General Privacy Policy

1.1 This Privacy Policy describes the categories of personal data we collect, how and why we collect it, how we use and share it, the legal basis on which we rely to process data, and your rights with respect to your personal data.

1.2 This Privacy Policy applies to Qart's systems, operations and processes that involve personal data. It applies to both online and offline interactions with Qart.

1.3 By accessing or using the Services you agree to the terms of this Privacy Policy. If you do not agree, please do not use the Services.

1.4 This Privacy Policy does not apply to services, websites or platforms that are not owned or controlled by Qart, including third-party Merchant websites and third-party applications. Merchants and other third parties have their own privacy policies and practices.

2.1 We process personal data for several purposes and rely on different legal bases, including:

• Performance of a contract. To provide the Services you request (for example, to process orders, enable payments, fulfil deliveries, and provide customer support).
• Legal and regulatory compliance. To comply with legal obligations (for example, KYC/AML checks, tax, and reporting obligations).
• Legitimate interests. Where necessary for Qart's legitimate business purposes such as preventing fraud, improving and securing the Services, analysing usage and trends, and protecting Qart's rights. We balance these legitimate interests against your privacy rights.
• Consent. Where required, for example for marketing communications, cookies and certain profiling activities. You may withdraw consent at any time.

2.2 We will only process your personal data for purposes compatible with those listed here and for which we have a lawful basis.

We collect personal data depending on how you use the Services. Categories include:

• Identity & contact data: name, email address, phone number, business name, business address, profile photo and other identifiers.
• Account & authentication data: username, password, device identifiers, login history and security information.
• Transaction & payment data: order details, payment method (card or bank details processed by payment providers), transaction history, refunds and chargebacks.
• KYC & verification data: identity documents, BVN/NIN (where applicable), corporate documentation, proof of address.
• Communications data: messages, emails, call recordings or transcripts with customer support.
• Technical & usage data: IP address, device and browser information, cookies and tracking identifiers, pages visited, session data and analytics.
• Location data: where permitted and with consent, approximate or precise location for delivery and fraud prevention.
• Marketing & preferences: communication preferences, marketing consents and interaction history.
• Other data: information from third parties (e.g., identity verification providers, credit reference agencies) and aggregated/de‑identified data.

We collect personal data in several ways, including:

• Directly from you when you create an account, place orders, contact support, or otherwise provide information.
• Automatically through your use of the Services (e.g., cookies, logs, analytics).
• From third-party partners and service providers (e.g., payment processors, identity verification providers, marketing platforms, public databases).
• From Merchants when you are a customer of a Merchant.

5.1 We use cookies, web beacons, local storage and similar technologies to operate and improve the Services, to secure accounts, to personalise content and advertising, and to measure and analyse use of the Services. A separate Cookie Notice may be provided where required.

5.2 You can control cookie settings via your browser or device settings. Disabling cookies may affect the functionality of the Services.

We use personal data to:

• Provide, maintain and improve the Services;
• Process orders, payments and refunds;
• Operate Wallet and settlement features (where applicable) and manage payouts;
• Verify identity and perform KYC/AML checks;
• Prevent fraud and abuse and manage risk and security;
• Provide customer support and respond to inquiries;
• Personalise and improve user experience and marketing; and
• Meet legal, tax and regulatory obligations.

We may share personal data with:

• Service providers and processors (payment processors, hosting providers, logistics partners, KYC/AML vendors, analytics and marketing platforms) that perform services on our behalf under contract;
• Merchants (order and contact details needed to fulfil purchases);
• Affiliates and group companies to operate and improve the Services;
• Regulators and law enforcement when required by law or to protect rights, property or safety;
• Acquirers and counterparties in corporate transactions (e.g., mergers or asset sales);
• Other parties with your consent.

Where we share personal data with service providers, we require contract terms that protect personal data and restrict processing to the purposes we specify.

8.1. Cross-Border Transfers

You acknowledge and agree that Qart may transfer, store, and process your personal data in jurisdictions outside of Nigeria (including but not limited to the United States, the European Economic Area, and other global locations). These transfers are necessary to provide the Services, facilitate cloud storage, and enable the integration of third-party payment and logistics providers.

