Privacy Policy

At Earnstack, we are committed to protecting your privacy and personal data in compliance with the Nigeria Data Protection Regulation (NDPR) 2019. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our cashback loyalty platform. Please read this policy carefully. By accessing or using Earnstack, you agree to the collection and use of information in accordance with this policy.

1. Data Controller and Processor

Under the NDPR:

• Business Customers: When you use Earnstack as a business, you are the Data Controller for your customer data. You determine the purposes and means of processing your customers' personal data.
• Earnstack: We act as a Data Processor on your behalf. We process your customer data only according to your instructions and for the purpose of providing our cashback loyalty services.
• End Customers: Individuals participating in your loyalty program are Data Subjects. Their rights are protected under NDPR, and we assist you in fulfilling your obligations to them.

2. Information We Collect

We collect different types of information depending on your relationship with us:

For Businesses:

• Account Information: Business name, registration number, owner/representative details, contact information, bank details for subscription payments.
• Operational Information: Store locations, products/services, pricing, transaction methods, business preferences.
• Financial Information: Subscription payment details, transaction volumes, cashback funding information.
• Communication Data: Emails, support requests, feedback, and other correspondence.

For End Customers (processed on behalf of Businesses):

• Identification Data: Name, phone number, email address (as provided to the Business).
• Transaction Data: Purchase history, amounts, dates, items purchased, cashback earned and redeemed.
• Loyalty Data: Cashback balance, reward preferences, redemption history.
• Device Data: IP address, browser type, device information (collected automatically for security and analytics).

3. How We Use Information

We use collected information for the following purposes:

• Service Provision: To operate and maintain the Earnstack platform, process cashback calculations, manage customer rewards.
• Business Management: To manage subscriptions, process payments, provide customer support, send service notifications.
• Analytics and Improvement: To analyze platform usage, improve our services, develop new features (using anonymized, aggregated data).
• Security and Compliance: To protect against fraud, ensure platform security, comply with legal obligations under Nigerian law.
• Communication: To send important updates, respond to inquiries, provide technical support.

4. Legal Basis for Processing

Under NDPR, we process personal data based on the following legal grounds:

• Contractual Necessity: Processing necessary to fulfill our service agreement with Businesses.
• Legitimate Interests: Processing for our legitimate business interests, balanced against data subjects' rights.
• Legal Compliance: Processing necessary to comply with Nigerian laws and regulations.
• Consent: For specific purposes where consent is required and obtained (e.g., marketing communications).

5. Data Sharing and Disclosure

We do not sell personal data. We may share information in the following circumstances:

• With Service Providers: We engage trusted Nigerian and international service providers for hosting, payment processing, SMS delivery, and customer support. All providers are bound by data protection agreements.
• For Legal Compliance: We may disclose information if required by Nigerian law, court order, or governmental authorities.
• Business Transfers: In connection with a merger, acquisition, or sale of assets, customer information may be transferred as a business asset.
• With Consent: We share information with third parties when we have explicit consent.

6. Data Security

We implement appropriate technical and organizational measures to protect personal data:

• Encryption: Data in transit is encrypted using TLS/SSL protocols. Sensitive data at rest is encrypted.
• Access Controls: Strict access controls and authentication mechanisms.
• Regular Audits: Security assessments and penetration testing.
• Employee Training: Regular data protection training for all staff.
• Incident Response: Procedures for detecting, reporting, and investigating data breaches in compliance with NDPR requirements.

7. Data Retention

We retain personal data only as long as necessary:

• Business Data: Retained for the duration of the subscription plus 7 years for tax and compliance purposes.
• Customer Data: Retained as long as the Business maintains an active account, plus 1 year after account termination to facilitate data export.
• Transaction Records: Retained for 7 years as required by Nigerian financial regulations.
• Backup Data: Regularly deleted according to our data retention schedule.

8. Data Subject Rights (NDPR Rights)

Under NDPR, data subjects have the following rights. As a Data Processor, we assist Businesses in fulfilling these rights for their customers:

• Right to Access: Individuals can request access to their personal data.
• Right to Rectification: Individuals can request correction of inaccurate data.
• Right to Erasure: Individuals can request deletion of their data under certain conditions.
• Right to Restrict Processing: Individuals can request limitation of data processing.
• Right to Data Portability: Individuals can request their data in a structured, machine-readable format.
• Right to Object: Individuals can object to certain types of processing.
• Right to Withdraw Consent: Where processing is based on consent, individuals can withdraw consent at any time.

9. International Data Transfers

As a Nigerian-focused service, we primarily process data within Nigeria. However, some service providers may be located outside Nigeria. In such cases, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the Nigeria Data Protection Bureau, or we ensure the country provides an adequate level of data protection as determined by Nigerian authorities.

10. Cookies and Tracking Technologies

We use cookies and similar technologies:

• Essential Cookies: Required for platform functionality, authentication, and security.
• Analytics Cookies: Help us understand how users interact with our platform.
• Preference Cookies: Remember user settings and preferences.
• Users can control cookie preferences through browser settings. Disabling essential cookies may affect platform functionality.

11. Children's Privacy

Our Services are not directed to individuals under 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without parental consent, we will take steps to delete that information. Businesses using our service must not collect data from children without appropriate parental consent as required by Nigerian law.

12. Data Protection Officer

In compliance with NDPR requirements for significant data processing, Earnstack has appointed a Data Protection Officer (DPO). The DPO oversees our data protection strategy and implementation. You can contact our DPO at:
Email: dpo@earnstack.com
Address: Data Protection Officer, Earnstack, Lagos, Nigeria

13. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, services, or legal requirements. We will notify Businesses of material changes via email at least 30 days before changes take effect. We encourage you to review this policy regularly to stay informed about how we protect your information.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Email: support@earnstack.ng
Address: Earnstack, Ibadan, Nigeria
Phone: +234 703 380 9561

For NDPR-related complaints, you may also contact the Nigeria Data Protection Bureau.