Privacy Policy
This Privacy Policy explains how Qrika ("Qrika", "we", "our", or "us") collects, uses, shares and protects your personal data when you use our website, mobile applications and related services (the "Platform"). It applies to all Members - buyers, sellers and visitors - in Nigeria.
Qrika is the data controller for the personal data processed under this Policy, and complies with the Nigeria Data Protection Act 2023 ("NDPA") and, where relevant, the Nigeria Data Protection Regulation 2019 ("NDPR") and guidance issued by the Nigeria Data Protection Commission ("NDPC").
1. Who we are and how to reach us
- Controller: Qrika
- Email: privacy@qrika.app
- Data Protection Officer: privacy@qrika.app
2. What personal data we collect
| Category | Examples | Source |
|---|---|---|
| Account data | Name, username, email, phone number, password (hashed), date of birth | Provided by you at sign-up |
| Profile & listing data | Profile photo, bio, campus / city, item photos, descriptions, prices | Provided by you |
| Identity & verification | Government ID, BVN, selfie, bank-account name - collected only when required to unlock selling, higher withdrawal limits or dispute escalation | Provided by you; verified via third-party KYC partner |
| Transaction data | Orders, amounts, delivery status, wallet balance, payouts, disputes | Generated through use of the Platform |
| Payment data | Card fingerprint, bank details for payout, Paystack reference codes (we do not store full card numbers or CVVs - these are handled directly by our PCI-compliant payment partner) | Collected via Paystack |
| Communications | In-app chat, support emails, review text | Provided by you |
| Device & usage data | IP address, device type, OS, browser, pages viewed, referrers, timestamps, crash logs | Collected automatically |
| Cookies & similar technologies | Session cookies, analytics identifiers, CSRF tokens | Collected automatically (see section 10) |
| Location data | Approximate location from IP; precise location only if you grant permission for delivery pick-up | Collected automatically or with your consent |
3. How we use your personal data and our legal basis
| Purpose | Legal basis (NDPA s. 25) |
|---|---|
| Create and manage your account; authenticate logins | Performance of a contract |
| Display your listings and profile to other Members | Performance of a contract |
| Process payments, escrow, refunds and payouts | Performance of a contract & legal obligation |
| Arrange delivery and tracking | Performance of a contract |
| Verify identity, prevent fraud, enforce Terms, handle disputes | Legitimate interests & legal obligation |
| Comply with tax, AML and regulatory requirements | Legal obligation |
| Send service messages (order updates, security alerts) | Performance of a contract & legitimate interests |
| Send marketing messages and personalised recommendations | Consent (which you can withdraw at any time) |
| Analytics, product research and Platform improvement | Legitimate interests |
| Respond to legal requests and defend legal claims | Legal obligation & legitimate interests |
4. Who we share data with
We share personal data only with the parties listed below, and only to the extent necessary:
- Other Members - counterparties to a transaction see your name, username, profile photo, listing details, order status, delivery address (for the Seller dispatching an Order), and review text. They do not see your email, phone, payment details or ID documents unless you voluntarily share them.
- Paystack Payments Limited - payment processing, card tokenisation, bank transfers, fraud checks.
- KYC / identity-verification partners - to verify the identity of sellers and high-value buyers when required.
- Delivery and logistics partners - to pick up, ship and deliver items; they receive only the data needed for delivery (name, phone, address).
- Cloud and infrastructure providers - including our hosting provider and Cloudinary (image storage / CDN).
- Analytics and communication tools - for product analytics, crash reporting, and transactional email / SMS delivery.
- Professional advisers - lawyers, auditors and accountants, bound by confidentiality.
- Law enforcement and regulators - where we are legally required to disclose, or where disclosure is necessary to protect life, property or the security of the Platform.
- A successor entity - in the event of a merger, acquisition or sale of assets, subject to continuing protection consistent with this Policy.
We do not sell your personal data to advertisers or data brokers.
5. International transfers
Some of our service providers (for example, cloud hosting and analytics) process data outside Nigeria. Where we transfer personal data outside Nigeria, we do so under the safeguards permitted by the NDPA - typically by relying on jurisdictions that provide an adequate level of protection, or by using contractual clauses and technical safeguards (including encryption in transit and at rest).
6. How long we keep your data
- Account and profile data: for as long as your account is open, plus up to 24 months after closure for fraud-prevention and legal purposes.
- Transaction and financial records: at least 6 years after the transaction, to comply with Nigerian tax and AML record-keeping obligations.
- Identity and KYC documents: up to 6 years after the account is closed.
- Support and dispute records: up to 3 years after the last contact.
- Marketing data: until you withdraw consent or unsubscribe, and then archived for up to 12 months as proof of compliance.
- Server logs and analytics: typically 13 months.
When data is no longer needed, we securely delete or anonymise it.
7. How we protect your data
- TLS / HTTPS encryption for data in transit.
- Encryption at rest for sensitive fields in our databases and cloud storage.
- Salted, hashed password storage; no plain-text passwords.
- Role-based access controls, audit logging, and least-privilege principles for staff access.
- Regular security reviews, dependency patching and backups.
- A formal incident-response procedure for personal-data breaches, including notification to the Nigeria Data Protection Commission and affected Members within 72 hours of becoming aware of a reportable breach, as required by the NDPA.
8. Children
Qrika is not directed at children. You must be at least 18 to register. If we learn that we have inadvertently collected personal data from a child under 18 without parental consent, we will delete it.
9. Your rights under the NDPA
Subject to applicable law, you have the right to:
- Access the personal data we hold about you and receive a copy;
- Rectify inaccurate or incomplete data;
- Erase your data ("right to be forgotten"), subject to our retention obligations;
- Restrict or object to certain processing, including direct marketing;
- Port your data to another controller in a structured, machine-readable format;
- Withdraw consent at any time, without affecting the lawfulness of processing before the withdrawal;
- Not be subject to a decision based solely on automated processing that produces legal effects on you, without human review;
- Lodge a complaint with the Nigeria Data Protection Commission if you believe your rights have been infringed.
To exercise any of these rights, email privacy@qrika.app. We will respond within 30 days and may ask for identification to verify the request. We do not charge for responding, except where the request is manifestly unfounded or excessive.
10. Cookies and similar technologies
We use cookies and similar technologies to:
- keep you signed in and protect against CSRF (strictly necessary cookies);
- remember your preferences (functional cookies);
- measure how the Platform is used so we can improve it (analytics cookies);
- deliver and measure marketing, where you have consented.
Strictly necessary cookies are always on because the Platform cannot work without them. Analytics and marketing cookies are only set with your consent. You can adjust your preferences in your browser settings, and most browsers let you block or delete cookies.
11. Automated decision-making
We use automated systems for fraud detection, risk scoring and content moderation. These systems can, for example, flag a Listing or temporarily hold a payout. A human reviewer is involved in any decision that has a significant effect on you (such as terminating an account or denying a dispute), and you can always request human review by contacting support.
12. Changes to this Policy
We may update this Privacy Policy from time to time. If a change is material, we will notify you by email and / or in-app notice at least 14 days before it takes effect. The "Last updated" date at the top of this Policy shows when it was last revised.
13. Contact
- Privacy queries and data-rights requests: privacy@qrika.app
- General support: support@qrika.app
- Regulator: Nigeria Data Protection Commission (NDPC)