Privacy Policy

1. Who We Are (Data Controller)

For the purposes of the Nigeria Data Protection Act 2023, the Data Controller responsible for your personal data is:

2. Personal Data We Collect

We collect personal data only where it is necessary for a legitimate purpose. The categories of personal data we collect include:

3. Lawful Basis for Processing

Under the NDPA 2023, we process your personal data on the following lawful bases:

• Contract Performance: Processing necessary to fulfil the contract between you and Korè (account creation, transaction processing, escrow management, dispute resolution).
• Consent: Where you have freely given specific, informed, and unambiguous consent (e.g., marketing communications, optional analytics).
• Legal Obligation: Where processing is required to comply with applicable Nigerian law (e.g., FIRS tax reporting, NDPC registration, EFCC/NFIU anti-money laundering requirements).
• Legitimate Interests: Where necessary for our legitimate business interests (fraud prevention, Platform security, product improvement), provided these interests are not overridden by your rights and freedoms.

4. How We Use Your Personal Data

We use your personal data for the following purposes:

• Account Management: Creating, verifying, and maintaining your account;
• Transaction Processing: Processing orders, managing escrow payments, disbursing funds to Sellers, and issuing refunds to Buyers;
• Identity Verification: Verifying the identity and credentials of Sellers to maintain a trusted marketplace;
• Dispute Resolution: Reviewing evidence and facilitating resolution of disputes between Buyers and Sellers;
• Platform Improvement: Analysing usage data to improve features, performance, and user experience;
• Communications: Sending transactional notifications (order confirmations, payment receipts, dispute updates) and — with your consent — promotional communications;
• Security and Fraud Prevention: Detecting, investigating, and preventing fraudulent transactions, account takeovers, and prohibited conduct;
• Legal Compliance: Meeting our obligations under Nigerian law, including FIRS tax reporting, anti-money laundering (AML) obligations under the Money Laundering Prevention and Prohibition Act 2022, and data protection compliance under the NDPA 2023; and
• Customer Support: Responding to enquiries, complaints, and support requests.

5. Data Sharing and Third-Party Disclosure

We do not sell your personal data to any third party. We may share your personal data with the following categories of third parties only where necessary and on a need-to-know basis:

• Payment Processors: Paystack and/or Flutterwave, for the processing of escrow payments, refunds, and disbursements. These processors are bound by their own privacy policies and applicable CBN regulations;
• Logistics Partners: Third-party delivery companies integrated into the Platform, who receive the delivery address and order details necessary to complete a delivery;
• Identity Verification Providers: Third-party KYC providers used to verify Seller identities, who receive only the minimum data necessary for verification;
• Cloud Service Providers: Infrastructure providers (including Supabase and cloud hosting services) that host the Platform and its data, who process data under appropriate data processing agreements;
• Legal and Regulatory Authorities: Where required by Nigerian law, court order, or regulatory authority (including NDPC, FIRS, EFCC, NFIU, or law enforcement), we may disclose personal data without prior notice to you; and
• Professional Advisors: Legal counsel, accountants, and auditors, subject to professional confidentiality obligations.

Where we share data with any third party acting as a Data Processor on our behalf, we ensure a data processing agreement is in place that requires them to protect your data in accordance with the NDPA 2023.

6. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by Nigerian law. Our standard retention periods are as follows:

After the applicable retention period, your data will be securely deleted or anonymised so that it can no longer be associated with you.

7. Your Rights Under the NDPA 2023

Under the Nigeria Data Protection Act 2023, you have the following rights with respect to your personal data:

• Right of Access: You may request a copy of all personal data we hold about you;
• Right to Rectification: You may request that inaccurate or incomplete personal data be corrected;
• Right to Erasure ("Right to be Forgotten"): You may request deletion of your personal data, subject to our legal retention obligations;
• Right to Restriction of Processing: You may request that we restrict the processing of your data in certain circumstances;
• Right to Data Portability: You may request your personal data in a structured, commonly used, machine-readable format;
• Right to Object: You may object to processing based on legitimate interests or for direct marketing purposes; and
• Right to Withdraw Consent: Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please submit a written request to privacy@kore.ng. We will respond within 30 days of receiving a verifiable request. You also have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng if you believe your rights have been violated.

8. Data Security

We implement appropriate technical and organisational security measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These measures include:

• Encryption of data in transit using TLS/SSL protocols;
• Encryption of sensitive data at rest;
• Role-based access controls limiting staff access to personal data on a need-to-know basis;
• Regular security assessments and vulnerability testing;
• Secure cloud infrastructure with automated backups; and
• Staff training on data protection and security practices.

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the NDPC within 72 hours of becoming aware of the breach, as required by the NDPA 2023.

9. Cookies and Tracking

The Platform uses cookies and similar tracking technologies to improve your experience. We use the following types of cookies:

• Essential Cookies: Required for the Platform to function (authentication, session management, cart/escrow state). Cannot be disabled.
• Analytics Cookies: Used to understand how Users interact with the Platform (pages visited, time on site, error tracking). Used with your consent.
• Preference Cookies: Store your settings and preferences (language, notification preferences). Used with your consent.

You may manage your cookie preferences through your browser settings or through our cookie consent banner. Disabling non-essential cookies will not affect your ability to use core Platform features.

10. Children's Privacy

The Korè Platform is not directed at children under the age of 18. We do not knowingly collect personal data from persons under 18. If we become aware that we have collected personal data from a minor without verifiable parental consent, we will take immediate steps to delete that information. If you believe we may have collected data from a minor, please contact us at privacy@kore.ng.

11. Cross-Border Data Transfers

Where we transfer personal data outside Nigeria (for example, to cloud infrastructure providers or payment processors with servers outside Nigeria), we ensure that such transfers comply with the NDPA 2023. We transfer data only to countries or organisations that provide an adequate level of data protection, or where appropriate safeguards (such as data transfer agreements) are in place.

12. Third-Party Links

The Platform may contain links to third-party websites or services (including logistics partners, payment processors, and social media platforms). This Privacy Policy applies only to the Korè Platform. We are not responsible for the privacy practices of any third-party websites. We encourage you to review the privacy policies of any external sites you visit.

13. Marketing Communications

With your consent, we may send you promotional emails, SMS, or WhatsApp messages about new features, offers, or products on the Platform. You may opt out of marketing communications at any time by clicking "Unsubscribe" in any email, or by contacting us at info@kore.ng. Opting out of marketing communications will not affect transactional notifications (such as order confirmations and payment receipts), which are necessary for the operation of your account.

14. Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or applicable law. Where changes are material, we will notify you by email or through a prominent notice on the Platform at least 14 days before the updated Policy takes effect. Your continued use of the Platform after the effective date of any updated Policy constitutes your acceptance of the revised Policy.

15. Contact and Complaints

For any privacy-related enquiries, requests to exercise your rights, or complaints, please contact: