Privacy Policy

The data controller responsible for your personal data is:

This Privacy Policy is issued in compliance with the Nigeria Data Protection Regulation (NDPR) 2019 and the Nigeria Data Protection Act (NDPA) 2023, as well as other applicable data protection laws.

Information You Provide

We collect personal information that you voluntarily provide when you:

• Create an account: Full name, email address, phone number, password
• Complete your profile: Profile photo, location, business information (vendors)
• Make a booking: Event details, dates, delivery addresses, service requirements
• Make a payment: Payment card details (processed and stored by Paystack — we do not store card numbers)
• Verify your identity (vendors): National Identification Number (NIN) or Bank Verification Number (BVN), date of birth, facial photograph for biometric matching
• Register as a vendor: Business name, service descriptions, pricing, bank account details (for Paystack settlements), portfolio images and videos
• Communicate: Messages sent through in-app chat, support enquiries, reviews and ratings
• Plan events: Event names, budgets, guest lists (names and contact details), checklists

Information Collected Automatically

When you access our Platform, we may automatically collect:

• Device information (device type, operating system, device identifiers)
• Log data (IP address, browser type, pages visited, timestamps)
• Location data (with your explicit permission, for finding nearby vendors)
• App usage data (features used, session duration, interaction patterns)
• Push notification tokens (for delivering notifications)

Information from Third Parties

• Google Sign-In / Apple Sign-In: If you register using a social account, we receive your name, email, and profile photo from the provider
• Smile Identity: Identity verification results (verified/not verified status) for vendor verification
• Paystack: Transaction status, payment confirmation, and settlement information

Under the NDPR, we process your personal data on the following lawful bases:

• Consent: When you create an account, opt in to marketing emails, or grant location permissions. You may withdraw consent at any time.
• Contract: Processing necessary to perform our contract with you — e.g., processing bookings, facilitating payments, delivering the services you requested.
• Legitimate Interest: Fraud prevention, platform security, improving our services, and analytics. We balance our interests against your rights.
• Legal Obligation: Compliance with Nigerian law, tax regulations, anti-money laundering requirements, and responding to lawful requests from authorities.

We use your personal data to:

• Provide, maintain, and improve the Platform and its features
• Create and manage your account
• Process bookings, payments, and refunds
• Connect customers with vendors and facilitate communications
• Verify vendor identities through our verification partner
• Send transactional notifications (booking confirmations, payment receipts, status updates)
• Send promotional communications (only with your consent — you can opt out at any time)
• Respond to support enquiries and complaints
• Monitor, detect, and prevent fraud, abuse, and security threats
• Analyse usage patterns to improve the user experience
• Comply with legal and regulatory obligations
• Resolve disputes between users

We share your personal data only as described below. We do not sell your personal data to third parties.

With Other Users

• Customers: Your name, profile photo, and booking details are shared with the vendor you book
• Vendors: Your business name, service listings, ratings, reviews, and verification status are visible to customers
• Event collaborators: If you invite collaborators to an event, they can see event details, guest lists, and checklists

With Service Providers

We share data with trusted third-party service providers who assist us in operating the Platform:

• Paystack (Stripe Inc.): Payment processing. Paystack receives payment card details, transaction amounts, and payer/payee information. Paystack is PCI DSS compliant. Paystack Privacy Policy
• Smile Identity: Vendor identity verification. Smile Identity receives NIN/BVN, date of birth, and facial photographs for biometric matching. Data is processed in accordance with their privacy policy and NDPR requirements. Smile Identity Privacy Policy
• Google / Firebase: Cloud infrastructure, authentication, database, file storage, analytics, and push notifications. See "International Data Transfers" below.
• Email service providers: For sending transactional and marketing emails

For Legal Reasons

We may disclose your information if required by law, regulation, legal process, or governmental request, or if we believe disclosure is necessary to protect the rights, property, or safety of Celevend, our users, or the public.

Your personal data may be transferred to and processed in countries outside Nigeria. Specifically:

• Google Cloud / Firebase: Our Platform infrastructure runs on Google Cloud servers, which may be located in the United States and other countries. Google Cloud is certified under various international frameworks and provides contractual safeguards for data transfers.
• Paystack (Stripe): Payment data may be processed in countries where Stripe operates.

In accordance with the NDPR, we ensure that any international transfer of personal data is subject to adequate safeguards, including contractual clauses that require the receiving party to protect your data to a standard consistent with Nigerian data protection law. By using the Platform, you consent to these transfers.

We retain your personal data only for as long as necessary to fulfil the purposes described in this policy, unless a longer retention period is required by law.

• Account data: Retained for the duration of your account and up to 2 years after account closure
• Booking and transaction records: Retained for 7 years for tax and regulatory compliance
• Identity verification data: Verification status is retained; raw NIN/BVN data is processed by Smile Identity and not stored by Celevend
• Chat messages: Retained for the duration of the booking relationship and 1 year after completion
• Support enquiries: Retained for 3 years
• Marketing consent records: Retained for as long as the consent is active, plus 1 year after withdrawal
• Log and analytics data: Retained for up to 2 years

When data is no longer needed, it is securely deleted or anonymised so that it can no longer be associated with you.

We implement appropriate technical and organisational measures to protect your personal data, including:

• Encryption of data in transit (TLS/SSL) and at rest
• Secure authentication with Firebase Auth (password hashing, token-based sessions)
• Firestore security rules that restrict data access by user role
• Payment card data handled exclusively by Paystack (PCI DSS compliant) — never stored on our servers
• Regular review of access controls and security practices
• Admin audit logging for all administrative actions

While we strive to protect your data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but will notify you and relevant authorities of any data breach in accordance with the NDPR.

Under the Nigeria Data Protection Regulation, you have the following rights:

• Right of Access: Request a copy of the personal data we hold about you
• Right to Rectification: Request correction of inaccurate or incomplete data
• Right to Erasure: Request deletion of your personal data, subject to legal retention requirements
• Right to Restrict Processing: Request that we limit how we use your data in certain circumstances
• Right to Data Portability: Request your data in a structured, machine-readable format
• Right to Object: Object to processing based on legitimate interests, including direct marketing
• Right to Withdraw Consent: Withdraw your consent at any time where processing is based on consent. This does not affect the lawfulness of processing before withdrawal.

To exercise any of these rights, contact us at privacy@celevend.com. We will respond within 30 days of receiving your request.

If you are unsatisfied with our response, you have the right to lodge a complaint with the National Information Technology Development Agency (NITDA), the supervisory authority for data protection in Nigeria.

We use cookies and similar technologies on our web platform to:

• Essential cookies: Required for authentication, session management, and security. These cannot be disabled.
• Analytics cookies: Help us understand how users interact with the Platform (e.g., page views, feature usage). We use Firebase Analytics.
• Preference cookies: Remember your settings and preferences across sessions.

We do not use third-party advertising cookies. You can control cookies through your browser settings. Disabling essential cookies may prevent certain features from functioning.

Our mobile apps use device identifiers and Firebase Analytics to collect anonymised usage data.

The Platform is not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we discover that we have collected data from a child, we will delete it promptly. If you believe a child has provided us with personal data, please contact us at privacy@celevend.com.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be communicated via email or a prominent notice on the Platform at least 14 days before they take effect. The "Last updated" date at the top of this page indicates when the policy was last revised. Your continued use of the Platform after the updated policy takes effect constitutes your acceptance of the changes.

If you have questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data: