1. Scope and roles
Pavilion is Nigerian-first: we align our privacy programme with the Nigeria Data Protection Act 2023 (NDPA), the Nigeria Data Protection Regulation (NDPR) where it remains applicable, and guidance from the Nigeria Data Protection Commission (NDPC). This policy applies to visitors to our public websites, individuals who request demos or contact us, and users of the authenticated product. Where your organization subscribes to Pavilion CreditOS and uploads or connects borrower, loan book, or business data (“Customer Data”), your organization is typically the controller of that data and Pavilion processes it as a processor under your instructions and agreement, subject to our Terms of Service and any data processing terms in your contract.
2. Information we collect
2.1 You provide directly
- Business contact details: name, work email, phone, job title, company name, industry, company size, and similar fields submitted through demo requests, contact forms, or onboarding.
- Account and authentication: credentials, profile details, and preferences for users of the Services.
- Support and communications: messages you send us, including email and in-product requests.
2.2 Customer Data in the product
Depending on how you configure the Services, Customer Data may include portfolio files, analytics inputs, identifiers, transaction attributes, model outputs, audit trails, and other business records you choose to load or generate. Categories depend entirely on what your organization submits.
2.3 Automatically collected
- Usage and device data: IP address, approximate location derived from IP, browser type, device identifiers, pages viewed, referring URLs, timestamps, and diagnostic events needed to operate and secure the Services.
- Cookies and similar technologies: we may use cookies and similar technologies on our websites for functionality, preferences, analytics, and security. You can control cookies through browser settings; disabling some cookies may limit certain features.
3. How we use information
We use personal information to:
- Provide, operate, maintain, and improve the Services;
- Create and manage accounts and authenticate users;
- Respond to inquiries, schedule demos, and communicate about products and security;
- Process transactions and send administrative messages;
- Detect, prevent, and investigate fraud, abuse, and security incidents;
- Comply with legal obligations and enforce our terms;
- Analyze aggregate or de-identified usage to improve reliability and user experience, where permitted by law.
We do not sell personal data in the manner restricted under the NDPA and applicable Nigerian law, and we do not use Customer Data to train generalized public models unless expressly agreed in writing for a specific programme you opt into.
4. Legal bases (Nigeria first; other regions)
Nigeria: Where the NDPA applies, we process personal data only on a lawful basis recognised under Nigerian law, including consent where required; performance of a contract; compliance with a legal obligation; protecting vital interests; performing a task in the public interest; or legitimate interests that are not overridden by your rights (such as securing the Services, fraud prevention, and proportionate product improvement). We maintain retention and security measures consistent with NDPA duties.
European Economic Area, United Kingdom, and Switzerland: Where GDPR or equivalent laws apply, we rely on one or more of the following: performance of a contract; legitimate interests (such as securing our Services, improving products, and communicating with business prospects), consistent with your rights; consent where required; and legal obligation.
5. How we share information
We may share information with:
- Service providers who process data on our behalf under contracts (for example, cloud hosting, email delivery, logging and monitoring, customer relationship tools), only as needed for the purposes described in this policy.
- Professional advisers when necessary (for example, auditors or lawyers bound by confidentiality).
- Authorities when required by law, regulation, legal process, or to protect rights, safety, and security.
- Corporate transactions such as a merger or acquisition, subject to appropriate safeguards.
We may publish a list of subprocessor categories or named subprocessors for enterprise customers as part of our commercial documentation.
6. Cross-border processing
We may process and store information in Nigeria and in other countries where we or our providers operate (for example, cloud regions). Where Nigerian personal data is transferred outside Nigeria, we do so in line with NDPA requirements (including adequacy decisions, appropriate safeguards, or other lawful mechanisms as applicable). Where GDPR applies, we may rely on Standard Contractual Clauses or equivalent safeguards together with supplementary measures when appropriate.
7. Retention
We retain personal information for as long as necessary to fulfill the purposes described here, resolve disputes, enforce agreements, and meet legal, security, and operational requirements. Retention periods vary by data type and context. Customer Data in the product is retained according to your configuration, subscription terms, and technical capabilities described in your agreement or admin controls.
8. Security
We implement administrative, technical, and organizational measures, appropriate to the risk, that are designed to protect information, including access controls, encryption in transit where applicable, monitoring, and vendor diligence. No method of transmission or storage is completely secure; we encourage strong passwords and enterprise-grade controls on your side.
9. Your rights and choices
Nigeria: Subject to the NDPA, you may have rights to obtain information about processing, access your personal data, request rectification or erasure where applicable, restrict certain processing, object on grounds relating to your situation, withdraw consent where processing is consent-based, and lodge a complaint with the Nigeria Data Protection Commission (NDPC). Use the contact routes below to reach us; we respond within timeframes required by law where they apply.
Other regions: Depending on your location, you may have comparable rights under GDPR or other laws (including access, correction, deletion, restriction, objection, or portability). You may lodge a complaint with a supervisory authority where you live or work when that law applies.
If U.S. state privacy laws apply to you, we honour applicable consumer rights (such as access and deletion requests) to the extent required. We do not discriminate against you for exercising rights.
10. Children
The Services are not directed to children under 16, and we do not knowingly collect personal information from children for marketing purposes.
11. Changes to this policy
We may update this Privacy Policy from time to time. We will post the revised version and update the “Last updated” date. Where required, we will provide additional notice.
12. Contact
For privacy requests or questions about this policy, contact us through Book a demo or your Pavilion account representative. Enterprise customers may use the contacts specified in their agreement. Nigerian residents may also refer complaints to the NDPC in accordance with its published procedures.