Privacy Policy

"Winipat" refers to the operator of the Winipat platform at winipat.com. For data protection enquiries, contact us at support@winipat.com.

Account information:

• Full name, email address, phone number
• Date of birth (where required for age verification)
• Profile photo (optional)
• Role (buyer, seller, logistics partner)

Seller KYC information:

• Business name and description
• Pickup address (street, city, state)
• Government-issued ID document
• Bank account details (account number, bank name, account holder)
• Optional utility bill (electricity, waste, or water) showing the pickup address — used to verify seller location

Transactional data:

• Orders, payments, payouts, refunds, and dispute history
• Product listings, reviews, ratings, and messages
• Delivery addresses and tracking information

Technical data (automatic):

• Device type, browser, operating system, screen size
• IP address and approximate location (city-level)
• Pages visited, time spent, click paths
• Cookies (see Section 5)

• To provide the Platform and process your orders, payments, and disputes
• To verify identity and prevent fraud (KYC, anti-money laundering)
• To communicate with you about orders, account changes, and security alerts
• To improve the Platform — analytics, debugging, feature development
• To comply with legal obligations (tax, regulator requests, court orders)
• To send marketing communications (only with your consent; you can opt out any time)

We share your data only with parties that need it to deliver the service:

• Sellers and buyers — limited info needed to complete an order (your name, delivery address, contact for the logistics partner)
• Payment provider (Paystack) — to process card payments and bank transfers
• Logistics partners — pickup/delivery details for the orders they handle
• Service providers — Supabase (database hosting), Vercel (web hosting), email delivery services
• Regulators & law enforcement — when required by Nigerian law

We never sell your personal data to third parties for marketing.

We use the following categories of cookies:

• Essential cookies — keep you signed in, remember your cart. These cannot be disabled.
• Functional cookies — remember your preferences (currency display, language).
• Analytics cookies — help us understand how the Platform is used. You can opt out via the cookie banner.

• Active account data: retained while your account is active
• Transactional records: retained for 7 years after the last transaction (tax + audit requirements)
• KYC documents: retained for 5 years after account closure (anti-money laundering)
• Marketing preferences: retained until you opt out
• Closed account: most data deleted within 90 days of closure request; transactional + KYC retained per above

Under NDPR and applicable Nigerian law, you have the right to:

• Access the personal data we hold about you
• Correct inaccurate or incomplete data
• Request deletion of your data (subject to retention obligations above)
• Withdraw consent for processing where consent was the legal basis
• Object to direct marketing
• Receive a copy of your data in a portable format
• Lodge a complaint with the Nigeria Data Protection Commission (NDPC)

To exercise any of these rights, email support@winipat.com. We will respond within 30 days.

We protect your data using TLS encryption in transit, encryption at rest, role-based access control, and audit logging. Payment card data is never stored on Winipat systems — it is handled directly by our PCI-DSS-compliant payment provider.

No system is perfectly secure. If we become aware of a data breach affecting your personal information, we will notify you and the NDPC within 72 hours.

Winipat is not intended for users under 18. We do not knowingly collect data from minors. If you believe a minor has provided us data, contact us and we will delete it.

Our infrastructure may store data on servers outside Nigeria (e.g. Supabase's EU region). We ensure equivalent protection via contractual safeguards and only transfer data to jurisdictions that meet NDPR adequacy standards.

We may update this Policy. Material changes will be notified by email and via an in-app banner at least 14 days before they take effect.