Kola

Privacy Policy

Effective date: 1 July 2026

1. Data controller

The data controller responsible for your personal data is Kola Limited, a company registered under the laws of the Federal Republic of Nigeria, with its registered address at 438B Babaji Aliyu Street, Dantata Estate, Arab Road, Abuja, FCT, Nigeria.

This Privacy Policy is issued in compliance with the Nigeria Data Protection Act (NDPA) 2023 and the General Application and Implementation Directive (GAID) 2025.

2. Data Protection Officer

Our Data Protection Officer (DPO) can be contacted at:

  • Email: dpo@getkola.shop
  • Address: 438B Babaji Aliyu Street, Dantata Estate, Arab Road, Abuja, FCT, Nigeria

3. What we collect and why

We collect personal data only when necessary to provide our Services. Below is a detailed breakdown of the data we collect, the purpose, and the legal basis under the NDPA:

DataPurposeLegal basis
Phone numberAccount registration, OTP login, order notificationsPerformance of contract
Business name, address, areaStorefront display, delivery logisticsPerformance of contract
Bank account details (name, number, bank)Payout settlement via MonnifyPerformance of contract
BVN (Bank Verification Number)Identity verification (KYC)Legal obligation (CBN regulations)
Order history and transaction recordsOrder fulfilment, dispute resolution, financial recordsPerformance of contract, legal obligation
Transaction PIN (hashed)Authorise cash outs and sensitive account changesPerformance of contract
Device information (browser, OS, IP address)Security, session management, fraud detectionLegitimate interest
Product images and descriptionsStorefront catalog displayPerformance of contract
Customer name, phone, delivery addressOrder delivery and communicationPerformance of contract

4. How we use your data

We use your personal data to:

  • Create and manage your Merchant account.
  • Display your storefront and product listings to Customers.
  • Process and facilitate orders and payments through Monnify.
  • Send order notifications and updates via WhatsApp.
  • Verify your identity for KYC and payout purposes.
  • Detect and prevent fraud and unauthorised access.
  • Manage device sessions and secure your account.
  • Respond to support requests and resolve disputes.
  • Comply with legal and regulatory obligations.
  • Improve the Platform based on aggregated, anonymised usage patterns (no individual tracking).

We do not use your personal data for automated decision-making or profiling that produces legal effects.

We may occasionally send you service-related communications such as product updates, feature announcements, or promotional messages via WhatsApp or email. You can opt out of promotional messages at any time by contacting us at support@getkola.shop. Opting out of promotional messages does not affect transactional notifications (such as order updates and security alerts), which are necessary for the operation of the Platform.

5. Third parties we share data with

We share personal data only with service providers necessary to operate the Platform. We do not sell your personal data to anyone.

ProviderPurposeData shared
Monnify (TeamApt / Moniepoint)Payment processing, fund settlement, KYC verificationBank details, BVN, transaction records
WhatsApp (Meta Platforms)Order notifications, customer communicationPhone numbers, order details
Hetzner (cloud hosting)Server infrastructure for the PlatformAll data stored on the Platform (encrypted at rest)
Vercel (frontend hosting)Website and storefront deliveryIP addresses, browser metadata (access logs)

Each provider is bound by their own data processing terms. We have Data Processing Agreements in place with providers who process personal data on our behalf.

6. Cross-border data transfers

Your personal data may be transferred to and processed in countries outside Nigeria:

  • Hetzner operates data centres in Germany and Finland (European Union).
  • Vercel routes requests through edge servers in the United States and other locations.
  • WhatsApp (Meta) processes data in the United States and other jurisdictions.

We ensure appropriate safeguards are in place for all cross-border transfers, including Data Processing Agreements with standard contractual clauses where applicable, in compliance with the NDPA 2023 and GAID 2025.

7. Data security

We implement technical and organisational measures to protect your personal data, including:

  • All data in transit is encrypted using TLS (Transport Layer Security).
  • Transaction PINs are hashed using bcrypt and never stored in plain text.
  • Two-factor authentication (OTP) is required for new device sign-ins.
  • Device session management allows you to view and revoke active sessions.
  • Access to production systems is restricted to authorised personnel only.
  • Data at rest is encrypted on our hosting infrastructure.

While we take reasonable steps to protect your data, no system is completely secure. We cannot guarantee absolute security.

8. Data retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:

DataRetention period
Account data (name, phone, business info)Until account deletion + 7 days
Financial transaction records6 years after the transaction (CBN requirement)
Bank account and BVNUntil account deletion (retained by Monnify per CBN rules)
Order history6 years after the transaction
Device sessionsAutomatically expired after 90 days of inactivity
Product images and descriptionsUntil deleted by the Merchant or account closure
Server access logs (IP, browser)90 days

9. Your rights under the NDPA

Under the Nigeria Data Protection Act 2023, you have the following rights:

  • Right of access. You can request a copy of the personal data we hold about you.
  • Right to rectification. You can request correction of inaccurate or incomplete personal data.
  • Right to erasure. You can request deletion of your personal data, subject to legal retention requirements.
  • Right to data portability. You can request your data in a structured, commonly used format.
  • Right to object. You can object to processing based on legitimate interest.
  • Right to withdraw consent. Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of processing before withdrawal.
  • Right to lodge a complaint. You have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) if you believe your data rights have been violated.

10. How to exercise your rights

To exercise any of the rights listed above, contact our Data Protection Officer at dpo@getkola.shop.

We will respond to your request within 30 days. We may ask you to verify your identity before processing the request. If we cannot fulfil your request (for example, due to legal retention obligations), we will explain why.

You can also delete your account directly from the Settings page in the Merchant dashboard at any time.

11. Children

The Platform is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a person under 18, we will delete it promptly.

12. Cookies and tracking

The Platform does not use third-party tracking cookies or advertising pixels. We do not run behavioural analytics or retargeting.

Our hosting providers (Vercel, Hetzner) may collect standard server access logs (IP address, browser type, request timestamps) for security and performance purposes. These logs are retained for 90 days and are not used for marketing or profiling.

13. Data breach notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the Nigeria Data Protection Commission (NDPC) within 72 hours of becoming aware of the breach.
  • Notify affected individuals without undue delay if the breach is likely to result in high risk to their rights and freedoms.
  • Document the breach, its effects, and the remedial actions taken.

14. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated at least 30 days before they take effect via the Platform or email notification. The “Effective date” at the top of this page will be updated accordingly.

Continued use of the Platform after the effective date constitutes acceptance of the updated Privacy Policy.

15. Complaints

If you believe your data protection rights have been violated, you have the right to lodge a complaint with:

  • Nigeria Data Protection Commission (NDPC)
    Website: ndpc.gov.ng

We encourage you to contact our DPO first so we can try to resolve your concern directly.

16. Contact us

If you have questions about this Privacy Policy, contact us at: