Privacy Policy

Effective date: [01/09/2025]

Who we are (Data Controller): (ReCircle Campus Ventures),(16 ENOBONG NYA STREET, IKOT-AKPANABIA, UYO, AKWA IBOM STATE, NIGERIA) ("ReCircle Campus", "we","us", "our").

Contact for privacy questions/DPO: privacy@recirclecampus.com (If/when we are classifies as a Data Controller/Processor of Major Importance under NDPA, we will publicly designate a DPO and publish their contact.)

This Privacy Policy explains how we collect, use, share, secure, and retain personal data when you use the ReCircle Campus mobile app and services (the “App” and “Service”). It applies to all users (including buyers, sellers, campus partners, and business sellers) in Nigeria and across Africa. While grounded in the Nigeria Data Protection Act 2023, this Policy is also designed to align with applicable data protection laws in other African jurisdictions and international best practices, to ensure a consistent standard of transparency, accountability, and user protection.

We process personal data in line with the NDPA principles (fairness, lawfulness, transparency, purpose limitation, data minimization, storage limitation, accuracy, confidentiality/integrity/availability, accountability, duty of care).

1.The data we collect

We collect the minimum data necessary to run a safe, student-first marketplace.

Account and identity

Name, email (student/academic email where supported), phone, password (hashed)
University, matriculation/student ID, graduation year (if provided)
Profile photo/avatars

KYC/AML (where required by payment partners)

Government ID, selfie/face match, date of birth, address
Note: KYC is primarily performed via our approved payment partners; we receive only what's required to operate the Service, prevent fraud, and release payouts.

Transaction and escrow

Listings (titles, photos, descriptions, pricing)
In-app messages, offers, cart, purchase history
Escrow status, QR/OTP verification, receipts, refunds/disputes metadata

Payments (processed by vetted providers)

Tokenized card/wallet references, payout account IDs, PSP references
We do not store raw card/bank details on our servers.

Device/technical

Device identifiers, IP address, app version, crash logs, basic diagnostics

Approximate location (for campus pick-up zones if you enable it)

Marketing preferences and feedback

Notification and email preferences, survey responses, ratings/reviews

We do not intentionally collect special category data (e.g., health, religion). If such data appears in a chat or listing, we will delete it where feasible.

2.Purposes and Legal bases

We rely on one or more lawful bases recognized by the NDPA (consent, contract, legal obligation, vital interests, legitimate interests). Examples:

Create and manage your account; enable listings, purchases, and sales
Legal basis: contract necessity; legitimate interests (running a student marketplace)
In-app payments, escrow, QR/OTP release, payouts, refunds
Legal basis: contract necessity; legal obligation (KYC/AML with payment partners)
Safety, trust and fraud prevention (KYC checks, misuse monitoring, dispute handling)
Legal basis: legitimate interests; legal obligation (where applicable)
Customer support and communications (service emails, receipts, changes to terms)
Legal basis: contract necessity; legitimate interests
Product improvement, analytics (non-identifying/aggregated where possible)
Legal basis: legitimate interests
Marketing (optional, you can opt out at any time)
Legal basis: consent (where required); legitimate interests (service updates to existing users)
Legal compliance and enforcement (responding to lawful requests, audits, NDPC requests)
Legal basis: legal obligation

3. Payments, escrow and KYC (how it affects your privacy)

All transactions occur in-app via vetted payment providers (e.g., Paystack, Flutterwave, InterSwitch). You also agree to their privacy terms when paying or receiving payouts.
Escrow: Buyer funds are held until the hand-off is verified by scanning/entering a onetime QR/OTP. We store that verification event (time, parties, listing) to release funds and resolve disputes later.
KYC/AML: Payment partners may require identity verification to prevent fraud and financial crime; we receive status/metadata and limited identity data needed to operate the marketplace and meet legal obligations.

4. Sharing your data (who sees what)

We share only what's necessary, with:

Payment and KYC providers (process payments, verify identity, perform AML/CFT)
Cloud/hosting, storage, security and analytics providers (operate/secure the App)
Customer support tools and communications (help desk, email/SMS push)
University/campus partners (to operate campus pick-up zones, enforce campus rules, manage safety notices)
Law enforcement, NDPC, regulators, or to comply with legal process.
Business sellers/brand partners (only what's necessary to fulfil your order and handle disputes)

We do not sell your personal data

5. International transfers

Our service providers may host or process data outside Nigeria. When we transfer personal data cross-border, we use safeguards recognized under NDPA s.41 (e.g., adequacy via law, Binding Corporate Rules, standard/contractual clauses, approved codes of conduct or certifications) to ensure an adequate level of protection before any transfer.

6. How long we keep data (retention)

We keep data only as long as necessary for the purposes above, including to meet legal/accounting/AML obligations and to resolve disputes.

Examples:

Account data: as long as your account is active(and for a reasonable period after closure for compliance, fraud prevention, and dispute handling).
KYC/transaction/payment records: per applicable law and our payment partners requirements.
Listing and message data: in line with dispute windows, safety needs, and our retention policy.

When data is no longer needed, we securely delete or anonymize it.

7. Your NDPA rights

Under NDPA you may have the right to: be informed; access; rectification; erasure (“be forgotten”); restriction; data portability; object to processing; not be subject to solely automated decision-making; and to report to the supervisory authority (NDPC). We will respond within NDPA timelines. To exercise your rights, email privacy@recirclecampus.com (we may ask for verification).

8. Automated decisions and profiling

We may use automated checks (e.g., fraud/risk signals, duplicate listing detection). You have the right not to be subject to a decision based solely on automated processing that has legal or similar significant effects, and you can request human review.

9. Security

We use appropriate technical and organizational measures to protect personal data, including multi-factor authentication (MFA) for account and administrative access, encryption in transit, role-based access controls, least-privilege permissions, audit logging, and regular staff training. While no platform can guarantee absolute security, these safeguards significantly reduce the risk of unauthorized access. We also encourage you to enable MFA where available and to keep your device and credentials safe.

10. Children

The Service is intended for users 18+. We do not knowingly collect data from minors. If you believe a minor has provided data, contact privacy@recirclecampus.com and we will take appropriate action (e.g., delete/limit processing).

11. Marketing and communications

Service messages: (receipts, policy updates, security alerts) are essential, and you'll receive them.
Marketing messages(news, offers) are optional; you can opt out in-app or via unsubscribe links at any time

12. Cookies, SDKs and similar tech

Our App and site use privacy-respecting analytics SDKs/cookies to understand performance and improve features (e.g., crash analytics, session diagnostics). You can manage certain permissions in your device settings; some features may not work without them.

13. Breach response and notifications

If we become aware of a personal data breach that is likely to pose a risk to your rights and freedoms, we will notify the NDPC and, where required, affected users in accordance with the NDPA (including the 72-hour requirement for controllers, where applicable). We also require our processors to notify us without undue delay.

14. Third-party links and content

The App may link to third-party sites/services we don't control. Their privacy practices are governed by their own policies.

15. Changes to this Policy

We may update this Policy to reflect new features, providers, or legal guidance (including NDPC directives/GAID). We'll notify you via the App/email when material changes occur and indicate the “Effective date” above.