Privacy Policy.

How we collect, use, protect, and respect your personal information.

Part I · Who We Are and How to Contact Us

1 · Data Controller identity

This Privacy Policy is issued by Mind+ Facilitation Co. Nig. Ltd., the company that owns and operates the Just Before You Say Yes (JBYSY) platform. We are the Data Controller for all personal information collected through the platform.

2 · How to contact us about your data

For any question, concern, or request relating to your personal information, use the following dedicated channels:

• General privacy enquiries — privacy@jbysy.com
• Data subject rights requests (access, deletion, correction) — privacy@jbysy.com
• Data Protection Officer — privacy@jbysy.com, marked FAO: Data Protection Officer
• Reporting a data breach or security concern — security@jbysy.com
• Postal address for legal notices — 24 Biaduo Street, off Keffi Street, off Awolowo Road, Ikoyi, Lagos, Nigeria

Part II · What Personal Data We Collect and Why

3 · Overview

We collect personal data in three ways: information you give us directly when you register and use the platform; information generated automatically when you complete your assessment; and limited technical information collected by the platform's infrastructure. We do not purchase, obtain, or import personal data from any third-party source.

4 · Data collected from all users

When you create an account, we collect:

• Full name
• Email address
• Phone number (optional at registration; required for some payment methods)
• Password (stored as a cryptographic hash — we never store your plaintext password)
• Date of account creation and last login

When you make a payment, we collect:

• Transaction reference and amount
• Payment method type (card, bank transfer, USSD) — we do not store card numbers or banking credentials, which are processed exclusively by Paystack
• Payment timestamp and confirmation status

When you complete the assessment, we collect:

• Your responses to all 135 questions across 10 modules
• Assessment start time, completion time, and module-level progress data
• Your Composite Readiness Index (CRI) and all module-level scores, generated by automated processing of your responses
• Any N/A responses and the questions to which they apply

5 · Sensitive Personal Data

The JBYSY assessment includes questions that may elicit what the NDPA 2023 classifies as Sensitive Personal Data. For JBYSY users, this includes information relating to:

• Sexual history, sexual expectations, and sexual behaviour — collected through the Intimacy and Sexuality module
• Emotional health and mental well-being — collected through the Emotional Maturity and Conflict Resolution modules
• Personal trauma, relationship history, and past experiences that may reveal health or psychological information — collected through the Personal Background and Readiness module

We process Sensitive Personal Data only on the basis of your explicit, freely-given, specific, and informed consent, obtained through a dedicated consent screen presented before your assessment begins. You may withdraw consent at any time — see clause 22 for how. Sensitive Personal Data is subject to enhanced security measures and is never shared with any third party except as described in Part V or as required by law.

6 · Data collected from couples

Where two individuals complete a Couple Assessment, each partner's data is collected independently and processed separately to generate individual reports, which are then combined to produce the Couple Alignment Report. Each partner's data belongs to that partner individually. Neither partner has access to the other's raw assessment responses; the Couple Alignment Report presents only comparative analysis — not the other partner's verbatim answers. Where one partner withdraws consent, their data will be deleted, and the Couple Alignment Report will no longer be accessible to either partner.

7 · Data collected from counsellors

In addition to standard account data, we collect the following from registered Counsellors:

• Organisation or ministry affiliation, role, and professional context
• Years of counselling experience and professional credentials
• Professional supervisor, lead pastor, or organisational head details (for verification purposes)
• JBYSY Counsellor ID and certification status
• Dashboard activity logs: client access records, report views, and couple credit usage
• Annual subscription renewal history

Counsellors access their clients' personal data through the Dashboard. The terms under which Counsellors may process that data are governed by the Data Sharing Agreement (DSA) executed between each Counsellor and JBYSY. The DSA, not this Privacy Policy, is the primary instrument governing Counsellors' data obligations in their capacity as joint data controllers.

Part III · How and Why We Use Your Data

8 · Lawful bases for processing

We process personal data on the following lawful bases under the NDPA 2023. We do not process your data for any purpose not listed here without first obtaining your specific consent.

9 · What we do not do with your data

9A · Research use of assessment data

JBYSY may conduct, commission, or participate in psychometric research and validation studies using Assessment data, for the purpose of establishing the scientific validity and reliability of the JBYSY Assessment instrument. The following conditions govern all research use of personal data without exception:

• Research participation is voluntary — you may decline or withdraw at any time without affecting your access to any Service or Report;
• Your separate explicit consent is required before any of your data is used for research purposes — we will not use your data for research simply because you have accepted the Terms or completed the Assessment;
• All data used in research is anonymised and aggregated before analysis — no individual will be identified in any output, academic publication, or conference submission;
• Where research data includes Sensitive Personal Data, your explicit consent to research participation is required in addition to your general service consent;
• We may share anonymised, aggregated research data with trusted academic partners — we will never share identifiable personal data with any research partner.

The lawful basis for research processing is scientific research purposes under the NDPA 2023, combined with your separate explicit research consent. Research consent is obtained through a dedicated, clearly labelled opt-in presented during the account registration flow, after and separately from your acceptance of these Terms. You may withdraw research consent at any time by contacting privacy@jbysy.com. Withdrawal does not affect the lawfulness of any research processing carried out before the withdrawal.

Part IV · Automated Processing and the CRI

10 · How the CRI is generated

Your Composite Readiness Index (CRI) and all module-level scores in your report are generated by an automated algorithm without any human review of individual responses before the report is produced. This is what the NDPA 2023 calls automated decision-making.

The algorithm works as follows, at a general level:

• Your responses on the 4-point scale are assigned numerical values;
• Your responses are processed through a proprietary scoring methodology that assigns values to each response in accordance with the item's design;
• Where applicable, the algorithm applies appropriate handling to questions for which a response was not provided, so as to preserve the integrity of the calculation;
• Module scores are combined using a proprietary weighting methodology that reflects the relative importance of different areas to overall marital readiness;
• The output is your CRI, expressed on a standardised scale.

The CRI is a structured conversation tool. It is designed to surface patterns and themes for pastoral discussion — not to determine whether you should or should not marry.

11 · Safeguarding Flags

The assessment includes automated safeguarding logic. Where certain patterns in your responses indicate a potential risk to your wellbeing — for example, patterns associated with relational harm, coercive control, or severe emotional distress — the platform generates a Safeguarding Flag.

Safeguarding Flags are visible only to your registered JBYSY Counsellor through the Counsellor Dashboard. They are never communicated to you directly by the platform, and they are never communicated to your partner without your Counsellor's careful pastoral judgment. The existence of a Safeguarding Flag in your report does not mean you are at risk — it means the platform has detected a pattern that warrants a private pastoral conversation. Your Counsellor carries the sole responsibility for responding to any flag.

Platform safeguarding escalation. Where JBYSY, as platform operator, becomes directly and credibly aware — through a support communication or other reliable means — of an imminent and serious risk to the physical safety of a User, we may disclose such information as is strictly necessary and proportionate to a competent authority, including the Nigeria Police Force, NAPTIP, or child protection agencies, on the basis of the vital interests of the affected individual under the NDPA 2023. We will, where it is safe and practicable to do so, notify the affected User of any such disclosure. This provision operates independently of and does not diminish the Counsellor's primary safeguarding responsibility.

12 · Your rights regarding automated processing

Because your CRI is generated by automated means, you have specific rights under the NDPA 2023:

• The right to be informed that automated processing has taken place, which we satisfy through this clause;
• The right to request a plain-language explanation of the logic and factors that produced your CRI and report findings;
• The right to request that a human member of the JBYSY team review the technical accuracy of your score computation, where you believe a material error has occurred.

A human review covers the technical accuracy of the scoring calculation only. It is not a re-assessment of your responses or an opportunity to change your results based on a preferred outcome. To request an explanation or human review, contact privacy@jbysy.com. We will respond within 14 days.

Part V · Who We Share Your Data With

13 · Data sharing — overview

We share your personal data only in the circumstances described in this Part. We do not share data for any purpose other than this. All recipients are bound by contractual obligations or legal duties of confidentiality.

