shopa.Privacy Policy

Privacy Policy

Effective Date: 10 May 2026Last Updated: 10 May 2026

1. Introduction & Scope

Shopa (“Shopa,” “we,” “us,” or “our”) is committed to protecting the privacy and personal data of every individual who uses our platform. This Privacy Policy (“Policy”) explains in detail how we collect, use, disclose, store, transfer, and protect personal information when you access or use our website at shopa.sh, our mobile application (iOS and Android), our APIs, our merchant storefronts, and any related services or tools (collectively, the “Platform”).

This Policy applies to all individuals who interact with the Platform, including:

  • Merchants — African business owners and vendors who register, list products, and operate storefronts on the Platform.
  • Buyers — Customers who browse, place orders, or purchase products from Merchant storefronts.
  • Visitors — Anyone who accesses the Platform without creating an account.
  • Staff & Team Members — Individuals invited by a Merchant to manage their store.

This Policy should be read together with our Terms and Conditions. By accessing or using the Platform, you acknowledge that you have read and understood this Policy and the practices described herein. If you do not agree with any part of this Policy, you must not use the Platform.

We have designed this Policy to be transparent, comprehensive, and compliant with applicable data protection laws — including the Nigeria Data Protection Act 2023 (NDPA), the Nigeria Data Protection Regulation 2019 (NDPR), the EU General Data Protection Regulation (GDPR) where applicable, the UK GDPR, and the California Consumer Privacy Act (CCPA) as amended by the CPRA.

2. Definitions

For the purposes of this Policy, the following terms have the meanings set out below:

  • “Personal Data” means any information relating to an identified or identifiable natural person, such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
  • “Sensitive Personal Data” means Personal Data that is, by its nature, particularly sensitive and merits a higher level of protection — including financial data (such as bank account information and BVN data), identity documents, and biometric data.
  • “Processing” means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, restriction, erasure, or destruction.
  • “Data Controller” means the natural or legal person that determines the purposes and means of Processing Personal Data.
  • “Data Processor” means any natural or legal person that Processes Personal Data on behalf of the Data Controller.
  • “Data Subject” means an identified or identifiable natural person to whom Personal Data relates.
  • “NDPA” means the Nigeria Data Protection Act 2023.
  • “NDPR” means the Nigeria Data Protection Regulation 2019.
  • “NDPC” means the Nigeria Data Protection Commission, the supervisory authority for data protection in Nigeria.
  • “GDPR” means the EU General Data Protection Regulation (Regulation (EU) 2016/679).
  • “CCPA” means the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CPRA).
  • “DPO” means our Data Protection Officer.
  • “BVN” means Bank Verification Number, an identifier issued by the Central Bank of Nigeria.

3. Who We Are (Data Controller)

Shopa is the Data Controller responsible for the Personal Data we collect about you when you create an account, use the Platform, transact, or otherwise interact with us — except in cases where you provide Personal Data to a Merchant during a purchase, in which case the Merchant is the Data Controller for that data and Shopa acts as a Data Processor on the Merchant’s behalf (see Section 10).

For all data protection inquiries, you may contact our Data Protection Officer at privacy@shopa.sh. Full contact details are provided in Section 31.

4. Information We Collect

We collect Personal Data in three ways: (a) information you provide directly to us; (b) information we collect automatically when you use the Platform; and (c) information we receive from third-party sources. The categories of Personal Data we Process are described below.

