On this page
- 1. Overview
- 2. Who we are
- 3. What data we collect
- 4. How we use your data
- 5. Legal bases
- 6. Who we share data with
- 7. International transfers
- 8. Retention
- 9. Your rights under the NDPA
- 10. How to exercise your rights
- 11. Cookies
- 12. Security
- 13. Data breach notification
- 14. Children’s data
- 15. Data Protection Officer
- 16. Changes to this policy
- 17. Contact & complaints
1. Overview
Short version: Zylo is a commerce platform for Nigerian SMEs. We collect the minimum data necessary to run your store, process payments through Paystack, and keep the Services secure. We do not sell your data. Card details never touch our systems. You have strong rights under the NDPA — including access, correction, erasure, portability and the right to complain to the Nigeria Data Protection Commission (NDPC).
Where this Policy uses terms such as “personal data”, “data subject”, “data controller”, “data processor”, and “processing”, they have the meanings given to them in the NDPA.
2. Who we are
The data controller for Zylo merchant accounts is {{COMPANY_NAME}} ({{CAC_RC_NUMBER}}), a company incorporated in Nigeria with its registered office at {{REGISTERED_ADDRESS}}.
For data collected from a Shopper through a Merchant's storefront (name, email and shipping address entered at checkout), Zylo acts as a data processor on behalf of the Merchant, who is the data controller for their own customer relationship. This Policy describes both roles where relevant.
3. What data we collect
We collect and process the following categories of data:
- Merchant account data
- Name, email, phone number, password (stored only as a hash), business name, CAC number where provided, and — where required to accept payments — a BVN or NIN, which is collected only to be passed to Paystack for KYC verification. We never store raw BVN / NIN values; verification is carried out by Paystack.
- Store content
- Product catalog, prices, descriptions, images, categories, settings and branding uploaded by you to operate your storefront.
- Order data
- Order records including line items, quantities, totals, applied discounts, fulfilment status, and any notes. Stored for the Merchant to manage their business.
- Shopper data
- Name, email address, phone number (optional), shipping address and order history — provided by Shoppers at checkout on a Merchant's storefront. We process this data on the Merchant's instructions.
- Payment data
- Card numbers, CVVs, PINs and bank-account credentials never touch Zylo systems. Payment instruments are collected and stored by Paystack, which is PCI DSS Level 1 certified. We only receive the transaction metadata returned to us by Paystack (reference, amount, status, channel, last four digits of the card, and any tokenised authorisation for recurring charges).
- Device & usage data
- IP address, browser user-agent, device identifiers, timestamps, referring pages, and events generated as you use the dashboard (e.g. login, product saved). Used for security, debugging and analytics.
- Communications
- Support emails, in-app chat messages, feedback forms, and any attachments you send us. We retain these so we can resolve your issue and reference it if you contact us again.
4. How we use your data
We use personal data to:
- create and secure your Zylo account, authenticate logins, and prevent account takeover;
- operate the Platform — host your store, serve your storefront to Shoppers, process orders, send transactional email;
- process Transactions through Paystack (we pass the data needed to complete and reconcile a payment);
- send you service-critical notices (e.g. password reset, security alert, billing reminder, policy update);
- provide customer support and investigate reported bugs or abuse;
- detect and prevent fraud, chargeback abuse, and misuse of the Services;
- generate aggregated, de-identified statistics about Platform usage to improve the product;
- comply with a legal obligation or respond to a lawful request.
We do not sell your personal data, and we do not use it to serve you third-party behavioural advertising.
5. Legal bases
Under the NDPA we must have a lawful basis for every processing activity. We rely on the following bases:
- Performance of a contract — to provide the Services you have signed up for under our Terms.
- Legal obligation — where we are required by Nigerian law (for example, retaining tax records, responding to court orders, or meeting the anti-money-laundering and counter-fraud obligations that apply to payments processed through Paystack).
- Legitimate interests — to keep the Services secure, prevent fraud, carry out basic product analytics, and understand how merchants use the Platform, provided those interests are not overridden by your rights and freedoms.
- Consent — for optional activities such as marketing emails, non-essential analytics, or when we ask you a specific opt-in question. You can withdraw consent at any time (see Section 10).
