1. ABOUT THIS POLICY

1.1 Introduction
Getly Ltd (“Getly”), a subsidiary of Takeout Media Ltd, takes its responsibilities regarding data protection very seriously. This Data Privacy Policy (“Policy”) outlines how Getly manages these responsibilities.
Getly obtains, uses, stores, and processes information (“Personal Data”) relating to potential users, employees including clients, former employees and clients, current and former contractors, website and application users, and other contacts (collectively referred to as “Data Subjects”). When processing Personal Data, Getly is committed to meeting individuals’ reasonable expectations of privacy by complying with applicable data protection Laws.
This Policy ensures that Getly defines how Personal Data must be processed, sets expectations for those processing data on its behalf, complies with data protection Laws and best practices, protects its reputation by ensuring that Personal Data is handled in line with Data Subjects’ rights, and safeguards against risks of data breaches and other violations.

1.2 Scope
This Policy applies to all Personal Data processed by Getly, regardless of where the data is stored or the identity of the Data Subject. All staff and others processing Personal Data on Getly’s behalf must comply with this Policy. Failure to do so may result in disciplinary action.
All Getly staff are required to read, understand, and fully comply with this Policy. Getly reserves the right to seek redress against any staff member whose failure to comply results in damages, legal action, or reputational harm.
The data protection officer (“DPO”) is responsible for ensuring compliance with this Policy and for implementing appropriate practices, processes, controls, and training. The DPO is the Chief Technology Officer and can be reached at hello@getly.app.

2. DATA PROTECTION PRINCIPLES
When processing Personal Data, Getly adheres to the following principles in line with applicable data protection laws in Nigeria:
• Ensure lawfulness, fairness, and transparency when processing Personal Data.
• Collect Personal Data only for specified, explicit, and legitimate purposes.
• Limit data collection to what is necessary for the intended purpose.
• Maintain accuracy and keep data up to date where necessary.
• Avoid retaining data longer than necessary for the intended purpose.
• Protect data security using appropriate technical and organizational measures.

2.1 Consent
The Data Subject consents to the processing of Personal Data through a clear statement or positive action. Consent must be specific and expressly given. If consent is included in a document addressing other matters, it must be separated and clearly distinguished.
Before giving consent, Data Subjects will be informed of their right to withdraw it at any time by uninstalling the app. Withdrawal must be promptly honoured once the app is uninstalled.
Consent may need to be renewed if Getly intends to process Personal Data for a different or incompatible purpose that was not disclosed when the Data Subject first consented.
Getly will store event tracking information as evidence of consent to demonstrate compliance.
Consent will not be sought, given, or accepted in circumstances that may promote atrocities, hate, child rights violations, criminal acts, or anti-social conduct.

2.2 Data Collection
Getly may collect Personal Data depending on the service and platform it creates. This includes names, dates of birth, phone numbers, email addresses, nationality, tax identity numbers, bank details, bank verification numbers, identity numbers, location data, photographs, IP addresses, MAC addresses, IMEI numbers, IMSI numbers, and other relevant information.
Data is collected through in-app forms and device information. When users communicate with Getly via email or other channels, Getly may retain those communications to process inquiries, respond to requests, and improve services. Getly’s servers automatically record information sent by the user’s browser when accessing its services.
Getly collects Personal Data for evaluating credit risk, conducting due diligence, ensuring regulatory compliance, and for marketing purposes.
Before collecting Personal Data, Getly will provide the Data Subject with the following information in its privacy policy:
i. identity and contact details of Getly;
ii. the email address of the DPO;
iii. the purpose and legal basis for processing the data;
iv. legitimate interests pursued by Getly or any person or entity other than Getly (“Third Party”) with access to the data;
v. recipients or categories of recipients of the data (if any);
vi. if applicable, intention to transfer data to a foreign country or Third Party and the adequacy of protections;
vii. right to withdraw consent at any time without affecting the lawfulness of prior processing;
viii. right to lodge a complaint with National Information Technology Development Agency or any other relevant authority;
ix. whether providing Personal Data is a statutory or contractual requirement and the consequences of not providing it; and
x. intention to further process Personal Data for a purpose other than the original one and relevant details before such processing.
Personal Data must be accurate and kept up to date where necessary.
Inaccurate or incomplete records can lead to incorrect conclusions and should be promptly corrected.

3. DATA PROCESSING
Getly must ensure data processing is lawful. Processing is lawful if any of the following apply:
i. Data Subject consents to processing for specific purposes;
ii. the processing is necessary for the performance of a contract with the Data Subject or in order to take steps at the request of the Data Subject prior to entering into a contract;
iii. the processing is necessary for compliance with a legal obligation to which Getly is subject;
iv. the processing is necessary to protect the vital interests of the Data Subject or another natural person; and
v. the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Getly.

3.1 Data Subject Rights
Data Subjects have the following rights regarding their personal data:
i. withdraw consent at any time, e.g., by uninstalling the app;
ii. object to data processing in certain cases;
iii. request correction of inaccurate or incomplete data;
iv. restrict processing where data accuracy is disputed;
v. avoid decisions based solely on automated processing unless consented to or legally permitted;
vi. stop processing likely to cause damage or distress;
vii. receive notice of data breaches posing high risks to their rights; and
viii. lodge complaints with the Nigeria Data Protection Commission (“NDPC”) or other relevant authorities.

3.2 Requests
• Getly must provide information on processing to the Data Subject in a concise, transparent, and accessible form using clear and plain language, especially for information directed at a child.
• Information may be provided electronically.
• We verify the identity of any individual requesting data. If there is reasonable doubt about the requestor’s identity, we may request additional information to confirm the Data Subject’s identity.
• Forward any Data Subject Access Request immediately to the DPO at hello@getly.app.
• Information and any action taken must be provided free of charge. If the request is manifestly unfounded or excessive, especially if repetitive, Getly may:
i. Charge a reasonable fee based on administrative costs; or
ii. Refuse to act on the request and notify the NDPC.
iii. Do not disclose Personal Data to third parties without proper authorisation. For example, spouses and parents do not have an automatic right to access the Data Subject’s data.
iv. Do not alter, conceal, block, or destroy Personal Data after receiving an access request. Contact hello@getly.app before making any changes to data that is the subject of a request.

3.3 Accountability
• Getly must implement appropriate technical and organisational measures to ensure compliance with data protection principles and demonstrate compliance with the following:
• Appointing a suitably qualified DPO.
• Integrating data protection into policies and procedures, including privacy notices and records of processing and breaches.
• Training staff on data protection compliance and maintaining records of training.
• Regularly testing privacy measures and conducting periodic audits to assess and improve compliance.

3.4 Data Security
• Getly implements appropriate safeguards including encryption and pseudonymization, where appropriate, and maintaining confidentiality (limiting access to those authorised), integrity, and availability of data to protect Personal Data from unauthorised or unlawful processing, loss, destruction, or damage.
• Measures must be in place to prevent accidental loss, disclosure, or processing of data. Extra care should be taken to protect Sensitive Personal Data from unauthorised access or disclosure.
• Security procedures must cover the entire lifecycle of Personal Data from collection to destruction.
• All staff must comply with security policies and not attempt to circumvent administrative, physical, and technical safeguards.

4. RESPONSIBILITIES
4.1 Responsibilities of the DPO
The DPO is responsible for:
i. advising Getly and its employees on their obligations under the Nigeria Data Protection Act 2023 (“NDPA”) and other applicable data protection laws;
ii. monitoring compliance with this Policy and Getly’s internal data protection policies, including training and audits;
iii. providing advice on data protection impact assessments when requested.
iv. supervising internal data processing;
v. handling requests, complaints, and enquiries from Data Subjects and law enforcement agencies;
vi. acting as the contact point between Getly and NDPC; and
vii. considering the risks associated with data processing, taking into account its nature, scope, and purpose.

4.2 Employee Responsibilities
Employees handling Personal Data must:
i. keep all Personal Data secure;
ii. avoid disclosing Personal Data to unauthorised third parties;
iii. ensure all processing complies with this Policy;
iv. direct queries, access requests, and complaints to the DPO or data protection team;
v. promptly report data breaches to the DPO and support resolution efforts;
vi. seek advice from the DPO or data protection team when uncertain about data protection matters or authorised disclosures;
vii. ensure temporary staff, contractors, or interns involved in data processing understand data protection principles; and
viii. process Personal Data only as required for job duties.

