Privacy Policy
We believe transparency about data is a mark of integrity. Here is exactly what we collect, why we collect it, and how you stay in control.
Plain English Commitment: We've written this policy to be read by real people, not just lawyers. Every section uses clear, direct language — if anything is unclear, please email us.
Ask a question →The data controller
Whispering Codes is a boutique creative studio offering ghostwriting, editorial, and web design services. We operate primarily online and serve clients across more than 40 countries.
Trading name: Whispering Codes
Founder & Data Controller: Maryam Garba
Contact: whisperingcodes@gmail.com
Website: whisperingcodes.com
This Privacy Policy applies to all personal data we collect through our website, service agreements, email correspondence, and any other interactions you have with us. By using our website or engaging our services, you agree to the practices described in this policy.
What we collect
We only collect information that is genuinely necessary to provide our services and communicate with you. We do not collect data speculatively or "just in case."
Information you give us directly
- Your name and email address when you fill in a contact or enquiry form
- Project details, manuscript content, or creative briefs you share with us
- Payment and billing information processed via secure third-party providers
- Correspondence including emails, messages, and feedback you send us
- Information in discovery call notes or project intake questionnaires
Information collected automatically
- Your IP address and approximate geographic location
- Browser type, device type, and operating system
- Pages visited, time spent on site, and referring URLs
- Cookie identifiers (see Section 05 for full cookie details)
Information we do not collect
We never collect sensitive personal data (health records, financial account details, government ID numbers, racial or ethnic origin, political opinions, or biometric data). We never purchase mailing lists or third-party data sets.
How we use it
We use your information only for the purposes listed below. We do not use automated decision-making or profiling, and we never sell your data to third parties.
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Responding to enquiries and project proposals | Name, email, project details | Legitimate interest / Pre-contract |
| Delivering ghostwriting, editing & web services | All project-related content | Performance of contract |
| Sending invoices and processing payments | Name, email, billing address | Performance of contract |
| Sending service updates and project status emails | Email address | Performance of contract |
| Sending our newsletter (with your consent) | Name, email address | Consent |
| Improving our website and services | Analytics data (anonymised) | Legitimate interest |
| Complying with legal obligations | As required by law | Legal obligation |
Marketing emails: We will never send you unsolicited marketing. If you subscribe to our newsletter, you can unsubscribe at any time via the link at the bottom of every email, or by emailing us directly.
Our legal basis
We process your personal data in compliance with the Nigeria Data Protection Act 2023 (NDPA) and, where applicable to our international clients, the EU General Data Protection Regulation (GDPR). Our lawful bases for processing are:
- Performance of a contract — where processing is necessary to deliver the services you have engaged us for or to take steps prior to entering a contract with you.
- Legitimate interests — where we have a legitimate business interest in processing your data, provided those interests do not override your rights and freedoms. This includes responding to enquiries and improving our services.
- Consent — where you have freely, specifically, and unambiguously given permission for us to process your data for a specific purpose, such as newsletter subscription.
- Legal obligation — where processing is required to comply with a legal obligation we are subject to, such as maintaining accurate financial records.
Cookies & tracking
Our website uses cookies — small text files stored on your device — to help the site function correctly and to understand how visitors use it. We use only the categories of cookies described below.
| Category | Purpose | Can you opt out? |
|---|---|---|
| Strictly Necessary | Required for the website to function — login sessions, contact forms, security tokens. Cannot be disabled without breaking the site. | No (essential) |
| Functional | Remember your preferences such as language or theme settings to improve your experience. | Yes, via browser settings |
| Analytics (Google Analytics) | Aggregate, anonymised data on page visits and user journeys, used to improve site performance. IP addresses are anonymised. | Yes, via cookie banner |
| Marketing (optional) | Only placed if you opt in via our cookie banner. Used to measure campaign effectiveness — never for third-party ad targeting. | Yes, via cookie banner |
You can manage or disable cookies at any time through your browser settings. Blocking all cookies may affect the functionality of the website. For more information, visit allaboutcookies.org.
Who else sees your data
We do not sell, rent, or trade your personal data. We share it only with trusted service providers who are contractually required to protect it, and only to the extent necessary.
- Payment processors (Stripe / Paystack): Securely handle payment transactions. We never store full card details on our servers.
- Email service providers (Google Workspace / Mailchimp): Used to send project correspondence and, with your consent, newsletters.
- Cloud storage (Google Drive): Used to store and share project files with you during active engagements. Files are access-controlled.
- Analytics (Google Analytics): Provides anonymised website usage statistics. IP addresses are anonymised before processing.
- Hosting providers: Our website is hosted on servers that maintain industry-standard security certifications.
- Legal or regulatory authorities: Where required by law, court order, or to protect the rights and safety of individuals.
International transfers: Some of our service providers are based outside Nigeria. Where we transfer data internationally, we rely on standard contractual clauses, adequacy decisions, or equivalent protections to safeguard your information.
How long we keep it
We retain personal data only for as long as is necessary for the purposes it was collected, or as required by law. Our general retention periods are:
| Data Type | Retention Period | Reason |
|---|---|---|
| Active project files & correspondence | Duration of engagement + 2 years | Ongoing support and dispute resolution |
| Invoice and payment records | 7 years | Legal / tax compliance |
| Enquiry form submissions (non-clients) | 6 months | Follow-up communications |
| Newsletter subscriber data | Until you unsubscribe | Consent-based — revocable at any time |
| Website analytics data | 26 months (anonymised) | Performance analysis |
| Ghostwriting manuscripts (client content) | As agreed in your contract | Typically deleted after sign-off |
When data is no longer required, it is securely deleted or anonymised. You may request early deletion at any time by contacting us (subject to any legal retention obligations).
Your data rights
Under the Nigeria Data Protection Act 2023 and applicable international law, you have the following rights regarding your personal data. We will respond to all legitimate requests within 30 days.
Request a copy of the personal data we hold about you, along with information on how it is used.
Request that we correct any inaccurate or incomplete personal data we hold about you.
Request deletion of your personal data where there is no compelling reason for us to continue processing it.
Ask us to limit how we process your data while a complaint is being resolved or while you verify accuracy.
Receive your personal data in a structured, commonly used format, and transfer it to another controller.
Object to processing based on legitimate interests or direct marketing. We will stop unless we can demonstrate compelling grounds.
Where processing is based on your consent, you may withdraw it at any time without affecting prior lawful processing.
Lodge a complaint with the Nigeria Data Protection Commission (NDPC) or your local data protection authority.
To exercise any of these rights, please email us at whisperingcodes@gmail.com with "Data Rights Request" in the subject line. We may ask you to verify your identity before actioning your request.
How we protect your data
We take the security of your personal data seriously. We implement appropriate technical and organisational measures to protect it against unauthorised access, alteration, disclosure, or destruction.
- All data is transmitted over encrypted HTTPS connections using TLS 1.2 or higher
- Access to client files is restricted to team members who need it to deliver your project
- Payment information is processed by PCI-DSS compliant third-party providers — we never store card details
- Cloud storage is protected by two-factor authentication and access controls
- We conduct periodic reviews of our data handling practices and security measures
- All team members who handle personal data are bound by confidentiality obligations
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours of becoming aware, as required by law.
No method of transmission over the internet is 100% secure. While we use commercially reasonable measures to protect your data, we cannot guarantee absolute security. We encourage you to use strong, unique passwords and to contact us immediately if you suspect any unauthorised access to your data.
Children's privacy
Our services are not directed at individuals under the age of 18, and we do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, please contact us immediately at whisperingcodes@gmail.com and we will delete it promptly.
When this policy changes
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page
- Post a clear notice on our website for at least 30 days
- Notify active clients by email of any significant changes
We encourage you to review this policy periodically. Your continued use of our website or services after a policy update constitutes your acceptance of the revised policy.
Previous versions: If you would like to review a previous version of this Privacy Policy, please contact us and we will provide it on request.
Get in touch
If you have any questions about this Privacy Policy, want to exercise a data right, or have a concern about how we handle your information, please reach out. We'll always respond promptly and honestly.
Whispering Codes Data Team
All data-related enquiries are handled personally by Maryam Garba, our founder and data controller. Expect a response within 2 business days.