Privacy Policy

Effective date: May 13, 2026 Β· Last updated: May 13, 2026

1. Introduction

Elyonar Technologies Ltd (β€œYona”, β€œwe”, β€œus”) operates useyona.com and the Yona API. This policy describes what data we collect, how we use it, and your rights under the Nigeria Data Protection Act 2023 (NDPA).

2. Data We Collect

Account Data

Name, email, phone number, password (hashed), gender (optional), date of birth (optional), avatar, language and timezone preferences, notification settings.

Organization Data

Business name, tax identification number (TIN), business registration number, email, phone, website, postal address, country, webhook URLs.

Invoice & Party Data

Seller and buyer details (names, TINs, emails, phones, postal addresses, registration numbers), invoice numbers, dates, amounts, line items (descriptions, quantities, prices, HSN codes, tax rates), currency, payment status.

Billing & Payment Data

Subscription plan, credit balance, payment history, card last 4 digits and brand (via Stripe/Paystack β€” we never store full card numbers), billing email, transaction logs.

Technical Data

API key prefixes and last-4 characters, IP address of last API key usage, usage counts, rate limit configuration, webhook delivery logs, browser type and device info from website visits.

Cookies

We use essential cookies only for session management and theme preference. No advertising or tracking cookies.

3. How We Use Your Data

We process your data under the following lawful bases defined by the NDPA:

Contract Performance

Processing invoices, managing subscriptions, delivering the API service.

Legal Obligation

Submitting invoices to the relevant tax authority, retaining tax records as required by applicable tax law, verifying tax IDs against the tax authority's database.

Legitimate Interest

Preventing fraud, monitoring API abuse, improving service reliability, sending operational notifications (low credit alerts, invoice status updates).

Consent

Marketing emails (opt-in only), optional profile fields (gender, date of birth).

4. Third-Party Data Sharing

Tax Authorities

Invoice data, seller and buyer tax IDs, and tax amounts are submitted to the relevant tax authority as required by applicable e-invoicing regulations. This is a legal obligation, not optional.

Payment Processors (Stripe, Paystack)

Payment card details are processed directly by these providers. We receive only the last 4 digits and card brand for display purposes. We never see or store full card numbers.

Your Webhook Endpoints

If you configure webhooks, we deliver event notifications (invoice status changes, billing events) to URLs you specify.

We do NOT sell personal data. We do NOT share data with advertisers.

5. Data Retention

  • Invoice and tax records: Minimum 6 years from the end of the relevant tax year, as required by applicable tax law (tax authority retention requirements).
  • Account data: Retained while your account is active, plus 90 days after deletion to allow recovery.
  • Billing records: 7 years for financial audit compliance.
  • API logs and webhook delivery logs: 90 days.

We delete or anonymize data when the retention period expires.

6. Data Security

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • API authentication via scoped API keys with configurable rate limits
  • Webhook signature verification (HMAC-SHA256)
  • Two-factor authentication support (TOTP or SMS)
  • Role-based access control (RBAC) with custom permissions
  • Regular security audits

7. Your Rights Under NDPA

Under the Nigeria Data Protection Act 2023, you have the following rights:

  • Right to access your personal data
  • Right to rectify inaccurate data
  • Right to request deletion (subject to legal retention obligations for tax records)
  • Right to data portability
  • Right to object to processing based on legitimate interest
  • Right to withdraw consent (for optional processing like marketing)
  • Right to lodge a complaint with the Nigeria Data Protection Commission (NDPC)

To exercise these rights, email privacy@elyonar.ng.

8. International Data Transfers

Your data is primarily processed and stored on servers accessible to Nigerian authorities as required by NITDA guidelines.

Where data is processed outside Nigeria (e.g., payment processing via Stripe), we ensure adequate safeguards are in place as required by the NDPA.

9. Children's Data

Yona is a B2B infrastructure service. We do not knowingly collect data from anyone under 18. If you believe a minor's data has been submitted, contact us immediately.

10. Changes to This Policy

We may update this policy periodically. Material changes will be communicated via email to account holders and posted on this page. Continued use of the service after changes constitutes acceptance.

11. Contact

Elyonar Technologies Ltd

Email: privacy@elyonar.ng

Support: support@elyonar.ng

Website: useyona.com