Privacy Policy

Effective Date: 15 April 2026 | Version 1.1

1. Introduction and Scope

This Privacy Policy explains how the Ajara Grammar School Old Students Association ("AGSOSA," "the Association," "we," or "us") collects, uses, stores, shares, and protects personal information submitted through the AGSOSA digital platform ("the Platform"). This Policy applies to all users of the Platform, including applicants who have submitted a membership application, verified members who have completed the invitation-based activation process, administrators, and visitors to public-facing areas of the Platform. The Platform operates an application-first membership model: prospective members submit a membership application, which is reviewed by the Association. If approved, the applicant receives a personal invitation to activate their account, set a password, and complete multi-factor authentication (MFA) setup before accessing the member area. No member account is created until an application is approved and the invitation is redeemed. By submitting information through the Platform, you acknowledge that you have read and understood this Policy. If you do not agree with the practices described herein, you should not use the Platform or submit personal information through it.

2. Categories of Personal Data Collected

We collect and process the following categories of personal data, each for specific and justified purposes:

2.1 Application Data

Full official name, preferred or display name, email address, phone number, city, state or region, country, graduation year, set identifier, alternate school name on record (if applicable), verification notes or context, referral source, profession, employer, short bio, areas of interest, and privacy/visibility preferences. This data is collected at the point of application submission and is used for identity verification, membership review, and — if the application is approved — to populate your initial member profile.

2.2 Account and Authentication Data

Email address, password (stored only in hashed form), TOTP multi-factor authentication enrolment data, and session tokens. Account data is created only after an application is approved and the applicant redeems a personal invitation. The Platform does not support Google sign-in or any third-party social authentication. Authentication is exclusively via email/password with mandatory TOTP-based MFA.

2.3 Alumni Verification and Identity Data

Full official name, graduation year, set identifier, alternate school name on record (if applicable), verification notes or context provided to assist the review process, referral source, and roster-claim information. This data is collected to verify your identity as a legitimate alumnus/alumna of Ajara Grammar School and to administer your membership.

2.4 Contact Data

Phone number, city, state or region, and country. This data enables the Association to communicate with you and supports geographic organisation of members.

2.5 Profile and Directory Data

Profession, employer or organisation, biographical summary, profile photograph (collected only after account activation, not at application stage), and areas of interest or engagement preferences. This data supports the alumni directory, networking features, and community engagement. All profile and directory data is voluntary.

2.6 Privacy and Communication Preferences

Your choices regarding profile visibility, contact information visibility, professional information visibility, and communication channel preferences. These preferences control how your information appears to other members and how the Association contacts you.

2.7 Consent and Acknowledgement Records

Timestamps, document version references, declaration type identifiers, action context labels, IP addresses, user agent strings, applicant email, and application identifiers associated with your acknowledgement of this Privacy Policy, the Terms of Use, Community Rules, Application Privacy Notice, accuracy declarations, and verification review acknowledgements. These records are maintained for legal compliance and accountability. Consent records are captured at the point of application submission — before any user account exists — and are linked to the application record and applicant email address.

2.8 Invitation and Activation Data

Invitation tokens, issuance timestamps, expiry timestamps, usage timestamps, revocation records, and activation state. This data is generated when an application is approved and an invitation is issued, and is used to manage the secure account activation process.

2.9 Membership Agreement Execution Records

When you execute the Membership Agreement during account activation, an immutable execution record is created containing your full name, membership code, graduation year, agreement version, incorporated document version identifiers, execution timestamp, IP address, and user agent string. This record serves as durable evidence of your acceptance of the Membership Agreement and all incorporated documents. Execution records cannot be modified or deleted.

2.10 Administrative and Security Data

Application submission timestamps, application status history, verification decision records, reviewer identifiers, review notes, membership status change history, membership validity and standing records, recertification request history, IP addresses and user agent strings recorded at the time of consent, access logs, and MFA enrolment metadata. This data supports platform security, audit requirements, and governance functions.

3. How Your Data Is Used

Your personal data is processed for the following purposes:

3.1 Application Review and Membership Verification

To review your membership application, verify your identity as a genuine alumnus/alumna of Ajara Grammar School by reviewing submitted identity information against available records, roster data, and contextual evidence, and to communicate the outcome of the review process.

3.2 Invitation and Account Activation

To issue a secure, time-limited, personal invitation upon application approval; to facilitate account creation including password setup and mandatory TOTP MFA enrolment; to present and record your execution of the Membership Agreement; and to transition your application data into your member profile upon successful activation.

3.3 Membership Administration

To manage your membership status, assign membership codes (format: ALM-YYYY-NNNN), maintain membership records, administer membership validity cycles and standing, process recertification requests, process status changes, and administer the membership lifecycle including verification, suspension, reactivation, and deactivation.

