Ifiok respects your privacy. This policy explains what personal data we collect when you use Ifiok, why we collect it, how long we keep it, and the rights you have under the Nigeria Data Protection Act 2023 (NDPA) and adjacent regulations.
We are the data controller for the information described here. You can reach us at support@ifiok.ng for any privacy-related question.
What we collect
Account data. Name, email, phone number, and a hashed password when you sign up. Used to authenticate you and to contact you about your orders. Lawful basis: contract (NDPA § 27).
Order data. Items in your cart, delivery address, design files and proofs you upload, payment references (we do not store full card numbers — that lives with Paystack and Flutterwave). Lawful basis: contract.
Communications. Messages you send via the in-app chat, WhatsApp, or support tickets. Used to help you and to keep an audit trail of any dispute. Lawful basis: contract + legitimate interest (NDPA § 28).
Cookies and trackers
We use four categories of cookies, listed in detail on our Cookie Policy: Functional, Analytics, Marketing, and Device security. Functional cookies (sign-in, language, consent state) are always on. The other three you can accept or reject when you first visit; you can change your choice at any time.
Analytics processing
When you opt in to analytics, we record which pages you visit and which key actions you take (signup, add-to-cart, checkout, design editor open). The purpose is to understand which features are useful so we can improve them.
We never see your raw IP address — we hash it before storage. Session identifiers are random and cannot be tied back to your name without your account.
Scope: Ifiok surfaces only — ifiok.ng, designs.ifiok.ng, docs.ifiok.ng, the admin console, and the printer dashboard. Recipients: Ifiok internal only — no third-party analytics service receives this data today. Retention: 14 months, then automatically deleted by a daily purge job. If we add a third-party analytics service in the future (such as Google Analytics or Mixpanel), we will update this list before any data is shared with them and your existing consent will be re-confirmed.
Marketing communications
When you opt in to marketing, we may send you optional emails, SMS, or WhatsApp messages about offers, new features, and product updates. Lawful basis: explicit consent (NDPA § 27).
Every marketing message includes an unsubscribe link or a STOP keyword. You can also withdraw consent globally from your account preferences at any time.
Device security and fingerprinting
When you opt in to device security, we compute a hashed fingerprint of your browser to detect account takeover and repeat fraud. Lawful basis depends on purpose: legitimate interest (NDPA § 28) for fraud prevention; explicit consent (NDPA § 27) when the data feeds analytics aggregates.
How it works. We use the open-source FingerprintJS library (Apache 2.0), which runs entirely in your browser — no third-party service receives your fingerprint. The library produces a stable visitor id from browser-environment signals (e.g. canvas rendering, available fonts, audio stack). That id is hashed on our servers before it is stored; we never persist the raw id. No fingerprint cookie is written on your device.
What we detect. Patterns that indicate fraud: the same device across many user accounts (e.g. one device that has signed in as five different customers), a fingerprint that changes mid-session (which can indicate spoofing), and bot-like user agents. We do not use the data for any other purpose.
Access. Only super-administrators at Ifiok can query the fingerprint queue. Every access is logged. Retention: 24 months from the last time the device is seen, then automatically deleted. Sharing: we do not share device fingerprints with any third party and do not use them for advertising or cross-site tracking.
You can withdraw consent at any time from the cookie banner. Once withdrawn, we stop capturing new fingerprints immediately and existing rows age out under the retention schedule above. To request earlier deletion, write to us at support@ifiok.ng.
Sub-processors
We use the following service providers to deliver core functions. Each is contractually bound to process data only on our instructions.
- Paystack and Flutterwave — payment processing
- Resend — transactional and marketing email delivery
- Twilio / Termii — SMS delivery
- Meta WABA — WhatsApp Business messaging
- Vercel — web hosting (frontend)
- Neon — managed PostgreSQL (EU region)
- Railway — API hosting
- Cloudflare R2 — file storage (designs, proofs, KYC documents)
If we add or remove a sub-processor that materially changes where your data is processed, we will update this list and notify signed-in users in advance.
International data transfers (NDPA § 41)
Some of the sub-processors above operate outside Nigeria (Neon is hosted in the EU; Meta, Cloudflare R2, Vercel, and Railway operate from the US or globally). These transfers are made under the safeguards required by NDPA § 41 (each processor's contractual data-processing terms). Specific transfer mechanisms are documented in our internal Records of Processing Activities (ROPA) and available on request to NDPC.
Your rights (NDPA §§ 26-34)
Under NDPA 2023, you have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Delete your account (a 30-day grace period applies)
- Restrict or object to certain processing
- Port your data to another service
- Withdraw any consent you previously gave
Most of these are self-service from your account dashboard (Privacy & Data section). For the rest, email support@ifiok.ng and we will respond within 30 days.
If you believe we have not honoured a right, you may complain to the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng.
Data retention
| Data | Retention |
|---|---|
| Account profile | Lifetime of the account; 30-day grace then deletion on request |
| Order + payment records | 6 years (CAMA + tax law) — customer FK nulled on delete, financial row retained |
| Analytics events | 14 months |
| Device fingerprints | 24 months from last seen |
| Activity / audit logs | Indefinite (Cybercrime Act § 38) |
| KYC documents (printers) | 7 years post account close (anti-fraud) |
Connecting your Google Drive (optional)
If you run out of Ifiok storage, you can choose to connect your own Google
Drive so your designs keep saving to your personal Drive instead of being
blocked. This is entirely optional and only happens if you choose to connect
and approve Google's permission screen.
When you connect, Ifiok requests the drive.file permission only. This lets
Ifiok create and manage only the files it creates in your Drive — your saved
designs and their images, kept in an "Ifiok Designs" folder. Ifiok cannot see,
read, or access any of your other Google Drive files.
We store an encrypted Google authorization token so we can keep saving your
designs to your Drive; we never receive or store your Google password. You can
disconnect at any time from your Ifiok dashboard, which revokes Ifiok's access.
Ifiok's use and transfer of information received from Google APIs will adhere to
the Google API Services User Data Policy,
including the Limited Use requirements.
Changes to this policy
We will post any material change here and bump the version number. For changes that affect what we collect, what we use it for, or who we share it with, we will notify signed-in users by email or in-app banner before the change takes effect.
This is a starter draft pending Nigerian-lawyer review. Final wording supersedes when the review completes. Contact: support@ifiok.ng.