Data Protection Policy

Back to Legal hub
🔒 Data protection

Data Protection Policy

How we collect, store, share, and destroy personal data, aligned to NDPA / NDPR and platform-specific commitments.

Version 1.2 Effective 1 April 2026

Data Protection Policy

Legal basis

We process personal data under the Nigeria Data Protection Act (2023) and the Nigeria Data Protection Regulation (2019), and where applicable the GDPR. Our Data Protection Officer is registered with the NDPC.

What we collect

  • Identity — full name, date of birth, BVN (hashed), NIN (hashed),

phone (hashed), email, address, ID document image.

  • Financial — bank account, wallet balance, transaction history,

source-of-funds declarations.

  • Project — investment commitments, milestone interactions,

uploaded media.

  • Behavioural — site usage, device fingerprint (limited), IP for

security only.

How we protect it

  • Encryption at rest — AES-256-GCM envelope encryption for all

sensitive documents and PII.

  • Encryption in transit — TLS 1.3 only.
  • Access controls — role-based, region-scoped, with MFA enforced

on every staff session.

  • Audit logging — every access to PII is logged with the actor,

timestamp, and reason code.

  • Network controls — Cloudflare in front, strict CSP with per-request

nonce, Turnstile on authentication endpoints.

  • PII minimisation — we hash phone, BVN and NIN at the edge; the

raw value never reaches our application database.

Who we share with

  • Issuing authorities to verify documents (CAC, state lands

bureaus, LIRS, etc.) — only the specific data the authority needs.

  • Regulators — NFIU, EFCC, SEC Nigeria — only when legally compelled.
  • Payment providers — Paystack, Flutterwave — to process payments;

scope limited to what is required.

  • Auditors — under NDA, for the Trust & Safety Report.

We do not sell personal data and we do not share it with marketing partners.

Your rights

  • Access — request a copy of all data we hold about you.
  • Correction — request corrections to inaccurate data.
  • Erasure — request deletion, subject to legal retention (7 years

for transaction records).

  • Portability — receive your data in a machine-readable format.
  • Objection — object to specific processing.

Exercise these rights at privacy@qonstruct-mart.com or from My account → Privacy in the app. We respond within 30 days.

Questions about this policy? Email legal@qonstruct-mart.com.