Privacy notice

1. Introduction

Egen Games is operated by Elitesgen Academy. We process personal data to run a competition and events platform for Nigerian schools, clubs, academies, gyms, and community groups. This notice explains what we collect, why we collect it, and the rights you have under the Nigeria Data Protection Regulation (NDPR) 2019 as supervised by the Nigeria Data Protection Commission (NDPC).

Elitesgen Academy is the data controller for personal data submitted through egengames.com and our mobile apps.

2. Data we collect

Registration data

• Full name, date of birth, gender (if relevant to the division)
• Phone number, email, and (optionally) school or club
• For minors: a guardian phone number, guardian relationship, and signed consent record

Payment data

• Last 4 digits of the card you paid with, the issuer, and a payment reference. We do not store the full card number; the tokenization happens at Paystack's PCI-DSS environment.
• Settlement bank account details for organizers

Competition data

• Scores, times, ranks, division placements, and standings across the events you participate in or run
• WhatsApp share-card metadata: title, score, division

Device + usage data

• IP address (truncated for analytics), browser type, device model
• Page views, scoring actions, and basic interaction events used to improve the platform

3. How we use data

• To register you for and run the events you sign up for
• To process payments and disburse organizer settlements
• To publish results, standings, and WhatsApp share cards
• To help you reset access if you lose your phone
• To debug platform issues and improve the product (aggregated and pseudonymized wherever possible)
• To meet our legal and regulatory obligations

4. Lawful basis

Under the NDPR we process personal data on one of the following bases:

• Consent. For non-essential processing such as marketing emails, analytics cookies, and publication of minor results.
• Contract. For the core of what the platform does: account creation, event registration, scoring, payments, and settlements.
• Legal obligation. For tax records, anti money-laundering checks on settlement, and responses to lawful requests from Nigerian authorities.
• Legitimate interests. For platform security, fraud prevention, and product analytics that don't infringe on user rights.

5. Minors data

We require a verified guardian to register any participant under 18. The guardian holds the account and provides consent.

• Minor profiles default to private. They don't appear in the public athlete directory unless the guardian explicitly opts in.
• Publication of a minor's results on a public leaderboard requires a separate per-event consent.
• We do not target minors with marketing or behavioural advertising.

Full safeguarding rules live at legal/minors.

6. Cookies

See our cookies notice for the full list. The marketing site uses only essential cookies in V1.

7. Sharing data with processors

We use a small number of third parties to run the platform. Each is bound by a data-processing agreement.

• Paystack (Nigeria) — payment processing and card tokenization
• Brevo (Sendinblue, EU) — transactional and optional marketing email delivery
• Sentry (US) — error tracking and crash reports for platform reliability
• Vercel (US) — public marketing and dashboard hosting
• Railway (US) — backend API and database hosting

8. International transfers

Some of our processors run servers outside Nigeria (Vercel, Railway, Sentry, Brevo). Where personal data leaves Nigeria, we rely on processor-level data-protection commitments and NDPR-aligned safeguards. Database storage is provisioned in the closest available region (typically EU or US East) until a Nigerian region becomes available with our providers.

9. Retention periods

• Registration data: retained for 5 years after your last activity, then deleted or anonymized.
• Payment data: retained for 7 years per CBN guidance on financial records.
• Scoring and results: retained indefinitely for ranking, historical record, and athlete career trail. Athletes can request redaction of their own results.
• Server logs: 30 days. Debug traces in Sentry: 90 days.

10. Your rights under NDPR

You have the right to:

• Access the personal data we hold about you
• Rectify data that is wrong or incomplete
• Erase data, subject to retention and legal obligations
• Port your data to another service in a machine-readable format
• Object to processing on the basis of legitimate interests
• Withdraw consent at any time for processing that relies on consent
• Complain to the Nigeria Data Protection Commission (NDPC)

11. How to exercise your rights

Email [email protected] from the address on your account. We verify the request, then respond within 30 days. We may ask for additional ID for sensitive requests like full account deletion.

12. Security measures

• TLS 1.2 or higher on every request between your device and our servers
• JWT access tokens with refresh-token rotation; sessions expire automatically
• Database-level row encryption for sensitive PII columns
• Role-based access controls on internal admin tooling; least privilege by default
• Quarterly security reviews and dependency audits

13. Breach notification

If we discover a personal-data breach that is likely to result in a risk to your rights, we will notify the affected users and the Nigeria Data Protection Commission within 72 hours of becoming aware. The notification will describe what happened, what data was affected, and the steps we are taking.

14. Contact + Data Protection Officer

Our Data Protection Officer can be reached at [email protected]. For general questions about this notice, email [email protected] or use our contact page.