Privacy Policy

Section 01

Overview

This Privacy Policy explains how Spots — a platform operated by Digicore — collects, uses, stores, and protects information about you when you use our website at spots.com, our merchant dashboard, our storefront services, and any related APIs or developer tools (collectively, the "Services").

We are committed to protecting your privacy and handling your personal data responsibly, in full compliance with the Nigeria Data Protection Regulation 2019 (NDPR), the Nigeria Data Protection Act 2023 (NDPA), and other applicable data protection laws in jurisdictions where we operate.

Plain English summary: We collect only what we need to run the platform. We do not sell your data. You can ask us to delete your information at any time. This policy applies to everyone — merchants, their customers, developers, and visitors.

Section 02

Who We Are

The data controller responsible for your personal data is:

Digicore (Registered business, Corporate Affairs Commission of Nigeria)

Operating through its product: Spots (spots.com)

Data enquiries: privacy@spots.com

Where Spots processes personal data on behalf of merchants (for example, their customers' order and delivery data), Spots acts as a data processor and the merchant is the data controller. This distinction is governed by our Data Processing Agreement, incorporated by reference into our Terms of Service.

Section 03

Data We Collect

3.1 Data you provide directly

Account registration: name, email address, phone number, business name, and password (stored as a hashed value — never in plain text).
Business profile: business type, operating address, delivery zones, logo, and social links.
Payment details: billing address and payment method. Card details are handled entirely by our payment processors (Paystack, Stripe) and are never stored on our servers.
Custom order briefs: design descriptions, event dates, guest counts, flavour preferences, and any photos or files you upload as part of a custom request.
Consultation bookings: your name, contact details, and the date and time of your appointment.
Support communications: any messages, feedback, or bug reports you send to us.

3.2 Data collected automatically

Usage data: pages visited, features used, session duration, clicks, and navigation paths.
Device and technical data: IP address, browser type and version, operating system, screen resolution, and referring URL.
Transaction data: order IDs, amounts, payment status, delivery addresses, and timestamps.
Log data: server access logs, error logs, and API call records.

3.3 Data received from third parties

Payment processors: transaction status and partial card information (last four digits, card type) for display purposes.
Google Maps API: road distance and geolocation data used to calculate delivery fees. We do not store map queries beyond the current session.
Analytics providers: aggregated and anonymised behavioural data to help us understand how the platform is used.

Section 04

How We Use Your Data

We use the information we collect for the following purposes:

Providing the Services: creating and managing your account, processing orders, calculating delivery fees, sending notifications, and operating the platform's core features.
Developer services: authenticating API keys, managing theme submissions, processing developer payouts, and running the developer portal.
Payments: initiating and confirming payment transactions through Paystack and Stripe. We pass only the minimum required data to these processors.
Communications: sending transactional emails (order confirmations, quote updates, delivery alerts), service announcements, and — where you have opted in — marketing newsletters.
Security and fraud prevention: monitoring for suspicious activity, enforcing rate limits, detecting abuse, and protecting accounts.
Platform improvement: analysing usage patterns to fix bugs, prioritise features, and improve the overall experience.
Legal compliance: meeting our obligations under Nigerian law and any applicable regulations in jurisdictions where our merchants or their customers are located.
Dispute resolution: maintaining records necessary to investigate and resolve complaints or legal claims.

We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects without your explicit consent.

Section 05

Legal Basis for Processing

Under the NDPA 2023 and NDPR 2019, we rely on the following lawful bases:

Contract performance: processing necessary to provide the Services you have signed up for — account creation, order management, payments, and notifications.
Legitimate interests: security monitoring, fraud prevention, analytics, and platform improvement — where these interests are not overridden by your rights.
Consent: marketing newsletters and non-essential cookies, where you have expressly opted in. You may withdraw consent at any time.
Legal obligation: retaining records required under Nigerian tax, commercial, or regulatory law.

Section 06

Sharing & Disclosure

We do not sell, rent, or trade your personal data. We share data only in the following circumstances:

Merchants and their customers: merchants can see the order and delivery data of their own customers within their Spots dashboard. Customers can see only their own data.
Payment processors: Paystack and/or Stripe receive billing data necessary to process transactions. Each processor operates under its own privacy policy and applicable PCI-DSS obligations.
Infrastructure providers: cloud hosting, database, and email delivery providers that process data on our behalf under binding data processing agreements.
Google Maps Platform: delivery address data is passed to the Google Maps API to calculate road distance. Google's Privacy Policy applies to this data.
Legal authorities: where we are required to disclose data by a court order, regulatory authority, or applicable Nigerian law — and only to the extent strictly required.
Business transfers: in the event of a merger, acquisition, or sale of Digicore's assets, your data may be transferred to the acquiring entity, subject to equivalent privacy protections. We will notify you of any such transfer.

