Powerstart Integrated Technologies Limited (RC 2021832), hereinafter referred to as "PowerLabs," ("We", "Us", "Our") operates this Website (https://powerlabstech.com/) and provides a range of innovative energy management and optimization solutions to our Customers (collectively referred to as the "Services").

This Privacy Policy explains how we collect, use, process, and protect your personal data collected through our Website and in the provision of our Services, in accordance with the Nigeria Data Protection Act (NDPA) and its subsidiary legislations, including the Nigeria Data Protection Regulation (NDPR). This policy supplements our Terms and Conditions and any other notices we may provide on specific occasions.

1. Purpose of This Privacy Policy

The purpose of this Privacy Policy is to inform you about how PowerLabs collects, processes, and protects your personal data through our Website and when you engage with our Services. Our commitment is to safeguard your privacy rights and ensure that Nigerian businesses remain competitive in international trade through sound data protection practices.

2. Our Role as Data Controller and Data Processor

• Data Controller: PowerLabs acts as the Data Controller with respect to personal information you provide directly to us (e.g., contact details, inquiry information, account details) and certain aggregated data used for website and product improvement. We determine the purposes and means of processing this data.
• Data Processor: In providing our energy management and optimization solutions (which may include the Pai app and device), PowerLabs may also act as a Data Processor on your behalf concerning operational data collected from devices at your premises (e.g., energy consumption, device metrics). In such cases, we process this data strictly according to your instructions as our customer (the Data Controller).

3. Information We Collect

We collect various types of information to provide and improve our Website and Services. The scope of information we may collect includes:

• Personal Information: Data that can be used to identify you directly or indirectly. This includes information you provide when you make an inquiry via our website, submit a request for information, register for our Services, create an account, report a problem, or make a complaint.
• Service Usage Data: Operational and usage data generated through your interaction with and use of our energy management and optimization Services.

Specific Types of Information We May Collect, Use, and Store:

• "Identity Data": Your first name, last name, gender, title, photographic identification, National Identification Number, and Identification Card (where relevant for account verification, service delivery, or specific regulatory requirements).
• "Contact Data": Your business address, email address, and telephone number.
• "Account Information": Usernames, passwords, and similar security data used to access your PowerLabs account for our Services.
• "Service Operational Data": Real-time and historical data from energy management devices and related systems at your premises. This includes information on electricity availability, voltage, phase, current, frequency, and related metrics regarding power sources and sinks. This data is essential for delivering energy monitoring, optimization, and identifying potential issues within the Services. It may also include crash/error data for improving overall service experience.
• "Location Data": Your address and coordinates, providing specific information on your location as a customer, relevant for the provision and deployment of our physical Services and devices. This may also include IP-based location data when visiting our website for analytics purposes.
• "General Website Data": Information collected automatically when you visit our website, such as your IP address, browser type, operating system, referral source, pages viewed, and access times. This also includes information you provide via website forms when you submit inquiries or request more information about our products and services.
• "Interaction Data": Data about your usage of our Website and Services, including features accessed, actions taken, and feedback provided. This helps us understand user behavior and improve our Website and Services (often aggregated or anonymized).
• Automated Profiling and Analytics: In delivering our Services, PowerLabs may use automated tools to analyze energy usage data to detect patterns, provide personalized insights, and optimize service performance. These processes do not result in any decisions that significantly affect you without human intervention. You may object to profiling by contacting our DPO.

4. How We Collect Your Personal Data

We collect personal data about you from various sources:

• Directly from You: When you provide information through our website forms, during registration for Services, inquiries, support requests, or direct communications.
• From Your Use of Our Website and Services: Data collected automatically through cookies and similar technologies when you visit our Website, and operational data generated through your interaction with and use of our energy management solutions.
• From Third Parties: We may collect data from certain third-party services that integrate with our platform or assist in delivering our Services, with your consent where required.

5. Lawful Basis for Our Use of Your Personal Data

We will only use your personal data to the extent permitted by law. Under the Nigeria Data Protection Act (NDPA) and NDPR, personal data may be processed under any of the following lawful bases:

• Consent: Where you have given your explicit consent for us to process your personal data for one or more specific purposes (e.g., for direct marketing communications). You have the right to withdraw your consent at any time, and we will inform you if such withdrawal affects our ability to provide certain Services.
• Contractual Necessity: Where processing is necessary for the performance of a contract to which you are a party (e.g., to provide you with PowerLabs Services you have subscribed to).
• Legal Obligation: Where we need to comply with a legal obligation (e.g., regulatory reporting requirements).
• Vital Interest: Where processing is necessary to protect your vital interests or the vital interests of another individual.
• Public Interest: Where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official public mandate vested in PowerLabs.

While we primarily collect and process your data with your consent for many Services, we may rely on any of the identified lawful bases depending on the circumstance.

6. Sharing and Disclosure of Your Personal Data

We may share your personal data with:

• Affiliates: Any of our PowerLabs subsidiaries or affiliated entities.
• Third-Party Vendors and Service Providers: Consultants and service providers who perform duties on our behalf and require access to your information (e.g., cloud hosting providers, analytics services, marketing platforms). These third parties are contractually obligated through Data Processing Agreements (DPAs) to protect your personal information in accordance with our instructions and applicable laws, and are not permitted to use it for their own purposes.
• Legal Compliance: To comply with legal obligations, respond to lawful requests (e.g., subpoenas, court orders), or protect our rights, property, or safety, or those of our users, clients, or others.
• Business Transactions: In connection with mergers, acquisitions, or other business transactions involving the sale or transfer of our business or assets.

7. International Data Transfers

In effectively carrying out our services, we may use third-party services that may be located within or outside Nigeria. These services are crucial for our operations and include, but are not limited to:

• Internet connectivity
• Cloud storage
• Data analytics
• Data security
• Software development

When transferring your data to these third parties, we are strictly guided by the Nigeria Data Protection Act (NDPA), specifically Part VIII of the Act. This means we ensure that such transfers comply with the NDPA's requirements for safeguarding your personal data, even when it leaves Nigerian jurisdiction.

The categories of third parties we may share your data with are those that provide the services listed above.

8. Data Security Measures

PowerLabs is committed to safeguarding your personal data through a multi-layered approach that incorporates robust technical, organizational, and physical security measures. While no transmission over the internet is completely secure, we implement strict procedures and security features to prevent unauthorized access once we have collected your information.

Our Security Measures Include:

• Data Encryption: All personal and operational data is encrypted both at rest (when stored) and in transit (during transmission) using industry-standard protocols.
• Access Controls: Strict role-based access control (RBAC) ensures that only authorized personnel and users have access to data relevant to their specific roles and responsibilities, adhering to the principle of least privilege.
• Network Security: We implement firewalls, intrusion detection/prevention systems, and conduct regular vulnerability scanning to protect our network infrastructure.
• Secure Development Lifecycle: Security best practices are integrated into our software development process, including secure coding, regular code reviews, and penetration testing.
• Data Backup & Recovery: We perform regular backups of all critical data and have established recovery procedures to ensure data availability and integrity in case of unforeseen events.
• Anonymization/Pseudonymization: Where feasible and appropriate for analytics or product improvement, data is anonymized or pseudonymized to minimize direct identifiability.
• Data Protection Officer (DPO): A designated Data Protection Officer oversees our NDPR/NDPA compliance and data protection strategy.
• Employee Training: All employees with access to personal data undergo mandatory data protection and privacy training, reinforced by ongoing awareness programs. Our Staff Handbook also captures essential data protection clauses.
• Incident Response Plan: We have a defined protocol for detecting, responding to, and mitigating data breaches, including timely notification to affected parties and regulatory bodies as required by law.
• Data Processing Agreements (DPAs): We establish formal agreements with all third-party service providers and vendors to ensure they adhere to equivalent data protection standards.
• Data Retention Policies: Defined policies dictate how long different types of data are stored, ensuring data is not retained longer than necessary for the purposes collected or as required by law.
• Physical Security Measures: As a cloud-native platform, we leverage the advanced physical security measures of our reputable cloud infrastructure providers (e.g., Google Cloud Platform or AWS), which include controlled access, surveillance, and environmental controls for their data centers.

9. Data Retention

We retain your personal data only for the period necessary to fulfill the purposes for which it was collected, or as required by legal, regulatory, administrative, or operational requirements. We only retain information that allows us to comply with legal and regulatory requests, meet business and audit requirements, respond to complaints and queries, or address disputes or claims. When data is no longer required, we securely destroy it.

10. Third-Party Sites and Services

Our Website and Services may contain links to third-party websites, products, and services. Our products and Services may also utilize or offer products or services from third parties. Information collected by these third parties is governed by their respective privacy practices, and we will not be liable for any breach of confidentiality or privacy of your information on such third-party websites or services.

11. Your Legal Rights (Data Subject Rights)

In addition to being able to control the data you directly provide to us, you may exercise any of the below rights with respect to your data as per the NDPA/NDPR:

1. Right to Information: Request information about any of your personal data we are processing and request access to your personal information.
2. Right to Rectification: Request correction of personal information that we hold about you to make it more accurate or to reflect changes in circumstances.
3. Right to Restriction of Processing: Request us to refrain from certain processing activities or restrict the extent of our collection or processing of your data.
4. Right to Erasure (Right to be Forgotten): Request partial or complete erasure of your personal information under certain conditions.
5. Right to Object: Object to our processing of your personal information, particularly where we are processing for direct marketing purposes or for tasks carried out in the public interest.
6. Right to Object to Automated Decision-Making: Object to decisions being taken by automated means which produce legal effects concerning you or similarly significantly affect you.
7. Right to Data Portability: Request the transfer of your personal information to another party in a structured, commonly used, and machine-readable format.
8. Right to Lodge a Complaint: You have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) if you believe your data protection rights have been violated. Contact details for the NDPC can be found on their official website. In addition to contacting the Nigeria Data Protection Commission (NDPC), you also have the right to seek redress through Nigerian courts in accordance with Section 72 of the NDPA if you believe your data protection rights have been violated.
9. Right to Data Subject Access Request (DSAR): You have the right to request access to your personal information that we hold. This is known as a Data Subject Access Request (DSAR). When you make a DSAR, you can ask for:

• Confirmation that we are processing your personal data.
• A copy of the personal data we hold about you.
• Other information about our processing, such as the purposes of processing, the categories of personal data concerned, and the recipients to whom the personal data has been or will be disclosed.
  To make a DSAR, please contact our Data Protection Officer (DPO) at dataprotection@powerlabstech.com. We will respond to your request within one (1) month, as required by the Nigeria Data Protection Act (NDPA). Please note that in some cases, we may need to extend this period by a further two (2) months if your request is complex or you have made a number of requests. We will keep you informed if this is the case.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us. Furthermore, if you discover any inaccuracies in your personal information, please promptly notify us. We might, however, continue to process your data if there are valid legal or operational reasons or overriding legitimate grounds.

Exercising Your Data Rights

You can easily make a request or exercise any of your data protection rights by getting in touch with our dedicated team. Simply contact our Data Protection Officer (DPO) at dataprotection@powerlabstech.com.

We're committed to upholding your rights and will make every reasonable effort to respond to your request promptly and efficiently. Our aim is always to comply with your wishes, provided they align with the Nigeria Data Protection Act (NDPA) and our internal policies.

12. Cookie Consent Mechanism

Our Website and Platform utilize cookies and similar technologies to enhance user experience, analyze platform usage, and for other operational purposes. By continuing to use our Services, you consent to the use of cookies in accordance with this Privacy Policy. You can manage your cookie preferences through your browser settings or via the cookie consent banner presented upon your first visit.

13. Children’s Privacy

PowerLabs does not knowingly collect or process personal data from children under the age of 18 without verified consent of a parent or guardian. Where we become aware that a child’s data has been collected without such consent, we will take steps to delete it. Parents or guardians who believe we may have collected their child’s data without consent should contact us immediately via: dataprotection@powerlabstech.com.

14. Data Protection Impact Assessments

In compliance with the NDPA, PowerLabs carries out Data Protection Impact Assessments (DPIAs) for any new or high-risk data processing activity. These assessments help us identify and mitigate potential risks to data subjects’ rights and ensure that our processing remains lawful, fair, and transparent.

15. Data Breach Notification

In the event of a data breach that is likely to result in significant harm or impact to your rights and freedoms, we will notify the Nigeria Data Protection Commission (NDPC) and affected data subjects in accordance with Section 41 of the NDPA. Our breach response protocol includes investigation, containment, remediation, and notification as required.

16. Changes to This Policy

We may change this Policy from time to time to reflect changes in our practices or for legal or regulatory reasons. If we make any material changes, we will update the "Last Updated" date at the bottom of this policy and publish the updated version on our website. We encourage you to periodically review this Privacy Policy to stay informed about how we are protecting your personally identifiable information.

17. Contact Details

If you have any questions about this privacy policy, our privacy practices, or wish to exercise any of your legal rights, please contact us using the details below. We will respond to your request within the timeframes prescribed by the NDPA:

Full name of legal entity: Powerstart Integrated Technologies Limited
Data Protection Email: dataprotection@powerlabstech.com
General Email Address: hello@powerlabstech.com

This privacy policy was last updated on the 24th of June, 2025