⚠️ Template Disclaimer: This document is a template provided for convenience only. It does not constitute legal advice. Before publishing or relying on it, you must have it reviewed and adapted by a qualified legal practitioner admitted to the Nigerian Bar and, where appropriate, a registered Data Protection Compliance Organisation (DPCO), to ensure it accurately reflects QuickBite's data-processing activities and complies with the Nigeria Data Protection Regulation (NDPR) 2019, the Nigeria Data Protection Act (NDPA) 2023, and any guidance issued by the Nigeria Data Protection Commission (NDPC).
Last Updated: [DATE] · Effective Date: [EFFECTIVE DATE]
This Privacy Policy explains how [LEGAL ENTITY NAME] ("QuickBite", "we", "us", or "our") collects, uses, shares, and protects your personal data when you use the QuickBite mobile applications, websites, and related services (the "Platform"). We are committed to handling your data lawfully, fairly, and transparently, in line with the NDPR, the NDPA, and GDPR-equivalent principles.
By using the Platform, you acknowledge the practices described in this Policy.
1. Data Controller Identity
1.1. The data controller responsible for your personal data is:
[LEGAL ENTITY NAME] (RC [RC NUMBER])
- Address: [REGISTERED ADDRESS]
- Email: [SUPPORT EMAIL]
- Phone: [SUPPORT PHONE]
1.2. Data Protection Officer (DPO). You can contact our DPO for any privacy-related matter:
- Name: [DPO NAME]
- Email: [DPO EMAIL]
- Address: [DPO ADDRESS / as above]
2. Data We Collect
We collect the following categories of personal data:
2.1. Identity & contact data — your name, phone number, email address, and delivery address(es).
2.2. Location & GPS data — your delivery location, and, during an active delivery, location data used to route and track orders (see Section 6).
2.3. Payment data (tokenized) — we do not store your raw card details. Payments are tokenized and processed by PCI-DSS-compliant third-party processors; we retain limited transaction references (e.g., last four digits, transaction status/ID).
2.4. Order & transaction data — your order history, cart contents, sub-orders, fees, refunds, ratings, and reviews.
2.5. Device & usage data — device type, operating system, app version, IP address, identifiers, log data, and interactions with the Platform.
2.6. Cookies & similar technologies — as described in Section 11.
2.7. Vendor/Rider data (where applicable) — for vendors and riders, we additionally collect KYC information such as government-issued ID, NIN, BVN, bank account/settlement details, and business information, for verification, settlement, and compliance.
We collect data you provide directly, data generated through your use of the Platform, and data from third parties such as payment processors and identity-verification providers.
3. Legal Basis for Processing
Under the NDPA/NDPR, we process your personal data on one or more of the following lawful bases:
3.1. Performance of a contract — to create your account, process and deliver your orders, take payment, and provide support (i.e., to deliver the service you requested).
3.2. Consent — where you have given consent, for example for marketing communications, optional cookies, and continuous location tracking. You may withdraw consent at any time (see Section 8).
3.3. Legitimate interests — for purposes such as fraud prevention, platform security, service improvement, analytics, and protecting our legal rights, provided these interests are not overridden by your rights and freedoms.
3.4. Legal obligation — to comply with applicable laws, tax/VAT requirements, regulatory requests, and lawful orders.
3.5. Vital interests / public interest — in rare cases where processing is necessary to protect life or as otherwise permitted by law.
4. Purpose of Processing
We use your personal data to:
4.1. create and manage your account and verify your identity;
4.2. fulfil orders — transmit order details to vendors and assign and route riders;
4.3. process payments, refunds, and settlements;
4.4. provide delivery routing and live tracking;
4.5. provide customer support and handle complaints and disputes;
4.6. detect, prevent, and investigate fraud, abuse, and security incidents;
4.7. send transactional notifications (order status, OTPs) via push, SMS, or email;
4.8. send marketing and promotional communications only where you have separately consented, with an option to opt out at any time;
4.9. analyse and improve the Platform; and
4.10. comply with legal, tax, and regulatory obligations.
5. Third-Party Sharing
We share personal data only as necessary and with the following categories of recipients:
5.1. Vendors — we share order details (items, special instructions, and necessary contact/delivery information) with the vendor fulfilling your order.
5.2. Riders & dispatchers — we share your delivery location, address, and contact number with the assigned rider (or, for non-app riders, with the coordinating dispatcher) to complete delivery.
5.3. Payment processors — e.g., Paystack and/or Flutterwave, to process payments and payouts.
5.4. Identity / KYC verification providers — e.g., providers used to verify NIN and BVN for vendors and riders.
5.5. Analytics & communications providers — analytics tools and SMS/push/email delivery providers (e.g., an SMS/USSD provider for OTPs and rider notifications).
5.6. Cloud hosting & infrastructure providers — for storing and processing data securely (see Section 10).
5.7. Professional advisers, authorities, and successors — legal/financial advisers, regulators, law-enforcement (where legally required), and parties to a corporate transaction (e.g., merger or acquisition), subject to confidentiality.
