Zaelo Hub Technologies Limited ("Zaelo Hub," "we," "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, process, store, and share your information in compliance with the Nigeria Data Protection Act 2023 (NDPA), the Nigeria Data Protection Regulation (NDPR) 2019, and the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention).
1. Data Controller
The data controller responsible for your personal data is:
Zaelo Hub Technologies Limited
Lagos, Nigeria
Email: privacy@zaelohub.com
2. Information We Collect
2.1 Information You Provide
- Account Information: Full name, email address, phone number, password (hashed), and profile photo.
- Merchant Information: Store name, store description, store logo, business documents submitted during merchant verification.
- Identity Verification: Selfie photos and liveness check data used for face verification (processed and not permanently stored as raw biometric data).
- Transaction Information: Delivery addresses, payment details, wallet balances, transaction history, and Transaction PIN (encrypted).
- Communications: Messages sent via in-app chat, dispute descriptions, and contact form submissions.
2.2 Information Collected Automatically
- Device Information: Browser type, operating system, device identifiers, IP address.
- Usage Data: Pages viewed, products searched, time spent on pages, click patterns.
- Cookies & Local Storage: Authentication tokens, user preferences, recently viewed products.
2.3 Information from Third Parties
- Payment Processors: Transaction confirmations and payment status from Flutterwave.
- Social Login Providers: Basic profile information from Google when you sign in via Google OAuth.
3. Legal Basis for Processing
Under the NDPA 2023, we process your data based on the following lawful grounds:
- Consent: You consent to data processing when you create an account and accept these terms.
- Contract Performance: Processing is necessary to fulfil our obligations (e.g., processing payments, delivering escrow services).
- Legitimate Interest: Fraud prevention, platform security, and service improvement.
- Legal Obligation: Compliance with Nigerian financial regulations, tax laws, and court orders.
4. How We Use Your Information
- Facilitate Transactions: Process orders, escrow payments, wallet deposits, and withdrawals.
- Identity Verification: Confirm user identity for merchant applications and high-value transactions.
- Communication: Send order updates, dispute notifications, and system alerts.
- Fraud Prevention: Detect and prevent fraudulent activities, money laundering, and suspicious account behaviour, in compliance with the Money Laundering (Prevention and Prohibition) Act 2022.
- Service Improvement: Analyse usage patterns to improve user experience, fix bugs, and develop new features.
- Legal Compliance: Respond to lawful requests from law enforcement and regulatory authorities.
5. Data Sharing & Third Parties
We do not sell your personal data. We share data only in these limited cases:
- Payment Processors: Flutterwave receives your name, email, and payment amount to process transactions.
- Cloud Hosting: Our infrastructure is hosted on secure, reputable cloud platforms with data processing agreements in place.
- Dispute Resolution: When a dispute is filed, relevant transaction and communication data may be shared with all parties involved and Zaelo Hub mediators.
- Law Enforcement: We may disclose data when required by a valid court order or subpoena under Nigerian law.
6. Data Retention
- Account Data: Retained for as long as your account is active plus 2 years after account deletion (for legal and regulatory compliance).
- Transaction Records: Retained for 6 years as required by Nigerian tax and financial regulations.
- Chat Messages: Retained for the duration of the transaction plus 1 year.
- Face Verification Data: Processed in real time and not permanently stored as raw biometric data. Verification results (pass/fail) are retained.
7. Data Security
We implement industry-standard security measures including:
- Encryption of data in transit (TLS/SSL) and at rest.
- Hashed passwords using bcrypt with appropriate salt rounds.
- Encrypted Transaction PINs.
- JWT-based authentication with secure token rotation.
- Rate limiting on sensitive endpoints to prevent brute-force attacks.
- Regular security audits and vulnerability assessments.
8. Your Rights Under the NDPA 2023
As a data subject under Nigerian law, you have the following rights:
- Right of Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Request correction of inaccurate or incomplete data.
- Right to Erasure: Request deletion of your data (subject to legal retention requirements).
- Right to Restrict Processing: Request that we stop processing your data in certain circumstances.
- Right to Data Portability: Receive your data in a structured, machine-readable format.
- Right to Object: Object to processing based on legitimate interest.
- Right to Withdraw Consent: Withdraw consent at any time (this does not affect the lawfulness of prior processing).
To exercise any of these rights, contact us at privacy@zaelohub.com. We will respond within 30 days as required by the NDPA.
9. Cookies
Zaelo Hub uses essential cookies and local storage for:
- Authentication: Keeping you logged in securely.
- Preferences: Storing theme (dark/light mode) and language preferences.
- Cart Data: Persisting your shopping cart across sessions.
We do not use third-party tracking or advertising cookies.
10. International Data Transfers
Your data is primarily processed within Nigeria. If data is transferred outside Nigeria (e.g., to cloud infrastructure providers), we ensure adequate data protection through:
- Data processing agreements with adequate safeguards.
- Compliance with the NDPA 2023 cross-border data transfer requirements.
- Alignment with the African Union Malabo Convention principles.
11. Children's Privacy
Zaelo Hub is not intended for children under 18 years of age. We do not knowingly collect personal data from minors. If we become aware that a child has provided us with personal data, we will delete it promptly, in compliance with the Child Rights Act 2003.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.
13. Complaints
If you believe your data rights have been violated, you may:
- Contact our Data Protection Officer at privacy@zaelohub.com.
- Lodge a complaint with the Nigeria Data Protection Commission (NDPC).
14. Contact Us
For privacy-related questions: