Legal

Privacy Policy

Last updated: May 24, 2026

Goodiebag Digital Ltd, Port Harcourt, Nigeria

1. Introduction

Goodiebag, operated by Goodiebag Digital Ltd, Port Harcourt, Nigeria ("we," "us," or "our"), operates at getgoodiebag.com and through the Goodiebag mobile application ("the App") available on Android and iOS. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our Service. When you use Goodiebag, we process your information as described in this Privacy Policy and in accordance with applicable data protection law.

2. Information We Collect

Information you provide:

  • Sender information: Name, email address, phone number, and payment details when you create a Goodiebag.
  • Recipient information: Name and phone number when you claim from a Goodiebag.
  • Payout information: Bank name and account name when you claim and receive funds.
  • Communications: Messages you send to our support team.

Information retained for compliance:

  • Account deletion audit record: When you delete your account, we create an internal record containing your original email address, phone number, and account identifier. This record is stored securely, is not publicly accessible, and is used solely to respond to law enforcement requests, fraud investigations, or regulatory inquiries. It is not used for marketing or shared with third parties for any commercial purpose.

Information collected automatically:

  • Device information: Browser type, device type, and a device fingerprint (visitor ID via FingerprintJS) for fraud prevention. Device fingerprinting is used to detect duplicate claims, scripted activity, PIN brute forcing, and suspicious claim patterns. It is not used to sell personal data or to serve third-party behavioural advertising.
  • Usage data: Pages visited, claim interactions, and transaction activity.
  • Local storage: We store your email address in your browser's localStorage for up to 30 days so you do not have to re-enter it on return visits. This data never leaves your device unless you actively use it to interact with the Service. You can clear it at any time by clearing your browser's local storage.
  • Cookies: Essential cookies for Service functionality. We do not use advertising cookies unless disclosed and permitted through your cookie preferences. We do not currently use advertising cookies on the Service. We may use limited analytics tools or similar technologies to understand aggregate website traffic and improve the Service.

Information collected through the mobile app:

  • Device push token: Collected via expo-notifications when you grant notification permission. Used only to send you claim updates for bags you created. Stored in our database linked to your account. You can revoke this at any time by disabling notifications for the Goodiebag app in your device settings.
  • Auth session token: Stored on-device in your device's encrypted secure storage (expo-secure-store). Used to keep you signed in between sessions. Never transmitted except as an authorisation header to getgoodiebag.com APIs.
  • Phone number saved in app profile: Stored locally on your device and used to fetch your received claim history. Not shared with third parties.

Information from third parties:

  • Payment processing: Paystack provides payment confirmation, account name verification, and transfer status.

3. How We Use Your Information

  • To provide the Service: Process payments, route gifts to recipients, verify claims, and process recipient payouts through Paystack and supported payment partners.
  • To prevent fraud: Device fingerprinting, phone number verification, and duplicate claim detection.
  • To communicate: Send transaction confirmation emails, push notifications for bag activity (app users only), respond to support inquiries, and provide Service updates.
  • To improve the Service: Analyze usage patterns to enhance features and user experience.
  • To comply with law: Meet regulatory requirements, respond to legal requests, and enforce our Terms.

4. Lawful Basis for Processing

We process personal data only where we have a lawful basis to do so. Depending on the activity, our lawful basis may include performance of a contract, compliance with legal obligations, legitimate interests, consent, fraud prevention, dispute handling, or protection of users and the Service.

Processing Activity | Personal Data Involved | Lawful Basis
Creating and managing a Goodiebag | Sender name/contact details, payment reference, Goodiebag details | Performance of contract; legitimate interests
Processing payments and payouts | Payment references, payout details, transaction records, recipient phone number, bank/payment partner data | Performance of contract; legal obligation; legitimate interests
Recipient claim verification | Phone number, claim status, device/browser signals, IP address, claim history | Performance of contract; fraud prevention; legitimate interests
Fraud prevention and abuse control | Device fingerprint, IP address, browser signals, failed attempts, suspicious activity logs | Legitimate interests; legal obligation; security
Customer support | Messages, screenshots, transaction references, contact details | Performance of contract; legitimate interests
Transaction record retention | Payment, payout, refund, claim, and audit records | Legal obligation; legitimate interests
Account deletion requests | Identity/contact data, deletion request records, retained audit logs | Legal obligation; legitimate interests
Push notifications | Device push token, notification preferences | Consent or user request
Analytics and service improvement | Aggregated usage data, page visits, device/browser data, approximate location where applicable | Legitimate interests or consent where required
Marketing communications, if any | Email address, name, communication preferences | Consent or legitimate interests where permitted

5. How We Share Your Information

We do not sell your personal information. We share limited data with trusted service providers where necessary to operate Goodiebag:

Service Provider / Category | Purpose
Paystack or payment partners | Payment processing, payout processing, refunds, transaction verification, dispute handling
Supabase or database providers | Secure storage of user, transaction, claim, and product data
Vercel or hosting providers | Hosting, deployment, logs, performance, and security
Resend or email providers | Transactional emails, receipts, support communications
Analytics providers | Aggregate usage analytics and service improvement
Fraud prevention tools | Duplicate claim prevention, abuse detection, security monitoring
Professional advisers | Legal, accounting, tax, compliance, audit, and dispute support
Regulators, law enforcement, or courts | Where required by law, valid process, fraud prevention, or compliance obligation

App distribution platforms: Apple Inc. (App Store) and Google LLC (Google Play) distribute the Goodiebag mobile application. They receive app usage data per their own platform policies, which are separate from this policy.

6. Data Security

We implement appropriate technical and organisational measures to protect your information:

  • All data is encrypted in transit using HTTPS/TLS.
  • Payment processing is handled by Paystack, a PCI-DSS Level 1 certified provider. We do not store your full card details.
  • PINs are hashed and never stored in plain text.
  • Database access is restricted through row-level security policies.
  • Device fingerprints are used only for fraud prevention, not for advertising or cross-site tracking.
  • Mobile app auth sessions are stored in your device's encrypted secure storage and are not accessible to other applications.

While we strive to protect your data, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

7. Data Retention

We retain your information for as long as necessary to provide the Service and comply with legal obligations:

  • Transaction records: Payment references, transfer references, claim amounts, and timestamps are retained for a minimum of 5 years as required by Nigerian financial regulations and CBN Anti-Money Laundering guidelines. This data is retained even after account deletion, because financial regulators require it.
  • Claim records: The phone number, bank name, transfer reference, and amount associated with each claim are retained for a minimum of 5 years for fraud prevention and AML compliance. These records are never publicly accessible and are used only for regulatory reporting or law enforcement responses.
  • Account deletion audit record: When you delete your account, we store your email address, phone number, and account identifier in a secure, non-public audit log. This record is retained for 7 years for regulatory compliance and fraud investigation purposes.
  • Display information: Your name as shown on bags you dropped is replaced with "Deleted User" when you delete your account.
  • Device fingerprints: Retained for the lifetime of the associated claim record for fraud auditing.
  • Browser localStorage: Email address stored for up to 30 days, or until you clear your browser storage.
  • Device push tokens: Deleted automatically when you delete your account.
  • Support communications: Retained for 2 years after resolution.

The legal basis for retaining financial and fraud-related data after account deletion is our obligation to comply with Nigerian law (NDPA 2023, FCCPA, and CBN AML/CFT regulations) and our legitimate interest in preventing financial crime. You may request a summary of what data we hold about you at any time by emailing support@getgoodiebag.com.

8. Your Rights

Subject to applicable law and identity verification, you may request access to, correction of, deletion of, restriction of, or information about the personal data we hold about you. You may also object to certain processing or withdraw consent where processing is based on consent.

Under the Nigeria Data Protection Act (NDPA) 2023, you have the right to:

  • Access your personal data.
  • Request correction of inaccurate data.
  • Request deletion of your data, subject to legal retention requirements.
  • Restrict or object to processing of your data.
  • Data portability where technically feasible.
  • Withdraw consent where processing is consent-based.

Some records, including payment, payout, refund, fraud-prevention, dispute, tax, accounting, and legal compliance records, may need to be retained even after an account deletion request.

How to delete your account:

You can delete your account in two ways:

  • Self-service (instant): In the Goodiebag app, go to Profile, scroll to the Danger Zone section, and tap "Delete account." On the website, sign in and visit getgoodiebag.com/account.
  • By email: Email support@getgoodiebag.com with subject "Delete my account" and your account email address. We will action the request within 14 days.

What account deletion does and does not do:

  • Deleted immediately: Your sign-in credentials, display name on bags, and push notification tokens.
  • Retained for compliance: Financial transaction records including payment references, claim records (phone, bank details, transfer references), and amounts. These are required by Nigerian financial law and cannot be erased on request. They are stored securely and are not visible to other users or shared for commercial purposes.
  • Retained in audit log: Your original email address and phone number are kept in a secure, non-public record for up to 7 years to allow us to respond to fraud investigations and law enforcement requests.

To exercise any other data right, contact us at support@getgoodiebag.com.

9. Cookies and Local Storage

Goodiebag uses cookies and similar technologies as described in our Cookie Policy.

We use essential cookies, local storage, device signals, and similar technologies where necessary to operate the Service, remember claim/session information, maintain security, prevent fraud, and improve user experience.

We do not use advertising cookies unless disclosed and permitted through your cookie preferences. We do not currently use advertising cookies on the Service.

We may use limited analytics tools, such as Google Analytics or similar services, to understand aggregate website traffic, page usage, device/browser patterns, and service performance. Where required by applicable law, analytics cookies or similar technologies will be managed through your cookie preferences or browser settings as described in our Cookie Policy.

We may use local storage, device signals, and similar technologies for security, fraud prevention, claim protection, account functionality, and preference management.

We also use your browser's localStorage to remember your email address for up to 30 days, so you do not have to re-enter it when returning to your dashboard. This data is stored only on your device and is not transmitted to any server unless you actively use the Service. You can delete it at any time through your browser settings.

FingerprintJS is used solely for fraud prevention: it generates a visitor ID from your browser characteristics and does not track you across websites or build an advertising profile.

10. Children's Privacy

Goodiebag is a cash gifting platform for adults. We do not knowingly collect information from children under 18. If you believe a child has provided us with personal information, contact us and we will delete it promptly.

11. International Data Transfers

Your data is stored in Supabase (hosted on AWS infrastructure) and processed by Paystack in Nigeria. Transactional emails are delivered via Resend. Vercel serves our application through a global CDN, which may cache public content at edge locations. Personal data and transaction records are not cached on the CDN.

Some of our service providers may store or process data outside Nigeria. Where this occurs, we take reasonable steps to ensure that personal data is protected through appropriate contractual, technical, organisational, or legal safeguards.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated through the Service. Continued use after changes are posted constitutes acceptance. The "Last updated" date at the top of this page reflects the most recent revision.

13. Contact

For privacy-related questions or to exercise your data rights, contact us at support@getgoodiebag.com.

Goodiebag Digital Ltd

Port Harcourt, Nigeria

support@getgoodiebag.com