Privacy Policy

Last updated: 3 April 2026·OyaLinkup Ltd

1. Introduction

OyaLinkup Ltd (“OyaLinkup”, “we”, “our”, “us”) is the data controller for personal data processed through our platform. We operate a ward-based opportunity network connecting Nigerian seekers with trusted providers.

This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use our website and services. We comply with the Nigeria Data Protection Act 2023 (Act No. 37) and its subsidiary legislation.

By creating an account or using OyaLinkup, you confirm that you have read and understood this policy and consent to the processing of your personal data as described herein.

Key points:

  • We collect only the data necessary to operate the platform
  • We do not sell your personal data to third parties
  • You control your visibility and can exercise your data rights at any time
  • We use Amazon Web Services and Cloudflare as processors for deployed infrastructure and traffic security
  • You can delete your account and your personal data at any time
  • We comply with the Nigeria Data Protection Act 2023 (NDPA) and the Child's Right Act 2003

2. Who We Are

Data Controller: OyaLinkup Ltd

Contact for data protection enquiries: privacy@notify.oyalinkup.com

Regulator: Nigeria Data Protection Commission (NDPC), ndpc.gov.ng

OyaLinkup Ltd is registered with the Corporate Affairs Commission (CAC) under RC number 9488622. Registered address: No. 1, Bawalane Centre Igboro, Ilorin, Kwara State, Nigeria.

3. Information We Collect

We follow the principle of data minimisation (NDPA §24(c)); we only collect data that is necessary, relevant, and adequate for the purposes described in this policy.

3.1 Account Information

  • First name and email address (required at registration)
  • Phone number (optional, can be added after registration)
  • Password: hashed using Argon2id; never stored in plain text and never accessible to our team
  • Date of birth (optional, used for age-restricted content verification)
  • Gender (optional, can be set to private in your visibility settings)
  • Profile photo (optional, uploaded to our media storage provider)
  • Display name / nickname (optional)

3.2 Location Data

  • State, Local Government Area (LGA), and ward (selected by you during setup)
  • Location is used to power discovery and show you relevant providers in your ward and beyond
  • We do not collect GPS coordinates, real-time location, or device location permissions
  • You control whether your location is visible to other users via Privacy Settings

3.3 Business Information (business accounts only)

  • Business name, category, description, and headline
  • Business address, LGA, ward, and operating hours
  • Portfolio images, catalog items (titles, descriptions, pricing, photos)
  • Business logo and banner images
  • Social media handles (optional)
  • Bank account details are not collected; we do not process payments

3.4 Communications Data

  • Messages sent between users and businesses through the platform's messaging system
  • Inquiry content submitted through business profile pages
  • Message content is used only to deliver communications and for platform safety monitoring

3.5 Usage and Technical Data

  • Pages visited, features used, and search queries
  • Device type, browser type, and operating system
  • IP address (used for security, fraud detection, and approximate geographic context; not stored permanently)
  • Session duration and interaction patterns
  • Server logs retained for 90 days

4. How We Use Your Data

We use your personal data for the following purposes:

  • Providing the platform: creating and maintaining your account, enabling discovery, facilitating messaging between users and businesses
  • Ward-based discovery: matching your location to relevant providers in your ward and beyond, and showing your public profile to seekers in your area (subject to your visibility settings)
  • Trust and safety: verifying account authenticity, detecting fraudulent activity, and moderating content that violates our Terms of Use
  • Communications: sending transactional notifications (new messages, account alerts, system updates); we do not send marketing emails without your explicit consent
  • Platform improvement: understanding how features are used to improve the service; usage data is analysed in aggregate where possible
  • Legal compliance: complying with applicable Nigerian law, including responding to lawful requests from regulatory authorities

5. Lawful Basis for Processing

Under NDPA §25, data processing must have a lawful basis. Our bases are as follows:

  • Consent (§25(1)(a)): registration, optional profile fields (gender, date of birth, display name), profile visibility settings, and any future marketing communications. You may withdraw consent at any time.
  • Contract performance (§25(1)(b)(i)): processing your account information, location data, and communications data is necessary to provide the service you signed up for.
  • Legitimate interests (§25(1)(b)(v)): fraud prevention, platform security, abuse detection, and aggregate service analytics, where these interests do not override your fundamental rights and freedoms.
  • Legal obligation (§25(1)(b)(ii)): complying with applicable Nigerian law and lawful regulatory requirements.

6. Data Sharing and Third-Party Processors

We do not sell, rent, or trade your personal data. Data is shared only as described below.

6.1 With Other Users

  • Your public profile (first name, avatar, joined date, review count) is visible to other users if your profile is set to public in Privacy Settings
  • Business profiles and catalog items are visible to all users including guests
  • Messages are visible only to the two parties involved in the conversation

6.2 Third-Party Processors

We engage the following data processors under NDPA §29. Each processor operates under a Data Processing Agreement and is contractually bound to handle your data only on our instructions.

ProcessorRoleLocation
Amazon Web ServicesMedia storage, application hosting infrastructure, and encrypted backup storage for deployed environmentsAfrica (Cape Town)
Cloudflare, Inc.CDN, DDoS protection, DNS proxy, and traffic securityUnited States (global edge)
ResendTransactional email delivery — account notifications, verification emails, and platform communications sent to usersIreland (EU)
Google LLCGoogle Maps JavaScript API (Places library) loaded site-wide for address search and location selection. The Get Directions feature on business profiles opens an outbound link to Google Maps and is governed by Google's own privacy policy.United States (global)

Data processed by Amazon Web Services is hosted in the Africa (Cape Town) region. Where data is transferred outside Nigeria, we ensure appropriate safeguards are in place under NDPA §43, including contractual protections with each processor.

6.3 Law Enforcement and Regulatory Authorities

  • We may disclose personal data to Nigerian law enforcement or regulatory authorities where required by a valid legal order, court order, or applicable Nigerian law
  • We will notify you of such disclosure where we are legally permitted to do so

7. Cross-Border Data Transfers

Your data is primarily stored and processed on OyaLinkup infrastructure hosted on Amazon Web Services in the Africa (Cape Town) region.

Where data is transferred outside Nigeria, it is primarily through Cloudflare's global edge and security network while delivering the service. Such transfers are lawful under NDPA §43(b) because they are necessary for the performance of the contract between you and OyaLinkup and are subject to appropriate technical and contractual safeguards.

8. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected (NDPA §24(d)).

  • Active account data: retained for as long as your account is active and in use
  • Deleted account data: personal profile information is cleared within 30 days of account deletion; minimal audit records (not linked to your identity) may be retained for up to 2 years for platform integrity purposes
  • Business profile data: retained for 6 months after a business account is deactivated, then permanently deleted
  • Message data: retained while the conversation thread is active; deleted when both parties' accounts are closed
  • Server logs: 90 days, then automatically purged

9. Your Rights Under the NDPA

Under Part VI of the Nigeria Data Protection Act 2023, you have the following rights as a data subject. To exercise any of these rights, contact us via our contact page. We will respond within 30 days.

  • Right of access (§34): request confirmation of whether we process your data, and receive a copy of it in a commonly used electronic format
  • Right to rectification (§34(c)): request correction of inaccurate, incomplete, or misleading personal data
  • Right to erasure (§34(d)): request deletion of your personal data where it is no longer necessary for the purpose collected, or where you withdraw consent and no other lawful basis applies
  • Right to restrict processing (§34(e)): request that we limit how we use your data while a request is being resolved or an objection is pending
  • Right to withdraw consent (§35): withdraw your consent to processing at any time; withdrawal does not affect the lawfulness of processing that occurred before withdrawal
  • Right to object (§36): object to processing based on legitimate interests, including profiling for direct marketing
  • Right to data portability (§38): receive your personal data in a structured, machine-readable format and have it transmitted to another controller where technically feasible
  • Right against automated decision-making (§37): not be subject to decisions based solely on automated processing that produce significant legal effects. We do not currently use automated decision-making on your account.

You also have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng if you believe your data rights have been violated.

10. Children and Minors

OyaLinkup is open to all age groups. Access is available to users aged 13 and above, in line with NDPA §31(5) which recognises 13 as the threshold for electronic information and services directed at children.

  • Under 13: We do not knowingly collect personal data from children under 13. If we become aware that a user is under 13, we will delete their account and data without delay.
  • Ages 13–17: Users under 18 are considered children under the Child's Right Act 2003. Parental or guardian consent is required for data processing (NDPA §31(1)). We apply appropriate mechanisms to verify age and consent.
  • Age-restricted categories: Certain business categories (such as alcohol retailers, adult services, and tobacco) require users to confirm they are 18 or older at the point of making an inquiry or contact. General browsing and discovery remain available to all eligible users.

11. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction (NDPA §39).

  • All data in transit is encrypted via HTTPS/TLS
  • Passwords are hashed with Argon2id, an industry-standard algorithm; plain-text passwords are never stored or accessible
  • Access to production systems is restricted to authorised personnel only
  • Cloudflare provides DDoS protection and traffic security at the network layer
  • We conduct periodic reviews of our security measures and controls

While we take security seriously, no system is completely immune to risk. We encourage you to use a strong, unique password and to notify us immediately if you suspect unauthorised access to your account.

12. Data Breach Notification

In the event of a personal data breach, we will act in accordance with NDPA §40:

  • We maintain a breach register documenting all incidents, their effects, and remedial actions taken
  • Where a breach is likely to result in a risk to your rights and freedoms, we will notify the Nigeria Data Protection Commission (NDPC) within 72 hours of becoming aware
  • Where a breach is likely to result in a high risk to your rights and freedoms, we will notify you directly in plain, clear language without undue delay, including the nature of the breach and steps you can take to protect yourself

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the services we offer, or applicable law. The “Last updated” date at the top of this page will reflect the most recent revision.

For material changes (those that significantly affect how we process your data or your rights), we will notify you via email or through a prominent in-app notice before the changes take effect. Continued use of the platform after such notice constitutes acceptance of the updated policy.

14. Contact and Complaints

For any questions about this Privacy Policy, to exercise your data rights, or to raise a data protection concern:

If you are not satisfied with our response, you have the right to escalate your complaint to the Nigeria Data Protection Commission (NDPC):