Data Protection Policy

Effective Date: 1 April 2026

1. Introduction

Energy Smart Petroleum Services Ltd (“Energy Smart”, “ESN”, “we”, “our”, or “us”) is committed to protecting personal data and maintaining responsible data governance practices across its operations, platforms, and services.

As part of this commitment, Energy Smart implements technical, administrative, and organizational safeguards designed to ensure the lawful, fair, secure, and transparent processing of personal data.

Energy Smart maintains compliance obligations in line with applicable Nigerian data protection requirements, including the Nigeria Data Protection Regulation (NDPR) and related regulatory frameworks where applicable.

2. Scope

This Policy applies to all personal and operational data processed by Energy Smart, including data relating to:

• customers and client organizations
• employees and contractors
• fuel card users and fleet operators
• website and application users
• business partners and vendors
• support and survey interactions
• transaction and operational records

This Policy applies to all employees, contractors, consultants, and third parties acting on behalf of Energy Smart.

3. Data Protection Principles

Energy Smart processes data in accordance with the following principles:

3.1 Lawfulness, Fairness & Transparency

Personal data shall be processed lawfully, fairly, and transparently for legitimate business purposes.

3.2 Purpose Limitation

Data shall be collected only for specified, legitimate, and operationally necessary purposes.

3.3 Data Minimization

Only information reasonably required for service delivery, compliance, operational management, or lawful obligations shall be collected.

3.4 Accuracy

Reasonable steps shall be taken to maintain accurate and up-to-date records.

3.5 Storage Limitation

Data shall not be retained longer than necessary, subject to operational, legal, contractual, audit, or regulatory obligations.

3.6 Integrity & Confidentiality

Appropriate safeguards shall be implemented to protect data against unauthorized access, alteration, disclosure, or loss.

4. Categories of Data Processed

Energy Smart may process the following categories of information:

4.1 Customer & Business Data

Including:

• company information
• authorized representatives
• onboarding documentation
• contact details
• account records

4.2 Transaction & Fleet Data

Including:

• fuel transaction records
• vehicle mappings
• card activity
• fleet operational information
• transaction timestamps and references

4.3 Technical & System Data

Including:

• IP addresses
• login activity
• browser/device information
• audit logs
• authentication records
• security events

4.4 Employee & Internal Data

Including:

• HR records
• internal approvals
• operational logs
• support and communication records

5. Lawful Basis for Processing

Energy Smart may process personal data based on:

• contractual obligations
• legitimate business interests
• legal and regulatory obligations
• fraud prevention and security requirements
• customer consent where applicable

6. Data Security Controls

Energy Smart implements reasonable security measures including:

• role-based access controls (RBAC)
• secure authentication procedures
• encrypted communications (HTTPS/TLS)
• password protection and credential security
• audit logging and monitoring
• secure hosting environments
• periodic backups and recovery controls

Access to sensitive information is restricted to authorized personnel with legitimate business need.

7. Data Sharing & Third Parties

Energy Smart may share information with approved third parties where necessary for:

• payment processing
• card issuing and banking services
• cloud infrastructure and hosting
• customer support operations
• compliance obligations
• lawful regulatory requests

Energy Smart takes reasonable steps to ensure third-party providers maintain appropriate confidentiality and security standards.

Energy Smart does not sell personal data.

8. Data Subject Rights

Subject to applicable law, individuals may request:

• access to their personal data
• correction of inaccurate data
• deletion where legally permissible
• restriction of processing in certain cases
• withdrawal of consent where applicable

Requests shall be reviewed in accordance with applicable legal and operational obligations.

9. Data Retention

Energy Smart retains information only for periods reasonably necessary to:

• provide services
• maintain operational records
• support audits and investigations
• resolve disputes
• comply with contractual or regulatory obligations

Records may be securely deleted, archived, or anonymized once retention periods expire.

10. Incident & Breach Management

Any actual or suspected data breach shall be escalated through Energy Smart’s incident management procedures.

Where appropriate, Energy Smart may take actions including:

• containment and investigation
• remediation measures
• partner notification
• customer notification where required
• regulatory engagement where applicable

11. Employee Responsibilities

Employees and authorized personnel must:

• protect confidential information
• access data only where authorized
• follow approved security procedures
• report incidents promptly
• avoid unauthorized disclosure or misuse

Failure to comply may result in disciplinary action.

12. NDPR Compliance

Energy Smart maintains alignment with applicable obligations under the Nigeria Data Protection Regulation (NDPR) and related Nigerian data protection frameworks.

Energy Smart may periodically review and strengthen its controls to support continued compliance and responsible data governance practices.

13. Monitoring & Review

This Policy shall be reviewed periodically based on:

• operational changes
• legal or regulatory developments
• partner requirements
• technology changes
• security and risk assessments

14. Contact Information

For data protection or privacy-related inquiries:

Energy Smart Petroleum Services Ltd
29 Opebi Road, Lagos, Nigeria
Email: contact@energysmartng.com