Privacy Policy

Last Updated: March 27, 2026

1. Introduction

Welcome to IbomMarket, a product of Ibom Market Global Limited ("we", "us", "our"). We are committed to protecting your privacy and ensuring the security of your personal information in compliance with the Nigeria Data Protection Act (NDPA) 2023, the Nigeria Data Protection Regulation (NDPR) 2019, the General Data Protection Regulation (GDPR) (where applicable to users in the European Economic Area), and other applicable data protection laws.

This Privacy Policy explains how we collect, use, disclose, retain, and safeguard your information when you use our website, mobile applications (including Progressive Web App and native apps), and all related services including our marketplace, hotel booking, restaurant ordering, services directory, messaging, payment processing, and AI-powered features.

By accessing or using IbomMarket, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our policies and practices, please do not use our services.

2. Information We Collect

2.1 Information You Provide Directly

  • Account information: Name, email address, phone number, password, profile photo, and bio
  • Identity verification documents: National Identification Number (NIN), Bank Verification Number (BVN), government-issued ID, passport, or driver's licence submitted for identity verification. NIN is cryptographically hashed before storage; raw NIN values are not retained
  • Biometric data: Facial images or biometric templates provided through third-party identity verification services (Smile Identity, Paystack Identity) for liveness checks and document matching
  • Store and business information: Business name, category, address, bank account details (for payout processing), operating hours, and branch locations
  • Listing content: Product descriptions, photos, videos, pricing, condition, specifications, and location
  • Booking information: Check-in/check-out dates, guest count, special requests, and dietary preferences
  • Order information: Delivery address, order items, customisations, measurements (for custom orders), and special instructions
  • Financial information: Bank account details (for seller payouts and marketer withdrawals). We do not store credit/debit card numbers; card payments are processed by Monnify
  • Communications: Messages sent through our messaging system, reviews, ratings, reports, dispute filings, feedback, and customer support inquiries
  • Voice data: Voice recordings when using voice search functionality, processed to extract search queries
  • Custom order specifications: Body measurements, design preferences, and personalisation details for custom orders
  • Marketer/affiliate information: Referral activity, promotional methods, and payout preferences

2.2 Information Collected Automatically

  • Device information: Device type, model, operating system, browser type and version, screen resolution, and unique device identifiers
  • Device fingerprints: Hardware and software characteristics used to identify your device for security purposes (fraud prevention, impossible travel detection, known device management)
  • IP address: Used for approximate geolocation, security monitoring, rate limiting, and AML compliance
  • Location data: GPS coordinates (when you grant location permission) for nearby listings, delivery radius calculation, and location-based search; approximate location derived from IP address
  • Usage data: Pages visited, features used, search queries, items viewed, time spent on pages, click patterns, and navigation paths
  • Interaction data: Product impressions, views, clicks, saves/favourites, shares, and contact actions
  • Authentication logs: Login timestamps, authentication methods used, login success/failure, and associated IP addresses
  • Performance data: App crash reports, error logs, load times, and diagnostic data collected via Sentry
  • Cookies and local storage: Session tokens, preference settings, consent choices, and cached data. See our Cookie Policy for details
  • Push notification tokens: Device tokens for delivering push notifications via Firebase Cloud Messaging
  • Camera and photo data: Images captured through the app for listings, profile photos, or image-based search (only when you grant camera permission)

2.3 Information from Third Parties

  • Social login providers: Google (name, email, profile photo) when using Google One-Tap or social login
  • Payment processor (Monnify): Transaction status, payment confirmation, and basic transaction reference data
  • Identity verification providers (Smile Identity, Paystack): Verification results, risk scores, and document authenticity assessments
  • Bot detection (Google reCAPTCHA Enterprise): Risk scores and interaction signals to distinguish humans from bots
  • Sanctions and watchlist databases: Screening results for AML/CFT compliance
  • Firebase: Authentication data, push notification delivery status, and analytics

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 Providing and Operating Our Services

  • Create and manage your account and profile
  • Display your listings, store, and public profile to other users
  • Facilitate communication between buyers and sellers
  • Process transactions, orders, and bookings
  • Process seller payouts and marketer commissions
  • Deliver food orders and track deliveries
  • Enable search, filtering, and discovery of products and services
  • Provide location-based features and services

3.2 AI-Powered Features

  • Process voice input for voice search functionality (voice data is processed in real time and not stored long-term)
  • Analyse images for image-based search and product matching
  • Generate personalised recommendations based on browsing and purchase history
  • Enhance listing images using AI image enhancement tools
  • Suggest optimal pricing based on market data analysis
  • Generate SEO-optimised listing descriptions
  • Analyse sentiment in reviews and feedback

3.3 Safety, Security & Compliance

  • Verify user identity and prevent identity fraud
  • Detect, prevent, and investigate fraudulent, suspicious, or illegal activity
  • Monitor transactions for AML/CFT compliance and file regulatory reports
  • Screen users against sanctions lists, PEP databases, and watchlists
  • Moderate content (listings, messages, reviews) using AI and human review
  • Detect and block bots, scrapers, and automated abuse
  • Track devices and detect impossible travel for account security
  • Check passwords against known breach databases (comparison only; passwords are never stored in plaintext)
  • Enforce rate limits and prevent brute-force attacks

3.4 Communication

  • Send transactional notifications (order confirmations, booking updates, payment receipts, security alerts)
  • Send service announcements and platform updates
  • Send promotional communications (with your consent, opt-out available)
  • Deliver push notifications for messages, orders, and relevant activity
  • Send SMS notifications for OTP verification, order updates, and critical alerts via Twilio
  • Send email notifications via SendGrid/Resend for account and transaction communications

3.5 Improvement and Analytics

  • Analyse usage patterns to improve platform features and user experience
  • Monitor platform performance and diagnose technical issues
  • Conduct research and analysis to develop new features
  • Train and improve AI models (using anonymised or aggregated data where possible)
  • Generate seller analytics dashboards and performance insights

4. Legal Basis for Processing

We process your personal data on the following legal bases:

  • Consent: Where you have given us explicit consent (e.g., marketing communications, voice search, camera access, biometric verification, cookie preferences). You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal
  • Contractual necessity: Where processing is necessary to fulfil our contract with you (e.g., providing marketplace services, processing orders and bookings, managing your account, facilitating payments)
  • Legitimate interest: Where processing is necessary for our legitimate business interests, including fraud prevention, platform security, service improvement, and analytics, provided these interests are not overridden by your fundamental rights and freedoms
  • Legal obligation: Where processing is required to comply with applicable laws, including AML/CFT regulations (Money Laundering Prevention Act 2022, NFIU regulations), tax obligations, court orders, and regulatory requirements
  • Vital interest: In rare cases, to protect the vital interests of you or another person (e.g., safety emergencies reported through the platform)

5. Information Sharing & Disclosure

We may share your information in the following circumstances:

5.1 With Other Users

Your public profile (name, photo, verification badge), listings, store information, reviews, and approximate location are visible to other users. Messaging between users shares message content with the recipient. Order and booking details are shared with the relevant seller, host, or restaurant operator to fulfil the transaction.

5.2 With Service Providers & Partners

We share data with third parties who perform services on our behalf, bound by data processing agreements:

Provider | Purpose | Data Shared
Supabase | Database & authentication | Account data, content, transactions
Monnify | Payment processing | Transaction amounts, payer details
Firebase | Auth, push notifications | Device tokens, auth credentials
Cloudinary | Image hosting & optimisation | Uploaded images and videos
Twilio | SMS (OTP, notifications) | Phone numbers, message content
SendGrid / Resend | Email delivery | Email addresses, message content
OpenAI | AI features (search, recommendations, moderation) | Search queries, listing text, anonymised usage data
Google (reCAPTCHA, Auth, Analytics) | Bot detection, login, analytics | Interaction signals, auth tokens, usage analytics
Smile Identity | Biometric ID verification | Selfie images, ID document images
Paystack | Identity verification | NIN, BVN for verification
AWS (Rekognition, WAF) | Image analysis, security | Images for content moderation, request metadata
Sentry | Error monitoring | Error logs, device info, stack traces
Elasticsearch | Search indexing | Listing data, search queries

5.3 Legal & Regulatory Disclosure

  • When required by law, court order, or government request
  • To comply with AML/CFT obligations (SARs filed with NFIU, CTRs, sanctions screening)
  • To law enforcement (Nigeria Police, EFCC, other relevant authorities) when we have a good-faith belief that disclosure is necessary to prevent or investigate criminal activity
  • To protect the rights, property, or safety of IbomMarket, our users, or the public

5.4 Business Transfers

In the event of a merger, acquisition, reorganisation, bankruptcy, or sale of all or a portion of our assets, your personal data may be transferred as part of the transaction. We will notify you before your data is transferred and becomes subject to a different privacy policy.

We do not sell your personal information to third parties for marketing or advertising purposes.

6. Data Security

We implement appropriate technical and organisational measures to protect your personal information, including:

  • Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS/HTTPS
  • Encryption at rest: Sensitive data (passwords, NIN hashes, authentication tokens) is encrypted or hashed using industry-standard algorithms
  • Access controls: Role-based access control (RBAC) with principle of least privilege for staff access to user data
  • Row-Level Security (RLS): Database-level policies ensuring users can only access their own data
  • HttpOnly cookies: Authentication tokens stored in HttpOnly cookies to prevent XSS-based token theft
  • CSRF protection: Cross-Site Request Forgery tokens on all state-changing operations
  • Security headers: Helmet.js security headers including CSP, X-Frame-Options, and HSTS
  • Rate limiting: Request throttling to prevent brute-force and denial-of-service attacks
  • WAF protection: Web Application Firewall to filter malicious traffic
  • Input validation: Server-side validation and sanitisation of all user inputs
  • Regular security audits: Periodic security assessments and vulnerability testing
  • Incident response procedures: Documented procedures for detecting, responding to, and reporting data breaches
  • Employee training: Staff training on data protection and security practices

No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

6.1 Data Breach Notification

In the event of a personal data breach that is likely to result in risk to your rights and freedoms, we will notify the Nigeria Data Protection Commission (NDPC) within 72 hours of becoming aware of the breach. If the breach is likely to result in high risk to you, we will also notify you without undue delay, describing the nature of the breach, the likely consequences, and the measures we are taking to address it.

7. Your Rights

Under the NDPA 2023 and GDPR (where applicable), you have the following rights regarding your personal information:

  • Right of Access (DSAR): Request a copy of your personal data. You can initiate a data export from the Compliance Hub
  • Right to Rectification: Request correction of inaccurate or incomplete data
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your account and personal data, subject to legal retention requirements
  • Right to Data Portability: Receive your data in a structured, commonly used, machine-readable format
  • Right to Restrict Processing: Request limitation of how we process your data in certain circumstances
  • Right to Object: Object to processing based on legitimate interests or for direct marketing
  • Right to Withdraw Consent: Withdraw previously given consent at any time
  • Right to Human Review: Request human review of decisions made solely by automated processing that significantly affect you
  • Right to Lodge a Complaint: File a complaint with the Nigeria Data Protection Commission (NDPC) or your local supervisory authority

To exercise these rights, contact us at privacy@ibommarket.com or use the self-service tools in the Compliance Hub. We will respond to your request within 30 days. We may ask for identification to verify your request. Exercising your rights will not result in discrimination or reduced service quality.

8. Data Retention

We retain your personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law:

Data Type | Retention Period
Account data | While active + 30 days after deletion request
Messages | 180 days (may be archived after 90 days)
Transaction/order records | 6 years (tax and financial compliance)
IP/access logs | 30 days (90 days for security investigations)
Device fingerprints | While account active + 30 days
Verification documents | Until verification complete + 90 days
Biometric data | Processed by third-party provider; not stored on our servers
AML/CFT records (SARs, CTRs, screening) | Minimum 5 years per NFIU requirements
Voice search recordings | Processed in real time; not retained after query completion
Consent records | Duration of consent + 3 years for audit
Audit/activity logs | 2 years (5 years for compliance-related logs)

When you delete your account, we will delete or anonymise your data within 30 days, except where retention is required by law (e.g., financial records, AML records). Anonymised, aggregated data that cannot identify you may be retained indefinitely for analytics and research purposes.

9. Automated Decision-Making & Profiling

We use automated systems to support certain decisions on our platform:

  • Content moderation: Automated scanning of listings, images, and user-generated content to detect prohibited items, misleading descriptions, or policy violations. Flagged content may be removed automatically or queued for human review
  • Fraud detection: Automated analysis of transaction patterns, account behaviour, login locations, and device fingerprints to identify and prevent fraud. May result in temporary account holds pending review
  • AML risk scoring: Automated risk assessment based on transaction history, identity verification status, and screening results. High-risk scores may trigger enhanced due diligence or reporting
  • Bot detection: Google reCAPTCHA and custom systems to distinguish genuine users from bots, which may block or challenge suspicious traffic
  • Search ranking: Automated algorithms determine the order of search results based on relevance, listing quality, seller performance, and promotion status
  • Pricing suggestions: AI-generated pricing recommendations based on market data and comparable items (advisory only)
  • Recommendation engine: Personalised product and service suggestions based on browsing history and preferences

You have the right to request human review of any decision made solely by automated means that significantly affects you (e.g., account suspension, listing removal, transaction blocking). To request a review, contact us at privacy@ibommarket.com.

10. Children's Privacy

IbomMarket is not intended for users under 18 years of age. We do not knowingly collect personal information from children under 18. If we become aware that we have collected data from a child under 18, we will take steps to delete that information promptly. If you believe we have inadvertently collected information from a child, please contact us immediately at privacy@ibommarket.com.

11. Cross-Border Data Transfers

Your information may be transferred to and processed in countries other than Nigeria, including the United States, European Union, and Australia, where our infrastructure providers and partners operate. We ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): Approved contractual terms that bind data recipients to equivalent data protection obligations
  • Data Processing Agreements (DPAs): Contracts with all third-party processors mandating compliance with applicable data protection standards
  • Adequacy assessments: We assess the data protection standards of recipient countries before transferring data
  • Technical safeguards: Encryption in transit and at rest for all cross-border transfers

These transfers comply with the NDPA 2023 provisions on cross-border data transfer and GDPR Article 46 where applicable.

12. Data Protection Officer (Interim)

We have designated Samson Simeon, Managing Director, as our Interim Data Protection Officer pending any appointment of a dedicated full-time DPO or external data protection adviser where required by law or as we scale. The interim DPO oversees our data protection practices and serves as your primary contact for NDPA-related questions and requests. If you have questions, concerns, or wish to exercise your data protection rights:

Samson Simeon, Managing Director (Interim Data Protection Officer)

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Post the updated policy with a new "Last Updated" date
  • Notify you via email, in-app notification, or both
  • Where required by law, obtain your renewed consent before applying changes to your data

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.

14. Contact Us

If you have questions about this Privacy Policy, our data practices, or wish to exercise your rights:

privacy@ibommarket.com
Interim DPO: Samson Simeon, Managing Director - dpo@ibommarket.com
Ibom Market Global Limited
Uyo, Akwa Ibom State
Nigeria

If you are unsatisfied with our response, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) or, where applicable, your local data protection supervisory authority.