3.4 Alumni Directory and Community Features

To populate your member profile within the alumni directory and enable community features such as set-based networking, professional connections, and engagement opportunities — subject to your privacy and visibility settings.

3.5 Communication

To send you application status notifications, invitation and activation emails, executed agreement copies, important membership notices, recertification reminders, Association governance communications, and platform operations updates. Optional engagement and marketing communications are sent only with your explicit consent and can be withdrawn at any time.

3.6 Governance and Institutional Functions

To support Association governance activities including elections, resolutions, committee operations, and formal decision-making processes where membership verification is required.

3.7 Platform Security and Integrity

To protect the Platform against unauthorised access, prevent fraud and abuse, enforce the Terms of Use and Community Rules, manage MFA verification, and maintain the integrity of Association records.

3.8 Legal and Regulatory Compliance

To comply with applicable laws, respond to lawful requests from authorities, establish or defend legal claims, and maintain records required for the Association's legal and regulatory obligations.

4. Visibility and Privacy Settings

The Platform provides granular privacy controls that allow you to determine how your information appears to other members. By default, all visibility settings are configured to the most privacy-protective option. Your profile is not visible to other members until you are verified and you choose to enable visibility. Specifically, profile visibility, phone number visibility, city/location visibility, and professional information visibility all default to hidden. You may adjust these settings at any time through your account privacy preferences. Approval of your application does not automatically make your profile visible to other members. Verification and directory visibility are separate controls. Even after verification and activation, your profile remains hidden from the directory unless you affirmatively enable profile visibility. Applicants whose applications are pending review are never visible in the member directory or to other members.

5. Application-Stage Data Handling

When you submit a membership application, your data is stored in an application record. At this stage, no user account exists. Your data is accessible only to authorised administrators for the purpose of reviewing your application. If your application is approved and you activate your account, your application data is used to populate your initial member profile. If your application is rejected, your application record and associated consent logs are retained for the retention period specified in this Policy. Profile photographs are not collected at the application stage. They may be uploaded only after account activation, during onboarding or profile editing.

6. Internal Access and Role-Based Handling

Access to member data within the Platform is governed by role-based access controls. Ordinary verified members can only see other members' information that those members have chosen to make visible. Administrators (Executive Committee members and Super Administrators) have access to member profile data, application records, verification history, invitation records, consent logs, and agreement execution records as necessary to perform their governance and administrative functions. Set Representatives may have access to information about members within their set as required for set coordination. All administrators and role-holders are expected to handle member data responsibly, in accordance with this Policy, and solely for legitimate Association purposes.

7. Data Retention

Your personal data is retained for as long as your membership remains active and for a reasonable period thereafter to fulfil the purposes described in this Policy. Specifically: • Account and identity data is retained for the duration of your membership and for a minimum of five years following account closure to support governance records and dispute resolution. • Consent and acknowledgement records are retained indefinitely as legal compliance evidence. • Membership Agreement execution records are retained indefinitely as legally binding contractual records. • Application and verification records are retained indefinitely as part of the Association's institutional records. • Rejected application records are retained for a minimum of twenty-four months. • Invitation records are retained for audit and institutional recordkeeping purposes. • Administrative audit logs are retained for a minimum of seven years. Where you request deletion of your account, we will delete or anonymise your personal data to the extent possible, subject to the retention obligations described above and in the Data Rights notice.

8. Your Rights

You have the following rights in relation to your personal data:

8.1 Access and Correction

You may access your personal data through your account settings at any time. You may update or correct inaccurate information directly through the Platform or by contacting the Association.

8.2 Data Export

You may request a machine-readable export of the personal data you have submitted to the Platform. Export requests will be fulfilled within a reasonable timeframe.

8.3 Deletion

You may request deletion of your account and associated personal data. Deletion is subject to the retention limitations described in Section 7, and certain data may be retained in anonymised or aggregated form, or where retention is required for legal, governance, or recordkeeping purposes.

8.4 Withdrawal of Consent

Where processing is based on your consent (such as optional communications), you may withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

9. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include encrypted data transmission, secure password storage using industry-standard hashing, mandatory TOTP-based multi-factor authentication for all member accounts, role-based access controls, invitation-based account activation with time-limited tokens, and audit logging of sensitive operations. However, no method of electronic storage or transmission is perfectly secure, and we cannot guarantee absolute security.

10. Children and Minors

The Platform is intended for alumni of Ajara Grammar School and is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has submitted personal data through the Platform, please contact the Association so that we can take appropriate action.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Each version will be identified by a version number and effective date. Material changes will be communicated to members through the Platform. Your continued use of the Platform following notification of changes constitutes acceptance of the revised Policy. Previous versions of this Policy are maintained in our records for reference.

12. Contact

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact the Association at: Ajara Grammar School Old Students Association Ajara-Vetho, Lagos State, Nigeria RC: 8356642 Tel: +234 806 008 8495