4.1 Information You Provide Directly

  • Account Registration Data: Full name, business name, username, email address, phone number, password (stored hashed), and one-time password (OTP) verification codes.
  • Profile & Storefront Data: Business category, bio, avatar image, banner image, brand logo, brand colors, brand font, store location, public email, social handles (Instagram, TikTok, WhatsApp, Facebook).
  • Product & Catalog Data: Product names, descriptions, prices, images, stock quantities, categories.
  • Order Data: Buyer name, delivery address, contact phone number, email address, order items, quantities, payment status, fulfillment status.
  • KYC & Identity Data: Last four digits of your Bank Verification Number (BVN), name verification result, BVN match status. We do not store your full BVN.
  • Banking & Payout Data: Bank name, bank account number (masked in our records), Paystack recipient code, Paystack customer code.
  • Communications: Support requests, dispute messages, community submissions (ideas, comments, votes), feedback, and any other content you send to us.
  • Team & Staff Data: Names, emails, and assigned roles of team members invited to manage a Merchant account.
  • Buyer Account Data: Email address, name, optional phone number, order history across multiple Merchants.

4.2 Information Collected Automatically

  • Device & Technical Data: IP address, device type, operating system, browser type and version, mobile network information, device identifiers (advertising IDs), screen resolution, language preferences, and time zone.
  • Usage Data: Pages and storefronts visited, products viewed, time spent on pages, clickstream data, search queries, referring URLs, exit URLs, features used, errors encountered.
  • Authentication Data: Login timestamps, session tokens, refresh tokens, IP addresses associated with sign-ins, device fingerprints.
  • Cookies & Similar Technologies: Session cookies, authentication tokens, preference cookies, and analytics identifiers stored in your browser’s localStorage and cookies.
  • Analytics Data: Aggregated and individual usage metrics for Merchant dashboards (revenue, orders, top products, customer insights, abandoned carts).
  • Log Data: Server logs containing API requests, response codes, processing times, and error traces.

4.3 Information Received from Third Parties

  • Paystack: Payment confirmations, transaction references, masked card information (e.g., last four digits, card brand), bank verification results, Paystack customer codes, Paystack recipient codes, transfer status updates.
  • Cloudinary: Confirmation of image uploads, image URLs, content delivery network metrics.
  • Resend: Email delivery status, bounce and complaint reports.
  • Social Media Platforms: If you choose to connect a social account, public profile information you authorize.
  • Fraud-Prevention Services: Risk scores, fraud signals, and verification results that help us detect suspicious activity.

4.4 Information We Do Not Collect

We deliberately do not collect:

  • Full BVN numbers (only the last four digits are retained).
  • Full payment card numbers, expiry dates, CVV codes, or PIN codes (these are entered directly into Paystack’s PCI-DSS-compliant infrastructure and are never transmitted to or stored on our servers).
  • Biometric data (fingerprints, facial recognition).
  • Precise GPS location (we may infer approximate location from IP address only).
  • Special categories of data such as race, religion, political opinions, health data, or sexual orientation, unless voluntarily disclosed by you in support communications.

5. How We Use Your Information

We use the Personal Data we collect for the following purposes:

  • Account Management: Creating, maintaining, and securing your account; authenticating you when you sign in; verifying ownership through OTP.
  • Service Delivery: Operating the Platform, hosting your storefront, processing orders, facilitating payments, settling payouts, generating invoices, and providing customer support.
  • Identity Verification (KYC): Verifying your identity through Paystack to comply with anti-money-laundering (AML) and counter-financing-of-terrorism (CFT) regulations and to enable withdrawals.
  • Communications: Sending transactional emails (OTP codes, order confirmations, shipping updates), responding to your inquiries, sending receipts, and notifying you of important account activity.
  • Marketing & Announcements: Sending platform announcements, product updates, tips, and promotional offers (you can opt out of marketing communications at any time).
  • Personalization: Tailoring the Platform experience, remembering your preferences, and improving recommendations.
  • Analytics & Insights: Generating Merchant dashboard analytics (revenue trends, top products, customer insights), measuring Platform performance, and producing aggregated reports.
  • Improvement & Research: Understanding how the Platform is used, diagnosing issues, debugging, A/B testing new features, and improving our services.
  • Fraud Prevention & Security: Detecting, preventing, investigating, and responding to fraudulent transactions, account takeovers, abuse, and security incidents.
  • Legal Compliance: Complying with legal obligations, court orders, regulatory requests, tax requirements, and law-enforcement requests.
  • Enforcement: Enforcing our Terms and Conditions, investigating violations, and protecting the rights, property, or safety of Shopa, our Users, or others.
  • Business Operations: Internal record-keeping, financial reconciliation, audit, and corporate governance.
  • Mergers & Acquisitions: If Shopa undergoes a merger, acquisition, reorganization, or sale of assets, your data may be transferred as part of that transaction (subject to this Policy).

