Data Protection Policy (v1.3)
> This version supersedes v1.2 for activities on or after 1 July 2026. > The headline change: new sections covering biometrics, the audit-v2 > hash-chain, the professionals directory, mortgage data sharing, phone > authentication, device fingerprinting and FIRS / WHT reporting. Existing > commitments around NDPA / NDPR compliance, encryption, access controls > and your subject rights are unchanged.
Legal basis
We process personal data under the Nigeria Data Protection Act (2023), the Nigeria Data Protection Regulation (2019), and — for users in the EU — the GDPR. Our Data Protection Officer is registered with the Nigeria Data Protection Commission (NDPC) and reachable at dpo@qonstruct-mart.com.
What we collect — full inventory
Identity & verification
- Full name, date of birth, gender, address, BVN (hashed), NIN (hashed),
email and phone (hashed).
- Government ID document image (encrypted at rest with envelope encryption).
- Biometric template — face vector derived from a SmartSelfie video
for KYC and high-risk-site check-in. We store the irreversible vector, not the raw video. Vendor: Smile Identity (NDPR-registered).
- Liveness signals — head pose, blink, depth cues from the same
selfie session. Used once, then discarded.
Financial
- Bank account number + bank name, BVN-validated for ownership.
- Wallet balance + every transaction.
- Source-of-funds declaration for top-ups above ₦5M.
- WHT (Withholding Tax) certificates generated against your TIN.
- Mortgage application — household income, dependents, employment
letter, 6 months of statements. Shared only with the specific lender you select.
Professional profile (new)
- Trade(s), service states, hourly / day-rate hints, portfolio photos +
videos, credentials (CAC, COREN, ARCON, NIESV, NBA, SURCON, NIQS, CITN, NABCEP, manufacturer certs).
- Public-by-design if you publish a profile: display name, kind,
headline, bio, city, state coverage, tier badge, rolling ratings.
- Private to you unless explicitly shared: credential document scans
(we show the issuer + reference number only), bank account, contact details.
Project & investment
- Projects you post, bids you submit, commitments you make, votes you
cast, evidence you upload, comments you write.
- Coordinator site-visit photos + GPS coordinates at gated milestone
decisions.
Behavioural & device
- Session activity, pages visited, feature usage.
- Device fingerprint — a hashed identifier covering screen, OS,
font + WebGL hash. Used only to detect session hijacking. Cannot be reversed into the underlying values.
- Mobile App Attestation — verifies the app is genuine. Apple App
Attest (iOS) or Google Play Integrity (Android). No PII in payload.
- IP address — kept for 90 days for security investigation, then
truncated to /16.
Communications
- Email, SMS and push notifications you receive from us.
- SIM-swap signals — phone-line carrier observed at OTP send vs
observed at OTP verify. Used to refuse a flagged session.
How we protect it
- Encryption at rest — AES-256-GCM envelope encryption for all
sensitive documents and PII. Each tenant has its own data-encryption key (DEK) wrapped by a master KEK.
- Encryption in transit — TLS 1.3 only.
- Audit-v2 hash chain — every action that touches PII is recorded
in a tenant-scoped hash chain. The chain head is publicly notarised monthly so we can prove no record has been altered.
- Access controls — role-based, region-scoped, MFA on every staff
session, passkeys preferred for users.
- Mobile parity — device-bind on sign-in + per-request fingerprint
verification + attestation. The same MFA token (x-mfa-token) governs safety-critical actions on web and mobile.
- Network controls — Cloudflare in front, strict CSP with per-request
nonce, Turnstile on authentication endpoints, SSRF allowlist on outbound HTTP.
- PII minimisation — we hash phone, BVN and NIN at the edge; the
raw value never reaches our application database.
- Cooling-off holds — actions of high consequence (changing email,
withdrawing > ₦5M, replacing passkey) sit in a hold for 12–48 hours while we notify all your devices.
Who we share with — exhaustive list
| Recipient | What we share | Why | Legal basis | |---|---|---|---| | Smile Identity | BVN, NIN, selfie | KYC + face check-in | Consent + contract | | Paystack / Flutterwave | Name, email, amount, txn ref | Card / transfer processing | Contract | | Termii / Sendchamp | Phone, message body | SMS delivery | Contract | | Selected mortgage lender | Full application + supporting docs | Loan underwriting | Consent | | NFIU / EFCC / SEC Nigeria | Specific records | Legal compulsion | Legal obligation | | FIRS | TIN, taxable amount, WHT due | Tax filing | Legal obligation | | CAC / state lands / LIRS | Specific identifiers | Document verification | Legal obligation | | External auditors (KPMG / PwC tier) | Reviewed subset under NDA | Audit assurance | Legitimate interest |
We do not sell personal data and we do not share it with marketing partners. We do not train AI models on your private data. Our Co-pilot operates over your data session-by-session and does not retain it past the response.
Retention
| Data class | Retention | Why | |---|---|---| | Auth + session logs | 90 days | Security investigation | | IP addresses (full) | 90 days | Security investigation | | Transaction records | 7 years | NFIU / FIRS requirements | | Audit-v2 events | 7 years | Investor protection | | KYC documents | 7 years post-account-closure | NDPR + NFIU | | Biometric face vector | While account active + 90 days | NDPR Article 13 | | Coordinator site-visit photos | While the investment is active + 3 years | Investor evidence | | Professional credentials | While profile is published + 1 year | Buyer recourse | | Welcome-email engagement | 18 months | Programme tuning |
Your rights (NDPR Section 23)
- Access — request a copy of all data we hold about you, in JSON +
the original document files. Delivered within 30 days.
- Correction — fix inaccurate data. We update derived fields too.
- Erasure — delete your account. Subject to the 7-year regulatory
hold on transaction records (those are archived, not deleted).
- Portability — receive your data in a machine-readable format
(JSON + ZIP of documents).
- Objection — opt out of welcome emails, marketing notifications,
and the public professional profile (you can keep the bookable account without appearing in the directory).
- Complaint — to our DPO first, then to NDPC (ndpc.gov.ng)
if unsatisfied.
Exercise these rights at privacy@qonstruct-mart.com or from My account → Privacy in the app.
Children
Qonstruct-Mart is not for under-18s. We do not knowingly process the data of children. If you suspect we have, write to dpo@qonstruct-mart.com and we will delete it.
Cross-border transfer
Production data is hosted in Lagos (af-west-1). The only routine cross-border transfers are to Smile Identity (Nigeria + Kenya — same sub-region), Cloudflare (global edge — TLS-terminated only, no application data), and our payment processors (compliant under their own NDPR registrations). We do not transfer raw PII to the EU, US, or elsewhere without a specific legal-basis agreement and your consent.
Changes to this policy
We will notify you in-app and by email at least 30 days before any material change. The old version remains accessible at /legal/data-protection-policy (v1.2). The audit-v2 record of which version was in effect at any given date is verifiable on demand.