your personal data specifically for the purpose identified. You may withdraw consent at any time by contacting us. Sensitive Personal Data: If we request sensitive data (e.g., health records for offshore deployment), we will notify you of the specific reason and obtain explicit consent unless the processing is required by Labor or Social Security Laws (NDPA Section 30).  

ARTICLE 7: DISCLOSURE & THIRD-PARTY SHARING

Will The Company share my Personal Data with anyone else? We may pass your personal data to third-party service providers contracted by us. Any third parties (Processors) are under an obligation to secure your details in line with Section 29 of the NDPA. We may share data with:

1. Regulators: NUPRC, NMDPRA, FIRS (Statutory requirements).
2. Joint Venture Partners: For operational alignment in JV assets.
3. Third-Party Processors: Cloud hosts, Payment processors, Payroll providers, and HMOs.

International Transfers (Section 41 NDPA / GDPR Chapter V): Where there is a need to transfer data outside Nigeria (e.g., to technical partners in Europe/USA), The Company will ensure:

• The country has adequate data protection controls (Whitelisted).
• We have a contract using Standard Contractual Clauses (SCCs).
• The transfer will be covered by Binding Corporate Rules (BCRs).

ARTICLE 8: DATA SECURITY

All information you provide to us is stored on our secure systems. In compliance with Section 39 of the NDPA, we implement appropriate technical and organizational measures such as:

• Firewalls & Encryption: To protect data in transit and at rest.
• Access Control: Strict “Need to Know” policy for accessing staff or vendor files.
• Physical Security: Secure archiving for paper-based exploration/land records.

Note: While we strive for 100% security, transmission via the internet is never completely secure.  

ARTICLE 9: RETENTION OF RECORDS

The purposes of data processing determine the length of time within which your personal data is stored. We retain your personal data, including any correspondence you have with us, only for as long as is necessary to fulfill the purposes set out in this policy, or as required by law. Specifically, we retain data for the duration of your active contract, license, or engagement with us. We collect and store only the personal data reasonably required by law, the Petroleum Industry Act (PIA), or industry best practice to serve you effectively or to respond to legitimate inquiries regarding our transactions with you.

ARTICLE 10: COOKIES POLICY

Customarily, websites are designed to collect certain information from the visitor. This website is also designed to collect your IP address and other information that your web browser typically shares with the websites that you visit. Our websites use cookies to enhance user experience.

ARTICLE 11: COMPLAINTS & CONTACT

If you wish to make a complaint about how our processes your personal data, you have the right to lodge a complaint directly with us or the Nigeria Data Protection Commission (NDPC). Data Protection Officer (DPO)

• Email: info@kainenergy-ng.com

Supervisory Authority

• Nigeria Data Protection Commission: https://ndpc.gov.ng

ARTICLE 12: ALTERATION OF PRIVACY POLICY

We reserve the right to update or amend the foregoing policy for the purposes of advancing data privacy rights, public interest or complying with lawful directives of the Federal Government – in accordance with changes in the NDPA 2023 or Petroleum Regulations.