Under the NDPA, NDPR, GDPR, and similar laws, we Process your Personal Data only when we have a valid legal basis to do so. The legal bases we rely on are:

6.1 Performance of a Contract

We Process your Personal Data when necessary to perform our contract with you — including operating your account, processing orders, settling payouts, and providing customer support. Without this data, we cannot deliver the Platform’s core services.

6.2 Consent

We rely on your consent for certain Processing activities, including sending non-essential marketing communications, setting non-essential cookies, and (where required) processing certain categories of data. You may withdraw consent at any time without affecting the lawfulness of Processing carried out before withdrawal.

6.3 Legal Obligation

We Process certain data to comply with legal obligations, including KYC/AML regulations, tax laws, accounting requirements, and responses to lawful requests from regulators, courts, or law-enforcement agencies.

6.4 Legitimate Interests

We Process some data based on our legitimate interests, balanced against your rights and freedoms. These interests include:

  • Operating, maintaining, and improving the Platform.
  • Preventing fraud, abuse, and security incidents.
  • Conducting analytics to understand usage and inform product decisions.
  • Defending and asserting our legal rights.
  • Communicating with you about service changes and announcements.

6.5 Vital Interests & Public Interest

In rare cases, we may Process Personal Data to protect the vital interests of you or another person (for example, to respond to an emergency) or where Processing is necessary in the public interest.

7. How We Share Your Information

We do not sell your Personal Data. We share Personal Data only in the limited circumstances described below.

7.1 With Merchants (When You Are a Buyer)

When you place an order, your name, delivery address, contact details, and order details are shared with the relevant Merchant so they can fulfill your order. Merchants act as independent Data Controllers for the buyer information they receive (see Section 10).

7.2 With Service Providers (Data Processors)

We share Personal Data with carefully selected third-party service providers who process data on our behalf under written agreements requiring confidentiality and adequate data protection. These providers are detailed in Section 8.

7.3 With Legal & Regulatory Authorities

We may disclose Personal Data when legally required, such as in response to subpoenas, court orders, NDPC investigations, tax authority requests, or law-enforcement requests — provided the request is lawful and proportionate.

7.4 In Connection with Business Transactions

If Shopa is involved in a merger, acquisition, sale of all or a portion of its assets, financing round, or similar transaction, your Personal Data may be transferred as part of that transaction. We will provide notice before your Personal Data becomes subject to a different privacy policy.

7.5 To Protect Rights, Property & Safety

We may disclose Personal Data where we believe in good faith that disclosure is necessary to enforce our Terms, investigate potential violations, prevent fraud, address security or technical issues, or protect the rights, property, or safety of Shopa, our Users, or the public.

7.6 With Your Consent

We may share Personal Data with other parties when you have given us your explicit consent to do so.

8. Third-Party Processors

We work with the following third-party Data Processors to deliver the Platform. Each is contractually bound to handle your Personal Data securely and in accordance with applicable laws.

ProviderPurposeData SharedLocation
PaystackPayment processing, identity verification (KYC), payoutsName, email, phone, BVN (last four), bank details, transaction dataNigeria
ResendTransactional & OTP email deliveryEmail address, email contentUnited States / EU
CloudinaryImage hosting, optimization, content deliveryUploaded images (product photos, avatars, banners)Global CDN
RailwayBackend hosting, PostgreSQL database, Redis cacheAll Platform data (encrypted at rest and in transit)United States / EU
VercelWeb hosting, static asset deliveryIP address, request logsGlobal edge network

We periodically review our processor agreements and may add, change, or remove processors as the Platform evolves. Where required by law, we will update this Policy to reflect material changes.