4.3 Third-Party Data Processors
• Data Processing by a Third Party must be governed by a written contract between the Third Party and Getly.
• When external companies process Personal Data on behalf of Getly, Getly remains responsible for the security and proper use of the data.
• If a Third-Party data processor (“Data Processor”) is used:
i. the Data Processor must be selected by Getly and provide sufficient guarantees about its security measures;
ii. the DPO must ensure that these security measures are in place; and
iii. a written contract, provided by the Information Compliance Team, must outline the data processing scope and purpose and be signed by both parties.
• Getly shall ensure that the Data Processor does not have a record of violating data processing principles and is accountable to NDPC or a reputable authority within or outside Nigeria.
• Getly may only transfer Personal Data to approved Third-Party service providers that comply with data protection Laws and agree to act solely on Getly’s instructions.

4.4 Contractors, Short Term and Voluntary Staff
Getly is responsible for Personal Data handled by anyone working on its behalf. Managers hiring contractors, short-term, or voluntary staff must ensure they are properly vetted for data processing activities and that:
• Personal Data is kept secure and confidential;
• all Personal Data is returned to Getly upon completion of work or securely destroyed, with confirmation provided to Getly;
• Getly is notified before disclosing Personal Data to any other party;
• Personal Data is not stored or processed outside Nigeria without Getly’s written consent; and
• Access to Personal Data is restricted to what is essential for the work.

4.5 Customer/Client and User Responsibilities
Customers/Clients and Users are responsible for:
• familiarizing themselves with Getly’s Policy at the start of their relationship with Getly; and
• ensuring that any Personal Data provided to Getly’s is accurate and up to date.

5. REPORTING A PERSONAL DATA BREACH
• Getly is required to report any Personal Data breach where there is a risk to the rights and freedoms of the Data Subject.
• If the breach poses a high risk to the Data Subject, Getly must notify the Data Subject unless:
i. corrective steps have been taken to eliminate the risk;
ii. security measures (e.g., encryption) render the data unintelligible; and
iii. informing the Data Subject would require disproportionate effort; in such cases, a public notice or similar measure must be used.
• Getly has procedures to handle suspected breaches and will notify Data Subjects or NDPC where legally required. Breaches must be remedied within one month of the report.
• Any suspected breach should be reported immediately to the data protection team at hello@getly.app. Getly will retain evidence of breaches to comply with data protection laws.
• Employees or staff who detect a breach must record:
i. the facts of the breach;
ii. its effects; and
iii. the remedial actions taken.
• Getly will not be liable for breaches resulting from:
i. events beyond its control (e.g., natural disasters);
ii. acts of terrorism, war, or civil unrest;
iii. transfers of data to a Third Party on the Data Subject’s instructions; and
iv. use of data by a Third Party designated by the Data Subject.

6. LIMITATIONS ON THE TRANSFER OF PERSONAL DATA
• Personal Data transfers to foreign countries or international organizations for processing require confirmation from the Attorney-General of the Federation that the destination provides adequate data protection under NDPC regulations.
• Applications to the Attorney-General must include:
i. applicable data protection laws; and
ii. the foreign recipient’s data protection policies.
• If the Attorney-General has not ruled on adequacy, data transfer is permitted only if:
i. the Data Subject explicitly consents after being informed of the risks;
ii. the transfer is necessary for contract performance or pre-contractual measures requested by the Data Subject;
iii. the transfer is required for a contract between Getly and another party in the Data Subject’s interest; and
iv. the transfer is necessary for public interest, legal claims, or to protect the Data Subject’s vital interests when the Data Subject cannot consent.
• The Data Subject must be clearly informed of any likely data protection violations arising from the transfer unless they are subject to legal action in the destination country.

7. TRAINING AND AUDIT
• All employees must undergo regular training to comply with data protection Laws.
• We periodically test our systems and processes to ensure compliance.
• We review systems and processes under our control to confirm alignment with this Policy.

8. DIRECT MARKETING
• We comply with privacy laws when marketing to customers, clients, alumni, and other potential users.
• We may send marketing texts or emails to existing customers/clients if contact details were obtained during a sale and the marketing relates to similar services.

9. SHARING PERSONAL DATA
• Personal Data should not be shared with third parties without Consent, a legal obligation, or another legal basis for Processing, except for:
i. reports to credit bureaus; and
ii. contact information shared with collection agencies if the user fails to repay a loan.
• Law enforcement agencies have no automatic right to access Personal Data without a court order, but voluntary disclosure may be allowed for crime prevention or detection. Refer law enforcement requests to the DPO.
• Personal Data may be shared for research purposes, subject to applicable safeguards. For guidance, contact the data protection team at hello@getly.app.

10. CHANGES TO THIS POLICY
• We may amend this Policy at any time. You will be notified of any changes.

Dated this 28th day of July, 2025.