Legal & Compliance
Huize Telecom's terms, privacy policy, and legal documents
Privacy Policy
Last Updated: February 2026 · Version 2026-02
1. Introduction
Huize Telecom (operating entities: Huize Telecom Limited, Nigeria RC 8165363; and Huize Holdings LLC, Kyrgyz Republic — collectively "Company", "we", "us") is committed to protecting your privacy. This Policy explains how we collect, use, store, and protect your personal data in compliance with the EU General Data Protection Regulation (GDPR, EU 2016/679) and the Nigerian Data Protection Regulation (NDPR).
Scope: This policy applies to all users accessing our services via huize.asia and the enterprise customer portal.
2. Information We Collect
2.1 Account Information
When you register an enterprise account, we collect:
- Corporate Data: Company name, company registration number / tax ID, registered address
- Contact Information: Name, job title, work email, phone number
- Credentials: Account password (bcrypt encrypted), JWT Session Tokens
2.2 Network Traffic Metadata
To deliver network services and support troubleshooting, we log:
- Source and destination IP addresses
- Packet size and transmission timestamps
- Protocol types (TCP / UDP / QUIC, etc.)
- Routing paths (SCION ISD nodes traversed)
- QKD key-generation logs (metadata only — not the keys themselves)
Note: We do not inspect or log the contents of encrypted packets. QKD customers benefit from end-to-end encryption that is mathematically unbreakable.
2.3 Usage Behaviour Data
Through the customer portal and website, we collect:
- Login timestamps and IP addresses
- Pages and features accessed
- Device information (browser type, OS, screen resolution)
- AI intent search queries (anonymised after 1 year)
2.4 Cookies & Tracking Technologies
We use cookies to maintain login sessions and optimise user experience. Non-essential cookies are only placed after you grant explicit consent via our Consent Management Platform. See our Cookie Policy for full details.
3. Purposes & Legal Bases for Processing
| Purpose | GDPR Legal Basis |
|---|---|
| Providing network connectivity & routing | Contract performance (Art. 6(1)(b)) |
| Billing, invoicing & payment processing | Contract performance (Art. 6(1)(b)) |
| DDoS detection & account security | Legitimate interests (Art. 6(1)(f)) |
| Network performance analysis & product improvement | Legitimate interests (Art. 6(1)(f)) |
| Marketing & analytics cookies | Consent (Art. 6(1)(a)) |
| Responding to lawful authority requests | Legal obligation (Art. 6(1)(c)) |
4. Information Sharing & Disclosure
4.1 No Sale of Data
We never sell your personal data to third parties.
4.2 Sub-processors (all under signed DPAs)
- Cloud Infrastructure: ISO 27001-certified data centres in Nigeria and the Kyrgyz Republic; AWS for disaster-recovery backup
- Payment Processing: Stripe (transaction data only)
- Network Carriers: Upstream bandwidth providers (traffic statistics only)
4.3 Legal Requirements
We may disclose personal data when:
- Responding to court orders or competent regulatory authority demands
- Investigating cybercrime (hacking, ransomware distribution)
- Protecting the Company's or users' legitimate interests
5. Data Storage & Security
5.1 Storage Locations
Customer data is stored in ISO 27001-certified data centres located in Nigeria and the Kyrgyz Republic. Customers in the EEA may request storage in EU-region data centres, protected by Standard Contractual Clauses (SCCs).
5.2 Encryption Measures
- In-Transit: TLS 1.3 for all web traffic
- At-Rest: AES-256 database encryption
- Passwords: bcrypt hashing + salting
- QKD Lines: Information-theoretic security via quantum key distribution
5.3 Access Controls
Only authorised personnel (background-checked network engineers and support staff) can access customer data, subject to strict role-based access control (RBAC) and immutable audit logging.
6. Data Retention Periods
| Data Type | Retention Period | Reason |
|---|---|---|
| Account data | 3 years post-termination | Tax compliance, dispute resolution |
| Traffic logs | 90 days | Troubleshooting, security analysis |
| Payment records | 7 years | Financial audit requirements |
| AI search queries | 1 year (anonymised) | Product optimisation |
| Cookie consent records | 3 years | GDPR accountability (Art. 5(2)) |
7. Your Rights Under GDPR
Under GDPR and the NDPR, you have the right to:
- Access (Art. 15): Request a copy of your personal data
- Rectification (Art. 16): Correct inaccurate information
- Erasure (Art. 17): Request deletion in certain circumstances ("right to be forgotten")
- Restrict Processing (Art. 18): Limit how we use your data
- Data Portability (Art. 20): Export your data in a structured, machine-readable format
- Withdraw Consent (Art. 7(3)): Revoke previously given consent without affecting prior lawful processing
- Object to Processing (Art. 21): Object to processing based on legitimate interests
To exercise any of these rights, email [email protected]. We will respond within 30 calendar days as required by GDPR Art. 12.
8. Cross-Border Data Transfer (CBDT)
For customers located within the European Economic Area (EEA), all transfers of personal data to Huize Telecom Limited (Nigeria) or Huize Holdings LLC (Kyrgyz Republic) are strictly safeguarded by the modular Standard Contractual Clauses (SCCs) adopted by the European Commission on 4 June 2021, pursuant to Article 46 of the GDPR.
We supplement SCCs with the following technical safeguards:
- SCION Path Isolation: Contractually specify data routes through only approved jurisdictions
- Transfer Impact Assessments (TIAs): Completed for Nigeria and the Kyrgyz Republic as destination countries
- End-to-End Encryption: QKD-line content is quantum-encrypted; we are technically unable to access it
9. Children's Privacy
Our services are directed exclusively at business entities (B2B) and are not intended for individuals under 18. If we inadvertently collect data about a minor, we delete it immediately upon discovery.
10. Policy Updates
This Privacy Policy may be updated to reflect legal or business changes. Material changes will be communicated at least 30 days in advance via customer portal notification and email to registered addresses. The policy version number and "Last Updated" date above will be revised on every change.
Contact Information
Data Protection Officer (DPO):
Email: [email protected]
Phone: +234 8065874913
Postal address: Plot 83 Ralph Shodeinde Street, Central Business District, 4th Floor, Building II, Rivers House, Abuja, 901002, Nigeria
Supervisory Authority Complaints:
EEA residents may lodge a complaint with the data protection authority of their EU/EEA member state. Nigerian residents may contact the National Information Technology Development Agency (NITDA).
This policy is governed by the GDPR (EU 2016/679) and the Nigerian Data Protection Regulation (NDPR).