Privacy Policy

1. Introduction — Purpose and Scope

This Privacy Policy explains how Bytte collects, uses, stores, shares, and protects personal data in connection with our business of creating, annotating, documenting and licensing African-language datasets, and related services (the "Services"). It applies to:

• Contributors, annotators, and speakers (collectively "Contributors") who provide speech, text, and related metadata to Bytte.
• Clients and prospective clients (collectively "Clients") who purchase or inquire about Bytte datasets or services.
• Website visitors and subscribers to communications.
• Job applicants, contractors, partners, advisors, and other individuals we interact with.

This Policy is intended to ensure compliance with the Nigeria Data Protection Act (NDPA 2023), applicable provisions of the EU General Data Protection Regulation (GDPR) when applicable, and recognized international AI-data governance principles. Where legal requirements differ by jurisdiction, we follow the applicable law for the data subject.

2. Summary of Key Promises

• We collect only the data necessary to deliver our Services.
• All Contributor data used in datasets is obtained under informed consent and work-for-hire / IP assignment that transfers required rights to Bytte.
• We maintain audit trails and dataset provenance for all datasets we create.
• We apply appropriate technical and organizational security measures (encryption, access control, logging) and follow security practices aligned with SOC 2 and ISO 27001 principles.
• We honor data-subject rights (access, correction, deletion, objection, portability) and provide clear channels to exercise those rights.
• We will notify supervisory authorities and affected data subjects of data breaches where required by law.

3. Categories of Personal Data We Collect

A. Contributor Data (Primary Collection for Datasets)

• Identity & demographic metadata: name (optional), age range, gender (optional), region, dialect, language proficiency, accent markers, occupation (optional).
• Contact details: email mailing , phone number (for recruitment and payments).
• Speech/audio: voice recordings, timestamps, contextual metadata (location type, background noise level).
• Text contributions: typed or transcribed text, chat logs, SMS, social media excerpts, where provided with consent.
• Annotation data: labels, corrections, reviewer notes, timestamps.
• Payment & tax details: bank account or payment processor identifiers for paid contributors.
• Consent and IP documents: signed consent forms, IP assignment/work-for-hire contracts, ID verification documents (where required by local law or KYC).

B. Client & Prospect Data

Company name, contact person, role, business email, business phone, contract documents, purchase history, invoices, project requirements, correspondence.

C. Website Visitors and Marketing Contacts

IP mailing , device/browser identifiers, cookie identifiers, interactions with the website, newsletter subscription email.

D. Operational & Security Logs

Access logs, system logs, audit trails necessary for security, billing and compliance.

E. Job Applicants and Contractors

CVs, contact details, interview notes, tax/contractual documents.

4. Legal Bases for Processing

We process personal data only where we have a lawful basis:

• Consent: Contributors explicitly consent to collection, processing, and licensing of their recordings/text and to IP assignment. Consent is documented. Contributors can withdraw consent; withdrawal may affect their participation and payment.
• Contract / Pre-contractual measures: For Clients, processing is necessary to perform contracts for dataset creation, pilots, and licensing.
• Legal obligation: To comply with NDPA, tax, and company law obligations.
• Legitimate interests: For security, fraud prevention, quality assurance, operational management, and analytics where such interests are not overridden by the data subject's rights and freedoms. We document legitimate-interest assessments.
• Vital interests / public interest: Only where applicable and strictly necessary; not used for standard collection.

For EU data subjects, we will rely on GDPR lawful bases above and provide the specific basis at point of collection where required.

5. Purposes of Processing — What We Do With the Data

We collect and process data to:

• Recruit, onboard, pay, and manage Contributors.
• Create, annotate, QA, and document speech and text datasets (including creation of Data Cards and provenance records).
• Operate, maintain, and improve Bytte services and internal systems.
• Provide Clients with dataset licensing, project delivery, support, billing, and communications.
• Run pilots, benchmarks, error analyses and to publish aggregated non-identifying sample datasets and case studies if permitted by contracts and consents.
• Ensure security, detect and remedy incidents, and meet compliance obligations.
• Fulfill lawful requests (e.g., subpoenas) and protect legal rights.
• Marketing and communications (where consented).

We do not use Contributor recordings for unrelated secondary purposes without additional informed consent.

6. How We Collect Data

• Directly from data subjects: Contributors upload files, complete forms, sign consent/IP agreements, and annotate data. Clients provide business and project details. Visitors submit forms/contact information.
• From automated technologies: website cookies, analytics, logs.
• From third parties: payment processors, identity verification vendors, subcontractors (e.g., payment or tooling platforms) when necessary and lawful. We disclose third-party processing below.

7. Consent, Contributor Agreements and IP Ownership

Informed consent: Contributors receive clear, plain-language consent forms describing the data collected, processing purposes, sharing/licensing terms, retention, rights to withdraw, and contact details. Consent is recorded and retained.

Work-for-Hire / IP assignment: Contributors and contractors sign agreements transferring necessary intellectual property and commercial rights to Bytte, including rights to license datasets exclusively, semi-exclusively, or non-exclusively. These contracts contain representations that Contributors have the right to grant such rights, and indemnities as appropriate.

Withdrawal: Contributors may withdraw consent. Withdrawal does not retroactively invalidate licenses already granted to third-party buyers under contracts executed prior to withdrawal; withdrawal affects future processing and new licensing. Withdrawal procedures and implications are explained at the time of consent.

8. Data Sharing and Recipients

We share personal data only as necessary for the Services and under legal protections:

• Clients / Licensees: dataset artifacts, metadata and, where contractually permitted, dataset access under license. Contributor identities are not disclosed to Clients unless expressly agreed and consented.
• Subprocessors / Service providers: cloud hosts, payment processors, analytics providers, annotation tooling vendors, quality assurance contractors, identity verification providers. All subprocessors are contractually bound by standard data processing agreements. A current subprocessor list is available on request.
• Legal & regulatory authorities: when required by law or to defend legal claims.
• Acquirers / corporate transaction parties: in connection with M&A, with confidentiality and data handling protections.
• Aggregated, de-identified outputs: We may publish aggregated or fully de-identified datasets or benchmarks; we will not publish data that can be re-identified except where explicit contributor consent and IP assignment permit it.

9. Cross-Border Transfers and Hosting

Bytte may store and process data in Nigeria and with cloud providers outside Nigeria (e.g., AWS/GCP/Azure). Where cross-border transfers occur, we rely on lawful mechanisms: standard contractual clauses, appropriate safeguards, and documented transfer assessments. Cross-border transfer details are included in our Data Processing Agreements and available to Clients on request.

We disclose cross-border hosting in consent forms and privacy notices.

10. Retention Periods

We retain personal data only as long as necessary for the stated purpose, subject to legal requirements and contract terms:

• Raw contributor audio / text: retained for project duration and for a maximum of 5 years after last active use unless contract or consent specifies otherwise. For pilot datasets, retention is typically 12–24 months unless otherwise agreed.
• Annotated datasets / production datasets: retained as long as Bytte owns the dataset and subject to licensing obligations and legal recordkeeping (typically up to 7–10 years for commercial records).
• Consent & IP agreements: retained for the longer of 7 years or the full term of data usage rights.
• Client contract records and billing: 7 years for tax and audit needs.
• Marketing contacts: until consent withdrawal or 3 years of inactivity, subject to country law.

Retention periods are applied with the principle of data minimization and documented in our Record of Processing Activities (ROPA). Specific retention schedules can be provided to Clients and Contributors upon request.

11. Security Measures

We implement appropriate technical and organizational measures proportionate to the risk, including:

• Encryption at rest and in transit for sensitive data; key management policies.
• Role-based access control (least privilege) and multi-factor authentication for staff.
• Secure development lifecycle and code reviews for internal tools.
• Regular vulnerability scanning, scheduled penetration testing, and patch management.
• Audit trails, logging, and monitoring of access to datasets.
• Secure deletion and secure backup strategies.
• Access reviews, employee training, and contractual obligations with subprocessors requiring comparable protections.

We align security practices with SOC 2 and ISO/IEC 27001 principles. Where Clients require additional controls, we negotiate contractual and technical measures.

12. Data Subject Rights and How to Exercise Them

Depending on applicable law, you have rights including:

• Access: Request a copy of personal data we hold.
• Rectification: Request correction of inaccurate or incomplete data.
• Erasure (right to be forgotten): Request deletion of personal data where lawful (subject to contractual or legal retention needs).
• Restriction: Request restriction of processing in certain circumstances.
• Objection: Object to processing based on legitimate interests or direct marketing.
• Portability: Request a machine-readable copy for data you provided.
• Withdraw consent: Withdraw consent at any time for processing based on consent.
• Lodge a complaint: With supervisory authorities or with Bytte.

How to make a request: Contact contact@bytte.xyz with "Data Subject Request" in the subject line and include proof of identity. We aim to respond within 30 days (or within the timeframe required by applicable law). If we need more time we will inform you and provide reasons.

For EU residents, if unsatisfied you may contact the relevant supervisory authority. For Nigeria, you may contact the National Data Protection Commission (NDPC).

13. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to individuals' rights and freedoms, we will:

• Notify the relevant supervisory authority (e.g., NDPC or applicable EU authority) without undue delay and, where feasible, within 72 hours of becoming aware, unless the breach is unlikely to result in risk.
• Notify affected data subjects without undue delay when required by law, describing the nature of the breach, likely consequences, measures taken, and contact details.

Internal incident response is documented and tested periodically.

