Privacy Policy

With Third-Party Service Providers

We work with trusted third-party service providers who perform services on our behalf under strict data processing agreements. These include:

• • Paystack Payments Limited — Payment processing, transaction handling, payout settlement, fraud detection, and card tokenization. Regulated by the Central Bank of Nigeria (CBN). Data shared: transaction amounts, order details, customer payment information, bank account details. Paystack Privacy Policy
• • Meta Platforms, Inc. (WhatsApp Business API) — Delivery of transactional WhatsApp messages including order notifications, payment confirmations, OTP codes, and account alerts. Data shared: phone numbers, message content (order details, payment amounts, verification codes), message delivery status. WhatsApp Business Policy
• • Termii Inc. — SMS delivery for OTP verification codes and fallback notifications when WhatsApp is unavailable. Licensed telecommunications service provider. Data shared: phone numbers, SMS message content (verification codes, critical alerts). Termii Privacy Policy
• • Amazon Web Services (AWS) — Cloud hosting infrastructure, database storage, file storage (product images, store assets), backup and disaster recovery. Data shared: all platform data stored on AWS servers located in AWS data centers. AWS Privacy Policy
• • SendGrid / Mailgun (Email Service Providers) — Transactional and marketing email delivery. Data shared: email addresses, email content, delivery status.
• • Google Analytics — Website analytics, user behavior tracking, performance monitoring. Data shared: anonymized usage data, IP addresses (anonymized), device information, page views. Google Privacy Policy
• • Meta Pixel (Facebook Pixel) — Optional vendor tool for storefront analytics and advertising. Data shared (when vendors enable): page visits, product views, add-to-cart events, purchases, user device/browser data. Meta Privacy Center

These service providers are contractually obligated to protect your data, use it only for the purposes specified by us, and comply with applicable data protection laws including Nigeria's NDPR.

With Other Users (Platform Transparency)

Certain information is visible to other platform users for marketplace functionality: vendor store names, business descriptions, product listings, reviews, and ratings. Buyer names and delivery addresses are shared with vendors to fulfill orders.

For Legal Compliance & Safety

We may disclose information if required by Nigerian law, court order, subpoena, or regulatory authority (including NITDA, CBN, EFCC, or law enforcement). We may also disclose information to: (a) protect our legal rights or defend against legal claims, (b) prevent fraud, security threats, or illegal activity, (c) protect the safety of our users or the public, (d) comply with tax reporting obligations (FIRS), or (e) enforce our Terms of Service.

Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred to the acquiring entity. We will notify you via email and/or prominent notice on the platform before your information is transferred and becomes subject to a different privacy policy.

With Your Consent

We may share information with your explicit consent for specific purposes.

sms OTP & Verification Messages

One-time passwords (OTP) and security codes sent via SMS or WhatsApp for account verification, login authentication, phone number verification, and transaction authorization. These messages are critical for account security and cannot be opted out.

chat WhatsApp Business Notifications

Transactional notifications delivered via Meta WhatsApp Business API including: new order alerts, payment confirmations, payout notifications, order status updates, failed payout alerts, account security notices, and subscription reminders. These messages are sent to your WhatsApp-enabled phone number after you complete phone verification and opt-in. You may manage your WhatsApp notification preferences in your account settings, but disabling all notifications may impact your ability to receive time-sensitive updates about your store operations.

Data Shared with Meta: Your phone number, message content (order details, amounts, status updates), message ID, delivery timestamps, and read receipts are shared with Meta Platforms, Inc. to facilitate message delivery.

textsms SMS Fallback Notifications

When WhatsApp delivery fails or is unavailable, critical notifications (primarily OTP codes and urgent account alerts) will be sent via SMS through Termii Inc. Standard SMS charges from your mobile carrier may apply. SMS messages are limited to essential, time-sensitive communications only.

Data Shared with Termii: Your phone number, SMS message content, and delivery status.

notifications Transactional Emails

Order confirmations, payment receipts, payout notifications, password reset links, account security alerts, billing invoices, and policy updates. You may not opt out of transactional emails as they are essential to service delivery and compliance with consumer protection laws.

mail Marketing Communications (Opt-Out Available)

Product announcements, new feature releases, platform updates, promotional offers, educational content, and vendor success tips. You may opt out at any time by: (a) clicking the "Unsubscribe" link at the bottom of any marketing email, (b) adjusting email preferences in your account settings, or (c) emailing unsubscribe@storvly.com. Opt-out requests are processed within 48 hours.

Google Analytics

We use Google Analytics to collect aggregated, anonymized data about visitor behavior, traffic sources, page performance, and conversion funnels. Data collected includes: page views, session duration, bounce rates, device types, browsers, geographic location (country/city level), and user flow. IP addresses are anonymized. You can opt out by installing the Google Analytics Opt-out Browser Add-on.

Meta Pixel (Facebook Pixel) — Optional Vendor Tool

Vendors may optionally enable the Meta Pixel on their storefront pages to track advertising effectiveness and build custom audiences for Facebook/Instagram ads. When enabled, Meta Pixel collects: page visits, product views, add-to-cart events, purchases, device data, browser data, and cookie identifiers. This data is shared directly with Meta Platforms, Inc. Visitors can opt out via Meta Ad Preferences or by disabling third-party cookies in their browser.

Performance Monitoring

We use error tracking and performance monitoring tools to identify bugs, measure page load times, and diagnose technical issues. These tools may collect error logs, stack traces, request/response data, and session replays (anonymized).

Essential Cookies (Always Active)

Required for platform functionality. Include: session authentication tokens, CSRF protection, shopping cart state, language preferences, and security cookies. These cannot be disabled without breaking core features.

Functional Cookies

Remember your preferences: notification settings, dashboard layout, store theme customizations, and recent searches.

Analytics Cookies

Track usage patterns, measure performance, and generate statistics. Managed by Google Analytics and our internal analytics platform.

Advertising Cookies (Vendor-Controlled)

Set by Meta Pixel when vendors enable it on their storefronts. Used for retargeting and conversion tracking.

Active Account Data

Retained for the duration of your active account plus 90 days after account closure (to handle refunds, chargebacks, and support requests).

Transaction & Financial Records

Retained for 7 years from transaction date to comply with Nigerian tax laws (FIRS), anti-money laundering regulations (EFCC), and accounting standards.

Communications & Support Tickets

Retained for 3 years for dispute resolution, quality assurance, and compliance audits.

Marketing Data & Consent Records

Retained until you withdraw consent or 2 years after last interaction, whichever comes first.

Security Logs & Audit Trails

Retained for 1 year for security monitoring, fraud detection, and incident response.

Anonymized Analytics Data

May be retained indefinitely for research, trend analysis, and service improvement (cannot be linked back to you).

Amazon Web Services (AWS)

Platform data is hosted on AWS infrastructure. While we use AWS regions closest to Nigeria (typically AWS Europe or Middle East), data may be transferred to AWS data centers globally for redundancy, backup, and disaster recovery. AWS complies with international data protection standards including SOC 2, ISO 27001, and GDPR frameworks.

Meta Platforms, Inc. (WhatsApp)

WhatsApp messages are processed by Meta's WhatsApp Business API infrastructure, which operates globally. Meta is headquartered in the United States and subject to U.S. data protection laws. WhatsApp Privacy Policy

Email Service Providers

Transactional emails may be routed through servers located in the United States or Europe operated by SendGrid, Mailgun, or similar providers.

Data Controller

Storvly Nigeria Limited (RC: [Company Registration Number]) acts as the Data Controller for all personal data collected and processed through the platform.

Data Protection Officer (DPO)

For data protection inquiries, complaints, or to exercise your NDPR rights, contact our Data Protection Officer at: dpo@storvly.com

Lawful Basis for Processing

We process your data based on: (a) your consent (e.g., marketing emails, WhatsApp notifications), (b) contractual necessity (to provide services you requested), (c) legal obligation (tax compliance, KYC/AML), and (d) legitimate business interests (fraud prevention, platform security).

Data Subject Rights

You have rights under NDPR including access, rectification, erasure, objection, data portability, and withdrawal of consent. See "Your Rights" section for full details.

NITDA Audit Registration

Storvly maintains ongoing compliance with NITDA's data protection audit and registration requirements.

Technical Safeguards

TLS/SSL encryption for data in transit (HTTPS), AES-256 encryption for data at rest, bcrypt password hashing, encrypted database connections, secure API authentication (OAuth 2.0, JWT tokens), DDoS protection (Cloudflare), firewall configurations, intrusion detection systems (IDS), and regular security patching.

Organizational Safeguards

Role-based access controls (RBAC), multi-factor authentication (MFA) for staff access, background checks for employees with data access, confidentiality agreements, security awareness training, incident response procedures, and third-party security audits.

Payment Security

All payment card data is handled exclusively by Paystack, a PCI-DSS Level 1 certified payment processor. Storvly never stores, processes, or has access to full payment card numbers.

Limitations

While we use industry-standard security measures, no internet transmission or electronic storage is 100% secure. We cannot guarantee absolute security and are not liable for unauthorized access resulting from circumstances beyond our reasonable control (e.g., sophisticated cyber attacks, zero-day exploits). You are responsible for maintaining the security of your account password and login credentials.

visibility Right of Access

Request a copy of the personal data we hold about you. We will provide this within 30 days in a commonly used electronic format.

edit Right to Rectification

Update or correct inaccurate or incomplete personal information. Most data can be updated directly in your account settings.

delete Right to Erasure ("Right to be Forgotten")

Request deletion of your personal data where: (a) it is no longer necessary for the purposes collected, (b) you withdraw consent and there is no other legal basis, (c) you object and there are no overriding legitimate grounds, or (d) the data was unlawfully processed. Note: we may be required to retain certain data to comply with legal obligations (tax, fraud prevention, dispute resolution).

block Right to Object

Object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we have compelling legitimate grounds that override your interests.

download Right to Data Portability

Receive your personal data in a structured, commonly used, machine-readable format (JSON, CSV) and transmit it to another service provider where technically feasible.

cancel Right to Withdraw Consent

Withdraw your consent for processing at any time (for WhatsApp notifications, marketing emails, etc.) without affecting the lawfulness of processing based on consent before withdrawal.

gavel Right to Lodge a Complaint

File a complaint with NITDA if you believe your data rights have been violated: nitda.gov.ng | Email: info@nitda.gov.ng