CDS Logo
HomeAboutWork
My Account

Legal

Privacy Policy

How CDS Space collects, uses, shares, and protects personal data when you access cdsspace.pro, cdsspace.com, our dashboards, or engage our branding, design, development, and print services.

Effective date: 20 April 2026

1. Who We Are

CDS Space (“CDS Space”, “we”, “us”, “our”) is a branding, design, and digital production studio operating from Nigeria and serving clients globally. For the purposes of the Nigeria Data Protection Act, 2023 (“NDPA”), the EU/UK General Data Protection Regulation (“GDPR”), Rwanda Law No. 058/2021, the California Consumer Privacy Act/California Privacy Rights Act (“CCPA/CPRA”), and the Personal Information Protection Law of the People’s Republic of China (“PIPL”), we are the Data Controller of personal data processed through our websites and services.

Contact (controller & data protection enquiries):
Email: support@cdsspace.pro

2. Scope of This Policy

This Policy applies to all users of the CDS Space websites, client dashboards, staff admin portal, invoicing tools, contractor onboarding forms, and any related services (collectively, the “Services”). It is drafted to comply primarily with Nigerian law and is adapted to meet the core obligations of data-protection regimes in Rwanda, the United Kingdom, the European Union, the United States (including California), and the People’s Republic of China. Where a specific jurisdiction grants you stronger rights than those described here, that higher standard applies to you.

3. Personal Data We Collect

3.1 Data you provide directly

  • Account data — full name, email address, password (hashed), phone number, company name, country.
  • Profile data — avatar, job title, billing address, business description.
  • Project data — briefs, creative assets, files, brand words, messages you send through our chat or support channels.
  • Payment data — billing details processed through our payment providers. We do not store full card numbers on our servers.
  • Career / contractor data — CV, portfolio links, work history, identification documents submitted when applying to join us.

3.2 Data collected automatically

  • Device & usage data — IP address, browser type, device identifiers, pages viewed, referring URL, timestamps.
  • Cookies and similar technologies — session cookies, authentication tokens (Supabase sb-* cookies, our cds_oauth_* cookies), and limited analytics cookies. See Section 10.
  • Log data — error logs, security events, and API request logs.

3.3 Data from third parties

  • Google Sign-In — when you sign in with Google, we receive your name, email, Google account ID, and profile picture. We do not receive your Google password.
  • Payment processors — transaction reference, payment status, and limited billing identifiers.
  • Public sources — for business-to-business outreach, we may process publicly available professional contact information.

We do not intentionally collect sensitive personal data (health, religion, political views, biometric data) unless you voluntarily share it in connection with a project, and we do not require it to provide the Services.

4. Why We Use Your Data (Purposes & Legal Bases)

Under the NDPA, GDPR, Rwanda’s data protection law, and PIPL, we must have a valid legal basis for every processing activity.

PurposeLegal basis
Create and manage your account; authenticate you.Performance of a contract; consent (for Google Sign-In).
Deliver branding, design, web, and print services you order.Performance of a contract.
Process payments, issue invoices, and keep tax records.Legal obligation (tax and anti-money-laundering laws); contract performance.
Customer support and in-app chat.Contract performance; legitimate interests.
Protect the Services against fraud, abuse, and security incidents.Legitimate interests; legal obligation.
Send service emails (receipts, updates, security alerts).Contract performance; legitimate interests.
Send marketing emails about our work and offers.Consent (you can withdraw at any time).
Review career and contractor applications.Steps prior to entering into a contract; consent.

For users in China, where PIPL requires separate consent for specific processing activities (such as cross-border transfers and the processing of sensitive personal information), we obtain that consent through distinct in-product prompts.

5. Who We Share Data With

We do not sell your personal data. We share it only with the categories of recipients below, and only to the extent needed for the purposes in Section 4:

  • Service providers (processors) — hosting and infrastructure (Vercel Inc., USA), database and authentication (Supabase Inc., USA/EU), Google OAuth (Google LLC, USA), email delivery (Google Workspace / SMTP), file storage, and analytics providers.
  • Payment processors — to take payment and refund transactions.
  • Professional advisors — accountants, auditors, and lawyers, under duties of confidentiality.
  • Authorities — where required by a valid legal request under Nigerian law or another applicable jurisdiction (for example, the Nigeria Data Protection Commission, tax authorities, or a court).
  • Corporate transactions — in connection with a merger, acquisition, or sale of assets, subject to equivalent protection of your data.

Every processor is bound by a written data-processing agreement that obliges them to process your data only on our instructions and to keep it secure.

6. International Data Transfers

CDS Space is based in Nigeria. Our infrastructure providers are primarily located in the United States and the European Union. This means your data may be transferred to, and processed in, countries outside your country of residence.

  • From Nigeria (NDPA): transfers are made only to jurisdictions that provide an adequate level of protection, or under appropriate safeguards (standard contractual clauses, binding corporate rules, or your explicit consent).
  • From the EU and UK (GDPR / UK GDPR): we rely on European Commission / UK adequacy decisions where available, and on UK IDTA or EU Standard Contractual Clauses (2021) for other transfers.
  • From Rwanda (Law No. 058/2021): transfers are made with the prior authorisation of the National Cyber Security Authority where required, or under appropriate safeguards.
  • From China (PIPL): we obtain your separate consent for cross-border transfers and, where applicable, conduct a Personal Information Protection Impact Assessment and adopt the CAC Standard Contract.
  • From California (CCPA/CPRA): we disclose categories of personal information disclosed for a business purpose as set out in Section 12.

You can request a copy of the safeguards in place for any specific transfer by writing to support@cdsspace.pro.

