Back to home

Privacy Policy

Effective: 9 June 2026Last updated: 16 June 2026

How we collect, use, store, share and protect personal data across Optraction.

Download full Privacy Policy (PDF)

1. Introduction

Welcome to Optraction, a project-first workspace where work, conversations and payments are brought together.

Optraction is a productivity, project-management and business-operations platform owned and operated by Concept Colony Limited, a company registered in the Federal Republic of Nigeria with registration number 9087914.

This Privacy Policy explains how Concept Colony Limited collects, receives, uses, stores, shares, protects, transfers and otherwise processes personal data when individuals:

  • Visit the Optraction website;
  • Create or use an Optraction account;
  • Create, manage or join a workspace;
  • Participate in a project;
  • Use project chats, task boards or time-tracking tools;
  • Create, receive or pay invoices;
  • Create or complete forms;
  • Contact Optraction;
  • Receive invitations or other communications;
  • Participate in beta testing, product research or surveys;
  • Connect an authorised third-party integration;
  • Use any other Optraction service that refers to this Policy.

This Policy also explains the rights available to individuals and the procedures for exercising those rights.

This Privacy Policy is a transparency notice. It does not constitute blanket consent for every form of personal-data processing. Where consent is required for a specific processing activity, Optraction will request it separately and provide a reasonable method for withdrawing it.

2. Who We Are

Optraction is owned and operated by:

  • Legal entity: Concept Colony Limited
  • Company registration number: 9087914
  • Product: Optraction
  • General contact: [email protected]
  • Privacy and Data Protection Officer contact: [email protected]

Concept Colony Limited is responsible for the processing of personal data in circumstances where it determines the purposes and methods of that processing.

3. Scope of This Policy

This Privacy Policy applies to personal data processed through:

  • The Optraction public website;
  • The Optraction web application;
  • Any Optraction mobile application introduced in the future;
  • User accounts and profiles;
  • Personal and business workspaces;
  • Workspace administration tools;
  • Project dashboards;
  • Project chats;
  • Task boards;
  • Time-tracking tools;
  • Form-building and form-submission tools;
  • Invoice and payment pages;
  • Client and Guest portals;
  • Subscription and billing services;
  • Customer-support communications;
  • Beta and early-access programmes;
  • Authorised integrations;
  • Any other Optraction-controlled service that refers to this Policy.

This Policy does not automatically govern websites, applications or services independently operated by third parties. When users interact directly with an external service, that provider's own privacy policy and terms may apply.

4. Definitions

For the purposes of this Privacy Policy:

4.1 Personal Data

"Personal Data" means any information relating to an identified or identifiable natural person. It may include names; email addresses; telephone numbers; profile photographs; account identifiers; IP addresses; device identifiers; professional information; billing information; messages; location information; payment records; and other information capable of identifying an individual directly or indirectly.

4.2 Processing

"Processing" means any operation performed on personal data, including collection, recording, organisation, storage, access, use, analysis, transmission, sharing, updating, restriction, deletion and destruction.

4.3 User Content

"User Content" means information, files, messages, documents and other materials created, uploaded, submitted, shared or stored through Optraction.

4.4 Workspace Customer

"Workspace Customer" means an individual, company, agency, partnership or organisation that creates, controls or pays for an Optraction workspace.

4.5 Workspace Owner

"Workspace Owner" means the individual authorised to manage a workspace, its subscription, members, permissions, projects and settings.

4.6 Team Member

"Team Member" means an internal collaborator invited to participate in a workspace or project.

4.7 Guest or Client

"Guest" or "Client" means an external participant invited to access a limited project, form, invoice, task board, client portal or related information.

4.8 Data Controller

A Data Controller determines why and how personal data will be processed.

4.9 Data Processor

A Data Processor processes personal data on behalf of and according to the instructions of a Data Controller.

5. Our Role as Data Controller and Data Processor

Concept Colony Limited may act as either a Data Controller or a Data Processor, depending on the nature of the information and the circumstances in which it is processed.

5.1 When We Act as a Data Controller

Concept Colony Limited generally acts as a Data Controller for personal data relating to account registration; user profiles; subscription administration; direct billing relationships; platform security; website enquiries; customer support; marketing preferences; product research; beta-programme administration; legal compliance; and our direct relationship with users. In these circumstances, Concept Colony Limited determines why and how the personal data is processed.

5.2 When We Act as a Data Processor

Concept Colony Limited may act as a Data Processor when a Workspace Customer uses Optraction to process personal data relating to clients, employees, Team Members, contractors, Guests, form respondents, invoice recipients, project participants and other individuals added to the workspace.

In these circumstances, the Workspace Customer may be the Data Controller, while Concept Colony Limited processes the information to provide the requested platform functions. Where Optraction acts as a Data Processor, some privacy requests may need to be directed to the Workspace Customer that controls the relevant information. We may assist the Workspace Customer with valid privacy requests where required by applicable law or a Data Processing Agreement.

5.3 Workspace Customer Responsibilities

Workspace Customers are responsible for having a lawful basis for uploading and using personal data; providing appropriate privacy information to affected individuals; obtaining consent where required; limiting collection to information reasonably necessary; assigning appropriate workspace permissions; preventing unauthorised access; responding to data-subject requests; complying with applicable employment, privacy and commercial laws; and avoiding unnecessary collection of sensitive personal data. A separate Data Processing Agreement may apply to certain business or enterprise customers.

6. Data Protection Officer

Concept Colony Limited will designate and maintain a suitably qualified Data Protection Officer, whether as an internal officer or through an external service arrangement. The Data Protection Officer will be responsible for supporting and monitoring Optraction's compliance with applicable privacy and data-protection requirements, including advising management, monitoring compliance, reviewing data-processing activities, maintaining records of processing, supporting privacy impact assessments, handling rights requests and complaints, supporting breach investigations, advising on international transfers, and communicating with the Nigeria Data Protection Commission where required.

The Data Protection Officer may be contacted at [email protected]. Until the appointment details of a named Data Protection Officer are published, this email address will remain the official contact point for privacy and data-protection matters.

7. Data-Protection Principles

Optraction aims to process personal data according to the following principles:

  • Lawfulness, fairness and transparency — using an appropriate lawful basis and in a manner reasonably understandable to affected individuals.
  • Purpose limitation — collected for specific, explicit and legitimate purposes and not used incompatibly with those purposes.
  • Data minimisation — collecting only the information reasonably necessary for the relevant purpose.
  • Accuracy — taking reasonable steps to maintain accurate and complete personal data.
  • Storage limitation — not retained for longer than necessary, subject to the three-year general retention period and legal exceptions.
  • Confidentiality, integrity and availability — reasonable safeguards against unauthorised access, alteration, loss, disclosure or destruction.
  • Accountability — maintaining appropriate records, policies and procedures to demonstrate compliance.
  • Duty of care — considering the likely impact of processing on affected individuals and applying proportionate safeguards.

8. Information We Collect

The information collected depends on how an individual interacts with Optraction.

8.1 Account and Profile Information

When a user creates or accesses an account, we may collect full name, username, email address, telephone number, profile photograph, job title, professional role, company or organisation name, country or region, time zone, language preference, password or authentication information, notification preferences, workspace settings and account status. Passwords are not stored in readable form; they are protected through appropriate password-hashing and authentication controls.

8.2 Workspace and Membership Information

When a user creates or joins a workspace, we may process workspace name, business information, user role, membership status, project assignments, permissions, invitation history, workspace activity, administrative actions, seat allocation, subscription status and access records.

8.3 Project and Collaboration Information

When users create or participate in projects, we may process project names, descriptions, client information, deadlines, milestones, project status, chat messages, comments, decisions, approvals, attachments, member assignments, activity history and automated system updates. Project information may be visible to authorised participants according to the permissions selected by the Workspace Owner.

8.4 Task and Workflow Information

We may process task titles, descriptions, assigned users, due dates, priorities, statuses, comments, attachments, completion records, editing history and automated workflow activity.

8.5 Time-Tracking Information

Where time tracking is used, we may process timer start and stop times, manually recorded entries, duration, task or project association, entry descriptions, the user responsible and editing or approval history. Workspace Customers are responsible for ensuring their use of time tracking complies with applicable employment, contractor and privacy requirements.

8.6 Form Information

When users create or complete forms, we may process form titles, questions, responses, names, contact details, project requirements, service requests, uploaded documents, consent selections, submission dates, payment-related information and form activity. The user who creates a form is responsible for ensuring it has a lawful purpose and does not collect excessive or unlawful information.

8.7 Invoice and Payment Information

When invoicing and payment features are used, we may process invoice numbers, client names, client email addresses, billing addresses, service descriptions, amounts, currency, due dates, tax information, payment status, transaction references, payment dates, refund information, chargeback information, limited payer details and Paystack transaction responses.

8.8 Files and Attachments

Users may upload documents, images, videos, audio files, contracts, briefs, presentations, spreadsheets, design files, reports and other project materials. Users must have the authority and an appropriate lawful basis to upload information relating to other individuals.

8.9 Communications with Optraction

We may collect information when users contact us by email, request customer support, submit a complaint, request a refund, report a security issue, respond to a survey, participate in product research, submit feedback or join a beta programme.

8.10 Technical and Security Information

Our systems and hosting infrastructure may automatically generate technical information such as IP address, browser type, device type, operating system, login time, session identifier, authentication status, failed login attempts, approximate region derived from IP address, server requests, error information, security events and diagnostic information. This information is used primarily to operate, secure and troubleshoot Optraction.

9. Information About Invitees and Non-Users

A person may receive an Optraction communication without previously creating an account. A Workspace User may provide another person's information to invite them to a project, add them as a client, send an invoice, request completion of a form, share a project update or grant limited Guest access.

We may receive and process the person's name, email address, telephone number (where provided), the identity of the inviting user, the reason for the invitation, the relevant workspace/project/form/invoice, and delivery and response information. We use this information to provide the requested invitation or service. An invitee may contact [email protected] to raise an objection, request information or ask that appropriate action be taken regarding their personal data.

10. Sensitive Personal Data

Optraction is not intended to serve as a primary system for storing highly sensitive personal data. Sensitive information may include information relating to health; genetics; biometrics used for identification; religious or philosophical beliefs; political opinions; trade-union membership; race or ethnic origin; sexual life or orientation; criminal allegations or convictions; government identity documents; and financial-account credentials.

Users should not upload sensitive personal data unless it is reasonably necessary, they have an appropriate lawful basis, required privacy notices have been provided, required consent has been obtained, access is properly restricted and appropriate security measures have been applied. Optraction may restrict or remove sensitive information where its processing creates an unacceptable privacy, security or legal risk.

11. How We Use Personal Data

We may process personal data to provide Optraction (accounts, authentication, workspaces, projects, tasks, chats, time-tracking, invoices, forms, invitations, Guest access and user preferences); for subscription and billing administration; for payment processing via Paystack; for security and fraud prevention; for customer support; for product development and improvement (using aggregated, de-identified or limited information where reasonably possible); for essential service communications; for marketing communications where legally permitted; and for legal compliance.

Users may not be able to opt out of essential service communications while maintaining an active account, but may opt out of marketing messages without losing access to essential service communications.

12. Lawful Bases for Processing

Depending on the processing activity, we may rely on one or more of the following lawful bases:

  • Contract — necessary to create an account, provide platform features, manage a subscription, process an invoice, provide support or perform our agreement with a user.
  • Consent — for optional marketing, non-essential cookies, certain sensitive-data processing, optional research, particular future integrations and activities requiring express permission. Consent may be withdrawn at any time, subject to applicable law.
  • Legal obligation — to comply with tax laws, accounting rules, court orders, regulatory duties, data-protection obligations, fraud-prevention requirements and other applicable laws.
  • Legitimate interests — where reasonably necessary to secure Optraction, prevent fraud, improve reliability, provide business support, protect legal rights, understand performance and maintain records. We consider necessity, likely impact and available safeguards first.
  • Vital interests — in limited emergencies, to protect a person's life or safety.
  • Other lawful grounds — where recognised under applicable data-protection law.

13. Paystack Payment Processing

Optraction uses Paystack as its payment-processing provider. When a payment is initiated, Paystack may collect or process payer name, email address, telephone number, payment-card information, bank or payment-method information, IP address, device information, transaction amount, currency, transaction reference and fraud and risk information. Payment-card details may be entered directly into Paystack's payment environment.

Optraction may receive limited payment information, including transaction reference, transaction status, amount, currency, date and time, payer name, payer email, masked payment-method information and refund or chargeback status. Optraction does not intend to store complete payment-card numbers or card security codes. Paystack may process certain information independently under its own privacy policy, legal obligations and payment-security requirements.

14. Hosting and Cloud Infrastructure

Optraction uses third-party cloud hosting and infrastructure services to operate the website, application, databases, files, backups and related systems. The hosting provider may process account information, workspace data, project data, uploaded files, technical records, security logs, database records and backup copies, and may act as a Data Processor on behalf of Concept Colony Limited.

We will seek to ensure hosting and infrastructure providers are subject to appropriate confidentiality obligations, data-processing terms, security requirements, access limitations, incident-notification obligations and international-transfer safeguards where applicable. The name and processing location of the confirmed production hosting provider should be included in Optraction's service-provider or subprocessor register.

15. Cookies and Tracking Technologies

At the date of this Policy, Optraction does not use third-party advertising cookies, behavioural advertising tools, remarketing pixels, social-media tracking pixels, cross-site behavioural tracking or third-party analytics for advertising profiling.

Optraction may use strictly necessary first-party cookies and browser-storage technologies to maintain secure login sessions, authenticate accounts, protect forms, remember essential preferences, support basic platform functionality and remember cookie choices.

If non-essential analytics, advertising or tracking technologies are introduced, this Privacy Policy and the Cookie Policy will be updated, the provider and purpose will be disclosed, retention periods will be explained, consent will be requested where required, and users will be provided with appropriate controls. For more detail, see our Cookie Policy.

16. How We Share Personal Data

Optraction does not sell personal data. We may share personal data with authorised workspace participants (Workspace Owners, Team Members, Guests, Clients and project participants, depending on permissions); with Paystack for payments, confirmation, refunds, fraud prevention and reconciliation; with hosting and infrastructure providers; with other service providers (email delivery, authentication, customer support, security monitoring, file storage, error monitoring, communications and AI-assisted functions, each receiving only what is reasonably necessary); for integrations requested by users; with professional advisers; with legal authorities where reasonably necessary; and in connection with a business transaction such as a merger, acquisition, investment, restructuring, financing or sale, subject to appropriate confidentiality safeguards.

17. International Data Transfers

Optraction's hosting, payment or service providers may process information outside Nigeria. Where personal data is transferred internationally, we will seek to establish an appropriate lawful transfer basis and reasonable safeguards. Depending on the circumstances, these may include adequacy determinations, approved contractual safeguards, standard contractual clauses, recognised transfer agreements, binding corporate rules, legally recognised exceptions, explicit consent where appropriate, and additional technical and organisational safeguards. We may assess the destination country, the nature and sensitivity of the information, the recipient's security measures, applicable privacy protections, risks to affected individuals, and available contractual and technical protections.

18. Data Retention

Optraction applies a general retention period of three years. Unless a shorter or longer period is required by law or justified by a specific purpose, personal data may be retained for up to three years after the account is closed, the workspace is deleted, the user's relationship with Optraction ends, the relevant project is completed, the relevant transaction or interaction occurs, or the information is last actively required.

Specific categories — account and profile information, workspace and project information, invoice and payment information, form submissions, invitations, support and privacy communications, security logs and backups — are each retained in line with this period and any applicable legal exceptions. A valid deletion request may result in earlier deletion where no legal obligation, payment dispute, legal claim or other lawful basis requires continued retention. Invoice and payment records may be kept longer where required by tax, accounting, payment-provider, fraud-prevention or legal obligations. Deleted information may remain temporarily in secure, restricted backups until the backup cycle completes. When information is no longer required, we take reasonable steps to delete, anonymise, aggregate or securely destroy it.

19. Security Measures

Optraction maintains a baseline information-security programme intended to protect the confidentiality, integrity and availability of personal data. Measures applied or required for the production platform include encryption in transit (HTTPS/TLS); encryption at rest where supported; password hashing with unique salts; role-based, least-privilege access control; administrative account protection including multi-factor authentication where available; session security; secure cloud configuration; secure software development; vulnerability and patch management; logging and monitoring; secure backups and recovery; staff and contractor controls; service-provider reviews; incident-response procedures; and data minimisation and deletion.

These security measures are reviewed periodically and adjusted according to the nature of the information, available technology and identified risks. No electronic platform can guarantee absolute security.

20. Personal-Data Breaches

A personal-data breach may include accidental or unlawful destruction, loss, alteration, disclosure, access or unavailability of personal data. Where Optraction becomes aware of a suspected breach, we will take reasonable steps to investigate, contain the risk, identify affected systems and individuals, assess likely consequences, preserve records, take corrective action, inform affected Workspace Customers where appropriate, notify the Nigeria Data Protection Commission within the legally required period where applicable, notify affected individuals where legally required, and review measures to prevent recurrence.

Where applicable, a qualifying personal-data breach will be reported to the Nigeria Data Protection Commission within 72 hours of becoming aware of it. Report suspected privacy or security incidents immediately to [email protected].

21. Workspace Owner and Administrator Access

Workspace Owners and authorised administrators may be able to access workspace information, view member profiles, review projects and activity, manage permissions, export records, remove members, delete projects, control integrations and manage subscriptions. Information created within a business workspace may be controlled by the relevant Workspace Customer. Where a user leaves an organisation, their access may be removed, the organisation may retain business records, project messages may remain in the workspace, work records may remain available to authorised administrators, and the user may lose access to workspace content.

