Legal · v1.0
Privacy Policy
Last updated: 27 April 2026
Receiptly Nigeria Ltd is the data controller for the personal data described below. This policy applies to the Receiptly website, the Receiptly merchant and buyer mobile apps (iOS and Android), and our APIs. It explains what we collect, why, and the rights you have under the Nigeria Data Protection Act 2023 and the NDPR.
1. What we collect
- Phone number & email — used as the primary identifier for merchants and buyers. Phone numbers are stored in normalised form and also as a one-way SHA-256 hash.
- Display name — the name you provide during signup or in app settings.
- Business details — for merchants, the business name, BRI-ID, owner name, business email, location, and the CAC document uploaded during verification.
- Bank account & KYC data — for merchants who configure payouts: account number, bank name, and the verified account holder name returned by our bank verification provider.
- Receipt data — item lines, amounts, issue timestamp, and buyer phone hash for every receipt issued through the platform.
- Push notification token — an opaque token issued by Apple Push Notification service or Firebase Cloud Messaging so we can send receipt alerts to your device. We do not collect ad identifiers.
- Device & usage — IP, device model, OS version, session timestamps, and basic telemetry to protect against fraud and abuse. We do not track you across other apps or websites.
1b. Mobile app permissions
The Receiptly mobile app requests the following device permissions only when needed for a specific feature, and only with your explicit consent:
- Camera — to scan QR codes on receipts and to capture business or product photos. Images are processed on-device and only uploaded if you submit them.
- Photo library — to attach a receipt image, a logo, or a CAC document. We only access the image you select.
- Notifications — to alert you when a new receipt is issued to your wallet or when a buyer flags a receipt. You can revoke this in your OS settings at any time.
2. Why we use it
We process personal data to (a) deliver receipts to the intended buyer, (b) let merchants manage their receipt history, (c) verify merchant identity via CAC documents, (d) detect and prevent fraud, and (e) communicate service-critical updates.
3. Lawful basis
Our bases are performance of a contract (issuing and storing receipts you requested), legitimate interest (fraud prevention), and consent (marketing messages, which you can opt out of at any time).
4. Sharing
We do not sell personal data. We share only with processors who help us run the service — SMS providers, cloud infrastructure, and email delivery — under written data processing terms. We may disclose data where required by law or to protect our rights.
5. Retention
Receipt records are retained for 7 years to match the statutory bookkeeping requirement in Nigeria. Account metadata is deleted within 30 days of account closure, except where retention is required by law. Fraud logs are kept for 2 years.
6. Your rights
You can request access, correction, or deletion of your personal data; object to processing; withdraw consent; and lodge a complaint with the Nigeria Data Protection Commission (NDPC). See our NDPR page for exactly how to exercise each right.
6b. Deleting your account
You can permanently delete your Receiptly account at any time directly from the mobile app: Settings → Delete Account. For merchants this removes the business profile, BRI-ID, API key, bank/KYC data and all issued receipts. For buyers this removes your profile and unlinks any receipts in your wallet. Deletion is immediate and irreversible. If you cannot access the app, email privacy@receiptly.ng and we will process the request within 30 days.
7. Security
Receipts are signed with per-merchant asymmetric keys. Passwords and PINs are stored as bcrypt hashes. Cookies are httpOnly and, in production, secure and SameSite=strict. We rotate signing keys on incident and on a fixed 12-month cadence.
8. Cross-border transfers
Some of our processors operate servers outside Nigeria (the EU and the US). Where data leaves Nigeria, we rely on the adequacy assessments and contractual safeguards permitted under the Nigeria Data Protection Act 2023.
9. Children
Receiptly is not directed to users under 18. We do not knowingly collect data from children. If you believe a child has been signed up, contact us and we will delete the record.
10. Contact our DPO
For any privacy request, email privacy@receiptly.ng or write to our Data Protection Officer at Receiptly Nigeria Ltd, Lagos, Nigeria.