This Privacy Policy explains how StoreColoni collects, uses, stores, and protects personal data. It applies to all users of the Platform — both Vendors and Buyers — and complies with data protection laws across Africa and internationally.
1. Data Controller
StoreColoni ("we", "us") is the data controller for personal data collected from Vendors (account holders). For data collected from Buyers placing orders, the individual Vendor operating the storefront is the data controller — StoreColoni acts as a data processor on the Vendor's behalf.
Contact our Data Protection Team: privacy@storecoloni.com
2. Data We Collect
2.1 From Vendors (Account Holders)
- Identity data: shop name, full name, email address, WhatsApp phone number
- Account data: password (stored as a one-way hash — we cannot read it), country, store subdomain
- Business data: product listings, prices, categories, store images and banner
- Billing data: transaction references, payment amounts (we do not store card numbers — payments are processed by Flutterwave)
- Usage data: login timestamps, IP addresses, session data, audit log events
- Communications: support ticket messages, chat messages
2.2 From Buyers (via Vendor Storefronts)
- Order data: buyer name, phone number, delivery address, items ordered
- Technical data: IP address (for fraud prevention only), browser type
2.3 Automatically Collected
- Storefront page view counts (aggregated, not tied to individuals)
- Session cookies (strictly necessary for login functionality)
- If Meta Pixel is enabled by the Vendor: Facebook/Meta may collect browsing behaviour data subject to Meta's own privacy policy
3. How We Use Personal Data
| Purpose | Legal Basis | Data Used |
|---|---|---|
| Providing and operating the Platform | Contract performance | Account data, business data |
| Processing payments and subscriptions | Contract performance | Billing data, email |
| Account security and fraud prevention | Legitimate interest | IP logs, login data, audit log |
| Sending transactional emails (verification, password reset, billing) | Contract performance | Email address |
| Customer support | Legitimate interest / Contract | Support messages, account data |
| Platform improvement and analytics | Legitimate interest | Aggregated usage data |
| Legal compliance | Legal obligation | As required by law |
| Marketing emails (optional) | Consent | Email address — opt-out available |
4. Applicable Data Protection Laws
We comply with data protection laws applicable to our operations and to the jurisdictions of our users, including:
- Nigeria: Nigeria Data Protection Regulation (NDPR) 2019, supervised by NITDA (National Information Technology Development Agency)
- South Africa: Protection of Personal Information Act (POPIA) No. 4 of 2013, supervised by the Information Regulator
- Kenya: Data Protection Act No. 24 of 2019, supervised by the Office of the Data Protection Commissioner (ODPC)
- Ghana: Data Protection Act 2012 (Act 843), supervised by the Data Protection Commission
- Egypt: Personal Data Protection Law No. 151 of 2020, supervised by the Personal Data Protection Centre
- Tanzania: Electronic and Postal Communications Act, Personal Data Protection Regulations 2023
- Rwanda: Law No. 058/2021 on the Protection of Personal Data and Privacy
- Uganda: Personal Data Protection Act 2024
- European Union / UK: GDPR / UK GDPR (for Vendors or Buyers in those regions)
5. Data Sharing & Third Parties
We do not sell your personal data. We share data only in the following circumstances:
- Flutterwave — payment processing. Flutterwave processes card transactions and is subject to PCI-DSS standards and its own privacy policy.
- SMTP Email Provider — for sending transactional emails (verification, password reset, billing notices). Only your email address and the email content are shared.
- Server Infrastructure — our hosting provider stores encrypted server data. Infrastructure is located in the EU/Africa region.
- Law Enforcement — if required by a valid court order, warrant, or binding legal obligation in any jurisdiction in which we operate.
- Business Transfer — in the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity, with notice to users.
6. International Data Transfers
StoreColoni is a pan-African platform, so your data may be processed on servers located in different African countries or in the EU/UK. Where we transfer data across borders, we use appropriate safeguards, including Standard Contractual Clauses (SCCs), or rely on adequacy decisions where applicable.
Transfers from Nigeria comply with NDPR cross-border transfer requirements. Transfers from South Africa comply with POPIA Section 72 requirements. Vendors and Buyers in Kenya, Ghana, Rwanda, Uganda, and other jurisdictions benefit from equivalent protections.
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Vendor account data (active accounts) | Duration of account + 90 days after closure |
| Order data (buyer names, phones, addresses) | 3 years (for accounting and legal compliance) |
| Billing records | 7 years (financial regulation requirements) |
| Login / IP logs | 90 days rolling |
| Support tickets | 2 years after resolution |
| Email communications | 2 years |
| Deleted/anonymised data | Not retained in identifiable form |
8. Your Rights
Depending on your location, you have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you
- Correction — request correction of inaccurate or incomplete data
- Erasure / Deletion — request deletion of your data (subject to legal retention requirements)
- Restriction — request that we limit processing of your data in certain circumstances
- Portability — receive your data in a machine-readable format (available via Settings → Privacy → Export)
- Objection — object to processing based on legitimate interest
- Withdraw Consent — withdraw consent for processing where consent is the legal basis
- Complaint — lodge a complaint with your national data protection authority (see Section 4 for contact details of relevant authorities)
To exercise your rights, email privacy@storecoloni.com. We will respond within 30 days (or within the statutory deadline of your jurisdiction, whichever is shorter).
Vendors: You can export your customer order data and anonymise individual customers directly from Settings → Privacy in your dashboard.
9. Data Security
We implement technical and organisational measures to protect personal data, including:
- Passwords hashed using bcrypt (irreversible — we cannot read your password)
- HTTPS/TLS encryption for all data in transit
- Two-factor authentication (2FA) available for all Vendor accounts
- Role-based access controls (Owner, Manager, Staff)
- Comprehensive audit logging of sensitive actions
- Regular security reviews
No system is 100% secure. In the event of a data breach that is likely to result in high risk to individuals, we will notify affected users and relevant supervisory authorities within 72 hours of becoming aware (as required by GDPR) or within the applicable deadline under other laws.
10. Children's Privacy
The Platform is not directed at children under the age of 18 (or the applicable age of majority in your jurisdiction). We do not knowingly collect personal data from children. If we become aware that a child has provided personal data, we will delete it promptly.
11. Cookies
We use cookies to operate the Platform. For full details of which cookies we use and how to manage them, please see our Cookie Policy.
12. Changes to This Policy
We may update this Privacy Policy periodically. When we make material changes, we will notify Vendors by email and through a banner in the dashboard at least 14 days in advance. The "Last updated" date at the top of this page reflects the most recent revision.
13. Contact & Supervisory Authorities
StoreColoni Privacy Team: privacy@storecoloni.com
If you are not satisfied with our response, you have the right to contact your national supervisory authority:
- Nigeria: NITDA — nitda.gov.ng
- South Africa: Information Regulator — justice.gov.za/inforeg
- Kenya: Office of the Data Protection Commissioner — odpc.go.ke
- Ghana: Data Protection Commission — dataprotection.org.gh
- Rwanda: RURA — rura.rw