We do not sell your personal data. We require third parties to protect your data and to use it only for the purposes for which it was shared.
6. Location Data
6.1. We use location data to show nearby vendors, set delivery addresses, route riders, and provide live order tracking.
6.2. Continuous GPS during delivery. During an active delivery, we may process the rider's continuous GPS location to enable real-time tracking and accurate drop-off. Customer location is used to identify the delivery point and improve routing.
6.3. You can control location permissions through your device settings. Disabling location may limit features such as automatic address detection and live tracking.
7. Data Retention
7.1. We retain personal data only for as long as necessary to fulfil the purposes set out in this Policy, including to satisfy legal, accounting, tax, or reporting requirements.
7.2. Indicative retention periods:
- Account data: for the life of your account and up to [RETENTION PERIOD, e.g., 24 months] after closure;
- Order & transaction records: at least [RETENTION PERIOD, e.g., 6–7 years] to meet tax/financial-record obligations;
- KYC records (vendors/riders): for the duration of the relationship and the period required by applicable law thereafter;
- Marketing data: until you withdraw consent or object.
7.3. When data is no longer required, we securely delete or anonymise it.
8. Your Rights (NDPA/NDPR)
Subject to applicable law, you have the right to:
8.1. Access — request a copy of the personal data we hold about you;
8.2. Rectification — request correction of inaccurate or incomplete data;
8.3. Erasure — request deletion of your data where there is no overriding legal basis to retain it;
8.4. Restriction — request that we limit processing in certain circumstances;
8.5. Portability — request your data in a structured, commonly used, machine-readable format, and to have it transmitted to another controller where technically feasible;
8.6. Objection — object to processing based on legitimate interests, and to direct marketing at any time; and
8.7. Withdraw consent — withdraw any consent you previously gave, without affecting the lawfulness of processing before withdrawal.
To exercise any right, contact our DPO at [DPO EMAIL]. We will respond within the timeframe required by law (and in any event without undue delay). We may need to verify your identity before acting on a request.
9. Data Security
9.1. We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS), encryption of sensitive data at rest where appropriate, access controls and role-based permissions, network security, and audit logging.
9.2. Payment card data is tokenized and handled by PCI-DSS-compliant processors; we do not store raw card numbers.
9.3. While we work to protect your data, no method of transmission or storage is completely secure, and we cannot guarantee absolute security. You are responsible for keeping your account credentials and OTPs confidential.
10. International Transfers
10.1. Some of our service providers (e.g., cloud hosting, analytics, communications) may store or process data on servers located outside Nigeria — for example [AWS / Hetzner / Cloudflare / Google Cloud — specify actual providers and regions].
10.2. Where we transfer personal data outside Nigeria, we do so in accordance with the NDPA/NDPR, ensuring an adequate level of protection through measures such as adequacy decisions, contractual safeguards (e.g., standard contractual clauses/data-processing agreements), or your explicit consent where required.
11. Cookies & Tracking
11.1. We use cookies and similar technologies on our website and app to enable core functionality, remember preferences, maintain sessions, measure performance, and (with consent) support analytics and marketing.
11.2. Types of cookies/technologies we use:
- Strictly necessary — required for the Platform to function;
- Functional — remember your preferences;
- Analytics/Performance — help us understand usage; and
- Marketing — used (with consent) to deliver relevant promotions.
11.3. Consent mechanism. Where required, we obtain consent for non-essential cookies via a cookie banner/settings, and you can change your choices at any time through the cookie settings or your browser/device controls.
12. Children's Data
12.1. The Platform is intended for users aged 18 and over; users aged 13–17 may use it only with parental/guardian consent. We do not knowingly collect personal data from children under 13.
12.2. If we learn that we have collected personal data from a child under 13 without appropriate consent, we will delete it promptly. If you believe a child has provided us data, contact [DPO EMAIL].
13. Breach Notification
13.1. We maintain procedures to detect, report, and investigate personal-data breaches.
13.2. Where a breach is likely to result in a risk to your rights and freedoms, we will notify the Nigeria Data Protection Commission (NDPC) within 72 hours of becoming aware of it, where required by law, and will inform affected individuals without undue delay where the breach poses a high risk to them.
14. Changes to this Policy & Contact
14.1. Changes. We may update this Policy from time to time. We will post the updated version on the Platform, revise the "Last Updated" date, and, for material changes, provide notice through the Platform, email, or SMS where appropriate.
14.2. Contact us. For any privacy question, request, or complaint:
[LEGAL ENTITY NAME]
- Data Protection Officer: [DPO NAME]
- DPO email: [DPO EMAIL]
- Support email: [SUPPORT EMAIL]
- Address: [REGISTERED ADDRESS]
- Website: [WEBSITE URL]
14.3. Right to lodge a complaint. If you are not satisfied with our response, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) at [NDPC CONTACT / website: ndpc.gov.ng].
QuickBite — Fast. Fresh. Delivered.