9. Cookies & Tracking Technologies

9.1 What Are Cookies?

Cookies are small text files placed on your device by a website. We also use related technologies such as web storage (localStorage, sessionStorage), pixels, and similar identifiers (collectively, “Cookies”).

9.2 Types of Cookies We Use

  • Strictly Necessary Cookies: Required to operate the Platform — including authentication tokens (access tokens, refresh tokens), session identifiers, and CSRF protection. These cannot be disabled while using the Platform.
  • Functional Cookies: Remember your preferences (language, dark mode, sidebar state, dismissed banners).
  • Analytics Cookies: Help us understand how the Platform is used so we can improve it (page views, feature usage, error rates).
  • Performance Cookies: Measure load times, response times, and overall Platform performance.

9.3 Managing Cookies

Most browsers allow you to refuse or delete cookies through their settings. Please note that disabling strictly necessary cookies will prevent you from using core Platform features such as signing in.

10. Merchant Handling of Buyer Data

When a Buyer places an order, the relevant Merchant receives the Buyer’s name, delivery address, phone number, email, and order details. For this data:

  • The Merchant is the Data Controller for buyer data they receive.
  • Shopa acts as a Data Processor on behalf of the Merchant, hosting and transmitting that data through the Platform.
  • Merchants are independently responsible for complying with applicable data protection laws — including providing their own privacy notices, honoring data-subject rights, and implementing appropriate security safeguards.
  • Merchants must use buyer data only to fulfill orders, provide customer support, and comply with their legal obligations. Merchants must not use buyer data for unsolicited marketing without obtaining valid consent.

Buyers concerned about how a specific Merchant handles their data should contact that Merchant directly. Buyers may also report concerns to us at privacy@shopa.sh, and we will investigate and take appropriate action if a Merchant is found to be misusing buyer data.

11. KYC & Identity Verification Data

To enable withdrawals and comply with Nigerian financial regulations, Merchants must complete KYC verification. The KYC process involves:

  • You submit the last four (4) digits of your BVN through the Platform.
  • Paystack’s identity service uses these digits, in combination with your name, to verify your identity against the Central Bank of Nigeria’s BVN registry.
  • Paystack returns a verification result (matched, mismatched, or rejected) to us.
  • We store only: the last four digits of your BVN, the verified name returned by Paystack, the verification status, and the timestamp.

We do not store, log, or transmit your full BVN at any point. We retain KYC verification records for as long as your account is active and for an additional period required by AML/CFT regulations after account closure.

12. Payment Card Information

All payment card transactions on the Platform are processed by Paystack, a fully PCI-DSS-compliant payment processor licensed by the Central Bank of Nigeria. When you enter card details:

  • Your full card number, expiry date, CVV, and PIN are never transmitted to or stored on our servers.
  • Card data is captured directly by Paystack’s secure payment interface or via tokenized server-to-server flows.
  • We receive and store only non-sensitive transaction metadata: a transaction reference, masked card information (e.g., last four digits, card brand, country), and the transaction status.
  • For recurring payments (subscriptions), Paystack issues us a token (an authorization code) that allows us to charge the same card on schedule. You can revoke this authorization at any time from your dashboard or by contacting us.

13. Wallet & Financial Data

We maintain a wallet balance and transaction ledger for each Merchant. This includes:

  • Order-level settlements (gross amount, commission deducted, net amount credited).
  • Withdrawal requests, including amount, destination bank, status, and any failure reasons.
  • Bank account details linked to your account (account name, account number, bank name, and Paystack recipient code).
  • Transaction history for audit, reconciliation, and tax-compliance purposes.

Bank account numbers are stored in our database but masked when displayed in the dashboard. We retain financial records for the periods required by Nigerian tax and accounting laws (typically a minimum of seven years) even after account closure.

14. Storefront Public Information

Merchant storefronts at shopa.sh/[username] are publicly accessible. Information that Merchants choose to display on their storefront — including business name, bio, avatar, banner, product listings, prices, store location, and public social handles — is treated as public information and is not subject to the same confidentiality protections as private account data. Merchants should not display Personal Data they wish to keep private.

Storefronts are also indexed by search engines via our sitemap, which means storefront content may appear in search results. Merchants who do not wish to be indexed may contact us at privacy@shopa.sh to discuss available options.

15. Communications & Marketing

15.1 Transactional Communications

We send transactional communications related to your account and use of the Platform. These are essential to providing the service and cannot be opted out of while you maintain an active account. Examples include OTP verification codes, order confirmations, payment receipts, shipping updates, security alerts, and legal notices.

15.2 Marketing Communications

From time to time, we may send you marketing communications about Platform features, tips, promotional offers, or product updates. You may opt out of marketing communications at any time by:

  • Clicking the “unsubscribe” link in any marketing email.
  • Adjusting your notification preferences in your account settings.
  • Emailing privacy@shopa.sh.

15.3 Email Sending Domains

We send email from the following addresses. Each is operated by Shopa and managed through Resend:

  • noreply@shopa.sh — OTP verification codes, transactional emails (do not reply).
  • orders@shopa.sh — Order confirmations, shipping updates, fulfillment notices.
  • support@shopa.sh — Customer support, dispute resolutions.
  • hello@shopa.sh — Welcome messages, onboarding, marketing.
  • privacy@shopa.sh — Data protection inquiries, rights requests.

16. Push & In-App Notifications

With your permission, we may send push notifications to your device for events such as new orders, plan expiry warnings, withdrawal status updates, and platform announcements. You can disable push notifications at any time through your device settings or your account’s notification preferences.

We also display in-app notifications within the Platform. Some in-app notifications (such as security alerts and required account actions) cannot be dismissed or disabled.

17. Data Retention

We retain your Personal Data only for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, regulatory, accounting, or reporting requirements. Specific retention periods include:

Data CategoryRetention Period
Account & profile dataFor the duration of the account, plus 12 months after closure
Order & transaction records7 years (Nigerian tax/accounting requirements)
KYC verification records5 years after the end of the business relationship (AML/CFT)
Wallet & payout records7 years
Server & access logs90 days (rolling)
Marketing preferences & opt-outsIndefinitely (to honor opt-outs)
Support communications3 years
Audit logs (admin actions)7 years

After the applicable retention period expires, we will delete or irreversibly anonymize your Personal Data, unless retention is required by law, by legitimate business need (e.g., active dispute or investigation), or for the establishment, exercise, or defense of legal claims.

18. Data Security

We implement appropriate technical and organizational measures to protect your Personal Data against unauthorized access, alteration, disclosure, loss, or destruction. These measures include:

  • Encryption in transit: All communications between your device and our servers are encrypted using TLS 1.2 or higher.
  • Encryption at rest: Databases and backups are encrypted using industry-standard algorithms.
  • Password security: Passwords are stored hashed using bcrypt or an equivalent algorithm; we never store plaintext passwords.
  • OTP generation: One-time passwords are generated using cryptographically secure random number generation (Node.js crypto.randomInt).
  • Access controls: Role-based access control (RBAC) limits employee access to Personal Data on a need-to-know basis.
  • Authentication tokens: Short-lived access tokens with rotating refresh tokens, signed and verified using industry-standard JWT.
  • Audit logging: Sensitive actions performed by administrators and team members are logged for accountability.
  • Rate limiting & abuse prevention: API rate limits, suspicious-activity monitoring, and IP-based throttling.
  • Vulnerability management: Regular dependency updates, security scanning, and patch management.
  • Incident response: Documented procedures for detecting, responding to, and reporting security incidents.
  • Vendor due diligence: Security assessments and contractual safeguards with all third-party processors.

