Privacy Policy — Pricetracker

🔒

Your privacy matters to us. This Privacy Policy explains what personal data PriceTracker collects, why we collect it, how we use it, and what rights you have under the Nigeria Data Protection Act (NDPA) 2023 and the General Application and Implementation Directive (GAID) 2025 — the current, operative legal framework in Nigeria since 19 September 2025.

Last updated: 1 March 2026 · Effective date: 1 March 2026

PriceTracker is a community-driven, non-commercial price tracking Progressive Web Application (PWA) serving Nigerian consumers. As the operator of this platform, we act as the Data Controller as defined under Section 65 of the NDPA 2023.

Field	Details
Service Name	PriceTracker
Operator	Mark Peschke (private individual, non-commercial)
Contact Email	info@pricetracker.ng
Privacy Enquiries	privacy@pricetracker.ng
Legal Framework	NDPA 2023 + GAID 2025
DCPMI Status	We are not currently classified as a Data Controller of Major Importance under the NDPA 2023. Should our processing activities reach the applicable regulatory thresholds, we will comply with all resulting registration obligations with the NDPC.

Legal Basis (Constitution): Processing under this policy is also governed by Section 37 of the Constitution of the Federal Republic of Nigeria 1999, which guarantees the right to privacy. Nothing in this policy authorises processing that violates this constitutional right (GAID 2025, Article 3.2).

Data Minimisation Commitment: We collect only what is strictly necessary to provide the service. We have no advertising, no behavioural tracking, and no third-party analytics.

2.1 Data Provided by You

📧 Email Address

Account authentication, password reset, critical service notifications

Contract performance ✓ Required

👤 Username

Community identity and attribution of price reports

Contract performance ✓ Required

🔑 Password

Account security — stored using a strong, industry-standard one-way hashing algorithm. Plain-text passwords are never stored or accessible.

Contract performance ✓ Required

📍 Location (text, manual entry)

Showing relevant local market prices. Entered manually as text only — we never access your device GPS.

Consent ⚙ Optional

🏷️ Price Reports & Activity Points

Building the community price database — publicly visible with your username. Points earned for contributions are stored in your account and visible only to you.

Contract / Legitimate interest ⚙ Optional

🔔 Watchlist

Monitoring price changes for products you choose to watch — stored in your account only, not shared

Contract performance ⚙ Optional

🛒 Shopping Lists

Personal shopping organisation — stored in your account only, not shared

Contract performance ⚙ Optional

2.2 Data Collected Automatically

Data	Purpose	Retention
Security audit logs (login events, IP address, timestamp)	Fraud prevention, anomaly detection, NDPA breach notification obligations	90 days
IP address (contained in audit logs above)	Security incident investigation and abuse prevention	90 days — legal basis: Legitimate Interest (NDPA s.25(e))
Password reset token	Verifying identity during password reset — single use, invalidated immediately after use	Maximum 1 hour or until used
Session token	Keeping you logged in	Until logout or expiry
Essential cookies only	Session management	Session / persistent as required

No GPS tracking. Location data is entered manually as text (e.g. "Lagos, Surulere"). We never access your device's GPS or location services.

2.3 Sensitive Personal Data

We do not intentionally collect sensitive personal data as defined in Section 30 of the NDPA 2023 (including health data, biometrics, political opinions, religious beliefs, or financial account data). If you inadvertently include such data in a price report or comment, please contact us for immediate deletion.

2.4 Children and Minors

PriceTracker is not directed at persons under 18 years of age. In compliance with the Child Rights Act 2003 and NDPA Section 31, we do not knowingly collect data from minors. Registration requires confirmation of being 18 or above. If we discover a minor has registered, the account and all associated data will be deleted immediately.

All processing is carried out on one of the following lawful bases under NDPA 2023, Section 25:

Contract Providing and maintaining your account and the price tracking service
Legal Obligation Complying with Nigerian law, including breach notification duties under NDPA Section 40
Legitimate Interest Preventing fraud, abuse, and security incidents — balanced against your rights
Consent Optional features such as location-based price filtering; you may withdraw consent at any time

We never: sell your data, share it with advertisers, use it for profiling, or process it for any purpose unrelated to the PriceTracker service. The only data shared with third parties is your email address with Mailgun solely for transactional email delivery, and data stored on our hosting infrastructure with Smartweb — both as described in Section 5.

Cookies & Tracking (GAID 2025, Article 19)

Pursuant to GAID 2025 Article 19, we use only essential cookies — specifically session management cookies required to keep you logged in. No analytics, advertising, or tracking cookies are deployed. Essential cookies do not require prior consent under GAID 2025, but we disclose them here in full transparency.

In line with the storage limitation principle (NDPA Section 24(e)), we retain data only as long as necessary:

Data Category	Retention Period	Reason
Account data (email, username, password)	Duration of account + 30 days after deletion request	Service provision; grace period for accidental deletion
Price reports (public)	Indefinitely while account is active; anonymised or deleted on account closure	Community database integrity
Shopping lists	Until manually deleted or account closure	User preference
Watchlist entries	Until manually deleted or account closure	User preference
Security audit logs	90 days	Fraud detection; breach notification obligations
Session tokens	Until logout or automatic expiry	Authentication
Backup copies	Maximum 30 days after deletion from production	Disaster recovery

5.1 What We Share

Price reports you submit are publicly visible (product name, price, market, date, and your username) — this is the core function of the service. All other personal data is not shared.

