Niutoyu

Privacy Policy

Last updated April 28, 2026

This policy explains what personal data Niutoyu collects when you use our marketplace, how we use and protect it, and the rights you have under Ghana's Data Protection Act, 2012 (Act 843).

1. Who we are

Niutoyu (“we”, “us”, “our”) operates a peer-to-peer marketplace for pre-loved fashion in Ghana. For the personal data described in this policy, we act as the data controller within the meaning of Ghana's Data Protection Act, 2012 (Act 843).

You can reach us through the Help Centre for any privacy-related question, including to exercise the rights described in Section 9.

2. What data we collect

We collect information in three ways:

a) Information you give us

  • Account: phone number or email, display name, profile photo, city, bio;
  • KYC where required: name, mobile-money or bank payout details;
  • Listings: photos, descriptions, prices, condition, brand, size;
  • Messages: chat content, offers, dispute submissions;
  • Reviews and ratings you leave for other users.

b) Information from your transactions

  • Order details, delivery address (when you provide one), shipping status;
  • Payment metadata from Paystack: reference, status, amount, channel (mobile money / card). We do not see or store your full card number or mobile-money PIN.

c) Information from your use of the service

  • Device, browser, IP address (truncated), and approximate location derived from it;
  • Pages viewed, items favourited, search queries, and similar usage data;
  • Cookies and similar technologies (see Section 6).

3. Why we use it

We use your data only for purposes consistent with running the marketplace:

  • Creating and securing your account;
  • Listing items, displaying them in search and on profiles, and matching buyers to sellers;
  • Processing payments through Paystack and paying out to sellers;
  • Operating Buyer Protection, including investigating disputes;
  • Sending transactional email (order confirmations, dispatch alerts, dispute notifications) through Resend;
  • Sending operational SMS where required, e.g. phone-number sign-in codes;
  • Detecting fraud, abuse, and breaches of our Terms;
  • Improving the service, including aggregate analytics that do not identify you;
  • Complying with legal obligations.

5. Who we share it with

We do not sell your personal data. We share specific data only with third parties who help us run the service:

  • Paystack — to process payments. Receives transaction amount, reference, your payment channel, and your name when required by your card or wallet provider.
  • Supabase — our database, authentication, and file storage provider. Hosts your account data, listings, photos, and messages on our behalf.
  • Resend — sends transactional email on our behalf. Receives your email address and the email content (e.g. order confirmation).
  • Vercel — hosts the Niutoyu application. Sees the same request metadata your browser would send to any web server.
  • The other party in your transaction — buyers see the seller's display name, city, and rating; sellers see the buyer's shipping details and display name.
  • Authorities — where we are legally required to disclose information, for example to comply with a court order or to investigate fraud.

Each provider is bound by a data-processing arrangement requiring them to process your data only on our instructions and to keep it secure.

6. Cookies & similar technologies

We use a small set of cookies and local-storage entries that are strictly necessary to operate the service: keeping you signed in, remembering your filter and sort preferences, and protecting against fraud. We do not currently use third-party advertising or cross-site tracking cookies.

If we add optional analytics in the future, we will ask for your consent before setting non-essential cookies and update this policy.

7. International transfers

Some of the providers listed in Section 5 host their infrastructure outside Ghana — typically in the European Union or the United States. Where data is transferred internationally, we rely on the provider's contractual and technical safeguards, including standard contractual clauses or equivalent mechanisms recognised under Act 843, to ensure your data is protected to a comparable standard.

8. How long we keep it

We keep personal data only as long as we need it:

  • Account data — for as long as your account is active, plus a short period after closure for fraud prevention and legal record-keeping;
  • Order, payment, and dispute records — for at least 6 years after the order, in line with Ghana's tax and accounting requirements;
  • Messages — kept for the lifetime of the conversation; copies may persist in backups for up to 30 days;
  • Server logs — typically rotated within 30 to 90 days;
  • Marketing communications data — until you unsubscribe.

When the retention period ends, we delete or anonymise the data so it can no longer be tied to you.

9. Your rights

Under Act 843, you have the right to:

  • Be informed about how we use your data (this policy);
  • Access the personal data we hold about you;
  • Have inaccurate data corrected;
  • Have data erased where we no longer need it and there is no overriding legal basis to keep it;
  • Object to or restrict certain types of processing, including direct marketing;
  • Withdraw consent at any time, where consent is the basis for processing;
  • Receive a copy of your data in a portable format;
  • Lodge a complaint with the Data Protection Commission of Ghana.

To exercise any of these rights, contact us through the Help Centre. We will respond within 30 days.

10. Children

Niutoyu is not directed at children. You must be at least 18 years old to use the service. If we learn that we have collected personal data from a child, we will delete it.

11. Security

We protect your data with technical and organisational measures including encryption in transit (TLS), encryption at rest for our database, role-based access controls, row-level security on every table, signed webhooks for payment events, and audit logs for administrative actions.

No internet service can guarantee absolute security. We will notify affected users and the Data Protection Commission, where required, if we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms.

12. Changes to this policy

We may update this Privacy Policy from time to time. We will post the revised policy and update the “Last updated” date below. Material changes will be notified to you by email or in-app at least 14 days before they take effect, where practicable.

13. Contact

Questions about your privacy or this policy? Reach us through the Help Centre. If you would prefer to contact the Data Protection Commission of Ghana directly, their details are published at dataprotection.org.gh.

See also our Terms of Service.