All third-party service providers are contractually bound to process your data only for the purposes we specify, and to maintain appropriate security measures.

Section 07

Data Retention

We retain personal data only for as long as necessary for the purpose it was collected, or as required by law. Our general retention periods are:

Active account data: held for the duration of your account plus 90 days after account closure, to allow for reactivation or dispute resolution.
Order and transaction records: 7 years, in compliance with Nigerian tax and commercial law requirements.
Support and communication logs: 2 years from the date of the last interaction.
Marketing consent records: held until you withdraw consent, plus 1 year as evidence of the consent.
Server and access logs: 90 days on a rolling basis.

When data is no longer required, we securely delete or anonymise it. Anonymised, aggregated data (which cannot identify you) may be retained indefinitely for statistical purposes.

Section 08

Your Rights

Under the NDPA 2023, NDPR 2019, and other applicable laws, you have the following rights:

Right of access: request a copy of the personal data we hold about you.
Right to rectification: ask us to correct inaccurate or incomplete data.
Right to erasure ("right to be forgotten"): request deletion of your personal data, subject to our legal retention obligations.
Right to restrict processing: ask us to pause processing of your data in certain circumstances.
Right to data portability: receive your data in a structured, machine-readable format.
Right to object: object to processing based on legitimate interests, including direct marketing.
Right to withdraw consent: where processing is based on consent, withdraw it at any time without penalty. Withdrawal does not affect the lawfulness of prior processing.

To exercise any of these rights, email us at privacy@spots.com. We will respond within 30 days. We may ask you to verify your identity before acting on your request.

If you are a customer of a Spots merchant (for example, someone who placed a cake order on a bakery's Spots storefront), your request should be directed to that merchant first, as they are the data controller for your order data. We will cooperate with the merchant to fulfil your request.

Section 09

Cookies & Tracking Technologies

We use cookies and similar technologies for the following purposes:

Essential cookies: session management, CSRF protection, and authentication. These are required for the platform to function and cannot be disabled.
Functional cookies: remembering your preferences such as language, currency, and dashboard layout.
Analytics cookies: understanding how visitors use the platform so we can improve it. We anonymise this data where possible.
Cart reservation: we use Redis-backed temporary session tokens (not persistent cookies) to hold product reservations in a buyer's cart for a limited time window.

You can manage cookie preferences through your browser settings or our cookie preference centre. Disabling essential cookies will prevent you from using the platform. For full details, see our Cookie Policy.

Section 10

Children's Privacy

Spots is not directed at children under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, please contact us at privacy@spots.com and we will promptly delete it.

Section 11

Security

We implement industry-standard technical and organisational measures to protect your personal data, including:

HTTPS/TLS encryption for all data in transit.
Encrypted storage of sensitive credentials (passwords hashed using bcrypt; API keys stored as hashed tokens).
Database-level isolation — each merchant's data is stored in a separate isolated database, preventing cross-merchant data access.
ACID-compliant transactions for order and inventory operations, preventing data corruption under concurrent load.
Queue-based processing for email and notification delivery — your personal data is not exposed in web-thread memory beyond what is required for a given request.
Role-based access controls limiting Digicore staff access to production data to only what is strictly required.

No system is perfectly secure. In the event of a data breach that poses a risk to your rights, we will notify the Nigeria Data Protection Commission (NDPC) within 72 hours and affected users as soon as reasonably practicable, in accordance with the NDPA 2023.

Section 12

International Data Transfers

Our primary operations and data storage are based in Nigeria. However, some of our third-party service providers — including cloud infrastructure and payment processors — may process data in other countries.

Where data is transferred outside Nigeria, we ensure appropriate safeguards are in place, which may include standard contractual clauses, adequacy decisions, or other mechanisms recognised under the NDPA 2023 and NDPR 2019.

As we expand into other African markets, the European Union, and Asia, we will update this section to reflect any new processing locations and the specific safeguards applicable in each jurisdiction.

Section 13

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Services we offer, or applicable law. When we make material changes, we will:

Update the "Last updated" date at the top of this page.
Display a notice within the Spots dashboard for logged-in users.
Send an email notification to registered merchants where the change is significant.

Your continued use of Spots after the effective date of any update constitutes your acceptance of the revised policy. If you do not agree, you may close your account at any time.

Section 14

Contact & Complaints

For any privacy-related questions, data subject requests, or complaints, please contact Digicore (operators of Spots) at:

Digicore — Operators of Spots

Email: privacy@spots.com

Web: spots.com/contact

If you are not satisfied with our response, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng, or with the relevant supervisory authority in your country of residence.