Privacy Policy

Effective date: June 2026

1. Introduction

MyCampusPadi (“MyCampusPadi”, “we”, “us”, or “our”) is a mobile and web platform that connects Nigerian university students (Buyers) with on- and near-campus businesses (Vendors). This Privacy Policy explains what personal data we collect when you use the MyCampusPadi mobile app, web admin, and related services (the “Services”), how we use that data, who we share it with, and the rights you have over it.

This Policy is issued by MyCampusPadi Ltd, registered in Nigeria at Abraka, Delta State, Nigeria. We are the data controller of your personal data unless stated otherwise.

This Policy is prepared with reference to the Nigeria Data Protection Act, 2023 (“NDPA”), the Nigeria Data Protection Regulation, 2019 (“NDPR”) issued by the National Information Technology Development Agency (NITDA) where still relevant, and guidance issued by the Nigeria Data Protection Commission (“NDPC”).

2. Information we collect

We collect personal data in three ways: (a) information you give us directly, (b) information we collect automatically when you use the Services, and (c) information we receive from third parties.

2.1 Information you provide

Account details: full name, email address, phone number, password (stored only as a salted bcrypt hash).
Profile information: profile photo and your campus affiliation (for example, DELSU, UNILAG).
Vendor business information (if you register as a Vendor): business name, business address, business category, opening hours, business photo, listings, and Know-Your-Customer (“KYC”) documents such as an identity verification selfie and a government-issued ID for verification.
Order information: items ordered, prices, delivery address, and any special instructions.
Communications: messages exchanged in chat or dispute messages, attachments uploaded to a dispute (for example, photos of an item).
Support correspondence: information you send when you contact us by email or in-app support.

2.2 Information we collect automatically

Device information: device model, operating system version, app version, language settings.
Approximate location: your campus or city, used to show you nearby Vendors.
Precise location (GPS coordinates): only collected while you actively use a feature that requires it, such as recording a fitness track session or providing a delivery address. Background tracking, when used, requires your explicit opt-in.
Usage and diagnostics: in-app actions, crash logs, error traces, and performance metrics, collected to keep the Services running.
Push notification tokens: the Expo Push Token and/or Firebase Cloud Messaging token assigned to your device so that we can deliver notifications.

2.3 Information from third parties

Payment confirmations: when you pay through Flutterwave or Paystack, we receive a transaction reference, status, and limited transaction metadata. We do not receive or store your full card details.
Health data: only when you explicitly connect Apple HealthKit or Google Fit during a track session do we receive summary metrics such as heart rate and calories burned for that session.
Push delivery receipts: confirmations from Expo Push, Apple Push Notification Service, and Firebase Cloud Messaging.

3. How we use your information

We use your personal data only for the purposes set out below. We do not sell your personal data.

To create and operate your account, including authenticating logins and recovering access.
To enable the marketplace: showing you Vendors in your campus, processing your orders, supporting order chat, and tracking deliveries.
To process payments through Flutterwave and Paystack, and to issue refunds where due.
To run optional features you opt in to: event ticketing, in-app wallet, and fitness or run tracking.
To send transactional notifications (order updates, dispute updates, security alerts).
To send service announcements and, where permitted, marketing messages, which you may opt out of at any time.
To monitor performance, detect and debug crashes, and improve the Services.
To prevent, detect, and investigate fraud, abuse, or violations of our Terms of Use.
To resolve disputes between Buyers and Vendors through our moderation process.
To comply with our legal obligations, including responding to lawful requests from regulators and law enforcement agencies in Nigeria.

4. Legal bases for processing under the NDPA

Under the NDPA, we must have a lawful basis for processing your personal data. The bases we rely on are:

Consent: for optional features such as health-data tracking, marketing messages, and background location tracking. You may withdraw consent at any time.
Performance of a contract: to provide the Services you have signed up for, including processing orders and payments.
Legitimate interests: to keep the Services secure, prevent fraud, debug crashes, and develop and improve features. We balance these interests against your rights and freedoms.
Legal obligation: to retain transaction records for tax, anti-money-laundering, and other compliance requirements, and to respond to lawful regulatory requests.
Vital interests / public interest: only in exceptional circumstances, such as a life-safety emergency.

We do not sell your data. We share personal data only with the parties listed below, only to the extent necessary, and under contractual or legal protections.

5.1 Other users of the Services

Buyers and Vendors can see information necessary to complete an order: name (or display name), order details, delivery address, and chat messages on that order.
Vendor staff invited by a Vendor owner can see orders and chats assigned to their Vendor.

5.2 Service providers and processors

The following processors act on our behalf or supply infrastructure to the Services. Their roles and locations are:

Processor	Role	Location
Flutterwave	Payment processing	Nigeria
Paystack	Payment processing (parallel/backup)	Nigeria
Termii	SMS OTP delivery (one-time passwords)	Nigeria
Sentry	Crash and error tracking	United States
Expo Push Service	Push notification dispatch (iOS and Android)	United States
Firebase Cloud Messaging (Google)	Push notification delivery on Android	United States
Apple Push Notification Service	Push notification delivery on iOS	United States
In-house Reverb (Pusher-protocol)	Real-time chat and order updates (self-hosted)	United States
PostgreSQL database	Primary data storage (self-hosted)	United States
S3-compatible object storage	Image storage (profile, business, listing, dispute photos)	United States

Each processor is contractually required to handle your data only on our documented instructions and to apply appropriate security safeguards.

5.3 Legal and safety disclosures

We may disclose personal data where we reasonably believe it is necessary to: (a) comply with a court order, warrant, or other binding legal request from a Nigerian authority; (b) enforce our Terms of Use; (c) detect, prevent, or address fraud, security, or technical issues; or (d) protect the rights, safety, or property of MyCampusPadi, our users, or the public.

5.4 Business transfers

If we are involved in a merger, acquisition, restructuring, or sale of all or part of our business, personal data may be transferred as part of that transaction. We will notify affected users.

6. Cross-border data transfers

Some of our processors are located outside Nigeria, in particular in the United States (Sentry, Expo Push Service, Firebase Cloud Messaging, Apple Push Notification Service). Where we transfer personal data outside Nigeria, we will rely on one of the lawful transfer mechanisms recognised by the NDPA, including:

transfers to jurisdictions recognised by the NDPC as providing adequate protection;
contractual safeguards with the receiving processor, such as data processing agreements that include data protection clauses;
your explicit informed consent, where required.

We limit cross-border transfers to data strictly necessary for the relevant feature (for example, only the push token and notification payload are sent to Expo, FCM, or APNs).

7. Data retention

We retain personal data only for as long as needed to provide the Services or to meet our legal obligations. Indicative periods are:

Account data: for as long as your account is active, plus [12] months after deletion or last activity.
Transaction and order records: [6] years from the transaction date, to comply with tax and financial-record requirements.
Order chat messages: [12] months from the order completion date.
Dispute messages and attachments: [24] months from dispute closure.
Tracking and fitness session data: [12] months from the session date, retained only as summary metrics.
Push notification tokens: until you uninstall the app or sign out, plus [90] days.
Crash and diagnostic logs: [90] days, then deleted or aggregated.
KYC documents: for the period the Vendor account is active, plus [5] years from account closure to meet anti-fraud and regulatory obligations.

All retention periods are subject to a longer hold where required by law or by an active investigation or dispute.

8. Your rights under the NDPA

Subject to the NDPA, you have the following rights over your personal data:

Right of access: to ask whether we are processing your data and to receive a copy of it.
Right of rectification: to ask us to correct inaccurate or incomplete data.
Right to erasure: to ask us to delete your data where the legal basis for processing no longer applies.
Right to restrict processing: to ask us to limit how we use your data in certain circumstances.
Right to data portability: to receive your data in a structured, commonly used, machine-readable format.
Right to object: to object to processing based on our legitimate interests, including direct marketing.
Right to withdraw consent: where we rely on your consent, you may withdraw it at any time without affecting prior processing.
Right to lodge a complaint: with the Nigeria Data Protection Commission (NDPC), as set out in section 17 below.

To exercise any of these rights, contact us at privacypolicy@mycampuspadi.com. We will respond within the timeframes required under the NDPA, normally within one month of receipt of a valid request.

9. Children’s privacy

MyCampusPadi is intended for users aged 16 years and above. We do not knowingly collect personal data from children under 13. For users between 13 and 17 years of age, processing may require verifiable parental or guardian consent in line with the NDPA and any applicable child-protection legislation.

If you believe a child under 13 has registered, please contact privacypolicy@mycampuspadi.com, and we will take prompt action to remove the account and associated data.

10. Security

We apply appropriate technical and organisational measures to protect your data, including:

TLS encryption for all data in transit between the app, the web admin, and our servers.
At-rest encryption on database and object-storage volumes.
Passwords stored only as salted bcrypt hashes; we never store passwords in plain text.
Least-privilege role-based access controls for staff who can access production systems.
Audit logging on sensitive actions, including KYC reviews, dispute resolutions, and admin operations.
Crash and error monitoring through Sentry to identify and remediate issues quickly.

No security measure is perfect. In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the NDPC in line with our obligations under the NDPA.

11. Cookies and similar technologies

The mobile app does not use web cookies. The web administration console (used by MyCampusPadi staff, Vendors and moderators) uses strictly necessary session cookies for authentication and for keeping you signed in. We do not use advertising or third-party tracking cookies.

12. Push notifications

We use push notifications to inform you about order status updates, chat messages, dispute progress, ticketing scans, wallet activity, and important account or security events. You can disable push notifications for the app at any time in your device settings (iOS Settings > Notifications, or Android Settings > Apps > Notifications).

13. Location data

We use location data only for purposes you would reasonably expect:

Approximate location, to filter Vendors to your campus area.
Precise location, to provide delivery routing and to record a fitness or run session.
Background location, only when you explicitly opt in for an active tracking session; you can revoke this permission in your device settings at any time.

We do not sell location data to third parties, and we do not use it for advertising.

14. Health and fitness data

If you choose to connect Apple HealthKit or Google Fit during a tracking session, we receive only the summary metrics relevant to that session (for example, heart rate range, calories burned, distance, and duration). We:

never share health data with Vendors, advertisers, or other third parties;
never use health data for marketing;
retain only summary metrics, not raw biometric streams;
delete a session’s health data on your request or in line with the retention periods in section 7.

You can disconnect HealthKit or Google Fit at any time in the device-level settings for those platforms.

15. Changes to this Policy

We may update this Policy from time to time, for example, to reflect new features, new processors, or changes in law. We will post the updated Policy in the app and update the “Last updated” date. Where changes are material, we will give you reasonable advance notice through an in-app notice, push notification, or email.

16. Contact us

If you have any questions, complaints, or requests in relation to your personal data, you can contact:

Email: privacypolicy@mycampuspadi.com
Postal address: Abraka, Delta State, Nigeria

17. Complaints and supervisory authority

If you believe our handling of your data does not comply with the NDPA, we encourage you to contact us first so we can address the issue. You also have the right to lodge a complaint with the Nigeria Data Protection Commission:

Nigeria Data Protection Commission (NDPC)
Website: https://ndpc.gov.ng
Email: info@ndpc.gov.ng
Address: No. 12 Dr. Clement Isong Street, Asokoro, Abuja, Nigeria