Introduction
Yellofern (“Yellofern”, “the Company”, “we”, “us”, or “our”) builds digital platforms and related services that help businesses run commerce and operations with less friction. Protecting the people behind that data (i.e. customers, merchants, partners, staff, and visitors) is a core operating standard for us, not an afterthought.
This Data Protection Policy Notice (“Notice”) is issued under the Nigeria Data Protection Act, 2023 (“NDPA” or “the Act”), together with guidance from the Nigeria Data Protection Commission (“NDPC”) and any applicable subsidiary rules. It sets out the categories of personal data we handle, the reasons for processing, how information is safeguarded, and the rights you can exercise.
Scope and Acceptance
This Notice covers personal data processed through Yellofern websites, products, applications, support channels, and broader business activities. It applies whether you are browsing as a visitor, creating an account, onboarding as a merchant, applying for a role, or working with us as a vendor or partner.
By accessing or using Yellofern services, you acknowledge that we will process personal data as described here. Where the law requires a specific consent (for example, certain marketing or cross-border transfers), we will ask for that consent separately and you may withdraw it later without affecting processing that was already lawfully completed.
Where a written agreement with your organisation applies (such as a data processing agreement), that contract governs processing we perform on that organisation's behalf, and this Notice complements (but does not replace) those terms.
Definitions
- “Data Controller”
- means a person who, alone or jointly with others, determines the purposes and means of processing personal data.
- “Data Processor”
- means a person who processes personal data on behalf of, or at the direction of, a data controller.
- “Data Subject”
- means an individual to whom personal data relates.
- “Personal Data”
- means any information relating to an individual who can be identified, directly or indirectly, by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to that individual.
- “Sensitive Personal Data”
- means personal data relating to an individual's genetic and biometric data, race or ethnic origin, religious or other beliefs, health status, sex life, political opinions, or affiliations, trade union membership, and other data the NDPC may prescribe as sensitive from time to time.
- “Processing”
- means any operation performed on personal data, whether automated or not, including collection, recording, organisation, storage, use, disclosure, or destruction.
Who We Are
Under the NDPA, Yellofern is a Data Controller when we decide why and how personal data is processed (i.e. typically when we collect it) through our own sites, product accounts, hiring processes, or direct business operations. We act as a Data Processor when merchants or business clients instruct us to process personal data on their platforms under a data processing agreement.
Personal Data We Collect
The information we hold depends on how you interact with us. It may include:
- Identity and contact data: full name, email address, phone number, residential or business address, date of birth.
- Account and authentication data: usernames, passwords (hashed), account preferences, verification documents.
- Transaction data: order and purchase history, payment references, billing details, invoices. Yellofern does not store full card numbers; payments are handled by licensed third-party payment processors.
- Business and merchant data: company registration details, business address, tax identification, product and inventory information, banking details for settlement purposes.
- Technical and usage data: IP address, device identifiers, browser type, operating system, log-in timestamps, cookies and similar technologies, pages visited, and platform usage patterns.
- Communications data: messages with support, sales, or partnership teams, survey responses, and feedback.
- Employment and recruitment data: CVs, references, qualifications, next-of-kin details, and payroll information for applicants and staff.
We do not knowingly collect Sensitive Personal Data unless it is strictly necessary for a specific, lawful purpose and a valid legal basis under Section 30 of the NDPA, such as explicit consent, has been established.
How We Collect Personal Data
- From you, when you open an account, place an order, submit a form, speak with support, or apply for a role.
- Through our systems, via cookies, analytics, and related technologies while you use our websites or platforms.
- From trusted third parties, including payment processors, identity verification providers, business partners, and lawful public sources, where permitted.
Purpose and Lawful Basis for Processing
Under Section 24 of the NDPA, we process personal data lawfully, fairly, and transparently, and only for clear, legitimate purposes. Our lawful bases under Section 25 include:
Consent
Where you have given clear, informed, and freely given consent for a defined purpose.
Contractual necessity
To perform a contract with you, or to take steps you request before entering one, for example, account setup or order fulfilment.
Legal obligation
To meet obligations such as tax, anti-money laundering, or regulatory reporting.
Vital interest
To protect someone's life or physical safety.
Public interest or official function
Where activities are carried out in the public interest.
Legitimate interest
For interests such as fraud prevention, platform security, and service improvement, provided these do not override your fundamental rights and freedoms.
How we put this into practice: account management, transactions, merchant onboarding, customer support, security monitoring, product improvement, consented marketing, legal compliance, and employment administration.
Marketing Communications
We may send product updates, event invitations, or promotional messages when you have opted in, or where another lawful basis applies. We do not sell your personal data to third parties for their own advertising.
You can stop marketing emails at any time using the unsubscribe link in the message, or by writing to our Data Protection Officer at [email protected]. Service or transactional notices needed to run your account may still be sent even after you opt out of marketing.
Disclosure and Sharing of Personal Data
We do not sell personal data. We may share it with:
- Service providers and sub-processors that support our operations, such as cloud hosting, payment processing, and support tools, under written agreements aligned with Section 28 of the NDPA.
- Merchant or business clients, where we process data on their behalf as part of platform services.
- Regulators, law enforcement, or courts when required by law or valid legal process.
- Professional advisers (auditors, insurers, legal counsel) on a need-to-know basis.
- A successor organisation, if Yellofern merges, is acquired, or restructures, subject to equivalent data protection safeguards.
Cross-Border Transfer of Personal Data
If personal data leaves Nigeria, the transfer must satisfy Sections 41 to 43 of the NDPA. That typically means the destination offers an adequate level of protection through law, binding corporate rules, contractual clauses, a code of conduct, or a certification mechanism, or you have given explicit consent after being told about the possible risks.
Data Retention
We keep personal data only as long as needed for the purposes collected, including legal, accounting, and reporting requirements, in line with Section 24(1)(e) of the NDPA.
- Account and transaction data: kept for the business relationship and a further period to meet statutory and tax duties.
- Marketing data: kept until consent is withdrawn or you object to processing.
- Recruitment data: kept for the hiring process and a limited period afterwards, unless you join the team.
- Technical and log data: kept for a limited period needed for security and diagnostics.
As a general rule, collected personal data is retained for up to 5 years unless a shorter or longer period is required for a particular purpose or by law. When the retention period ends, we securely delete, anonymise, or archive the data under our internal disposal procedures.
Data Subject Rights
Subject to conditions and exceptions in the NDPA, you may exercise the following rights:
Right to be informed
Clear information about how your data is collected and used.
Right of access
Confirmation of whether we process your data, and a copy of it.
Right to rectification
Correction of inaccurate or incomplete data.
Right to erasure
Deletion where data is no longer needed, consent is withdrawn, or processing is unlawful.
Right to restrict processing
Limits on how we use your data in certain cases.
Right to data portability
Your data in a structured, commonly used, machine-readable format, and transfer to another controller where feasible.
Right to object
Objection to processing based on legitimate interest or for direct marketing.
Right to withdraw consent
At any time, without affecting prior lawful processing.
Automated decisions
Freedom from solely automated decisions that produce legal or similarly significant effects, without appropriate safeguards.
Right to complain
Lodge a complaint with the NDPC or seek redress in a Nigerian court of competent jurisdiction.
Send verified requests to our Data Protection Officer. We aim to acknowledge receipt within 5 business days and complete a substantive response within 30 days of verifying your identity and the request, or sooner where the NDPA and its regulations require a shorter period. Complex requests may take longer; if so, we will explain why and update you on progress.
Data Security
We apply technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage, consistent with Section 39 of the NDPA. These include:
- Encryption in transit and, where appropriate, at rest.
- Access controls and role-based permissions.
- Regular security testing, monitoring, and vulnerability assessments.
- Staff training and confidentiality undertakings.
- Written data processing agreements with service providers.
Data Breach Notification
If a personal data breach is likely to risk the rights and freedoms of data subjects, Yellofern will notify the NDPC without undue delay, and within the timeframe in Section 40 of the NDPA. Where the breach is likely to create a high risk for affected people, we will also inform those individuals without undue delay, describing what happened and the steps taken or planned in response.
Children's Data
Our platforms are not directed at children under 18 without parental or guardian consent, in line with Section 31 of the NDPA. If we learn that we collected a child's personal data without the required consent, we will take reasonable steps to delete it.
Third-Party Sites and Services
Yellofern services may link to or integrate with websites, apps, or tools that we do not operate. Those parties have their own privacy practices. This Notice does not cover how they collect or use information. We encourage you to review their policies before sharing personal data with them. We are not responsible for the content or privacy practices of third-party services outside our control.
Remedies and Escalation
If you believe we have mishandled your personal data or fallen short of this Notice, contact our Data Protection Officer first so we can investigate. Where a concern is upheld, we will take proportionate steps such as correcting records, restricting or stopping processing, or securely deleting data, within a reasonable period, usually within 30 days of concluding our review, subject to legal holds or other constraints outside our control.
If you remain dissatisfied after contacting us, you may escalate to the Nigeria Data Protection Commission or seek redress before a court of competent jurisdiction in Nigeria.
Changes to This Notice
We may revise this Notice when our practices or the law change. Material updates will be posted on our website or platform, and the “Last Reviewed” date at the top will be refreshed. Continued use of our services after an update means you should review the revised Notice so you stay informed.
How to Contact Us
Questions, concerns, or rights requests about this Notice or our processing of personal data can be sent to our Data Protection Officer:
Data Protection Officer