Data Protection Policy (v1.3 — pre-beta)

Back to Legal hub
🔒 Data protection

Data Protection Policy (v1.3 — pre-beta)

Updated for beta launch. Adds biometrics, audit-v2, professionals directory, mortgage data sharing, phone-number authentication, device fingerprinting and FIRS reporting.

Version 1.3 Effective 1 July 2026

Data Protection Policy (v1.3)

> This version supersedes v1.2 for activities on or after 1 July 2026. > The headline change: new sections covering biometrics, the audit-v2 > hash-chain, the professionals directory, mortgage data sharing, phone > authentication, device fingerprinting and FIRS / WHT reporting. Existing > commitments around NDPA / NDPR compliance, encryption, access controls > and your subject rights are unchanged.

Legal basis

We process personal data under the Nigeria Data Protection Act (2023), the Nigeria Data Protection Regulation (2019), and — for users in the EU — the GDPR. Our Data Protection Officer is registered with the Nigeria Data Protection Commission (NDPC) and reachable at dpo@qonstruct-mart.com.

What we collect — full inventory

Identity & verification

  • Full name, date of birth, gender, address, BVN (hashed), NIN (hashed),

email and phone (hashed).

  • Government ID document image (encrypted at rest with envelope encryption).
  • Biometric template — face vector derived from a SmartSelfie video

for KYC and high-risk-site check-in. We store the irreversible vector, not the raw video. Vendor: Smile Identity (NDPR-registered).

  • Liveness signals — head pose, blink, depth cues from the same

selfie session. Used once, then discarded.

Financial

  • Bank account number + bank name, BVN-validated for ownership.
  • Wallet balance + every transaction.
  • Source-of-funds declaration for top-ups above ₦5M.
  • WHT (Withholding Tax) certificates generated against your TIN.
  • Mortgage application — household income, dependents, employment

letter, 6 months of statements. Shared only with the specific lender you select.

Professional profile (new)

  • Trade(s), service states, hourly / day-rate hints, portfolio photos +

videos, credentials (CAC, COREN, ARCON, NIESV, NBA, SURCON, NIQS, CITN, NABCEP, manufacturer certs).

  • Public-by-design if you publish a profile: display name, kind,

headline, bio, city, state coverage, tier badge, rolling ratings.

  • Private to you unless explicitly shared: credential document scans

(we show the issuer + reference number only), bank account, contact details.

Project & investment

  • Projects you post, bids you submit, commitments you make, votes you

cast, evidence you upload, comments you write.

  • Coordinator site-visit photos + GPS coordinates at gated milestone

decisions.

Behavioural & device

  • Session activity, pages visited, feature usage.
  • Device fingerprint — a hashed identifier covering screen, OS,

font + WebGL hash. Used only to detect session hijacking. Cannot be reversed into the underlying values.

  • Mobile App Attestation — verifies the app is genuine. Apple App

Attest (iOS) or Google Play Integrity (Android). No PII in payload.

  • IP address — kept for 90 days for security investigation, then

truncated to /16.

Communications

  • Email, SMS and push notifications you receive from us.
  • SIM-swap signals — phone-line carrier observed at OTP send vs

observed at OTP verify. Used to refuse a flagged session.

How we protect it

  • Encryption at rest — AES-256-GCM envelope encryption for all

sensitive documents and PII. Each tenant has its own data-encryption key (DEK) wrapped by a master KEK.

  • Encryption in transit — TLS 1.3 only.
  • Audit-v2 hash chain — every action that touches PII is recorded

in a tenant-scoped hash chain. The chain head is publicly notarised monthly so we can prove no record has been altered.

  • Access controls — role-based, region-scoped, MFA on every staff

session, passkeys preferred for users.

  • Mobile parity — device-bind on sign-in + per-request fingerprint

verification + attestation. The same MFA token (x-mfa-token) governs safety-critical actions on web and mobile.

  • Network controls — Cloudflare in front, strict CSP with per-request

nonce, Turnstile on authentication endpoints, SSRF allowlist on outbound HTTP.

  • PII minimisation — we hash phone, BVN and NIN at the edge; the

raw value never reaches our application database.

  • Cooling-off holds — actions of high consequence (changing email,

withdrawing > ₦5M, replacing passkey) sit in a hold for 12–48 hours while we notify all your devices.

Who we share with — exhaustive list

| Recipient | What we share | Why | Legal basis | |---|---|---|---| | Smile Identity | BVN, NIN, selfie | KYC + face check-in | Consent + contract | | Paystack / Flutterwave | Name, email, amount, txn ref | Card / transfer processing | Contract | | Termii / Sendchamp | Phone, message body | SMS delivery | Contract | | Selected mortgage lender | Full application + supporting docs | Loan underwriting | Consent | | NFIU / EFCC / SEC Nigeria | Specific records | Legal compulsion | Legal obligation | | FIRS | TIN, taxable amount, WHT due | Tax filing | Legal obligation | | CAC / state lands / LIRS | Specific identifiers | Document verification | Legal obligation | | External auditors (KPMG / PwC tier) | Reviewed subset under NDA | Audit assurance | Legitimate interest |

We do not sell personal data and we do not share it with marketing partners. We do not train AI models on your private data. Our Co-pilot operates over your data session-by-session and does not retain it past the response.

Retention

| Data class | Retention | Why | |---|---|---| | Auth + session logs | 90 days | Security investigation | | IP addresses (full) | 90 days | Security investigation | | Transaction records | 7 years | NFIU / FIRS requirements | | Audit-v2 events | 7 years | Investor protection | | KYC documents | 7 years post-account-closure | NDPR + NFIU | | Biometric face vector | While account active + 90 days | NDPR Article 13 | | Coordinator site-visit photos | While the investment is active + 3 years | Investor evidence | | Professional credentials | While profile is published + 1 year | Buyer recourse | | Welcome-email engagement | 18 months | Programme tuning |

Your rights (NDPR Section 23)

  • Access — request a copy of all data we hold about you, in JSON +

the original document files. Delivered within 30 days.

  • Correction — fix inaccurate data. We update derived fields too.
  • Erasure — delete your account. Subject to the 7-year regulatory

hold on transaction records (those are archived, not deleted).

  • Portability — receive your data in a machine-readable format

(JSON + ZIP of documents).

  • Objection — opt out of welcome emails, marketing notifications,

and the public professional profile (you can keep the bookable account without appearing in the directory).

  • Complaint — to our DPO first, then to NDPC (ndpc.gov.ng)

if unsatisfied.

Exercise these rights at privacy@qonstruct-mart.com or from My account → Privacy in the app.

Children

Qonstruct-Mart is not for under-18s. We do not knowingly process the data of children. If you suspect we have, write to dpo@qonstruct-mart.com and we will delete it.

Cross-border transfer

Production data is hosted in Lagos (af-west-1). The only routine cross-border transfers are to Smile Identity (Nigeria + Kenya — same sub-region), Cloudflare (global edge — TLS-terminated only, no application data), and our payment processors (compliant under their own NDPR registrations). We do not transfer raw PII to the EU, US, or elsewhere without a specific legal-basis agreement and your consent.

Changes to this policy

We will notify you in-app and by email at least 30 days before any material change. The old version remains accessible at /legal/data-protection-policy (v1.2). The audit-v2 record of which version was in effect at any given date is verifiable on demand.

Questions about this policy? Email legal@qonstruct-mart.com.