Despite these measures, no system can be guaranteed 100% secure. We urge you to: (a) use a strong, unique password; (b) keep your OTP codes confidential; (c) sign out from shared devices; and (d) notify us immediately at privacy@shopa.sh if you suspect unauthorized access to your account.

19. International Data Transfers

Our primary infrastructure is hosted on Railway and Vercel, which operate data centers in multiple regions including the United States and the European Union. Your Personal Data may be transferred to, stored, and Processed in countries outside Nigeria.

When we transfer Personal Data outside Nigeria, the EEA, the UK, or other jurisdictions with comprehensive data-protection laws, we rely on lawful transfer mechanisms, including:

  • Adequacy decisions, where the destination country provides adequate protection.
  • Standard Contractual Clauses (SCCs) approved by the relevant supervisory authority.
  • Binding Corporate Rules where applicable.
  • Your explicit consent, where required.

We assess the protections offered by destination countries and impose contractual safeguards to ensure that your Personal Data continues to receive adequate protection during and after transfer.

20. Your Privacy Rights

Subject to applicable law, you have the following rights in relation to your Personal Data:

  • Right of Access: Obtain confirmation of whether we Process your Personal Data and request a copy of that data.
  • Right of Rectification: Request correction of inaccurate or incomplete Personal Data.
  • Right of Erasure (“Right to Be Forgotten”): Request deletion of your Personal Data in certain circumstances (e.g., when no longer necessary, when consent is withdrawn).
  • Right to Restriction: Request that we limit Processing of your Personal Data in certain circumstances.
  • Right to Data Portability: Receive your Personal Data in a structured, commonly used, machine-readable format and transmit it to another controller.
  • Right to Object: Object to Processing based on legitimate interests, direct marketing, or profiling.
  • Right to Withdraw Consent: Where Processing is based on consent, withdraw consent at any time.
  • Right Not to Be Subject to Automated Decisions: Not be subject to a decision based solely on automated Processing that produces legal or similarly significant effects (see Section 25).
  • Right to Lodge a Complaint: Lodge a complaint with the relevant supervisory authority (see Section 30).

21. How to Exercise Your Rights

To exercise any of your rights, please:

  • Email privacy@shopa.sh with the subject line “Privacy Rights Request.”
  • Include your full name, registered email address, account username (if applicable), and a clear description of the right you wish to exercise.
  • For security purposes, we may ask you to verify your identity before processing your request.

We will respond to your request within thirty (30) days. In complex cases, we may extend this period by up to two additional months and will notify you of the extension and the reasons for the delay.

We do not charge a fee for exercising your rights, except where requests are manifestly unfounded, repetitive, or excessive, in which case we may charge a reasonable fee or refuse to act.

If we cannot fulfill your request, we will explain why and inform you of your right to lodge a complaint with the supervisory authority.

22. Specific Rights Under NDPR & NDPA (Nigeria)

If you are a Nigerian data subject, the Nigeria Data Protection Act 2023 (NDPA) and Nigeria Data Protection Regulation 2019 (NDPR) grant you the rights described in Section 20. In addition:

  • You have the right to be informed about the Processing of your Personal Data.
  • You have the right to demand information on the third parties to whom your data has been disclosed.
  • You have the right to object to Processing for direct marketing without justification.
  • You have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) if you believe your rights have been violated.

23. Specific Rights Under GDPR (EEA & UK)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the GDPR (or UK GDPR) applies to our Processing of your Personal Data. In addition to the rights in Section 20, you have:

  • The right to lodge a complaint with your local data protection supervisory authority.
  • Where Processing is based on consent or contract and is carried out by automated means, the right to data portability in a structured, commonly used, machine-readable format.

For users in the EEA/UK, our EU representative may be appointed in due course where required under Article 27 of the GDPR.

