This Privacy Policy is issued in compliance with the Nigeria Data Protection Act (NDPA) 2023, the NDPA General Application and Implementation Directive (GAID) 2025, and all applicable Nigerian data protection and financial laws. We are committed to protecting your personal information and being transparent about how we use it.
Contents
- Who We Are
- Information We Collect
- How We Use Your Information
- Legal Basis for Processing
- Financial Data and Escrow
- CollabSafe and Identity Sharing
- Sharing Your Information
- Data Retention
- Your Rights Under the NDPA 2023
- Security
- International Data Transfers
- Third-Party Services and Links
- Children
- Changes to This Policy
- Contact and Complaints
1. Who We Are
CollabBuy is a collaborative commerce platform operated by MaestroHive Solutions Limited, a company registered in the Federal Republic of Nigeria. In this Privacy Policy, "CollabBuy", "we", "us", and "our" refer to MaestroHive Solutions Limited. "You" and "your" refer to any individual who accesses or uses our platform, mobile application, or website at collabbuy.com.
MaestroHive Solutions Limited is a data controller as defined under the NDPA 2023. We determine the purposes and means of processing personal data collected through the CollabBuy platform. We are registered with the Nigeria Data Protection Commission (NDPC) as a data controller.
2. Information We Collect
2.1 Information You Provide Directly
- Identity information: First name, last name, username
- Contact information: Phone number, email address
- Verification information: Bank Verification Number (BVN) or National Identification Number (NIN) for KYC compliance, government-issued ID where required
- Financial information: Bank account details you provide when funding your wallet or adding seller payment details to a collab. We verify account names via our payment partner's account lookup API
- Profile information: Profile photograph and biographical details you choose to add
2.2 Information Generated Through Platform Use
- Transaction data: Collab participation records, contribution amounts, payment references, escrow lock and release records, wallet balances and transaction history
- Activity data: Collabs created, joined, or viewed; reviews given and received; reputation score; collab status changes
- Location data: General location used to show you nearby collabs, only when you explicitly grant permission
- Communication data: Messages sent within the platform
2.3 Information Collected Automatically
- Device information: Device type, operating system, unique device identifiers
- Log data: IP address, access times, pages viewed, error logs, request metadata
- Usage data: Features used, session duration, crash reports
We apply data minimisation principles in accordance with the NDPA 2023. We collect only the minimum personal data necessary to provide the CollabBuy service. We do not collect sensitive personal data beyond what is strictly required for identity verification and financial compliance.
3. How We Use Your Information
We use your personal information for the following purposes:
- Account creation and management: To register your account, verify your identity, and maintain your profile
- Platform operation: To enable you to create, join, and complete collaborative purchase transactions through our platform
- Payment processing and escrow: To facilitate wallet funding, escrow locking and release, and direct bank transfers to sellers on completion of PIN authorisation
- Security and fraud prevention: To detect, investigate, and prevent fraudulent transactions, unauthorised access, money laundering, and other illegal activity
- Regulatory compliance: To meet obligations under Nigerian law including AML/CFT requirements, CBN guidelines, EFCC Act obligations, and the NDPA 2023
- Communications: To send OTP verification codes, transaction confirmations, collab status updates, and service notifications via SMS and push notification
- CollabSafe: To send safety messages to trusted contacts you designate, with your explicit prior consent, when you use the CollabSafe feature
- Customer support: To respond to enquiries and complaints, and to assist in dispute resolution
- Platform improvement: To analyse usage patterns, identify technical issues, and improve the CollabBuy service
4. Legal Basis for Processing
Under the NDPA 2023, we process your personal data on the following lawful bases:
- Contractual necessity: Processing required to provide the CollabBuy service you have agreed to use, including account management, payment processing, escrow operations, and collab facilitation
- Legal obligation: Processing required to comply with Nigerian law, including KYC and AML obligations under CBN guidelines, reporting obligations under the EFCC Act, and the Money Laundering (Prevention and Prohibition) Act 2022
- Legitimate interests: Processing for fraud prevention, platform security, and service improvement, where our interests are not overridden by your fundamental rights and freedoms
- Consent: Processing for optional features including CollabSafe identity sharing and marketing communications. You may withdraw consent at any time without affecting the lawfulness of prior processing
5. Financial Data and Escrow
CollabBuy facilitates the holding of user funds in escrow between the point of contribution and the point of seller payment. The following applies to your financial data:
- All monetary values are stored as integer amounts in kobo to ensure absolute precision. No floating-point arithmetic is applied to any financial value
- Every wallet transaction generates an immutable record showing the balance before and after the movement. These records cannot be altered or deleted
- Escrow funds are locked at the point of joining a collab and cannot be moved by any individual user, by the collab creator, or by CollabBuy staff outside the authorised platform flow
- Seller bank account details entered into the platform are visible to all members of the specific collab for verification purposes. They are not shared outside that group
- We store only the last four digits of account numbers in application logs. Complete account numbers are never recorded in log files
- Payment infrastructure is provided through our licensed BaaS and payment service partners operating under CBN authorisation. Their data handling practices are governed by their respective privacy policies
6. CollabSafe and Member Identity Sharing
CollabSafe is an optional safety feature that allows collab members to send group transaction details to a trusted contact outside the platform before completing an in-person collab.
Important: When another member of your collab uses CollabSafe, your full name and phone number may appear in the safety message sent to their trusted contact, but only if you have given explicit prior consent to this sharing. You may withdraw this consent at any time in your account settings.
- Consent to CollabSafe identity sharing is sought separately from general account registration and is not a condition of using the platform
- Members who do not consent appear as "Member [N] — details withheld by request" in other members' CollabSafe messages
- CollabSafe messages are delivered via SMS or WhatsApp to phone numbers provided by the sending member. Recipients are not CollabBuy users and their handling of the information they receive is not governed by CollabBuy
- A completion message is sent automatically to the same contact when the bank transfer is confirmed by our payment partner's webhook. We do not send further messages after that
- CollabSafe records are retained for 12 months from the date of the relevant transaction and then permanently deleted
7. Sharing Your Information
We do not sell your personal data to any third party. We do not share your personal data for third-party marketing purposes. We share your information only in the following circumstances:
7.1 Licensed Service Providers
We share data with third-party providers who assist us in operating the platform under contractual data processing agreements. These include payment processors, BaaS infrastructure providers, SMS delivery services, cloud infrastructure providers, and identity verification services. Each provider processes data only as instructed by CollabBuy and is required to maintain appropriate security measures compliant with applicable Nigerian law.
7.2 Other Collab Members
When you join a collab, your first name, profile photo, contribution amount, and contribution percentage are visible to other members of that specific collab. Your full bank account details are never shared with other members. Seller bank details added by the collab creator are shared with all members of the relevant collab for verification purposes only.
7.3 Legal and Regulatory Obligations
We may disclose your information to Nigerian regulatory bodies, law enforcement agencies, and courts when required to do so by law or lawful order, including but not limited to the CBN, EFCC, NFIU, FCCPC, and the NDPC. We will notify you of any such disclosure where we are legally permitted to do so prior to disclosure.
7.4 Business Transfers
In the event of a merger, acquisition, or sale of all or part of our business, your personal data may be transferred to the acquiring entity. We will notify you at least 30 days before such a transfer and before your data becomes subject to a different privacy policy. You retain the right to request deletion of your data before the transfer takes effect.
8. Data Retention
We retain personal data only for as long as necessary to provide the CollabBuy service and to comply with our legal obligations:
- Account data: Retained for the duration of your account and for 7 years after account closure, in accordance with Nigerian financial record-keeping requirements
- Transaction and financial records: Retained for 7 years from the date of transaction, as required under CBN AML/CFT guidelines
- Audit logs: Retained for 7 years as an immutable financial record. These records cannot be modified or deleted
- KYC documents: Retained for 5 years after the end of the customer relationship, as required by applicable law
- CollabSafe records: Retained for 12 months from the relevant transaction date, then permanently deleted
- Marketing consent records: Retained until consent is withdrawn and for 3 years thereafter for compliance records
When retention periods expire, we securely delete or anonymise your personal data. Anonymised, non-identifiable aggregate data may be retained indefinitely for analytical purposes.
9. Your Rights Under the NDPA 2023
The Nigeria Data Protection Act 2023 grants you the following rights over your personal data:
- Right of access: You may request a copy of the personal data we hold about you, free of charge
- Right to rectification: You may request correction of inaccurate or incomplete personal data we hold about you
- Right to erasure: You may request deletion of your personal data where there is no lawful basis for continued retention, subject to our legal obligations to retain financial and transaction records
- Right to restriction: You may request that we restrict processing of your data in certain circumstances, such as when you contest the accuracy of the data
- Right to data portability: You may request a copy of your data in a structured, commonly used, machine-readable format
- Right to object: You may object to processing based on our legitimate interests where your interests, rights, and freedoms override those interests
- Right to withdraw consent: Where processing is based on consent, including CollabSafe sharing and marketing communications, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal
To exercise any of these rights, submit a request to privacy@collabbuy.com. We will acknowledge your request within 72 hours and respond fully within 30 days. Where your request is complex or we receive multiple requests from you, we may extend this period by a further 30 days with notice to you.
If you are dissatisfied with our response or believe we are processing your data unlawfully, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng.
10. Security
We implement technical and organisational security measures appropriate to the risk, in accordance with the NDPA 2023 and CBN cybersecurity requirements. These include:
- Encryption of all data in transit using TLS 1.2 or higher
- User passwords stored as bcrypt hashes. Plain text passwords are never stored anywhere in our system
- Payment authorisation PINs stored as SHA-256 cryptographic hashes only. Plain text PINs never exist anywhere in our system at any point
- Role-based access controls limiting staff access to personal and financial data on a strict need-to-know basis
- Immutable audit logging of all financial actions, collab state changes, and sensitive data access events
- Rate limiting and brute force protection on all authentication and payment endpoints
- Automated webhook signature verification before any database operations are performed on incoming payment events
- Regular security reviews and access audits
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify you and the NDPC within 72 hours of becoming aware of the breach, as required by Section 40 of the NDPA 2023. Our breach notification will include the nature of the breach, the categories and approximate number of data subjects affected, and the measures taken or proposed to address the breach.
11. International Data Transfers
CollabBuy uses cloud infrastructure and third-party software services that may process your data outside Nigeria. The NDPA 2023 and GAID 2025 require that international data transfers occur only where adequate protection is ensured. When we transfer personal data internationally, we ensure that:
- The receiving country or organisation provides a level of data protection consistent with the NDPA 2023
- Appropriate contractual safeguards, including standard data processing clauses, are in place with all international service providers
- We maintain a register of all international data transfers as required by the NDPA GAID 2025
A list of international service providers involved in processing your data is available on request by writing to privacy@collabbuy.com.
12. Third-Party Services and Links
The CollabBuy platform may contain links to third-party websites or integrate third-party services. CollabBuy is not responsible for the privacy practices, content, or security of any third-party sites or services. We encourage you to review the privacy policies of any third-party services you access through or in connection with CollabBuy. Third-party service providers that process your data on our behalf are bound by contractual obligations to handle your data in accordance with applicable law. Third-party sites or services you access independently of CollabBuy are governed solely by their own terms.
13. Children
CollabBuy is not directed at persons under 18 years of age. We do not knowingly collect personal data from anyone under the age of 18. If you believe we have inadvertently collected data from a person under 18, please notify us immediately at privacy@collabbuy.com and we will take prompt steps to delete that information.
14. Changes to This Policy
We may update this Privacy Policy from time to time as our practices change, as we introduce new features, or as required by law. Where changes are material to how we process your data, we will notify you through the CollabBuy app, by email, or by SMS at least 14 days before the changes take effect.
The updated policy will show the revised "Last updated" date at the top of this page. Your continued use of CollabBuy after the effective date of any changes constitutes your acceptance of the updated policy. If you do not accept the updated policy, you must stop using the platform and may request deletion of your account by contacting privacy@collabbuy.com.
15. Contact and Complaints
For questions, requests, or complaints regarding this Privacy Policy or the processing of your personal data:
Data Controller: MaestroHive Solutions Limited (trading as CollabBuy)
Privacy enquiries: privacy@collabbuy.com
General contact: hello@collabbuy.com
Website: collabbuy.com
Regulatory authority: Nigeria Data Protection Commission (NDPC) — ndpc.gov.ng