Privacy Policy

DODO Design Agency ("we," "us," or "our") respects your privacy and is committed to protecting your personal data. This policy explains how we collect, use, disclose, and safeguard your information when you interact with us through our website https://dododesign.africa/, services, or communications.

We may collect the following types of information:

• Personal data: Name, email, phone number, job title, company name, and country.
• Technical data: IP address, browser type, device information, cookies, and usage data (e.g., pages visited, session duration).
• Project-specific Data: Information shared during consultations, such as business goals, user research insights, or design preferences.
• Third-party data: Publicly available information or data from partners (e.g., analytics providers like Google Analytics, AWS, MailChimp, LinkedIn, X or Instagram).

We use your data to:

• To answer any request, query, or inquiry you may submit through a contact form.
• Provide the design and consulting services you may request for
• Communicate about projects and updates.
• Improve our website, services, and client experiences.
• Comply with legal obligations and protect against fraud.
• Send marketing communications (with your consent).
• To enable you to register for an event or webinar
• To provide access to reports, articles, or other documents for download

We process data based on:

• Performance of a contract: To fulfill service agreements.
• Consent: For marketing or optional data collection.
• Legitimate interests: To improve operations and security.
• Legal compliance: To meet regulatory requirements.
By “legitimate interests”, we refer to necessary and proportionate data processing activities essential for DODO’s business operations, such as fraud prevention, service improvement, and secure client communication where the benefits are balanced against individual privacy rights and do not override them..

We may share your information with:

• Partners: Collaborators (such as vendors, media partners, contract staff) on joint projects (with your consent).
• Authorities: (Within or without Nigeria’s judiciary system as the case may be) If required by law or to protect our rights.
• Affiliates: (Contract staff or team members) For internal administrative purposes.

We retain personal data only for as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required or permitted by applicable law. Retention periods are determined based on the nature of the data, the purpose for which it was collected, applicable legal obligations, and our legitimate business needs.

A. Purpose of Data Collection

• Service-Specific Retention:
• Event registrations: Deleted within 30-90 days post-event (unless consent is given for future communications).
• Client projects and contracts: Retained for 6 years post-project completion (to support warranty claims, audits, or contractual obligations).
• User Accounts: Inactive accounts are purged after 24 months of dormancy.

B. Legal, tax and regulatory requirements

• Data such as tax records will be deleted on or before 6 years.
• Medical records will be deleted on or before 6 years unless legally required to retain it.
• All other data will be retained only for the period necessary.
• We retain data based on these compliance policies:
European Union (GDPR):
• Tax records: 6years (varies by member state).
• Marketing consent: 1–2 years (with periodic re-consent checks).
Nigeria (NDPA):
• “Necessary period” defined by purpose e.g., customer transactions are typically 5–7 years for financial audits.
• Extended retention requires documented justification.
United States:
• HIPAA medical records: 6 years post-last interaction (minimum).
• California (CCPA): 12-month retention disclosures required for collected categories.

C. Best Practices:

• Retention Schedule:
• Marketing leads: 24 months (with opt-out mechanisms).
• Contracts: 6 years post-termination (statute of limitations alignment).
• Review Process:
• Annual audits to reassess retention needs.
• Secure deletion methods (e.g., cryptographic erasure for digital data).

We implement technical and organizational measures to protect personal data against unauthorized access, loss, misuse, or alteration. This includes secure storage, restricted access, and staff training on data privacy practices.

As data processors, especially operating in Nigeria and potentially across borders, DODO complies with several legal and ethical frameworks that govern how we handle personal data on behalf of clients, such as the Nigeria Data Protection Act (NDPA).

However, if DODO experiences a data breach, the company would follow a structured response to protect affected individuals and comply with legal obligations:

A. Immediate Containment and Assessment:
Upon discovering a breach, DODO would act quickly to contain the incident, prevent further data loss, and assess the scope and impact. This includes identifying what data was compromised, how the breach occurred, and which individuals or systems are affected.

B. Notification of Authorities:
If the breach is likely to result in a risk to individuals’ rights and freedoms (such as identity theft or reputational harm), DODO would notify the relevant supervisory authority-such as the Nigeria Data Protection Commission (NDPC) or, if applicable, an EU Data Protection Authority-within 72 hours of becoming aware of the breach. The notification would include:

• A description of the nature of the breach (including the types and approximate number of individuals and records affected)
• Contact details for DODO’s Data Protection Officer or responsible contact
• The likely consequences of the breach
• Measures taken or proposed to address the breach and mitigate adverse effects.

C. Notification of Affected Individuals:
IIf the breach poses a high risk to the rights and freedoms of affected individuals, DODO would also notify those individuals without undue delay. The communication would be clear and plain, explaining:

• The nature of the breach
• Likely consequences for the individual
• Steps DODO has taken or will take to address the breach.
• Advice on how individuals can protect themselves.
• Contact details for further information or support.

D. Documentation and Review:
DODO would document all breaches, regardless of severity, including the facts, effects, and remedial actions taken. This documentation enables regulatory review and helps DODO improve its data protection practices.

E. Ongoing Communication and Support:
DODO would provide ongoing updates to both authorities and affected individuals as more information becomes available or as the situation evolves, ensuring transparency and trust.

You have the right to:

• Access, correct, or delete your personal data.
• Withdraw consent for marketing or data processing.
• Object to processing based on legitimate interests.
• Request data portability (where applicable).
• To exercise these rights, contact us at hello@dododesign.africa
• If you are not satisfied with the response given, lodge complaints with the following supervisory authorities:
  • Nigeria Data Protection Commission (NDPC): Submit complaints via email to info@ndpc.gov.ng or visit their office in Abuja, Nigeria (If you are a Nigerian).
  • European Data Protection Supervisor (EDPS): Submit complaints via edps.europa.eu (If you are an EU citizen or live in any of the EU member states)

As a design and research consulting firm, the responsible collection, use, and protection of research data is central to our work. This includes all forms of data gathered through qualitative and quantitative methods such as interviews, focus group discussions, field observations, surveys, co-creation sessions, ethnographic studies, and digital interactions.

Types of Research Data We Handle

We may collect and process the following categories of research data:

• Audio and video recordings from research interviews, FGDs, and workshops (with consent).
• Photographs and visual artifacts created or captured during design or fieldwork activities.
• Transcripts and notes from recorded sessions or observations.
• Survey responses, including demographic and behavioral data.
• Participant-generated content (e.g., sketches, co-creation worksheets, etc).
• Consent forms.

Our Approach to Handling Research Data

• Informed consent: Before any data collection begins, we obtain informed, voluntary consent from participants. This includes explaining:
  • The purpose of the research
  • What data will be collected
  • How it will be used
  • Who will have access to it
  • The participant’s right to withdraw at any time
• Anonymization and de-identification: Wherever possible, we remove or obscure personal identifiers from research data to protect participant identity. This includes using pseudonyms in transcripts and reports, and blurring or cropping identifiable features in visuals.
• Data minimization: We only collect data that is necessary for the specific project goals, and we avoid excessive or intrusive data collection practices.
• Secure storage: Research Data is stored on secure servers hosted with reputable cloud providers, like AWS, which offer advanced security features All data is encrypted both in transit and at rest using strong encryption protocols. Physical materials (e.g., handwritten notes or forms) are kept in locked, access-controlled environments. Access to data is limited to authorized project team members..
• Data sharing and use:
  • Research data is only shared with clients, collaborators (such as vendors, media partners) or external parties when necessary for project outcomes, and only in anonymized or aggregated form unless otherwise consented to.
  • Any use of data for secondary research, publications, or case studies is subject to a separate consent process or ethical review, where applicable.
• Data retention and deletion: We retain research data for a specified period based on project needs, legal obligations, or client agreements. After this period, we securely delete or archive the data following best practices and ethical guidelines.
• Participant rights: Research participants have the right to:
  • Access the data they provided,
  • Request corrections or clarifications,
  • Withdraw their data (unless anonymized or already used in aggregate),
  • Request deletion of their data from our systems, where applicable.
• Ethical oversight and responsibility: We are committed to conducting ethical, inclusive, and culturally sensitive research across all the communities we work with. Our team is trained in research ethics, data protection, and responsible storytelling. We also align our practices with global research ethics guidelines, including ESOMAR, the Belmont Report, and local IRB requirements when applicable.
• Cross-Border Data Transfers: There may be instances where personal or research data collected in Nigeria (or outside Nigeria) is transferred to other countries for processing, storage, or collaboration purposes. These transfers may occur, for example, when:
  • We collaborate with international clients or partners who need access to anonymized research insights or data.
  • We use cloud-based platforms or services (e.g., transcription tools, data analytics platforms, storage services) hosted outside Nigeria.
  • Team members or consultants located in other countries need to access project files or research findings.
  To safeguard personal and sensitive data transferred outside Nigeria, we implement the following protective measures.
  • Legal compliance: All cross-border transfers are conducted in accordance with the Nigeria Data Protection Act (NDPA), which requires that data transfers only occur to countries that have adequate data protection laws or where proper safeguards are in place.
  • Adequate decisions and jurisdiction checks: Where possible, we only transfer data to countries or organizations that are recognized by the Nigerian authorities or relevant international frameworks (e.g., the EU) as having adequate levels of data protection.
  • Data Transfer Agreements (DTAs): We enter into legally binding agreements such as Standard Contractual Clauses (SCCs) or Data Processing Agreements (DPAs) with third-party service providers, clients, or international partners to ensure the protection and confidentiality of transferred data.
  • Anonymization and pseudonymization: Whenever feasible, we anonymize or pseudonymize personal or research data before transferring it. This minimizes risks in the unlikely event of a data breach or unauthorized access.
  • Vendor due diligence: We thoroughly vet international vendors and partners, especially those providing cloud, analytics, or communication services, to ensure they meet high data security and privacy standards.
  • Security measures: All cross-border data transfers are protected using encryption, secure file-sharing protocols, and access controls to prevent unauthorized access, interception, or loss of data.

Cookies are small text files placed on your device (computer, phone, or tablet) when you visit our website. They help us recognize your device, analyze traffic, remember preferences, and improve functionality. You can manage preferences via your browser settings.

A. Types of cookies we use:

• Essential cookies: Essential cookies are necessary for the basic functionality of our website, ensuring features like login and payment processing work smoothly. For example, session cookies can help keep a user logged in as they navigate different pages of a website, while security cookies protect against fraud; these cookies typically expire once you close your browser, and these types of cookies are always active.
• Analytics cookies: Analytics cookies are used to track how visitors interact with our site-such as which pages are visited and how often, helping us improve performance and user experience. Common examples include Google Analytics and Hotjar, which may collect anonymized data like IP addresses, browser types, and referral URLs; these cookies usually have a lifespan ranging from 30 days to two years.
• Marketing cookies: Marketing or tracking cookies are primarily used to deliver personalized advertisements and monitor the effectiveness of marketing campaigns. They help us understand your interests by collecting information such as the ads you click on, your browsing behavior across different websites, and your engagement with marketing content. Common examples include tools like Facebook Pixel and LinkedIn Ads. The data gathered by these cookies is used to tailor advertising to your preferences and to analyze campaign performance.
• Preference cookies are designed to remember your individual settings and choices, such as your selected language, preferred font size, or regional preferences. By storing these details, these cookies ensure a more personalized and consistent user experience each time you visit the site. Examples include "remember me" login cookies and theme selectors, which help the website recall your preferences without requiring you to reset them on every visit. The lifespan of preference cookies usually ranges from six to twelve months.

B. How consent is obtained: When you first visit our website, a cookie banner will appear, allowing you to:

• Accept all cookies (essential, analytics, marketing, etc.),
• Reject all except strictly necessary cookies, or
• Customize preferences (e.g., allow analytics but block marketing cookies).

Withdrawing or changing consent:

• Persistent tool: Use the button in the website footer to adjust preferences anytime.
• Browser settings: Block or delete cookies via your browser’s privacy/security settings (e.g., Chrome: Settings > Privacy and Security > Cookies). Note: Blocking cookies may limit site functionality.

Our services are not intended for individuals under the age of 16, or under the legal age of digital consent in their respective jurisdiction, whichever is higher.

In cases where we intentionally process children’s data (e.g., educational projects, youth-focused initiatives):

A. Parental consent

• We require verifiable parental consent (e.g., signed consent forms, video call verification, or credit card confirmation as per applicable law).

B. Data Collection & use

• Minimal data: Collect only information necessary for the specific service (e.g., first name, age, project-related inputs).
• No sensitive data: Avoid collecting location, biometrics, or health information without explicit justification and additional safeguards.
• Purpose limitation: Use data solely for the stated purpose (e.g., educational workshops, design prototypes) and delete it once the purpose is fulfilled.

C. Parental rights

• Access/deletion: Parents/guardians may review, correct, or request deletion of their child’s data. To exercise these rights, parents/guardians may contact us at our designated email address.
• Withdrawal: Consent can be withdrawn at any time, after which we will cease processing and delete existing data where feasible.

D. Security & transparency

• Encryption: Data is encrypted in transit and at rest.
• Age-appropriate notices: Provide simplified, child-friendly explanations of data practices when interacting directly with minors.
• Third parties: Disclose any partners (e.g., schools, NGOs) involved in data processing and ensure contractual compliance with child protection laws.

E. Exceptions

• Incidental collection: If we inadvertently collect a child’s data without consent, we will delete it immediately upon discovery.
• Legal compliance: Data may be retained where required by law (e.g., safeguarding obligations) or to protect the child’s vital interests.