
Privacy Policy

Your Privacy Matters to Us

We are committed to protecting your personal data and respecting your rights under Nigerian and applicable international data protection law.

Last updated: 4 May 2026 | Effective: 4 May 2026 | 14 sections

This document is governed by the laws of the Federal Republic of Nigeria, including the Nigeria Data Protection Act (NDPA) 2023, FCCPA 2018, and Cybercrimes (Prohibition, Prevention, etc.) Act 2015.

1

Introduction

Welcome to BitesBanq ("we", "our", or "us"). BitesBanq is a food savings and marketplace platform operated by Bitesbanq Limited, a company incorporated under the Companies and Allied Matters Act (CAMA) 2020 in the Federal Republic of Nigeria.

This Privacy Policy explains how we collect, use, disclose, store, and protect your personal data when you access or use our website at bitesbanq.com, our mobile application, and any related services (collectively, the "Platform").

This Policy is issued in compliance with the Nigeria Data Protection Act (NDPA) 2023, the Nigeria Data Protection Regulation (NDPR) 2019, and all applicable guidelines issued by the Nigeria Data Protection Commission (NDPC). By accessing or using the Platform, you confirm that you have read, understood, and agree to the terms of this Privacy Policy.

If you do not agree with this Policy, you must discontinue use of the Platform immediately.

2

Who We Are (Data Controller)

For the purposes of applicable Nigerian data protection law, Bitesbanq Limited has registered as an Individual Data Controller in respect of personal data collected through the Platform.

Registered Name: Bitesbanq Limited

Registered Address: Jo, Federal Republic of Nigeria

Email: privacy@bitesbanq.com

Data Protection Officer (DPO): dpo@bitesbanq.com

We have designated a Data Protection Officer (DPO) as required under Section 32 of the NDPA 2023. You may contact our DPO at any time regarding matters relating to the processing of your personal data.

3

Information We Collect

We collect personal data from you in the following categories, depending on how you interact with our Platform:

a) Information You Provide Directly

  • Full name, email address, phone number, and city/state of residence
  • Username and password upon account registration
  • Payment and billing information (processed via PCI-DSS compliant third-party processors)
  • Profile information, food preferences, and dietary restrictions
  • Communications you send us via contact forms, email, or in-app chat
  • Vendor onboarding information (business name, CAC registration number, bank details)

b) Information Collected Automatically

  • Device identifiers (device type, operating system, browser type, IP address)
  • Usage data (pages visited, features used, clicks, time on page)
  • Location data (if you grant permission, to show nearby vendors and delivery options)
  • Cookies and similar tracking technologies (see Section 9)
  • Transaction history and purchasing behaviour on the Platform

c) Information from Third Parties

  • Identity and credit information from payment gateways and financial institutions
  • Social media profile information (if you register using a social sign-in)
  • Analytics and marketing data from advertising partners
  • Fraud prevention signals from security service providers

We only collect personal data that is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed, in accordance with the data minimisation principle under Section 24(1)(c) of the NDPA 2023.

4

How We Use Your Information

We use the personal data we collect for the following purposes:

  • Account creation and management — to register you on the Platform and maintain your account
  • Service delivery — to process orders, facilitate marketplace transactions, manage your Savings Wallet, and deliver Buy-Now-Pay-Later services
  • Payments processing — to authorise, settle, and reconcile financial transactions in compliance with CBN payment system guidelines
  • Customer support — to respond to your enquiries, complaints, and service requests
  • Communications — to send you service updates, transaction receipts, promotional offers, and newsletters (where you have consented)
  • Personalisation — to tailor your experience, recommend products, and provide relevant content based on your preferences
  • Security and fraud prevention — to detect, investigate, and prevent fraudulent, abusive, or unlawful activities on the Platform
  • Analytics and product improvement — to understand user behaviour and improve our features, performance, and design
  • Legal compliance — to comply with applicable laws, regulatory obligations, court orders, and lawful requests from government authorities
  • Marketing — to send you promotional communications where you have opted in, and to run targeted advertising campaigns

6

Sharing Your Information

We do not sell your personal data. We may share your personal data with the following categories of recipients, only to the extent necessary and with appropriate safeguards:

  • Service Providers & Processors: Payment gateways (e.g., Paystack, Flutterwave), cloud hosting providers, email delivery services (e.g., Resend, Mailchimp), analytics providers, and customer support tools — all bound by data processing agreements ensuring adequate protection.
  • Vendors on our Marketplace: To fulfil orders, we share your name, delivery address, and order details with the relevant vendor. Vendors are prohibited from using your data for any purpose beyond order fulfilment.
  • Financial & Regulatory Authorities: In compliance with CBN, EFCC, SCUML, and other applicable regulations, we may disclose data to financial intelligence units and regulatory bodies as required by law.
  • Law Enforcement & Legal Proceedings: Where required by a valid court order, subpoena, or lawful request by a Nigerian government authority under the Cybercrimes Act 2015 or other applicable legislation.
  • Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity, subject to the same level of protection.
  • With Your Consent: With any other third party where you have provided explicit consent.

