Privacy Policy

1. Information We Collect

1.1 Information You Provide

• Account information: First name, last name, email address, phone number, and password when you create an account.
• Profile information: Profile picture, gender, and username you choose to add.
• Address information: Delivery addresses including country, state, city, area, house address, landmark, postal code, and contact details.
• Order information: Items purchased, payment method selected, delivery preferences, and recipient details (including for gift orders).
• Payment information: We do not store your credit card or bank account numbers. Payment processing is handled by third-party providers (Paystack, Flutterwave, Nomba). We store transaction references, amounts, and payment status.
• Communications: Messages you send through our contact form, including your name, email, phone number, subject, and message content.
• Reviews: Product reviews and ratings you submit.

1.2 Information Collected Automatically

• Device information: When you register for push notifications, we store your device’s push notification token (Expo push token) to send you order updates and alerts.
• Usage data: We log request activity for security monitoring, including timestamps and IP addresses.
• Authentication tokens: We generate and store JSON Web Tokens (JWTs) and refresh tokens to maintain your authenticated session.

1.3 Information from Third Parties

• Social login providers: If you sign in with Google or Apple, we receive your name and email address from those services. We do not receive your social media passwords.

2. How We Use Your Information

We use your information to:

• Create and manage your account.
• Process and fulfil your orders, including calculating delivery fees and coordinating with delivery partners.
• Process payments through our third-party payment providers.
• Send you order updates, payment confirmations, and delivery tracking information via push notifications, SMS, WhatsApp, and email.
• Send you one-time verification codes (OTPs) for account verification, password resets, and security purposes.
• Respond to your contact form submissions and customer support inquiries.
• Display your reviews to other users.
• Maintain the security of your account and our Service, including fraud prevention and rate limiting.
• Improve and develop our Service.

3. How We Share Your Information

We share your information only in the following circumstances:

• Payment processors: Paystack, Flutterwave, and Nomba receive transaction details necessary to process your payments.
• Delivery partners: FEZ Delivery receives your delivery address and contact information to fulfil deliveries.
• Communication providers: Termii receives your phone number to send OTP verification codes via SMS and WhatsApp. Our email provider (Nodemailer/Mailgun) receives your email address to send transactional emails.
• Push notification services: Expo receives your device push token to deliver notifications.
• Cloud storage: AWS S3 stores files you upload (such as profile pictures).
• Legal requirements: We may disclose your information if required by law, regulation, legal process, or governmental request.

We do not sell your personal information to third parties.

4. Data Storage and Security

• Your data is stored in secure MongoDB databases.
• Passwords are hashed using bcrypt before storage. We never store or have access to your plaintext password.
• Authentication uses RS256-signed JSON Web Tokens with time-limited expiration.
• API access is protected by rate limiting to prevent abuse.
• All API communications are encrypted via HTTPS.
• File uploads are validated for type and size before storage.
• OTP codes are generated using cryptographically secure methods, are time-limited, and are deleted after use or after a maximum number of failed attempts.

While we implement commercially reasonable security measures, no method of transmission or storage is completely secure. We cannot guarantee absolute security of your data.

5. Data Retention

• Account data: Retained as long as your account is active. You may request deletion at any time.
• Order and transaction data: Retained for as long as necessary to fulfil orders, process refunds, and comply with legal and financial reporting obligations.
• Authentication tokens: Access tokens expire after 1 hour. Refresh tokens expire after 7 days. Tokens are deleted upon logout.
• OTP codes: Deleted after successful verification or after 10 minutes, whichever comes first.
• Push notification tokens: Deleted when you unregister your device or when they are detected as invalid.
• Contact form messages: Retained until resolved or deleted.

6. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access the personal information we hold about you.
• Correct inaccurate or incomplete personal information.
• Delete your account and associated personal data.
• Withdraw consent for optional data processing (such as push notifications).
• Object to the processing of your personal data for certain purposes.

To exercise any of these rights, contact us using the details in Section 10.

7. Children’s Privacy

The Service is not intended for use by children under the age of 13 (or the applicable age of consent in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will promptly delete it.

8. Cookies and Tracking

The Sira mobile application does not use cookies. We do not use third-party analytics or advertising trackers within the app.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy within the app or sending you a notification. Your continued use of the Service after changes are posted constitutes your acceptance of the revised policy.

10. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us: