Privacy Policy

This policy applies to four groups of people:

Under Nigerian data protection law (NDPR 2019 and NDPA 2023), we are required to have a lawful basis for processing personal information. We rely on the following:

• Contractual necessity — to process your orders, manage your account, or pay out your earnings as a merchant.
• Legal obligation — for financial record-keeping, identity verification, and responding to lawful requests from competent authorities.
• Legitimate interest — where we have a genuine business reason that does not unfairly override your privacy rights. Examples include fraud prevention, platform security, and internal analytics.
• Consent — for optional activities such as marketing communications. You may withdraw consent at any time.

Information you provide

When you create an account or use the Platform, we collect:

• Your name, email address, and phone number
• A password — stored as a secure hash; never in plain text
• A profile picture, if you choose to provide one or import it via Google or Apple sign-in

Information collected automatically

When you use the Platform, we automatically collect:

• Device information — device type, operating system, app version, and device identifiers
• Network information — IP address and mobile network details
• Usage data — features and pages accessed, session duration, navigation paths, error logs
• Push notification tokens — your APNs token (iOS) or FCM token (Android)

Information from third parties

• If you sign in with Google or Apple, we receive your name, email address, and profile picture
• We receive payment confirmation data from Paystack upon completion of a transaction
• We may receive interaction data when you engage with our demand intelligence system on social media

This section applies to people using the Paylo Marketplace app.

Account registration

We collect your name, email address, and password — or your Google or Apple identity if you use SSO.

Payments

Paylo never receives your card number or CVV. Payment details are entered directly into Paystack's secure environment. Upon successful payment, we store only a card token issued by Paystack, together with: card type, last four digits, expiry date, issuing bank, and card country.

Buyer protection

When buyer protection is enabled, a fee of 0.5% of your order subtotal (minimum ₦100, maximum ₦10,000) is collected. This fee is held in escrow and returned to your Paylo Credits balance upon delivery confirmation or automatically after seven days.

Visual search

If you upload a photo to search for products, your image is transmitted to Google Cloud Vision and Replicate for analysis. Paylo does not store your image. Only the search results are returned.

This section applies to people using the Paylo Business app.

Identity verification and payouts (KYC)

Payouts are not available until identity verification is complete. For this purpose, we collect:

• A government-issued ID (NIN card, driver's licence, or international passport)
• Bank account details — account holder name, NUBAN account number, bank name and code
• Business registration details where applicable — company name and CAC registration number
• Optionally, social media profile URLs for brand verification purposes

Transaction records and compliance

Unverified merchants are subject to a ₦500,000 monthly transaction cap. We maintain a detailed audit log of every payment split, escrow state change, and payout event associated with your storefront. This log is retained indefinitely for financial and regulatory compliance purposes.

Across all user types, we use personal information for the following purposes:

• Operating, maintaining, and improving the Platform
• Processing orders, payments, and merchant payouts
• Detecting and preventing fraud and unauthorised access
• Responding to customer and merchant support requests
• Complying with Nigerian law and regulatory requirements
• Conducting internal analytics and product research

We do not sell your personal information. We do not use your data to train third-party AI models. We do not permit advertisers to target you by name or identity on the Platform.

Paylo operates a demand intelligence system that monitors public social media activity to identify product and service intent signals.

What we do not do

• We do not create Paylo accounts on behalf of individuals without their express action
• We do not collect private messages or non-public content
• We do not store personal profile information beyond what is publicly visible

Your rights as a Social User

If you believe your public content has been captured by our system and you wish to have it removed, contact us at legal@usepaylo.com. We will respond within 30 days.

Between customers and merchants

When a transaction occurs, merchants receive your name, contact details, delivery address, and order details — sufficient to fulfil the order. Card details are never shared with merchants.

For legal and regulatory reasons

We may disclose your information where required by a court order, lawful government request, or applicable Nigerian legislation — including to the CBN, NITDA, NDPC, or NFIU where relevant.

The following companies process personal data on our behalf:

We retain your data only for as long as necessary for the purpose it was collected, or as required by law.

You have the following rights in relation to your personal information:

Access

You may request confirmation of whether we hold data about you and obtain a copy of that data.

Correction

Most personal information can be updated directly within the app. Contact us for information you cannot amend yourself.

Deletion

You may request deletion of your account and associated personal data. We will anonymise your information immediately and delete it permanently within 30 days.

Portability

You may request a copy of your data in a structured, commonly used format. Use the "Download Your Data" feature in the app, or email legal@usepaylo.com.

Withdrawal of consent

Where processing is based on your consent, you may withdraw that consent at any time without affecting processing carried out before withdrawal.

We will respond to all rights requests within 30 days. Contact us at legal@usepaylo.com or write to Greyline Innovations Limited, Abuja, Nigeria.

• Encryption in transit — all data transmitted between your device and our servers is protected using TLS/SSL
• Encryption at rest — data stored within Supabase (AWS) is encrypted using AES-256
• Password hashing — passwords are hashed using bcrypt and are never stored in plain text
• Access controls — internal access to personal data is restricted to team members who require it
• Payment security — all card data is handled exclusively by Paystack. We do not receive or store raw card numbers or CVV codes.

Paylo is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If we become aware that we hold data belonging to a minor, we will delete it promptly. Contact us at legal@usepaylo.com if you believe we have inadvertently collected data from someone under 18.

Your data is stored on servers located in London, United Kingdom and West Europe (AWS infrastructure, provisioned via Supabase). Users in Nigeria should be aware that their data is transferred to and processed in these regions when they use the Platform.

By using Paylo, you consent to this transfer. We take steps to ensure that such transfers are carried out in accordance with applicable data protection standards.

Paylo is fully committed to compliance with the Nigeria Data Protection Regulation (NDPR) 2019 and the Nigeria Data Protection Act (NDPA) 2023.

You have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) if you believe your data has been handled unlawfully. More information: ndpc.gov.ng

Our Data Protection Officer is reachable at legal@usepaylo.com.

We may update this policy periodically to reflect changes to our practices, technology, or legal obligations. Where changes are material, we will notify you by email, in-app notification, or a prominent notice on the Platform prior to the changes taking effect.

Your continued use of Paylo following notification of changes constitutes acceptance of the updated policy.

Greyline Innovations Limited

RC No. 9126295, Abuja, Nigeria

We aim to respond to all privacy-related enquiries within 30 days.