7. How Long We Keep Your Data

  • Account data: for as long as your account is active, plus up to 24 months after closure to handle disputes and legal obligations.
  • Project and creative files: for the duration of the engagement, plus a further 7 years for tax and contractual record-keeping in Nigeria.
  • Payment & tax records: at least 6 years, as required by Nigerian tax law, and longer where required by your jurisdiction.
  • Marketing data: until you withdraw consent or unsubscribe, then removed from active lists.
  • Career applications: up to 12 months after a hiring decision, unless you ask us to delete them sooner.
  • Server & security logs: up to 12 months, then aggregated or deleted.

8. Your Rights

Subject to the law applicable to you, you have the following rights over your personal data:

  • Access — ask for a copy of the data we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure / Deletion — ask us to delete data we no longer need to hold.
  • Restriction — ask us to pause processing in certain circumstances.
  • Objection — object to processing based on our legitimate interests, including direct marketing.
  • Portability — receive your data in a structured, machine-readable format and transmit it elsewhere.
  • Withdraw consent — at any time, without affecting the lawfulness of processing before withdrawal.
  • Lodge a complaint — with the Nigeria Data Protection Commission (NDPC), your local supervisory authority in the EU/UK, the National Cyber Security Authority of Rwanda, the California Attorney General, or the Cyberspace Administration of China.
  • Non-discrimination (California) — we will not deny you service, charge you a different price, or provide a lower quality of service because you exercised a CCPA/CPRA right.
  • Opt-out of sale / sharing (California) — we do not sell your personal information, and we do not share it for cross-context behavioural advertising.
  • Right to know personal information processing (China, PIPL) — including the right to copy, correct, delete, and, in the event of death, for your next of kin to exercise your rights.

To exercise any right, email support@cdsspace.pro. We will respond within 30 days (or the shorter period required by your jurisdiction), and may ask you to verify your identity before we act.

9. How We Protect Your Data

We maintain administrative, technical, and physical safeguards designed to protect your data, including:

  • Transport Layer Security (HTTPS/TLS) on all web traffic.
  • Password hashing and OAuth 2.0 with nonce and state verification.
  • Role-based access control for the staff admin portal.
  • Principle of least privilege for databases and storage buckets.
  • Regular patching and dependency updates.
  • Logging and monitoring of authentication and authorisation events.
  • Written agreements with all processors.

In the event of a personal-data breach that is likely to result in a risk to your rights, we will notify the Nigeria Data Protection Commission and, where required, you, within 72 hours of becoming aware of it, in accordance with the NDPA and any other applicable law.

10. Cookies & Similar Technologies

We use the following categories of cookies:

  • Strictly necessary — session and authentication cookies (sb-*, cds_oauth_state, cds_oauth_nonce, cds_oauth_next) that are required for sign-in and security. These cannot be disabled.
  • Functional — to remember your preferences.
  • Analytics — to understand how the Services are used, in aggregate form.

You can control non-essential cookies through your browser settings and, where shown, our in-product cookie banner. Withdrawing consent will not affect any service you are logged into.

11. Children

Our Services are intended for users aged 18 and over. We do not knowingly collect personal data from children under 13 (United States, COPPA), under 16 (EU/UK GDPR, where national law sets that age), or under 18 (Nigeria NDPA, for our commercial services). If you believe we have collected data from a child, please contact us and we will delete it.

12. Additional Disclosures for California Residents

In the 12 months before the effective date above, we have collected and disclosed the following categories of personal information under CCPA/CPRA: identifiers, customer records, commercial information, internet/network activity, geolocation (approximate, from IP), and professional/employment information (for applicants).

We have not sold or shared personal information for cross-context behavioural advertising. California residents may submit verifiable requests under the “Your Rights” section and may designate an authorised agent to act on their behalf.

13. Additional Disclosures for Users in China

Where PIPL applies, the following additional points apply to you:

  • We process personal information only with your separate consent where PIPL requires it (for example, for cross-border transfers and processing of sensitive personal information).
  • You can request that we designate a local representative for PIPL matters by contacting us.
  • You may request that we stop processing your personal information or that your personal information be transferred to another provider in line with PIPL requirements.

14. Automated Decision-Making

We do not use your data for automated decision-making that produces legal effects or similarly significant effects concerning you. Where that changes, we will update this Policy and, where required, request your explicit consent.

15. Changes to This Policy

We may update this Policy from time to time. When we make material changes, we will notify you by email or through an in-product notice at least 14 days before the change takes effect, and we will update the effective date above. Your continued use of the Services after the effective date means you accept the updated Policy.

16. How to Contact Us

For any question about this Policy or how we handle your data, contact:

CDS Space — Data Protection
Email: support@cdsspace.pro

Note: This document is provided as a good-faith compliance framework based on publicly available statutes as of the effective date. It is not legal advice. Before relying on it, have it reviewed by qualified counsel in each jurisdiction where you operate.

Let’s Build Your Brand

Start here
Book a Consultation
CDS Logo

CDS Space helps brands and product teams design, build, and scale digital experiences with clarity and speed.

Menu

  • Home
  • About
  • Work
  • Contact

CDS Studio

  • Best Brand
  • BrandMe
  • Brand Brief
  • Partnership
  • Rollup Banners
  • Merch
  • Links

Community

  • Career
  • X
  • TikTok
  • Facebook
  • Instagram
  • LinkedIn
  • Youtube
  • WhatsApp

Offices

  • Rwanda - RW

    Coming soon

© 2026 CDS Space | Branding Agency. All rights reserved

Privacy PolicyTerms of Service