14. Cookies, Tracking, and Analytics

We use cookies and similar technologies on our website for required site functionality, analytics, and marketing. We provide a cookie banner and preference center to manage consent. Categories:

• Strictly necessary cookies (required).
• Functional cookies (preferences).
• Performance/analytics cookies (aggregated usage).
• Advertising/marketing cookies (where consented).

Users can adjust cookie settings anytime via the cookie preference center and browser settings.

15. Minors and Sensitive Categories

We do not knowingly collect data from minors under the legal minimum age without verifiable parental/guardian consent.

We avoid processing special categories of personal data (e.g., health, race, religion) unless strictly necessary and only with explicit consent and appropriate safeguards. If collected for a specific project, we obtain explicit additional consent and document lawful basis.

16. Subprocessors and Third-Party Vendors

We use subprocessors for cloud hosting, payment processing, annotation tooling, identity verification, and analytics. All subprocessors are subject to Data Processing Agreements requiring:

• Processing only on documented instructions.
• Confidentiality obligations.
• Adequate security measures.
• Limitations on onward transfers without Bytte's approval.

A current list of subprocessors is available upon request by emailing contact@bytte.xyz.

17. Data Protection Assessments and Governance

Bytte maintains:

• A Record of Processing Activities (ROPA) for compliance and audits.
• Data Protection Impact Assessments (DPIAs) for high-risk processing (e.g., large voice collections, sensitive categories).
• Regular internal reviews and audits of privacy and security controls.
• Data protection clauses in contractor and partner agreements.
• A designated contact for privacy inquiries and oversight.

18. Automated Decision-Making and Profiling

We do not perform automated decision-making that produces legal or similarly significant effects on individuals without explicit disclosure and lawful basis. If a project involves profiling or automated decisions impacting individuals, we will provide specific disclosures and rights notices as required.

19. Marketing Communications

We send marketing or promotional emails only with consent where required. Recipients can unsubscribe via links in emails or by contacting contact@bytte.xyz. We retain unsubscribed contact details to respect opt-out preferences.

20. International Buyers and Contractual Protections

For Clients outside Nigeria, our standard contracts include:

• Appropriate data processing and transfer clauses (e.g., EU Standard Contractual Clauses or equivalent safeguards).
• Security schedules, confidentiality and liability provisions.
• Clear licensing terms describing scope (exclusive/semi-exclusive/non-exclusive), permitted use, and duration.

We negotiate additional protections (e.g., onsite audits, encryption at rest/client-side encryption) as required by enterprise contracts.

21. How We Handle Requests from Law Enforcement

We respond to lawful requests from authorities only with proper process. Where we receive such a request, we will limit disclosure to what is legally required, notify the affected Client or Contributor unless legally prohibited, and seek to require legal process where appropriate.

22. Third-Party Links and Embedded Content

Our website may link to third-party sites. This Policy does not apply to external sites; please review their privacy policies. We are not responsible for third-party practices.

23. Changes to This Privacy Policy

We may update this Policy to reflect changes in law, business practice, or services. When material changes occur we will post a notice on our website and, where appropriate, notify registered users by email. The "Effective date" at the top reflects the last update.

24. Contact, Complaints and Supervisory Authorities

Contact: contact@bytte.xyz

Mailing mailing : Bytte LTD, Abuja, Nigeria.

If you are not satisfied with our response, data subjects may lodge a complaint with:

• Nigeria: National Data Protection Commission (NDPC) — https://ndpc.gov.ng
• EU: the supervisory authority in the EU Member State of residence.

25. Practical Templates and Annexes (For Internal Use)

A. Minimal Contributor Consent Template (Example)

B. Minimal Work-for-Hire / IP Assignment Clause (Example)

C. Data Subject Request Process (Internal)

• Verify identity.
• Log request in ROPA.
• Locate data and provide redacted export if required.
• Respond within 30 days (extend if necessary and document reason).
• If request is for deletion and legal/contractual obligations prevent deletion, explain limitation in response.

(These templates should be reviewed and finalized by legal counsel.)

26. Auditability and Evidence

We maintain internal evidence to support all public compliance claims, including:

• Copies of signed consent and IP assignment forms.
• ROPA, DPIAs, security control evidence, and penetration-test reports.
• Subprocessor contracts and DPA appendices.
• Incident response and breach notification logs.
• Data Cards and provenance records for each dataset.

We will provide evidence to Clients under NDA or as contractually agreed and subject to reasonable confidentiality protections.

27. Final Notes and Disclaimer

This Privacy Policy is a binding statement of our practices but does not create contractual rights beyond those set out in individual contributor and client agreements. This Policy should be read together with Bytte's Contributor Agreement, Terms of Service, and Dataset License Agreements.

Legal review recommended: This draft is comprehensive and aligned to NDPA/GDPR principles, but you must obtain legal counsel in Nigeria (and in any major client jurisdiction) to verify final language, complete placeholders (e.g., CAC/RC number, postal mailing ), and confirm retention schedules and lawful-basis language for specific contracts and projects.