7

Data Retention

We retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required by applicable law. Our retention periods are determined by:

  • Account data: Retained for the duration of your account and for five (5) years after account closure, in compliance with financial record-keeping requirements under CBN regulations and the FIRS Act.
  • Transaction records: Retained for a minimum of six (6) years as required by the Money Laundering (Prevention and Prohibition) Act 2022 and CBN AML/CFT Regulations.
  • Marketing data: Until you withdraw consent or opt out of marketing communications.
  • Support communications: For two (2) years from the date of the last communication.

Upon expiry of applicable retention periods, personal data is securely deleted or anonymised in a manner that prevents re-identification.

8

Your Rights as a Data Subject

Under the Nigeria Data Protection Act (NDPA) 2023, you have the following rights in respect of your personal data. To exercise any of these rights, contact us at privacy@bitesbanq.com. We will respond within 30 days of receiving a verifiable request.

Right of Access (Section 34)

Request a copy of the personal data we hold about you and information about how it is processed.

Right to Rectification (Section 35)

Request correction of inaccurate or incomplete personal data.

Right to Erasure (Section 36)

Request deletion of your personal data where it is no longer necessary, or where consent has been withdrawn and there is no other lawful basis for processing.

Right to Restriction (Section 37)

Request that we restrict processing of your personal data in certain circumstances.

Right to Data Portability (Section 38)

Receive your personal data in a structured, commonly used, and machine-readable format, and request transfer to another controller.

Right to Object (Section 39)

Object to processing based on legitimate interests or for direct marketing purposes, including profiling.

Right to Withdraw Consent

Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.

Right Against Automated Decision-Making

Not to be subject to a decision based solely on automated processing, including profiling, that significantly affects you.

Note: We may request proof of identity before processing your request to prevent unauthorised disclosure of your data.

9

Cross-Border Data Transfers

We operate primarily within Nigeria. However, some of our third-party service providers are located outside Nigeria, which may result in your personal data being transferred to, stored in, or processed in other countries.

Where we transfer personal data outside Nigeria, we do so only in accordance with Section 43 of the NDPA 2023 and applicable NDPC regulations, which require that:

  • The destination country provides an adequate level of data protection;
  • Appropriate safeguards are in place (e.g., Standard Contractual Clauses, binding corporate rules, or adequacy decisions); or
  • You have provided explicit consent to the transfer after being informed of the risks.

Our primary cloud service providers maintain data residency options and are bound by data processing agreements that meet NDPA standards.

10

Cookies & Tracking Technologies

We use cookies and similar technologies (such as web beacons, pixels, and local storage) to operate the Platform and enhance your experience.

Strictly Necessary Cookies

Essential for the Platform to function. These cannot be disabled. Examples: authentication tokens, session management, CSRF protection.

Analytics Cookies

Used to understand how visitors interact with the Platform (e.g., Google Analytics, where enabled via NEXT_PUBLIC_GA_ID). Data is aggregated and anonymised.

Preference Cookies

Store your settings and preferences (e.g., language, currency) to personalise your experience.

Marketing Cookies

Used to deliver relevant advertising and track campaign effectiveness. Only enabled with your explicit consent.

You may manage or withdraw consent for non-essential cookies at any time via your browser settings. Note that disabling certain cookies may affect Platform functionality.

11

Security of Your Data

We implement appropriate technical and organisational security measures to protect your personal data against unauthorised access, accidental loss, destruction, or disclosure. Our security measures include:

  • Encryption of data in transit using TLS 1.2 or higher
  • Encryption of sensitive data at rest
  • Access controls and role-based permissions for staff
  • Regular security audits and vulnerability assessments
  • Multi-factor authentication for administrative access
  • Incident response procedures and data breach notification protocols

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Nigeria Data Protection Commission (NDPC) within 72 hours of becoming aware of the breach, and will notify you without undue delay where required under Section 40 of the NDPA 2023.

No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

12

Children's Privacy

The Platform is not directed at children under the age of 18 years. We do not knowingly collect personal data from minors. In accordance with the Child Rights Act 2003 and NDPA 2023, we require users to be at least 18 years of age or the age of majority in their jurisdiction to use the Platform independently.

If you believe that we have inadvertently collected personal data from a child under 18 without verifiable parental or guardian consent, please contact us immediately at privacy@bitesbanq.com and we will take steps to delete such data promptly.

13

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:

  • Post the updated Policy on this page with a revised "Last Updated" date
  • Send you an in-app notification or email if the changes are significant
  • Where required by law, seek your fresh consent

We encourage you to review this Policy periodically. Your continued use of the Platform after the effective date of any changes constitutes acceptance of the updated Policy.

14

Lodging a Complaint

If you believe that we have violated your rights under applicable data protection law, we encourage you to contact us first so that we can resolve your concern:

Data Protection Officer: dpo@bitesbanq.com

Privacy Team: privacy@bitesbanq.com

If you are not satisfied with our response, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC):

Nigeria Data Protection Commission (NDPC)

Website: ndpc.gov.ng

Email: info@ndpc.gov.ng

Address: Plot 2, Luanda Street, Wuse Zone 5, Abuja, FCT, Nigeria

If you have any questions about this document, please contact us or email legal@bitesbanq.com.