Privacy Policy

Fasvia is a smart attendance management platform developed and operated by Nelbion Group, a technology venture based in Nigeria currently in the process of formal registration. Fasvia provides GPS-verified, fraud-proof attendance tracking services to universities, colleges, and other educational institutions across Africa.

For all data protection enquiries, contact us at: fasvia.nelbion@gmail.com or write to Nelbion Group at nelbiongroup@gmail.com. We are committed to protecting the privacy of every student, lecturer, and administrator who uses our platform, and we process personal data only in accordance with applicable Nigerian and international data protection law.

We collect the following categories of personal data to provide the Fasvia attendance management service:

• Identity Data: Full legal name, matric number or staff ID, university email address, and department affiliation — used to create and authenticate your account.
• Biometric Data: A facial photograph captured live at the point of registration. This photograph is used solely for identity verification during attendance marking sessions.
• Location Data: GPS coordinates captured precisely at the moment a student marks attendance or a lecturer starts a session. We do not track your location continuously.
• Device Data: A device fingerprint built from your screen resolution, device model, user agent string, operating system version, timezone, and language settings — used to bind your account to your registered device for fraud prevention.
• Academic Data: Your department, faculty, academic level, registered courses for the current session, attendance records, and academic session dates.
• Usage Data: Login timestamps, session activity logs, dispute records, and any manual attendance adjustment records.
• Course Form Data: Information extracted via optical character recognition (OCR) from your uploaded course registration form — including course codes, course titles, and the student identification data visible on the form.

We collect only the minimum data necessary to provide and improve the attendance management service. We do not collect financial data, health data (beyond biometric for identity verification), or data unrelated to academic attendance.

Under the Nigeria Data Protection Act 2023 (NDPA) and the EU General Data Protection Regulation (GDPR) where applicable, we are required to have a lawful basis for processing your personal data. Our lawful bases are as follows:

• Biometric Data — Explicit Consent: We process your facial photograph only on the basis of your explicit, freely given consent provided at the point of registration. You may withdraw this consent at any time by contacting us, which will result in deactivation of biometric verification features for your account.
• Location Data — Legitimate Interest: We capture GPS coordinates at the moment of attendance marking on the basis of our and your institution's legitimate interest in preventing attendance fraud and ensuring the accuracy of academic records.
• Academic and Identity Data — Performance of Contract: Collecting your identity and academic data is necessary to perform the attendance management contract between Fasvia and your institution. Without this data, the service cannot function.
• Device Data — Legitimate Interest: Device fingerprinting is processed on the basis of our legitimate interest in preventing unauthorised account access, impersonation, and fraud.
• Usage Data — Legitimate Interest: Activity logs are processed on the basis of our legitimate interest in maintaining service security and resolving disputes accurately.

We use your personal data exclusively for the following purposes, all of which are directly related to providing the Fasvia attendance management service:

• Verifying your identity at the point of marking attendance through silent facial comparison
• Confirming your physical presence within the GPS-defined classroom geofence before registering your attendance
• Generating accurate, tamper-resistant attendance records for your institution's academic purposes
• Detecting and preventing attendance fraud — including proxy marking, GPS spoofing, and device sharing
• Providing lecturers and department administrators with accurate attendance reports and analytics
• Improving classroom GPS boundary accuracy over time through anonymised location learning across sessions
• Sending attendance warning notifications when your attendance falls below the 75% threshold required by your institution
• Resolving attendance disputes when raised by students or lecturers

We do not use your data for advertising, profiling unrelated to academic attendance, or sale to any third party. We do not make automated decisions about your academic standing — all consequential decisions are made by your institution based on attendance data we provide.

Facial photographs and face comparison data are classified as special category data under the NDPA 2023 and GDPR. We treat this data with the highest level of care and apply additional protections beyond our standard data handling practices.

You have the right to withdraw consent for biometric processing at any time by emailing fasvia.nelbion@gmail.com with the subject "Biometric Data Deletion Request". Upon receipt, your facial photograph will be permanently deleted within 7 business days. Withdrawing consent will disable face-verification features on your account, and your institution may require manual verification in its place.

Biometric photographs are updated at the start of each academic session. Photographs from previous sessions are permanently deleted within 30 days of a new session beginning.

GPS classroom boundaries are learned automatically over time, with increasing precision over the first five sessions in each classroom. This boundary data is stored as anonymous geometric coordinates and is not associated with any individual student's location history.

We never sell your personal data. We share data only with the following parties, strictly for the purposes described:

• Supabase: Our database and storage infrastructure provider. All data is processed under a Data Processing Agreement. Data is stored on Supabase servers with Row Level Security (RLS) enforced, ensuring no data leakage between users or institutions.
• Face++: The facial comparison API used for biometric identity verification. We transmit face comparison data encrypted over HTTPS for each verification. Face++ does not retain comparison data after processing.
• Vercel: Our hosting and deployment provider. Vercel processes HTTP request metadata only and has no access to your personal data stored in our database.
• Your Institution (Lecturers and Department Admins): Attendance records are visible to the lecturers who own the session and to authorised department administrators at your registered institution — solely for academic administration purposes.
• Law Enforcement: We will disclose data to law enforcement agencies only when lawfully required to do so under Nigerian law, and only to the extent strictly required by that legal obligation.