5.2 Service Providers (Data Processors)

We engage the following limited service providers to process data on our behalf:

Provider	Purpose	Data Transferred
Mailgun	Transactional email delivery (account verification, password reset)	Email address only — subject to Mailgun's standard Data Processing Agreement under GDPR
Smartweb Nigeria Limited	Web hosting and server infrastructure	All data stored on the platform, with the exception of email addresses processed separately by Mailgun — servers located in Nigeria. As a Nigerian company, Smartweb is subject to the NDPA 2023 and applicable Nigerian data protection law.

5.3 Cross-Border Data Transfers (NDPA Part VIII)

We use Mailgun as a transactional email service provider to ensure reliable delivery of account verification and password reset emails. This is necessary because emails sent directly from Nigerian .ng domains are frequently rejected or filtered as spam by major email providers such as Gmail, resulting in users not receiving critical account emails. Mailgun's infrastructure is located on EU-based servers, which ensures these emails reach you reliably.

This transfer is permitted under NDPA Section 43 on the basis of necessity to perform the service you requested (account registration and authentication). Only your email address is transferred to Mailgun for this sole purpose. As Mailgun operates under the EU General Data Protection Regulation (GDPR), which imposes data protection standards comparable to or exceeding those of the NDPA 2023, the NDPC would consider this an adequate level of protection for the purposes of cross-border transfer assessment. Your data is not used by Mailgun for any other purpose.

No other international transfers are made. If we introduce additional cross-border transfers in future, this policy will be updated and you will be notified.

5.4 Legal Disclosure

We may disclose data to Nigerian authorities, law enforcement, or courts where required by law, lawful court order, or to protect the safety of our users — strictly within the limits of applicable Nigerian law.

We implement appropriate technical and organisational measures as required by NDPA Section 38 and GAID 2025 Article 7:

Password hashing — passwords are stored using a strong, industry-standard one-way hashing algorithm; plain-text passwords are never stored or accessible
Encryption at rest — sensitive data fields are encrypted in our database using current industry-standard encryption
Request forgery protection on all state-changing operations
Access controls & account protection to prevent unauthorised access attempts
Security audit logging for anomaly detection and incident response
Encryption in transit — all data between your device and our servers is encrypted
Strict browser security policies to prevent common web-based attacks

Data Breach Notification (NDPA Section 40)

In the event of a personal data breach that is likely to result in risk to your rights and freedoms, we will notify the NDPC within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to you personally, we will also notify you directly without undue delay.

Under NDPA 2023, Part VI, you have the following rights. These rights are free of charge and we will respond within 30 days:

📋

Right of Access (s.34)

Request a copy of your personal data and information on how we process it

✏️

Right to Rectification (s.35)

Correct inaccurate or incomplete data — most can be updated in your account settings

🗑️

Right to Erasure (s.36)

Delete your account and associated personal data ("right to be forgotten")

📦

Right to Data Portability (s.34)

Receive your data in a structured, machine-readable format

🚫

Right to Object (s.37)

Object to processing based on legitimate interest at any time

⏸️

Right to Restriction (s.38)

Request that we restrict processing while a dispute is resolved

↩️

Withdraw Consent (s.25)

Withdraw consent for optional processing (e.g. location) at any time without penalty

🤖

Automated Decisions (s.33)

We make no solely automated decisions with legal or significant effect on you

How to exercise your rights: Email us at privacy@pricetracker.ng with subject line "Data Subject Request". We will verify your identity and respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng — an official Nigerian government body.

Where we rely on consent as the lawful basis for processing (e.g. location-based filtering), you may withdraw this consent at any time through your account settings or by contacting us. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

By registering for an account, you acknowledge that you have read and understood this Privacy Policy. Consent to processing is obtained at registration via an explicit, unchecked opt-in checkbox — no pre-ticked boxes, no implied consent (GAID 2025, Article 19 principles applied broadly).

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email (to your registered address) and/or by displaying a prominent notice on the app at least 14 days before the changes take effect. The "Last Updated" date at the top of this page will always reflect the most recent revision.

Continued use of PriceTracker after the effective date of any update constitutes acceptance of the revised policy. If you do not agree, you may delete your account before the effective date.

This policy is designed to comply with the following legal instruments:

Nigeria Data Protection Act (NDPA) 2023 — primary legislation, signed 12 June 2023
NDPA General Application and Implementation Directive (GAID) 2025 — operative since 19 September 2025; supersedes the NDPR 2019
Constitution of the Federal Republic of Nigeria 1999, Section 37 (Right to Privacy)
Child Rights Act 2003 — protection of minors' data
Cybercrimes (Prohibition, Prevention, etc.) Act 2015 (as amended) — security obligations

Note on NDPR 2019: Following the issuance of GAID 2025 (effective 19 September 2025), the NDPR 2019 has ceased to be the operative legal instrument for data protection in Nigeria. This policy is aligned with the current NDPA + GAID framework.

Contact & Complaints

For any questions about this policy or to exercise your rights, please contact us:

General info@pricetracker.ng

Privacy privacy@pricetracker.ng

Regulator Nigeria Data Protection Commission (NDPC) — ndpc.gov.ng