14 · Sharing with your registered counsellor

If you register a JBYSY Counsellor's ID on your account, your report — including module scores, your CRI, and any applicable Safeguarding Flag — will be accessible to that Counsellor through the Counsellor Dashboard. By linking a Counsellor's ID to your account, you consent to that Counsellor accessing your report data. You may unlink a Counsellor at any time through your account settings, which will remove their access to your report going forward.

Counsellors access your data in their capacity as joint data controllers and are bound by a Data Sharing Agreement with JBYSY. We do not share Sensitive Personal Data with Counsellors in a form that identifies your specific responses — Counsellors see module scores and report narrative, not your verbatim answers.

15 · Sharing with technology service providers

We use the following third-party technology providers to operate the platform. These providers process data on our behalf as part of delivering the service:

All technology providers are selected on the basis of their security standards and contractual commitments. We require all providers to process data only on our instructions and not for any other purpose.

16 · International data transfers

Supabase, Namecheap, and Resend are based in the United States of America. Your personal data — including your assessment responses and Sensitive Personal Data — is transferred to and stored on servers in the United States as part of normal platform operation. Nigeria has not designated the United States as an adequate jurisdiction under section 43 of the NDPA 2023. We transfer your data to these providers on the basis of your explicit consent to the transfer, given at the point of account registration after disclosure of the receiving country.

We require all international recipients to maintain security standards and contractual commitments equivalent to those required under Nigerian law. If you do not consent to the international transfer of your data, you will not be able to use the platform, as the technical infrastructure requires data to be processed on these servers.

17 · Sharing required by law

We may disclose personal data where required to do so by a lawful order from a Nigerian court, the NDPC, the Economic and Financial Crimes Commission (EFCC), or any other competent authority. We will notify you of such a disclosure where we are legally permitted to do so. We will never disclose data in response to informal or unverified requests — all compelled disclosures are reviewed by our legal team before submission.

Part VI · How Long We Keep Your Data

18 · Data retention schedule

We retain personal data only for as long as is necessary for the purpose for which it was collected, or as required by applicable law. Our standard retention periods are:

Upon account deletion, all personal data is scheduled for deletion within 30 days, except payment transaction records and any data we are required to retain by law, which are anonymised and held for the statutory period. Counsellor Dashboard data is retained for 30 days after subscription expiry before deletion, to allow for renewal. A Counsellor who does not renew within 30 days of expiry will have their Dashboard data deleted permanently.

Part VII · Your Rights Under the NDPA 2023

19 · Your data protection rights

Under the Nigeria Data Protection Act 2023, you have the following rights in respect of your personal data. These rights apply to all users — Individuals, Couples, and Counsellors.

20 · Response timeframes

We will respond to all verified data subject rights requests within 30 days of receipt. Where a request is complex or we receive a large volume of requests simultaneously, we may extend this period by a further 30 days, in which case we will notify you within the initial 30-day period and explain the reason for the extension. We may need to verify your identity before processing a rights request. We do not charge a fee for processing rights requests unless they are manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee or decline to act.

Part VIII · Consent and How to Withdraw It

21 · How we obtain consent

We obtain your consent to process Sensitive Personal Data through a dedicated consent screen presented before the assessment begins. This screen explains what Sensitive Personal Data the assessment will collect, how it will be used, who may access it, and how you may withdraw consent. By clicking "I consent and wish to proceed" on the consent screen, you give your explicit, freely-given, specific, and informed consent. Your consent to Sensitive Personal Data processing is separate from your acceptance of the Terms of Service — accepting the Terms does not constitute consent to Sensitive Personal Data processing.

22 · Withdrawing consent

You may withdraw your consent to the processing of Sensitive Personal Data at any time by contacting privacy@jbysy.com or using the consent management option in your account settings. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

If you withdraw consent while your assessment is in progress, we will be unable to complete report generation. Any fee paid for an assessment that cannot be completed due to consent withdrawal is subject to our standard no-refund policy — consent withdrawal does not constitute a Verified System Failure. If you withdraw consent after your report has been generated, we will delete your Sensitive Personal Data in accordance with the retention schedule, but we are unable to un-generate a report that has already been produced and viewed.

Part IX · How We Protect Your Data

23 · Security measures

We implement appropriate technical and organisational security measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These include:

• Encryption in transit — all data transmitted between your device and our platform uses TLS 1.2 or higher;
• Encryption at rest — all data stored in our database is encrypted at rest using AES-256;
• Row-level security — our database architecture ensures that each user can only access their own data; controls are enforced at the database layer, not only at the application layer;
• Scoring logic isolation — all assessment scoring computation is performed server-side only; no scoring logic or response data is exposed in client-side code;
• Counsellor access logging — all access to client reports through the Counsellor Dashboard is logged with timestamp, Counsellor ID, and report accessed;
• Access controls — internal access to personal data is restricted to authorised personnel on a need-to-know basis;
• Penetration testing — the platform undergoes security testing before launch and at periodic intervals thereafter.

24 · Data breach response

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the NDPC within 72 hours of becoming aware of the breach. Where a breach is likely to result in a high risk to your rights and freedoms — for example, where Sensitive Personal Data has been exposed — we will notify you directly without undue delay, describing the nature of the breach, the data affected, the likely consequences, and the measures we are taking to address it. If you believe your account has been compromised or you are aware of a security vulnerability, contact security@jbysy.com immediately.

Part X · Children and Minimum Age

25 · Age restriction

The JBYSY platform is intended exclusively for persons aged 18 years and above. We do not knowingly collect personal data from anyone under the age of 18. If you are a parent or guardian and believe that a person under 18 has registered an account, contact privacy@jbysy.com immediately — we will delete the account and all associated data upon verification. If we discover that a user is under 18, we will immediately suspend the account and delete all associated data without notice.

Part XI · Cookies and Technical Data

26 · Cookies and session data

The platform uses cookies and similar technologies to manage user sessions, maintain login state, and ensure the platform functions correctly. These are strictly necessary cookies — the platform cannot function without them. We do not use advertising cookies, tracking pixels, or third-party behavioural analytics cookies on the JBYSY platform.

We use platform analytics to understand aggregate usage patterns — for example, which modules users spend most time on, and where users tend to pause or abandon the assessment. This data is anonymised and aggregated before analysis and is never used to identify individual users.

The following technical data is collected automatically when you use the platform:

• Device type and operating system (to optimise display and performance)
• Browser type and version
• IP address (retained for security and fraud detection; not associated with your assessment data)
• Session duration and page interaction data

Do Not Track signals. The JBYSY platform does not currently respond to Do Not Track (DNT) browser signals. We will review this position in line with DNT standards and any applicable regulatory guidance in Nigeria as they develop.

Part XII · Changes to This Policy

27 · Policy updates

We may update this Privacy Policy from time to time. Where a change is material — meaning it affects how we process your data, reduces your rights, or changes the purposes for which we use your data — we will notify you by email at least 14 days before the change takes effect. Non-material changes (typographical corrections, updated contact information, or clarifications that do not affect your rights) may be made at any time without prior notice. The current version of this Privacy Policy is always available at jbysy.com/privacy. Your continued use of the platform after a material change takes effect constitutes your acceptance of the updated Policy.

Part XIII · How to Complain

28 · Internal complaint process

If you are unhappy with how we have handled your personal data, we ask that you contact us first at privacy@jbysy.com so that we have the opportunity to address your concern. We will acknowledge your complaint within 5 working days and aim to resolve it within 30 days. Where resolution requires more time, we will keep you informed of progress.

29 · Complaint to the NDPC

If you are not satisfied with our response, or if you believe we are processing your data in violation of the NDPA 2023, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC). The NDPC can be contacted through its website at ndpc.gov.ng or at its offices in Abuja, Nigeria. There is no charge for lodging a complaint with the NDPC.

Part XIV · Glossary

Mind+ Facilitation Co. Nig. Ltd. · Just Before You Say Yes — Privacy Policy v1.1 · Your data is held in trust. We treat it that way.
Questions: privacy@jbysy.com · RC 1029540 · 24 Biaduo Street, off Keffi Street, off Awolowo Road, Ikoyi, Lagos, Nigeria