NDPR-COMPLIANT
NDPR & NDPA compliance
Receiptly is registered under the Nigeria Data Protection Regulation (NDPR) 2019 and aligned with the Nigeria Data Protection Act 2023. This page is the one-stop disclosure of how we honour each right the law gives you.
1. Our NDPC registration
Receiptly Nigeria Ltd is a registered Data Controller with the Nigeria Data Protection Commission (NDPC). Our Data Protection Officer (DPO) can be reached at privacy@receiptly.ng.
2. Your rights at a glance
Under the NDPA 2023 you have the right to (a) know what data we hold, (b) correct inaccurate data, (c) delete data we no longer need, (d) object to processing, (e) restrict processing while a dispute is resolved, (f) port your data to another service, and (g) withdraw consent without affecting past processing.
3. How to exercise a right
Email privacy@receiptly.ng from the phone number registered on the account, or use the in-app “Export my data” and “Delete my account” controls under Settings. We respond within 30 days. If we need more time we will tell you and explain why.
4. Data we keep, and for how long
- Receipts — 7 years after issue (statutory bookkeeping retention).
- Account metadata — deleted within 30 days of account closure.
- Verification documents (CAC) — retained while the merchant account is active, then 24 months.
- Fraud logs — 24 months.
- OTP codes — 10 minutes, then purged.
5. Security measures
- Per-merchant Ed25519 signing keys with 12-month rotation.
- Passwords and PINs stored as bcrypt hashes (cost 10).
- All traffic over TLS 1.2+; HSTS enabled in production.
- Admin access protected by two-factor authentication.
- Role-based access control with audit logs for admin actions.
6. Data breach procedure
In the event of a personal data breach likely to result in risk to your rights, we will (a) notify the NDPC within 72 hours, and (b) notify affected users without undue delay through the contact channel on file.
7. Complaints
If you are not satisfied with our handling of a privacy request you may lodge a complaint directly with the Nigeria Data Protection Commission:
Nigeria Data Protection Commission (NDPC)
No. 2 Ikoyi Road, Abuja, Nigeria
Web: ndpc.gov.ng