Privacy Policy

Effective Date: 23 March 2026  ·  Last Updated: 23 March 2026

1. Introduction

Spronet Nig Ltd ("Spronet.ng," "we," "us," or "our") operates the Spronet.ng business-to-business (B2B) industrial procurement marketplace accessible at www.spronet.ng and all related sub-domains, mobile applications, and APIs (the "Platform" or "Service").

This Privacy Policy explains how we collect, use, disclose, store, and protect your personal data and business information when you access or use our Service. It applies to all Users of the Platform, including Buyers, Dealers (Sellers/Suppliers), and visitors.

This Policy is designed to comply with the Nigeria Data Protection Act (NDPA) 2023, the Nigeria Data Protection Regulation (NDPR) 2019, and other applicable data protection laws. By using the Service, you acknowledge that you have read and understood this Privacy Policy.

This Privacy Policy is incorporated into and forms part of our Terms of Service.

2. Data Controller

For the purposes of applicable data protection law, the data controller responsible for your personal data is:

  • Entity: Spronet Nig Ltd
  • Email: privacy@spronet.ng
  • Address: Rivers State, Nigeria

If you have any questions about this Privacy Policy or how we handle your data, please contact our Data Protection Officer at privacy@spronet.ng.

3. Data We Collect

We collect the following categories of data:

3.1 Account and Identity Data

Data Point | Source | Purpose
Full name | Registration / Clerk | Account identification
Email address | Registration / Clerk | Authentication, notifications, communications
User role (Buyer/Dealer) | Registration | Platform access control
Account creation date | Automatic | Account management
Authentication credentials | Clerk (Third-party) | Secure login

3.2 Business Profile Data (Dealers)

Data Point | Purpose
Company name, description | Public business listing
Company logo, banner image | Brand presentation
Business address, city, state | Location matching, delivery coordination
Phone number | Business communication
Website URL | Public profile display
Business email | Verification, business communication
Representative name | Identity verification
Business category, tags | Search matching, RFQ distribution
Bank name, account number, account name | Payment facilitation (displayed only to relevant parties)
Verification status | Trust and safety

3.3 Transaction Data

  • Sourcing Requests (RFQs): Title, details, category, tags, quantity, budget, deadline, delivery preferences, GPS coordinates, file attachments.
  • Quotes: Pricing, breakdown, delivery terms, pickup locations, validity dates, notes, attachments.
  • Orders: Order numbers, amounts, line items, delivery addresses, tracking information, status history, promised and actual delivery dates.
  • Payment Proofs: Uploaded receipt images, payment amounts, timestamps, dispute information.
  • Platform Invoices: Success fee amounts, payment status, due dates.

3.4 Communication Data

  • Negotiation Messages: All messages exchanged within Negotiation Rooms, including text content, counter-offer metadata, and timestamps.
  • Social Feed: Posts, comments, likes, and tagged content.
  • Notifications: In-app notification content and read status.

3.5 Location Data

  • Delivery coordinates: GPS latitude and longitude selected via our map-based location picker for delivery or pickup points.
  • Saved Locations: Address labels, coordinates, and default preferences saved by Users for reuse.
  • Business addresses: City, state, and street address provided in Dealer Profiles.

3.6 Product Data

  • Product names, descriptions, images, pricing, categories, units, minimum order quantities, certifications, stock status, and moderation status.

3.7 Trust and Reputation Data

  • Handshake Score: Aggregated trust metric derived from transaction behaviour, reviews, responsiveness, and fee payment history.
  • Score Events: Individual scoring actions with weights, descriptions, and timestamps.
  • Reviews: Star ratings, written comments, and associated order/buyer/dealer references.

3.8 Technical and Usage Data

  • IP address, browser type and version, device type, operating system.
  • Pages visited, features used, time spent, click patterns.
  • Referral source (how you found the Platform).
  • Error logs and performance data.

3.9 Boost Campaign Data

  • Campaign plan, duration, spend amount, impressions, clicks (internal and external), status.

We process your personal data on the following legal grounds:

Legal Basis | Applicable Processing Activities
Contractual Necessity | Account creation, transaction processing, order management, invoicing, Handshake Score calculation
Consent | Marketing communications, promotional notifications, Boost Campaigns, location data collection via map picker
Legitimate Interest | Fraud prevention, platform security, content moderation, analytics, product matching algorithms, dispute resolution
Legal Obligation | Tax record retention, regulatory compliance, responding to lawful government requests

5. How We Use Your Data

We use the data we collect to:

  • Provide the Service: Create and manage accounts, process RFQs, facilitate quotes, manage orders, enable negotiations, and coordinate delivery logistics.
  • Match Buyers with Suppliers: Our matching algorithm analyses RFQ details (title, category, tags, location) against Dealer profiles, products, and expertise to identify the best-fit suppliers.
  • Calculate Trust Scores: Aggregate transactional data, review ratings, responsiveness, and fee payment history into the Handshake Score to help Users assess trading partner reliability.
  • Process Payments: Generate Platform Invoices (Success Fees), facilitate Boost Campaign payments via Paystack, and store payment proof documentation.
  • Content Moderation: Review and moderate product listings, social posts, reviews, and user-reported content to maintain Platform safety and quality.
  • Communications: Send transactional notifications (new RFQs, quotes, order updates, payment confirmations), system alerts (security, policy changes), and promotional communications (new features, campaigns).
  • Improve the Platform: Analyse usage patterns, identify bugs, optimise performance, and develop new features.
  • Prevent Fraud: Detect and prevent fraudulent activity, fake accounts, review manipulation, score gaming, and payment fraud.
  • Resolve Disputes: Access transaction records, communication logs, and payment proofs to assist in mediation between Users.
  • Legal Compliance: Comply with applicable Nigerian laws, regulations, and lawful government requests.

6. Data Sharing and Disclosure

6.1 Between Users

Certain data is shared between Users as an inherent part of the marketplace:

  • Dealer Profiles (company name, description, logo, location, category, verification status, Handshake Score, reviews) are publicly visible on the Platform.
  • RFQ details are visible to Dealers who receive or view the request, based on the Buyer's chosen distribution method.
  • Quotes are visible to the Buyer who created the RFQ and to the quoting Dealer.
  • Negotiation messages are visible only to the Buyer and Dealer involved in the conversation.
  • Reviews are publicly visible on the Dealer's profile.
  • Buyer names may be visible to Dealers when submitting RFQs or placing orders.

6.2 Third-Party Service Providers

We share data with the following categories of third-party service providers who process data on our behalf:

Provider | Purpose | Data Shared
Clerk | Authentication and identity management | Email, name, authentication tokens
Paystack | Payment processing for Platform fees and Boosts | Email, payment amounts, transaction references
Supabase | Database hosting and file storage | All Platform data (encrypted at rest)
OpenStreetMap / Nominatim | Map display and address geocoding | Search queries, GPS coordinates (anonymised)
Google Cloud Platform | Application hosting and infrastructure | Application data (encrypted in transit and at rest)

All third-party providers are contractually obligated to process your data only for the purposes specified, in accordance with our instructions, and in compliance with applicable data protection laws.

6.3 Legal and Regulatory Disclosure

We may disclose your data if required to do so by law or in response to:

  • Valid legal process (court order, subpoena, or warrant).
  • Requests by Nigerian law enforcement or regulatory authorities acting within their lawful authority.
  • Protection of the rights, property, or safety of Spronet.ng, our Users, or the public.
  • Detection and prevention of fraud, security breaches, or illegal activity.

6.4 Business Transfers

In the event of a merger, acquisition, reorganisation, bankruptcy, or sale of all or a portion of our assets, your personal data may be transferred to the acquiring entity. We will notify affected Users of any such transfer and any changes to the data controller's identity.

6.5 No Sale of Personal Data

We do not sell, rent, or trade your personal data to third parties for their marketing purposes.

7. Data Storage and Security

7.1 Storage Location

Your data is stored on secure servers provided by Supabase and Google Cloud Platform. Servers may be located outside Nigeria. Where data is transferred internationally, we ensure that appropriate safeguards are in place in compliance with the NDPA 2023, including adequacy assessments and contractual protections.

7.2 Security Measures

We implement the following security measures to protect your data:

  • Encryption: All data is encrypted in transit (TLS/SSL) and at rest (AES-256).
  • Authentication: Multi-factor authentication support via Clerk. Secure session management with token-based access.
  • Access Control: Role-based access control for administrative functions. Admin actions are logged in a comprehensive audit trail.
  • Infrastructure: Cloud-hosted on enterprise-grade infrastructure with automated backups, redundancy, and disaster recovery.
  • Monitoring: Continuous security monitoring, anomaly detection, and automated alerting.

7.3 Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will:

  • Notify the Nigeria Data Protection Commission (NDPC) within 72 hours of becoming aware of the breach, as required by the NDPA 2023.
  • Notify affected Users without undue delay, describing the nature of the breach, the data affected, and the remedial steps taken.
  • Document the breach and our response for regulatory compliance and internal review.

8. Data Retention

We retain your data for the following periods:

Data Category | Retention Period | Rationale
Account data | Duration of account + 2 years | Account recovery, regulatory compliance
Transaction records (RFQs, Quotes, Orders) | 7 years from transaction date | Tax, accounting, and legal compliance
Payment proofs and invoices | 7 years | Financial regulatory compliance
Negotiation messages | Duration of account + 1 year | Dispute resolution
Social feed content | Duration of account | Deleted upon account termination
Reviews | Indefinite (anonymised after account deletion) | Trust system integrity
Handshake Score data | Duration of account | Trust calculations
Technical/usage logs | 12 months | Security monitoring, performance
Admin audit logs | 5 years | Compliance, internal accountability

After the retention period expires, data is securely deleted or anonymised so that it can no longer be associated with you.

9. Your Rights

Under the Nigeria Data Protection Act (NDPA) 2023 and applicable data protection laws, you have the following rights regarding your personal data:

9.1 Right of Access

You have the right to request a copy of the personal data we hold about you. We will respond within 30 days of receiving a verified request.

9.2 Right to Rectification

You may request correction of inaccurate or incomplete personal data. Many data fields can be updated directly through your account settings or Dealer Profile.

9.3 Right to Erasure ("Right to Be Forgotten")

You may request deletion of your personal data, subject to the following exceptions:

  • Data we are required to retain for legal, tax, or regulatory compliance.
  • Data necessary to complete pending transactions or resolve active disputes.
  • Aggregated or anonymised data that can no longer identify you.

9.4 Right to Restrict Processing

You may request that we temporarily restrict processing of your personal data while we verify its accuracy or assess a legitimate interest claim.

9.5 Right to Data Portability

You may request a machine-readable copy of the personal data you provided to us, which we will supply in JSON or CSV format.

9.6 Right to Object

You may object to the processing of your personal data for direct marketing purposes at any time. You may also object to processing based on legitimate interests, in which case we will assess whether our interests override your objection.

9.7 Right to Withdraw Consent

Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal. You can withdraw consent by adjusting your notification settings, contacting support, or deleting your account.

9.8 How to Exercise Your Rights

To exercise any of these rights, please submit a written request to privacy@spronet.ng. We may require identity verification before processing your request. We will respond within 30 days.

9.9 Right to Lodge a Complaint

If you believe that your data protection rights have been violated, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng.

10. Cookies and Tracking Technologies

10.1 What We Use

We use the following technologies to enhance your experience:

  • Essential Cookies: Required for authentication, session management, and core Platform functionality. These cannot be disabled.
  • Authentication Tokens: Managed by Clerk to maintain your login state securely.
  • Local Storage: Used to store temporary data such as draft sourcing requests and user preferences (e.g., dark mode).
  • Analytics: We may use analytics tools to understand usage patterns and improve the Service. Analytics data is aggregated and does not identify individual Users.

10.2 Third-Party Cookies

Third-party services integrated into the Platform (Clerk, Paystack) may set their own cookies as described in their respective privacy policies. We do not control these cookies.

11. Children's Privacy

The Service is designed for business use and is not directed at individuals under the age of eighteen (18). We do not knowingly collect personal data from children. If we become aware that we have collected data from a minor, we will promptly delete it. If you believe a minor has provided us with personal data, please contact privacy@spronet.ng.

12. International Data Transfers

Your data may be processed and stored on servers located outside the Federal Republic of Nigeria. Our infrastructure providers (Supabase, Google Cloud Platform) operate data centres in various jurisdictions. When transferring data internationally, we ensure:

  • The receiving jurisdiction provides an adequate level of data protection, as assessed under the NDPA 2023.
  • Appropriate contractual safeguards (Standard Contractual Clauses or equivalent) are in place.
  • Technical security measures (encryption, access controls) protect data throughout the transfer and at the destination.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:

  • We will notify you via email and/or an in-app notification at least fourteen (14) days before the changes take effect.
  • The "Last Updated" date at the top of this page will be revised.
  • The updated Policy will be posted on the Platform.

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

14. Contact Us

For any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

  • Data Protection Officer: privacy@spronet.ng
  • General Support: support@spronet.ng
  • Legal: legal@spronet.ng
  • Company: Spronet Nig Ltd
  • Address: Rivers State, Nigeria

We aim to respond to all data protection enquiries within 30 days of receipt.


By using Spronet.ng, you acknowledge that you have read and understood this Privacy Policy.