Privacy Policy

1. Overview

Delight Technologies Limited ("Delight", "we", "us") is committed to protecting your personal data. This Privacy Policy explains what data we collect when you use the Delight mobile application, web application, and website (the "Platform"), how we use it, and your rights under the Nigeria Data Protection Act 2023 (NDPA) and subsidiary regulations.

By using the Platform, you consent to the collection and processing of your personal data as described in this Policy. If you do not consent, please do not use the Platform.

2. Data Controller

The data controller responsible for your personal data is:

Delight Technologies Limited
[Your Registered Address], Lagos, Nigeria
Data Protection Officer: dpo@delightapp.ng

3. What We Collect

3.1 Information You Provide

• Account data: Full name, email address, phone number, password (hashed).
• Profile data: Date of birth (optional), dietary preferences, event preferences.
• Booking data: Event details, dates, guest counts, budgets, venues, special requests.
• Payment data: Transaction records, payment method type, billing details. Note: full card numbers are processed by our payment providers (NexaPay, BTCPay) and are never stored on our servers.
• Communication data: Messages sent via the AI Concierge, WhatsApp, email, or in-app chat.
• Media: Photos or documents you upload for event inspiration, venue references, or cake designs.

3.2 Information Collected Automatically

• Device data: Device type, operating system, browser type, screen resolution.
• Usage data: Pages visited, features used, session duration, click patterns.
• Location data: Approximate location derived from IP address (city-level). We do not collect precise GPS data unless you explicitly enable it for delivery coordination.
• Log data: IP addresses, access timestamps, error logs.

3.3 Information from Third Parties

• Payment processors: Transaction confirmation, payment status.
• Referral sources: If you were referred by another user, we receive the referral code.

4. Legal Basis for Processing

Under the NDPA 2023, we process your personal data on the following lawful bases:

• Consent: You provide explicit consent when creating an account and agreeing to these terms. You may withdraw consent at any time.
• Contractual necessity: Processing is necessary to perform our contract with you (fulfilling Bookings, processing payments, delivering Services).
• Legitimate interest: Processing is necessary for our legitimate business interests (fraud prevention, service improvement, analytics) provided these do not override your fundamental rights.
• Legal obligation: Processing is required to comply with Nigerian law (tax records, regulatory reporting, anti-money laundering).

5. How We Use Your Data

• Service delivery: To process and fulfil your Bookings, coordinate with Vendors, and communicate about your orders.
• Account management: To create and maintain your account, authenticate your identity, and provide customer support.
• Payments: To process payments, issue invoices, manage escrow funds, and handle refunds.
• AI Concierge: To provide personalised recommendations, budget estimates, and event planning assistance through our AI chatbot.
• Communication: To send booking confirmations, status updates, receipts, and — with your consent — promotional messages.
• Improvement: To analyse usage patterns, improve our Platform and Services, train our AI models, and develop new features.
• Safety & fraud: To detect, prevent, and address fraud, security incidents, and technical issues.
• Legal compliance: To comply with applicable laws, regulations, and legal processes.

6. AI & Automated Processing

Our Platform uses artificial intelligence in several ways:

• AI Concierge chat: Your messages are processed by third-party AI providers (Anthropic, and potentially Google or OpenAI) to generate responses. These providers process your messages under their own data processing agreements with us, and are contractually prohibited from using your data for their own training purposes.
• Recommendations: We use AI to suggest packages, vendors, and pricing based on your stated preferences and budget.
• Image analysis: If you upload photos for event inspiration, AI may analyse them to extract relevant themes and styles.

No fully automated decisions with legal or significant effects are made without human review. All AI-generated quotes require human confirmation before becoming binding.

7. Data Sharing & Third Parties

We share your personal data only as follows:

• Vendors: Relevant booking details (event date, location, guest count, special requirements) are shared with Vendors assigned to your Booking. Vendor access is limited to what is necessary for service delivery.
• Payment processors: NexaPay (for Naira payments) and BTCPay Server (for cryptocurrency payments) process your transaction data under their respective privacy policies.
• Cloud infrastructure: Data is stored on servers provided by Supabase (PostgreSQL), Upstash (Redis), and Cloudflare (media files), all operating under data processing agreements.
• AI providers: Chat messages are processed by Anthropic (Claude AI). Messages are transmitted via encrypted API and are not retained by the provider beyond the immediate processing window.
• Email services: Transactional emails are sent via Resend.
• Analytics: We may use Sentry for error tracking. Analytics data is aggregated and anonymised where possible.
• Legal requirements: We may disclose data to law enforcement or regulatory authorities when required by law, court order, or to protect the safety of our users or the public.

We do not sell your personal data to third parties. Ever.

8. Data Storage & Security

We implement appropriate technical and organisational measures to protect your data, including:

• Encryption of data in transit (TLS 1.3) and at rest.
• RSA-signed JWT authentication tokens with automatic expiry.
• Bcrypt password hashing with application-level pepper.
• Brute force protection with automatic account locking.
• Role-based access control limiting employee access to data.
• Regular security reviews and dependency updates.
• Audit logging of sensitive operations (login, payment, data access).

While we take all reasonable precautions, no system is 100% secure. In the event of a data breach that poses a risk to your rights, we will notify you and the Nigeria Data Protection Commission (NDPC) within 72 hours as required by the NDPA.

9. Data Retention

• Account data: Retained for as long as your account is active, plus 2 years after account deletion to comply with tax and legal obligations.
• Booking data: Retained for 6 years after completion for accounting, tax, and dispute resolution purposes.
• Payment records: Retained for 6 years as required by Nigerian tax law.
• AI chat logs: Retained for 12 months for service quality and AI improvement, then anonymised or deleted.
• Analytics data: Aggregated and anonymised after 24 months.
• Marketing consent records: Retained for as long as consent is active, plus 3 years.

You may request earlier deletion of your data (see Section 10), subject to our legal retention obligations.

10. Your Rights

Under the Nigeria Data Protection Act 2023, you have the following rights:

• Right of access: Request a copy of the personal data we hold about you.
• Right to rectification: Request correction of inaccurate or incomplete data.
• Right to erasure: Request deletion of your personal data, subject to legal retention requirements.
• Right to restrict processing: Request that we limit how we use your data in certain circumstances.
• Right to data portability: Receive your data in a structured, machine-readable format.
• Right to object: Object to processing based on legitimate interest, including direct marketing.
• Right to withdraw consent: Withdraw consent at any time without affecting the lawfulness of prior processing.
• Right not to be subject to automated decisions: Request human review of any significant automated decision.

To exercise any of these rights, contact our Data Protection Officer at dpo@delightapp.ng. We will respond within 30 days. Identity verification may be required.

11. Children's Privacy

The Platform is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 18, we will take immediate steps to delete it. If you believe a child has provided us with personal data, please contact dpo@delightapp.ng.

12. International Data Transfers

Some of our service providers operate outside Nigeria (e.g., cloud infrastructure in the EU/US, AI processing in the US). When your data is transferred internationally, we ensure adequate protection through:

• Data processing agreements with Standard Contractual Clauses.
• Selection of providers certified under recognised data protection frameworks.
• Encryption of all data in transit.

Such transfers are conducted in compliance with the NDPA 2023 provisions on international data transfer (Part IV).

13. Cookies

Our website uses cookies and similar technologies. For full details, see our Cookie Policy.

14. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices or applicable law. Material changes will be communicated via email or in-app notification at least 14 days before taking effect. The "Last updated" date at the top indicates the most recent revision.

15. Contact & Complaints

For privacy-related questions, requests, or complaints:

Data Protection Officer
Delight Technologies Limited
Email: dpo@delightapp.ng
Phone: +234 813 220 1263
Address: Lagos, Nigeria

If you are unsatisfied with our response, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC):

Website: ndpc.gov.ng
Email: info@ndpc.gov.ng