7. International transfers
Some of our processors listed above are located outside Nigeria. Where we transfer personal data outside Nigeria, we do so in accordance with Section 41 of the NDPA by relying on one or more of the following safeguards:
- a transfer to a jurisdiction that the NDPC has recognised as providing an adequate level of protection;
- Standard Contractual Clauses or equivalent contractual terms committing the processor to protection substantially similar to the NDPA;
- additional technical measures (such as encryption in transit and at rest), documented in a Transfer Impact Assessment, where required; or
- your explicit consent, where applicable.
You may request a summary of the safeguards in place for a specific transfer by emailing {{PRIVACY_EMAIL}}.
8. Retention
We keep personal data only as long as necessary for the purposes it was collected for, or as required by law:
- Active account data — for as long as your account is active, plus 3 years after closure to handle post-termination queries and defend legal claims.
- Order & transaction records — 7 years from the date of the Transaction, in line with Federal Inland Revenue Service record-keeping guidance.
- Security and access logs — 90 days, then rotated out.
- Deleted customer records — soft-deleted for a 30-day recovery window so accidental deletions can be reversed, then hard-deleted.
- Support correspondence — 2 years from the last message in the thread.
Where a statutory, tax, or accounting obligation requires a longer retention period, we will keep the data only for as long as that obligation requires and protect it appropriately.
9. Your rights under the NDPA
As a data subject in Nigeria, you have the following rights in respect of your personal data:
- Right of access — to obtain confirmation that we process your data and a copy of it.
- Right to rectification — to have inaccurate or incomplete data corrected.
- Right to erasure — to have your data deleted where the NDPA allows (subject to retention obligations listed in Section 8).
- Right to restrict processing — to ask us to pause processing in certain circumstances.
- Right to data portability — to receive your data in a structured, commonly used, machine-readable format, or have us transfer it to another controller where technically feasible.
- Right to object — to processing based on our legitimate interests.
- Right to withdraw consent — where we rely on consent, you can withdraw it at any time without affecting the lawfulness of processing before withdrawal.
- Right not to be subject to automated decision-making — we do not make automated decisions with legal or similarly significant effects on you.
- Right to lodge a complaint — with the Nigeria Data Protection Commission (NDPC).
10. How to exercise your rights
To exercise any right above, email our Data Protection Officer at {{DPO_EMAIL}} with the subject line “NDPA rights request” and a short description of what you are asking for. We may need to verify your identity before acting on a request.
We will respond to your request within 30 days of receiving it. If your request is particularly complex, we may extend that period by a further 30 days and will let you know if we need to.
Requests are handled free of charge, except where they are manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee or decline to act.
12. Security
We take the security of your data seriously and apply a layered defence:
- TLS encryption for all data in transit.
- Encryption at rest for databases and object storage provided by our processors.
- Row-Level Security (RLS) on every merchant-owned database table to enforce tenant isolation at the database level.
- Multi-factor authentication support for merchant accounts.
- Password hashing with a modern memory-hard algorithm; passwords are never logged or transmitted in the clear.
- Principle of least privilege for internal access; audit logs for privileged actions.
- Regular dependency scanning, static analysis, and vulnerability monitoring.
- Documented incident-response plan rehearsed periodically.
No system is perfectly secure. If you believe you have discovered a vulnerability in the Services, please report it responsibly to fagbelustephen@gmail.com so we can investigate.
13. Data breach notification
If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will, in accordance with Section 40 of the NDPA:
- notify the Nigeria Data Protection Commission without undue delay and, where feasible, within 72 hours of becoming aware of the breach; and
- notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms, describing the nature of the breach, its likely consequences, and the measures being taken.
14. Children’s data
The Services are not directed at persons under the age of 18. We do not knowingly collect personal data from anyone under 18. If we learn that we have collected data from a person under 18 without verified parental consent, we will close the account and delete the data.
15. Data Protection Officer
We have designated a Data Protection Officer to oversee compliance with the NDPA. You can reach them at:
- Name: {{DPO_NAME}}
- Email: {{DPO_EMAIL}}
- Postal: {{REGISTERED_ADDRESS}}
16. Changes to this policy
We may update this Policy from time to time. For any material change we will give you at least 30 days' notice by email and an in-dashboard announcement before the change takes effect. The “Last updated” date at the top of this page will always reflect the most recent version.
17. Contact & complaints
If you have a question about this Policy or how we handle your data, contact us at {{PRIVACY_EMAIL}} or fagbelustephen@gmail.com.
You also have the right to lodge a complaint directly with the Nigeria Data Protection Commission:
- Website: ndpc.gov.ng
- Email: info@ndpc.gov.ng