22. User Rights

Depending on applicable law and the circumstances, individuals may have the rights to be informed; of access; to correction; to deletion (which may be limited where retention is necessary for legal obligations, tax or accounting requirements, fraud prevention, payment disputes, security, legal claims or another person's lawful rights); to restriction; to object (including to direct marketing); to withdraw consent (applying to future processing); to data portability; concerning significant automated decisions (including human review and the opportunity to challenge a result); and to complain to Optraction or to the Nigeria Data Protection Commission.

23. Exercising Privacy Rights

Requests should be submitted to [email protected] and should include, where possible, the individual's name, the relevant account email, the workspace involved, the right being exercised, a description of the request and information needed to locate the relevant records. We may request reasonable identity verification before disclosing, changing or deleting information.

Where Optraction acts as a Data Processor, we may refer the request to the relevant Workspace Customer, notify and assist them, and explain why that customer controls the relevant information. We will respond within the period required by applicable law.

24. Marketing Preferences

Users may opt out of marketing communications by using the unsubscribe option contained in the communication or by contacting [email protected]. Opting out of marketing will not stop essential communications relating to security, account administration, billing, invitations, invoice delivery, project activity, legal notices and service operation. Optraction does not sell personal data to advertisers.

25. Automated Processing and Artificial Intelligence

Optraction may introduce automation or AI-assisted features for project summaries, task suggestions, workflow recommendations, draft messages, reporting, categorisation, security monitoring, fraud prevention and productivity insights.

At the date of this Policy, Optraction does not make decisions producing legal or similarly significant effects solely through automated processing, does not use private workspace content to train general-purpose AI models, and does not use AI to determine access to employment, credit, insurance or public benefits. Where AI functions are introduced, their purpose will be explained, relevant information use disclosed, appropriate controls provided, and significant outputs kept subject to human review. Private User Content will not be used to train a general-purpose AI model without clear notice, an appropriate lawful basis, required consent and reasonable safeguards.

26. Children and Minors

Optraction is primarily intended for businesses, agencies, freelancers, professionals, clients and service teams. Individuals under 18 should not independently create or control a paid workspace, purchase a subscription, or enter into a binding commercial agreement through Optraction. A minor may participate only where their participation is lawful, appropriate parental, guardian, school, employer or organisational authorisation exists, the Workspace Customer is authorised to provide access, and reasonable safeguards are applied. We do not knowingly target children with behavioural advertising or profiling.

27. Third-Party Services

Optraction may integrate with or link to external services. Third-party services may process personal data under their own privacy policies, terms, security practices, retention rules and legal obligations. Optraction does not control the independent processing activities of external providers. Users should review the privacy information of third-party services before connecting or using them.

28. Privacy by Design and Impact Assessments

Optraction will seek to consider privacy and data protection when designing new features, payment tools, integrations, AI systems, public-sharing tools, analytics services and high-risk processing activities. Where required or appropriate, Optraction may conduct a Data Privacy Impact Assessment before introducing processing likely to create a significant risk to individuals, considering necessity, proportionality, data minimisation, access controls, retention, security, international transfers, risks to vulnerable individuals and available safeguards.

29. Changes to This Privacy Policy

We may update this Privacy Policy to reflect platform changes, new features, new integrations, changes to Paystack or another provider, a confirmed hosting provider, new AI functionality, legal developments, security improvements and changes to processing purposes. The revised version will display an updated date. Where a change materially affects how personal data is processed, we may notify users through email, in-app messages, dashboard notices, website notices or another appropriate method. Where consent is required for a new activity, Optraction will request that consent rather than treating continued use as automatic consent.

30. Complaints

Privacy complaints may be submitted to [email protected] and should include the individual's name, relevant account email, relevant workspace, a description of the concern, supporting information and the requested resolution. We will investigate and respond within applicable legal timeframes. Individuals may also lodge a complaint with the Nigeria Data Protection Commission. Nothing in this Policy limits a person's right to seek an available legal remedy.

31. Governing Privacy Framework

This Privacy Policy is intended to be interpreted consistently with the Constitution of the Federal Republic of Nigeria, the Nigeria Data Protection Act 2023, applicable directives issued by the Nigeria Data Protection Commission, and applicable cybersecurity and consumer-protection requirements. Nothing in this Policy limits mandatory privacy rights available under laws that apply to an individual.

32. Contact Information

For privacy questions, rights requests, security concerns or complaints, contact:

  • Concept Colony Limited
  • Registration number: 9087914
  • Product: Optraction
  • Privacy and DPO contact: [email protected]
  • General contact: [email protected]
  • Registered business address: Lagos, Nigeria