Privacy Policy

We collect information that helps us provide and continuously improve our services:

• Personal Information: Name, email address, username, phone number, and contact details provided during registration.
• Business Information: Business name, address, phone number, description, and photos submitted in business listings (publicly visible by design).
• Usage Analytics: IP address, browser information, device type, pages visited, and interaction patterns to enhance user experience.
• Business Page Interactions: When you visit a business listing, we record interaction events (tab views, contact button clicks, photo views) linked to the business — not to your personal account.
• User Content: Reviews, comments, and other content you voluntarily share on the platform.

• Account Management: To create, maintain, and secure your NaijaBased account.
• Platform Enhancement: To continuously improve site functionality, performance, and user experience.
• Communication: To send important account notifications, security alerts, and (with consent) platform news.
• Safety & Moderation: To enforce our community guidelines, prevent spam, and maintain a safe environment.
• Personalised Experience: To customise content recommendations and features based on your preferences.
• Order Fulfilment: To process and track orders placed through the platform.
• Vendor Insights: To provide business owners with anonymised, aggregated statistics about visitor interactions with their listing pages.

We use carefully selected cookies and analytics tools to ensure platform performance and understand how our services are used:

Authentication Cookies

• Session Token (nb_token): Secure, HttpOnly cookie to maintain your login session. Never accessible to JavaScript. Passwords are bcrypt-hashed and never stored in plain text.
• User Profile (nb_user): Stores your display name and role for UI personalisation across NaijaBased properties.

Third-Party Analytics

• Google Tag Manager (GTM-NSR79777): Loads our analytics scripts. Acts as a container — no personal data is sent to Google by GTM itself.
• Google Analytics 4 (Measurement ID: G-R5LWCTXPFF): Tracks page views, sessions, device types, and user journeys to help us understand overall site performance. Data is anonymised and processed by Google LLC under their privacy policy.
• Microsoft Clarity (Project ID: wsl41xhpjl): Records anonymised session replays and generates heatmaps for admin-level UX research only. Data is processed by Microsoft Corporation under their privacy policy.

Business Page Interaction Tracking

When you visit a business listing page, we record interaction events (tab switches, contact button clicks, photo views, and similar actions) in our own database. This data is:

• Tied to the business listing — not to your personal account or identity.
• Grouped by an anonymous session ID stored in your browser's sessionStorage (cleared when you close the tab).
• Shared with the business owner in aggregated, anonymised form (e.g., "47 WhatsApp clicks this week").
• Retained for 24 months then automatically deleted.

Analytics Opt-Out: To exclude your device from all NaijaBased analytics and interaction tracking, open your browser's developer console on any NaijaBased page and run: localStorage.setItem('nb_no_track', '1'). This persists on your device until cleared. To re-enable tracking: localStorage.removeItem('nb_no_track').

You can also disable cookies in your browser settings, though this will affect login functionality.

We do not sell your personal data. Limited sharing occurs only when necessary:

• Service Providers: Trusted partners assisting with hosting, email delivery (Brevo), and SMS notifications (Termii) under strict data protection agreements.
• Google LLC: Receives anonymised usage data via Google Analytics 4 (loaded through Google Tag Manager). Governed by Google's Privacy Policy.
• Microsoft Corporation: Receives anonymised session recording data via Microsoft Clarity for admin UX research. Governed by Microsoft's Privacy Statement.
• Business Owners: Aggregated, anonymised interaction statistics from their own listing pages only. No personally identifiable visitor information is ever shared with business owners.
• Legal Compliance: When required by applicable Nigerian laws or valid legal processes from authorities.
• Business Transitions: In connection with mergers or acquisitions, with continued privacy protection.
• Community Protection: To protect the safety and rights of NaijaBased users or the public as permitted by law.

• Access & Update: View and modify your profile information at any time through Settings.
• Account Deletion: Request complete account and data removal by contacting privacy@naijabased.fun.
• Communication Control: Manage email preferences — opt out of marketing while keeping essential security updates.
• Data Transparency: Request a copy of your personal data and an explanation of how it is used.
• Portability: Request your data in a structured, machine-readable format.
• Analytics Opt-Out: Exclude your device from interaction tracking at any time using the method described in section 3 above.
• NDPR Rights: Additional rights under Nigerian law are detailed in section 6 below.

NaijaBased operates in compliance with the Nigeria Data Protection Regulation (NDPR) and the Nigeria Data Protection Act 2023, administered by the National Information Technology Development Agency (NITDA).

Data Controller: NaijaBased is the data controller for all personal information collected through this platform. Contact our designated privacy officer at privacy@naijabased.fun.

Your Rights Under Nigerian Law

• Right to Access: Obtain confirmation that we hold your personal data and receive a copy of it.
• Right to Rectification: Have inaccurate or incomplete personal data corrected without undue delay.
• Right to Erasure: Request deletion of your personal data when it is no longer necessary for the purpose it was collected, or when you withdraw consent.
• Right to Restrict Processing: Request that we limit how we use your data in certain circumstances.
• Right to Object: Object to the processing of your data for direct marketing or analytics purposes.
• Right to Portability: Receive your data in a structured, commonly used, machine-readable format and transfer it to another service.
• Right to Lodge a Complaint: If you believe your data protection rights have been violated, you may file a complaint with NITDA: nitda@nitda.gov.ng or visit nitda.gov.ng.

To exercise any of the above rights, contact privacy@naijabased.fun. We will acknowledge your request within 7 days and provide a full response within 30 days, in accordance with NDPR requirements.

Legal Basis for Processing: We process your data on the basis of (a) performance of our contract with you (account management, order fulfilment), (b) legitimate interests (platform security, aggregate analytics), and (c) your consent (marketing communications, which you may withdraw at any time).

We implement multi-layered security measures to protect your information:

• All data in transit is protected with industry-standard SSL/TLS encryption.
• Passwords are bcrypt-hashed and never stored in plain text.
• Authentication tokens are stored in secure, HttpOnly cookies not accessible to JavaScript.
• Role-based access controls limit which personnel can view sensitive information.
• We conduct regular security reviews of our infrastructure.

While we employ strong security measures, we encourage you to use a strong, unique password for your NaijaBased account.

• Account Data: Retained for as long as your account is active. Deleted within 30 days of an account deletion request.
• Business Listing Data: Retained for the duration the listing is live, plus 90 days after removal.
• Business Page Interaction Events: Retained for 24 months from the date of collection, then automatically and permanently deleted.
• Google Analytics Data: Governed by Google's data retention settings (currently 14 months of event-level data).
• Microsoft Clarity Data: Governed by Microsoft's retention policy (currently 90 days of session recordings).
• Anonymised Aggregate Data: May be retained indefinitely as it cannot be linked to any individual.

We may update this Privacy Policy from time to time. Significant changes will be communicated via email and a notice on the platform. The date at the top of this page reflects the most recent update. Continued use of NaijaBased after changes constitutes acceptance.

For privacy-specific questions or to exercise your data rights: privacy@naijabased.fun. For general support: support@naijabased.fun.