WATERLIGHT SAVE INITIATIVE

PRIVACY POLICY

waterlightsave.africa | I-HEAL Registration & All Digital Services

Effective Date: 11 May 2023

Last Updated: 19 May 2026

Compliant with the EU General Data Protection Regulation (GDPR) and the Nigeria Data Protection Act 2023 (NDPA)

Waterlight Save Initiative (“WSI”, “we”, “us”, or “our”) is an international nonprofit organisation with UN ECOSOC consultative status, operating from Abuja, Nigeria, and Atlanta, Georgia, USA. We are dedicated to ending cycles of poverty through access to clean water, healthcare, education, youth empowerment, and women’s welfare across Africa and the diaspora.

This Privacy Policy explains how we collect, use, store, share, and protect personal data obtained through our website (waterlightsave.africa), including the I-HEAL Youth Forum registration form, donation forms, contact pages, volunteer sign-ups, and other digital touchpoints. It also sets out your rights as a data subject and how to exercise them.

By accessing our website or submitting information through any of our online forms, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please do not use our website or submit your information to us.

1. Data Controller Information

Waterlight Save Initiative is the data controller responsible for your personal data in connection with activities carried out through this website. Our contact details are:

Waterlight Save Initiative

Registered Office (Nigeria): Abuja, Federal Capital Territory, Nigeria

US Office: Atlanta, Georgia, USA

Website: www.waterlightsave.africa

Email: info@waterlightsave.africa

Phone: +234 9041555555 | +1 (917) 295 8298

For data protection enquiries or to exercise your rights, please contact us at: info@waterlightsave.africa (subject line: “DATA PROTECTION”).

2. What Personal Data We Collect

We collect personal data only to the extent necessary to fulfil the purposes described in this Policy. The categories of data we may collect include:

2.1 Registration and Event Sign-Up Data (I-HEAL Forum & Other Events)

Full name
Email address
Phone number
Country and city of residence
Date of birth or age range
Gender
Organisation or institution (if applicable)
Area of interest / professional focus
Social media handles (where voluntarily provided)
Business registration details (for youth startup participants)

2.2 Donation and Financial Data

Name and billing address
Payment method details (processed securely by third-party payment processors; we do not store card data on our servers)
Donation history

2.3 Volunteer and Partnership Enquiries

Name, email, phone
Skills, qualifications, and areas of interest
Availability and location

2.4 Communications and Contact Form Data

Name and email address
Subject and message content
Any attachments you choose to share

2.5 Automatically Collected Technical Data

IP address
Browser type and version
Device type and operating system
Pages visited and time spent on each page
Referring URL
Cookie identifiers (see Section 11)

We do not intentionally collect special categories of personal data (e.g., health, ethnicity, political opinion, religion) unless you voluntarily disclose such information in a message or application. Where such data is received, we handle it with heightened care in accordance with GDPR Article 9 and NDPA provisions on sensitive data.

3. How We Collect Personal Data

We collect personal data through the following means:

Directly from you when you complete a registration, donation, volunteer, or contact form on our website
When you subscribe to our newsletter or follow-up communications
When you participate in our events, programmes, or campaigns
Automatically, through cookies and analytics tools when you browse our website
Through third-party platforms (e.g., social media, event ticketing) when you engage with our content

4. Legal Basis for Processing

We process personal data only where we have a valid legal basis to do so. The applicable legal bases under the GDPR (Article 6) and the Nigeria Data Protection Act 2023 are set out below:

4.1 Consent (GDPR Art. 6(1)(a); NDPA §25)

Where you have given us clear, specific, and informed consent — for example, when subscribing to our newsletter or agreeing to receive event communications. You may withdraw consent at any time (see Section 9).

4.2 Contractual Necessity (GDPR Art. 6(1)(b); NDPA §25)

Where processing is necessary to perform a contract to which you are a party, or to take steps at your request before entering into a contract — for example, processing your registration for the I-HEAL Forum or a fellowship programme.

4.3 Legitimate Interests (GDPR Art. 6(1)(f); NDPA §25)

Where processing is necessary for our legitimate interests, provided these do not override your fundamental rights. Our legitimate interests include: improving our programmes and website, detecting and preventing fraud, and maintaining organisational security.

4.4 Legal Obligation (GDPR Art. 6(1)(c); NDPA §25)

Where processing is required to comply with a legal obligation imposed on us under Nigerian law, US law, or other applicable regulation (e.g., financial record-keeping for donations).

4.5 Vital Interests / Public Task (GDPR Art. 6(1)(d) & (e); NDPA §25)

Where processing is necessary to protect the vital interests of data subjects or to perform tasks carried out in the public interest, consistent with our humanitarian mandate.

5. How We Use Your Personal Data

We use personal data collected through our website for the following purposes:

To process and confirm your registration for the I-HEAL Youth Forum, fellowships, and other events
To communicate with you regarding your application, participation, or enquiry
To process donations securely and issue receipts or acknowledgements
To send you newsletters, impact reports, and event updates, where you have consented
To manage volunteer and partnership relationships
To comply with our legal, financial, and regulatory obligations
To analyse website usage and improve user experience (using aggregated and anonymised data where possible)
To detect, investigate, and prevent fraudulent or harmful activity
To fulfil our mission of humanitarian and developmental impact across Africa

We will not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects without your explicit consent.

6. Data Sharing and Disclosure

Waterlight Save Initiative does not sell, rent, or trade personal data. We may share your data in the following limited circumstances:

6.1 Service Providers and Data Processors

We engage carefully vetted third-party service providers who process data on our behalf under binding data processing agreements. These include:

Website hosting and technical infrastructure providers
Email communication platforms (e.g., newsletter services)
Secure payment processors (who handle donation transactions)
Event management and registration platforms
Analytics tools (e.g., Google Analytics — see Section 11)

All processors are contractually required to process data only on our instructions and to implement appropriate security measures.

6.2 Partners and Co-Organisers

Where an event or programme is organised in partnership with another body (e.g., a UN agency, USAID, a government body, or a co-sponsoring NGO), we may share relevant participant data with that partner for programme-management purposes. We will inform you of any such sharing at the point of data collection.

6.3 Legal and Regulatory Disclosure

We may disclose personal data if required to do so by law, court order, or regulatory authority in Nigeria, the United States, or another jurisdiction with applicable authority over our activities.

6.4 Safety and Fraud Prevention

We may share data where we reasonably believe disclosure is necessary to protect the safety, rights, or property of WSI, our participants, or the public.

7. International Data Transfers

Waterlight Save Initiative operates internationally, and your personal data may be transferred to, stored in, or processed in countries outside your country of residence, including Nigeria, the United States, and other jurisdictions where our service providers are based.

Where personal data is transferred from the European Economic Area (EEA) to a country that has not been granted adequacy status by the European Commission, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission, or other lawful transfer mechanisms under GDPR Chapter V.

For transfers from Nigeria to foreign countries, we ensure that appropriate protections are in place consistent with the NDPA 2023 and the Nigeria Data Protection Regulation (NDPR) 2019, including ensuring that the recipient country provides an adequate level of data protection, or that contractual safeguards are in place.

8. Data Retention

We retain personal data for no longer than is necessary for the purposes for which it was collected or as required by law. Our general retention periods are:

Event registration data: up to 3 years after the event, unless you request earlier deletion
Donation records: 7 years (to comply with financial and tax obligations in Nigeria and the US)
Newsletter subscriber data: until you unsubscribe or withdraw consent, plus 3 months for system updates
Contact and correspondence data: up to 2 years after the last communication
Volunteer and partnership data: duration of the relationship plus 2 years
Technical and log data: up to 12 months

At the end of the applicable retention period, data is securely deleted or irreversibly anonymised. Where we are required to retain data by law, we will retain the minimum amount necessary.

9. Your Rights as a Data Subject

Depending on your location and applicable law, you may have the following rights regarding your personal data. We are committed to honouring these rights promptly and without charge.

9.1 Rights Under GDPR (Applicable to EEA/UK Residents)

Right of Access (Art. 15): obtain a copy of the personal data we hold about you
Right to Rectification (Art. 16): request correction of inaccurate or incomplete data
Right to Erasure (Art. 17): request deletion of your data (“right to be forgotten”), subject to legal exceptions
Right to Restriction of Processing (Art. 18): request that we limit how we use your data
Right to Data Portability (Art. 20): receive your data in a structured, machine-readable format
Right to Object (Art. 21): object to processing based on legitimate interests or for direct marketing
Right to Withdraw Consent (Art. 7(3)): withdraw consent at any time where processing is consent-based
Right not to be subject to automated decision-making (Art. 22)

9.2 Rights Under the Nigeria Data Protection Act 2023 (Applicable to Nigerian Residents)

Right to be informed about how your data is processed
Right of access to your personal data
Right to rectification of inaccurate data
Right to deletion/erasure of your data
Right to object to processing
Right to withdraw consent at any time
Right to lodge a complaint with the Nigeria Data Protection Commission (NDPC)

To exercise any of these rights, please contact us at: info@waterlightsave.africa with the subject line “DATA SUBJECT REQUEST”. We will respond within 30 days (GDPR) or 14 working days (NDPA), as applicable. We may request proof of identity to verify your request.

9.3 How to Complain

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the relevant supervisory authority:

In Nigeria: Nigeria Data Protection Commission (NDPC) — www.ndpc.gov.ng
In the EU/EEA: Your national data protection authority (e.g., CNIL in France, BfDI in Germany)
In the UK: Information Commissioner’s Office (ICO) — www.ico.org.uk

We encourage you to contact us first so we can resolve your concern directly.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:

Encrypted data transmission (TLS/SSL) across our website
Access controls limiting who within WSI can access personal data
Regular review of our data handling and security practices
Use of reputable, security-certified third-party processors
Staff awareness of data protection obligations

No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority as required by law.

11. Cookies and Tracking Technologies

Our website uses cookies and similar technologies to enhance your browsing experience, analyse site usage, and support our communications. A cookie is a small text file placed on your device when you visit our website.

Categories of Cookies We Use

Strictly Necessary Cookies: essential for the website to function correctly (e.g., session management, form submissions). No consent required.
Analytics Cookies: used to understand how visitors interact with our website (e.g., Google Analytics). We anonymise IP addresses where possible. Consent required.
Functional Cookies: remember your preferences to improve your experience. Consent required.
Marketing/Communication Cookies: used to deliver relevant content and track engagement with our campaigns. Consent required.

When you first visit our website, you will be presented with a cookie consent banner. You may accept all cookies, select specific categories, or reject non-essential cookies. You can also manage or withdraw cookie consent at any time through your browser settings or our cookie preference centre.

For more information on how Google Analytics handles data, visit: policies.google.com/privacy.

12. Children’s Privacy

Our website and programmes are open to young people. The I-HEAL Youth Forum and similar programmes are designed for participants aged 15 and above. For participants under the age of 18 (or 13 in the US), we require verifiable parental or guardian consent before collecting personal data.

If you believe that a child under the relevant age threshold has provided personal data to us without appropriate parental consent, please contact us immediately at info@waterlightsave.africa and we will take steps to delete such data.

13. Links to Third-Party Websites

Our website may contain links to external websites operated by third parties (e.g., partner organisations, UN agencies, social media platforms). This Privacy Policy does not apply to those websites. We encourage you to read the privacy policies of any external sites you visit, as we have no control over their content or data practices.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or organisational structure. When we make material changes, we will:

Post the updated Policy on this page with a revised “Last Updated” date
Where appropriate, notify registered users by email

We encourage you to review this Policy periodically. Your continued use of our website after changes have been posted constitutes your acceptance of the revised Policy.

15. Contact Us

If you have any questions, concerns, or requests relating to this Privacy Policy or our data practices, please contact us at:

Waterlight Save Initiative — Data Protection Office

Email: info@waterlightsave.africa (Subject: “DATA PROTECTION”)