1) Who we are and scope
Storefront operates an e-commerce platform that enables Nigerian businesses to run online stores, accept payments, and manage orders. This Policy applies to the website storefront.ng and any stores we host on subdomains of our platform (the Services).
- Controller: For your account data and visits to our websites, Storefront is the data controller.
- Processor: For shopper data processed on behalf of a merchant (store owner), Storefront acts as a data processor/service provider; the merchant is the controller for that data.
2) The data we collect
A. Account holders (merchants and staff)
- Identity & contact: name, business name, email, phone.
- Profile & settings: store name, branding, preferences, connected channels.
- Auth & security: passwords, login history, device/usage logs, IP address.
- Billing: plan details, invoices, payment confirmations from payment processors.
- Support: messages you send to support or feedback forms.
B. Shoppers & site visitors
- Order & contact: name, email, phone, delivery address, order items and value.
- Payment status: success/failed flags and references (we do not store full card numbers).
- Communications: marketing opt-ins, replies to order notifications.
- Technical: device info, IP address, cookie IDs, pages viewed, and actions (e.g., add-to-cart).
C. Data from third parties
- Payment processors: transaction outcomes, references, and payout notices.
- Analytics & security: performance metrics, anti-fraud and error logs.
- Integrations: minimal details necessary to enable connected services.
We do not knowingly collect special category data or children’s data.
3) Why we use your data (legal bases)
Under the Nigeria Data Protection Act, 2023 (NDPA) and comparable laws, we use personal data to:
- Provide and improve the Services (accounts, hosting, orders, payments, deliveries) — contract; legitimate interests.
- Protect the platform (monitoring, preventing abuse) — legitimate interests; legal obligations.
- Payments & billing (charges, receipts, taxes) — contract; legal obligations.
- Communications (service notices, updates, support) — contract; legitimate interests.
- Marketing (with consent; opt-out anytime) — consent; legitimate interests where permitted.
- Compliance (respond to lawful requests; enforce terms) — legal obligations; legitimate interests.
5) Payments and card data
Payments on stores using Storefront are processed by independent payment processors such as Paystack and Flutterwave. We receive transaction confirmations and references but do not collect or store full card numbers.
7) International transfers
We may store and process data outside Nigeria. Where we transfer personal data internationally, we use appropriate safeguards, such as contractual commitments, consistent with the NDPA and other applicable laws.
8) Data retention
We keep personal data only as long as needed to provide the Services and for legal, accounting, or reporting obligations. When no longer needed, we delete or anonymise it.
9) Your rights (Nigeria)
Under the NDPA you may have rights to access, correct, delete, restrict or object to processing, and to data portability. To exercise these rights, contact us as set out in Contact us. We may need to verify your identity.
If unresolved, you may complain to the Nigeria Data Protection Commission (NDPC).
10) Children’s privacy
Our Services are not intended for children under 13. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, please contact us so we can delete it.
11) Security
We use administrative, technical, and organisational measures to protect personal data, including HTTPS encryption in transit, access controls, and regular backups. However, no online service is 100% secure.
12) Merchant responsibilities
- Publish your own customer privacy notice.
- Configure cookie/consent settings and honour customer rights requests.
- Use personal data collected via your store only for lawful purposes and in line with applicable laws and your agreements with Storefront.
13) Third-party services
Our Services may link to or integrate with third-party services (e.g., payment processors, messaging, social platforms). Their privacy practices are governed by their own policies.
14) Facebook/Meta data deletion
If you used Facebook/Meta to sign in or connect a Page/WhatsApp, you can request deletion of your data associated with those integrations by emailing privacy@storefront.ng with the subject “Facebook Data Deletion”. Include your full name, the email or phone used on Storefront, and (if known) your Facebook User ID. We will confirm the request and delete associated data unless we need to retain it to meet legal obligations.
15) Changes to this Policy
We may update this Policy from time to time. We will post updates here and change the “Last updated” date above. Where changes are material, we will take additional steps to notify you.
16) Contact us
Questions or requests about this Policy or your personal data can be sent to privacy@storefront.ng.
17) Sub-processors (overview)
| Category | Provider(s) | Purpose |
|---|---|---|
| Payments | Paystack; Flutterwave | Process payments and send transaction confirmations |
| Infrastructure/Hosting | Railway | Host our websites, databases, and backups |
| Email/SMS | Transactional email providers | Send order updates and support messages |
| Analytics/Security | First-party analytics and error logging | Measure performance; detect fraud and abuse |
We do not disclose full card details to Storefront. Payment providers receive and process such data directly.
© Storefront. All rights reserved.