8.2. Basis for Transfer and Safeguards

Qart shall only transfer personal data to a foreign country in accordance with the Nigeria Data Protection Act (NDPA) and other applicable data protection laws. To ensure your information remains protected, we rely on the following mechanisms:

• Adequacy Decisions: Transfers to jurisdictions that the NDPC (or relevant authority) has determined provide an adequate level of protection for personal data.
• Standard Contractual Clauses (SCCs): Where data is transferred to jurisdictions without an adequacy decision, we implement robust contractual frameworks with the recipient to ensure they provide a level of protection substantially similar to that required under Nigerian law.
• Binding Corporate Rules or Statutory Instruments: Use of approved codes of conduct or certification mechanisms as recognized by the NDPC.
• Explicit Consent or Necessity: In specific instances where safeguards are not in place, we may rely on your explicit consent or the necessity of the transfer for the performance of our contract with you.

8.3. Third-Party Compliance

Qart requires all third-party service providers (including logistics and payment partners) to provide documented evidence of their technical and organizational measures to protect personal data during international processing.

9.1. Qart shall retain your personal data only for the duration necessary to fulfill the purposes outlined in this Privacy Policy. In determining the appropriate retention period, we consider the volume and sensitivity of the data, the potential risk of harm from unauthorized use, and applicable legal requirements. Specifically:

• Transaction Records: Financial and transaction-related data are retained for a minimum of seven (7) years to comply with Nigeria's tax laws and the Money Laundering (Prevention and Prohibition) Act.
• Account Information: We retain your profile data for as long as your Account is active. Following account closure, we may retain certain data for up to six (6) years to defend against potential legal claims under the applicable Statutes of Limitation.
• Marketing Data: Information used for marketing communications is retained until you opt-out or withdraw your consent.

9.2. Notwithstanding Section 9.1, Qart may retain personal data for longer periods where such retention is:

• Required by a statutory or regulatory obligation (e.g., Central Bank of Nigeria "Know Your Customer" requirements);
• Necessary for the establishment, exercise, or defense of legal claims; or
• Required for historical, statistical, or scientific research purposes, provided that the data is appropriately pseudonymized.

9.3. Once the retention period expires, or upon a valid request for erasure (where applicable), Qart shall ensure the data is:

• Permanently Deleted: Using industry-standard secure wiping technologies that prevent data recovery.
• Anonymized: Irreversibly altered so that the data subject can no longer be identified, in which case the data ceases to be "personal data" and may be used for analytical purposes.

10.1 We implement organisational, technical and administrative measures designed to protect personal data against unauthorised access, loss or disclosure. Examples include encryption in transit, access controls, vulnerability management and security monitoring.

10.2 While Qart employs rigorous security standards, you acknowledge that no method of transmission over the internet or electronic storage is 100% secure. You are responsible for maintaining the confidentiality of your account credentials and for the security of the devices you use to access the platform.

11.1. In accordance with the Nigeria Data Protection Act (NDPA) and the NDPR, you have the following legally enforceable rights regarding your personal data:

• Right of Access: You have the right to request a copy of the personal data we hold about you and to be informed of the purposes for which it is processed.
• Right to Rectification: You may request that we correct or update any inaccurate, incomplete, or outdated personal data without undue delay.
• Right to Erasure ("Right to be Forgotten"): You may request the deletion of your personal data where it is no longer necessary for the purposes for which it was collected, or where you have withdrawn your consent.
• Right to Restriction of Processing: You may request that we "freeze" the processing of your data in certain circumstances, such as while we verify its accuracy.
• Right to Data Portability: You have the right to receive your data in a structured, commonly used, and machine-readable format, and to have it transmitted to another data controller where technically feasible.
• Right to Object: You may object to the processing of your data for direct marketing purposes or where the processing is based on "legitimate interests."
• Right to Withdraw Consent: Where processing is based on your consent, you may withdraw that consent at any time. This will not affect the lawfulness of any processing carried out before the withdrawal.

11.2. To exercise any of these rights, please contact us with the details provided in Section 15.

Our Services are not directed at children under 18. We do not knowingly collect personal data from children under 18. If we become aware of such collection, we will delete the data as required by applicable law.

Our Services may link to third-party websites or services. This Privacy Policy does not apply to those websites; you should review their privacy notices.

We may update this Privacy Policy from time to time. We will post changes on the Website with the revised effective date. Material changes will be communicated as required by law.

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:

[INSERT LEGAL ENTITY NAME]
[INSERT ADDRESS]
Email: [INSERT PRIVACY / LEGAL EMAIL]