How it works Pricing Log in Claim your store →
Legal

Privacy Policy

Last updated: 1 January 2025 · Compliant with the Nigeria Data Protection Regulation (NDPR) 2019

Short version: We collect only what we need to run your store and improve the platform. We do not sell your data. You can delete your account and all your data at any time. We comply with the Nigeria Data Protection Regulation (NDPR).

1. Overview

carts.ng ("we", "us", "our") is committed to protecting the personal data of everyone who uses our platform — sellers and their customers. This Privacy Policy explains what data we collect, why, how we use it, and your rights under the Nigeria Data Protection Regulation (NDPR) 2019 and other applicable laws.

By using carts.ng, you agree to the practices described in this policy. If you have any questions, you can reach us at hello@carts.ng.

2. What data we collect

Data you provide directly

DataWhen
Name, email address, phone numberWhen you create an account
Store handle, store name, store descriptionWhen you set up your store
Product names, descriptions, photos, pricesWhen you list products
Customer order details (name, phone, delivery address)When a buyer places an order in your store
Notification and preference settingsWhen you update your account settings

Data we collect automatically

DataPurpose
IP address, browser type, device typeSecurity and fraud prevention
Pages visited, actions taken in the appProduct improvement and bug fixing
Date and time of activitySecurity logs

Data from third-party services

If you sign up or log in using Google, we receive your name and email address from Google. We do not receive your Google password.

If you use our AI features, your voice input or product text is processed by our AI provider to generate descriptions. We do not store the raw voice input after processing.

3. How we use your data

We use the data we collect to:

  • Operate your store — display your products, receive orders, send you notifications
  • Provide AI features — generate product descriptions from your voice or text input
  • Communicate with you — send order notifications, account emails, and (with your consent) product updates
  • Improve the platform — understand how features are used and fix issues
  • Ensure security — detect fraud, protect accounts, comply with legal obligations

We process your data based on:

  • Contract — to perform the service you signed up for
  • Consent — for optional features like push notifications and marketing emails (you can withdraw consent at any time)
  • Legitimate interests — for security and product improvement
  • Legal obligation — where required by Nigerian law

4. Who we share data with

We do not sell your data. We share data only with the following categories of third parties, and only to the extent necessary:

  • Cloud infrastructure (Google Firebase) — stores your data securely in Google's cloud. Google processes data under its own privacy policy and our data processing agreement with them.
  • Email delivery (Resend) — used to send order notification emails to you. Resend receives the email address and message content only.
  • AI services — your product text or voice input is sent to our AI provider for processing. We use contractual protections to prevent your data being used to train third-party AI models.
  • Analytics — we may use privacy-respecting analytics tools. Where we do, we configure them to minimise data collection and disable cross-site tracking.
  • Law enforcement — where required to comply with a valid legal order from a Nigerian authority.

Your customers' order data (name, address, phone) is visible only to you as the store owner. We do not share it with any third party other than those listed above.

5. Storage and security

Your data is stored on Google Firebase infrastructure, hosted in data centres that meet industry security standards. We implement:

  • Encryption in transit (HTTPS/TLS) for all data
  • Encryption at rest for stored data
  • Access controls — only authorised personnel can access production data
  • Firestore security rules that ensure sellers can only access their own store data

No security system is perfect. In the event of a data breach that may affect your rights, we will notify you and the Nigeria Data Protection Bureau within the timeframes required by law.

6. Data retention

We keep your data for as long as your account is active. If you delete your account:

  • Your store is taken offline immediately
  • Your personal data and store data are deleted within 30 days
  • Order data may be retained for up to 12 months in anonymised or aggregated form to comply with financial record-keeping obligations
  • We may retain logs for up to 90 days for security purposes

7. Your rights

Under the NDPR and applicable law, you have the following rights:

Right to access Request a copy of the personal data we hold about you.
Right to rectification Ask us to correct inaccurate or incomplete data.
Right to erasure Ask us to delete your personal data. You can do this by deleting your account.
Right to object Object to processing based on legitimate interests, including marketing.
Right to portability Export your product catalogue and order history from Settings.
Right to withdraw consent Turn off optional data processing (e.g. push notifications) at any time in Settings.

To exercise any right, email hello@carts.ng. We will respond within 30 days. We may ask you to verify your identity before acting on a request.

8. Cookies

carts.ng uses a small number of cookies and similar technologies:

  • Authentication cookies — used to keep you logged in. These are strictly necessary and cannot be disabled without logging out.
  • Preference cookies — store settings like notification preferences in your browser's local storage.
  • Analytics — if used, are configured to set no cross-site cookies and to anonymise IP addresses.

We do not use advertising cookies or allow third-party advertisers to set cookies on our platform.

9. Children

carts.ng is not directed at children under 18. We do not knowingly collect data from people under 18. If you believe a child has created an account, please contact us and we will delete it.

10. International data transfers

Your data is primarily stored in Google Firebase, which may involve storage in data centres outside Nigeria. Where data is transferred outside Nigeria, we ensure appropriate safeguards are in place through contractual protections in line with the NDPR's requirements for cross-border data transfers.

11. Changes to this policy

We may update this policy from time to time. When we make significant changes, we will notify you by email. The date at the top of this page shows when it was last updated. Your continued use of carts.ng after changes take effect means you accept the updated policy.

12. Contact and complaints

If you have any questions about this policy or how we handle your data:

If you are not satisfied with our response, you have the right to lodge a complaint with the Nigeria Data Protection Bureau (NDPB), which supervises compliance with the NDPR. More information is available at ndpb.gov.ng.

© 2025 carts.ng. All rights reserved. This policy applies to carts.ng and the carts.ng mobile application.