All sub-processors are contractually bound to process your data only as instructed by Fasvia and to apply appropriate technical and organisational security measures.

We retain your personal data only for as long as is necessary to fulfil the purposes described in this policy, and in accordance with our legal obligations. Our specific retention periods are as follows:

• Active student data: Retained for the full duration of your enrolment at your institution, plus 2 years after your expected graduation date to facilitate academic transcript verification.
• Attendance records: Retained for 7 years from the date of the academic session — necessary to maintain the academic integrity of institutional records and support dispute resolution.
• Biometric photographs: Updated at the start of each academic session. Photographs from the previous session are permanently and irreversibly deleted within 30 days of the new session commencing.
• Dispute records: Retained for 5 years from the date the dispute was raised, to provide an audit trail for institutional and legal purposes.
• Deleted accounts: All personal data associated with a deleted account is erased within 30 days of receiving a valid account deletion request, except where retention is required by Nigerian law or academic regulations.

When data reaches the end of its retention period, it is securely and permanently deleted from all Fasvia systems and any associated backups within a 30-day processing window.

Under the Nigeria Data Protection Act 2023 (NDPA 2023), you have the following rights regarding your personal data. These rights apply to all Fasvia users, regardless of your nationality or institution.

• Right to Access: You may request a copy of all personal data we hold about you at any time.
• Right to Rectification: You may request correction of any inaccurate or incomplete personal data held about you.
• Right to Erasure: You may request deletion of your personal data, subject to our legal retention obligations and your institution's academic records requirements.
• Right to Withdraw Consent: Where processing is based on consent (biometric data), you may withdraw that consent at any time without affecting the lawfulness of prior processing.
• Right to Data Portability: You may request your attendance records in a structured, machine-readable format (CSV or JSON) for use with compatible systems.
• Right to Object: You may object to processing based on legitimate interest. We will cease such processing unless we can demonstrate compelling legitimate grounds that override your interests.
• Right to Lodge a Complaint: You have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng if you believe we have processed your data unlawfully.

We implement comprehensive technical and organisational security measures to protect your personal data against unauthorised access, loss, alteration, or disclosure:

• All data stored in our database is encrypted at rest using AES-256 encryption
• All data transmitted between the Fasvia app and our servers is encrypted in transit using TLS 1.3
• Supabase Row Level Security (RLS) policies ensure that users can access only their own data — no cross-user or cross-institution data leakage is architecturally possible
• Device fingerprinting binds each student account to a single registered device, preventing unauthorised access via credential sharing
• Mock location detection and emulator detection are active on all platforms — suspicious activity triggers an automatic fraud flag
• Passwords are never stored in plain text — all passwords are hashed using bcrypt with an appropriate cost factor before storage
• Regular internal security reviews are conducted, and vulnerabilities are remediated promptly upon discovery
• Access to production data by Nelbion Group staff is limited to authorised personnel on a strict need-to-know basis

In the event of a data breach that affects your rights and freedoms, we will notify the Nigeria Data Protection Commission (NDPC) within 72 hours and notify affected users without undue delay, as required by NDPA 2023.

Fasvia may be used by students who are under 18 years of age in some institutions. We treat all student personal data, regardless of age, with the highest level of protection and in strict accordance with applicable law.

For students under 16 years of age, institutions are responsible for obtaining verifiable parental or guardian consent prior to onboarding those students onto the Fasvia platform, in accordance with the requirements of NDPA 2023. Fasvia requires institutions to confirm in their service agreement that this obligation has been met.

If you are a parent or guardian and believe your child's data has been processed without appropriate consent, please contact us immediately at fasvia.nelbion@gmail.com. We will investigate and take appropriate action, which may include deletion of the minor's data.

Fasvia uses a minimal and transparent approach to cookies and browser storage:

• Session cookies: Used solely for authentication — to maintain your logged-in session securely. These expire at the end of your browser session or upon log-out.
• Browser localStorage: Used only to cache pending attendance records for offline support — this data is synced to the server and cleared upon successful sync.
• No advertising cookies: We use zero third-party advertising or tracking cookies.
• No tracking pixels: We do not embed third-party tracking pixels or beacons on any Fasvia page.
• No individual analytics tracking: Any usage analytics we collect are fully anonymised and cannot be used to identify individual users.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. We classify changes as either material or minor.

For material changes — those that significantly affect how we use your data or your rights — we will notify you by email at the address associated with your account and by in-app notification, at least 14 days before the changes take effect. Your continued use of Fasvia after the effective date of the updated policy constitutes your acceptance of the changes.

For minor changes — such as corrections, clarifications, or administrative updates — we will update the "Last updated" date at the top of this page. The most current version of this policy is always available on the Fasvia website.

If you have any questions, concerns, or requests relating to this Privacy Policy or the way we handle your personal data, please contact us:

If you are not satisfied with our response to your complaint, you have the right to escalate your complaint to the Nigeria Data Protection Commission (NDPC):

• Website: ndpc.gov.ng
• The NDPC is the supervisory authority responsible for enforcing the Nigeria Data Protection Act 2023