24. Specific Rights Under CCPA (California)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you the following rights:

  • Right to Know: Request the categories and specific pieces of Personal Information we have collected about you, the sources, the purposes for collection, and the third parties with whom we share it.
  • Right to Delete: Request deletion of Personal Information we have collected about you, subject to certain exceptions.
  • Right to Correct: Request correction of inaccurate Personal Information.
  • Right to Opt Out of Sale or Sharing: We do not sell or share your Personal Information for cross-context behavioral advertising.
  • Right to Limit Use of Sensitive Personal Information: Request that we limit the use of your sensitive Personal Information to that which is necessary to perform our services.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

25. Automated Decision-Making

We use automated systems for certain limited purposes, including:

  • Fraud detection: Risk scoring of transactions and account activity to flag suspicious behavior for human review.
  • Subscription gating: Automated enforcement of plan limits and feature access based on your active subscription.
  • KYC verification: Automated matching of submitted information against the BVN registry through Paystack.
  • Order routing: Automated assignment of orders to the correct Merchant.

These automated processes do not produce legal or similarly significant effects without human oversight. For decisions that meaningfully affect your account (such as suspension, termination, or rejection of withdrawals), a human reviews the automated output before action is taken. You have the right to request human review of any decision you believe was made solely by automated means.

26. Children’s Privacy

The Platform is not directed to children under the age of eighteen (18). We do not knowingly collect Personal Data from children. If you are under 18, you may not register an account or use the Platform.

If we become aware that we have collected Personal Data from a child without verified parental consent, we will take steps to delete that data promptly. Parents or guardians who believe their child has provided us with Personal Data should contact privacy@shopa.sh.

The Platform may contain links to third-party websites, applications, and services (including social media platforms such as Instagram, TikTok, WhatsApp, Facebook, and X). This Policy does not apply to those third parties. We are not responsible for the privacy practices, content, or security of any third-party site or service. We encourage you to read the privacy policies of any third party before sharing Personal Data with them.

28. Data Breach Notification

In the event of a Personal Data breach that is likely to result in a risk to the rights and freedoms of affected Users, we will:

  • Notify the relevant supervisory authority (such as the NDPC) within seventy-two (72) hours of becoming aware of the breach, where required by law.
  • Notify affected Users without undue delay where the breach is likely to result in a high risk to their rights and freedoms, providing clear information about the nature of the breach, likely consequences, and the measures taken or proposed to address it.
  • Document all breaches, including their effects and the remedial action taken, even where notification is not required.

29. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or the Platform itself. When we make material changes, we will:

  • Notify you via email and/or through a prominent notice on the Platform at least fourteen (14) days before the changes take effect.
  • Update the “Last Updated” date at the top of this Policy.
  • Where required by law, obtain your consent to material changes before they apply to you.

Your continued use of the Platform after the effective date of any changes constitutes your acceptance of the revised Policy. If you do not agree with the changes, you must stop using the Platform and may close your account in accordance with our Terms.

30. Complaints & Regulatory Authority

If you believe we have not handled your Personal Data in accordance with this Policy or applicable law, please first contact us at privacy@shopa.sh. We take all complaints seriously and will work to resolve them promptly.

If you are not satisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority. For Nigerian Users, the supervisory authority is:

  • Authority: Nigeria Data Protection Commission (NDPC)
  • Website: ndpc.gov.ng

EEA, UK, and other Users may contact their local data protection authority. A list of EEA authorities is available at edpb.europa.eu.

31. Contact Our DPO

For any questions, concerns, or requests regarding this Policy, your Personal Data, or your privacy rights, please contact our Data Protection Officer:

  • Company: Shopa
  • Website: shopa.sh
  • Data Protection Officer: privacy@shopa.sh
  • General Support: support@shopa.sh

By using the Shopa Platform, you acknowledge that you have read, understood, and agree to the collection, use, and other Processing of your Personal Data as described in this Privacy Policy.

Last updated: 10 May 2026