Privacy Policy
We collect only what we need to run the engagement, store it inside controlled infrastructure, and delete it when it is no longer required. This policy explains what that means in concrete terms and how to exercise the rights the NDPA gives you.
- Effective from: 2026-05-03
- Last reviewed: 2026-05-03
- Governing law: Federal Republic of Nigeria · Nigeria Data Protection Act (NDPA) 2023
1. Who we are
Henry Onyx Studio (a division of Henry Onyx Limited) is the data controller for personal data processed through studio.henryonyx.com and the linked Client portal. Our designated privacy contact is privacy@henryonyx.com.
2. Data we collect
We collect the minimum personal data required to deliver Studio engagements:
- Identifiers: name, business name, email address, phone or WhatsApp number.
- Engagement data: brief content, references, brand assets, project files, and message history.
- Financial data: invoice records, bank reference numbers, and payment proof images you upload. We do not store full bank account numbers beyond what appears on uploaded proof.
- Account data: shared Henry Onyx account identifiers, role memberships, sign-in events.
- Technical data: IP address, browser fingerprint at sign-in, device type, time-zone — used for security and abuse prevention.
3. Why we process it (legal basis under NDPA)
We process personal data on the following legal bases under the NDPA 2023:
- Performance of contract — to deliver the engagement you reserved or commissioned.
- Legitimate interests — to keep the Studio platform secure, fight fraud, and improve the service. We balance these interests against your rights.
- Legal obligation — to keep finance records for tax and audit purposes.
- Consent — for optional things like marketing emails, where consent can be withdrawn at any time.
4. How we store it
Personal data is held in an encrypted, access-controlled managed database, with row-level security enforcing that you only ever see your own records. File uploads (brand assets, payment proof, deliverables) are kept in restricted-access encrypted storage. Backups are encrypted at rest.
We use industry-standard encryption in transit (TLS 1.2+) for every page and API call.
5. Who we share it with
We share data only with subprocessors that are contractually bound to process it on our instructions:
- Supabase — database, authentication, and storage.
- Cloudinary — encrypted media storage.
- Vercel — application hosting.
- Resend — transactional email delivery.
- WhatsApp Cloud API — for engagement updates if you opt in.
- Anthropic / OpenAI — never used for personal data; only used for non-personal copy assistance with strict prompt boundaries.
6. International transfers
Some of our subprocessors operate from outside Nigeria. We rely on the NDPA's provisions for international data transfer, including standard contractual clauses where applicable, and we choose providers with strong data-protection programmes.
7. How long we keep it
Engagement records are kept for the life of the project and for seven (7) years after the final invoice — to comply with finance and tax retention requirements. Authentication logs are kept for twenty-four (24) months. Marketing-list opt-ins are kept until you withdraw consent. Once a retention period ends, we delete or fully anonymise the records.
8. Your rights under the NDPA
You have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Erase data we no longer have a legal basis to hold (subject to retention periods above).
- Restrict or object to certain processing activities.
- Receive your data in a portable format.
- Withdraw consent for any consent-based processing at any time.
- Lodge a complaint with the Nigeria Data Protection Commission (NDPC).
9. Cookies and tracking
We use a minimal set of first-party cookies for authentication, session continuity, and theme preference. We use privacy-respecting analytics that do not assemble cross-site profiles. We do not sell or share data with advertising networks.
10. Children's data
Studio engagements are entered into by businesses, not minors. We do not knowingly process personal data of anyone under eighteen (18). If you believe we have done so by mistake, contact us and we will delete the records.
11. Security incidents
If a personal data breach occurs that is likely to affect your rights, we notify the NDPC within seventy-two (72) hours and notify the affected data subjects without undue delay.
12. Contact
Privacy enquiries and data subject requests: privacy@henryonyx.com.
We respond to verified requests within thirty (30) days.