Privacy Policy

Your privacy matters to us. This Privacy Policy explains what information we collect when you use Chopa, why we collect it, and how we keep it safe.

1. Who we are

Chopa (“we”, “us”) is the data controller for information collected through our Telegram bot, dashboard, and website. You can reach us at hello@chopa.app.

2. Information we collect

We collect the following categories of information:

• From customers: Telegram username and ID, phone number, delivery address, location coordinates (when shared), and order history.
• From restaurants: Business name, owner name, email address, phone number, address, bank details for Paystack payouts, and menu content.
• Payments: Paystack handles card and account details. We only receive a transaction reference and confirmation status — we do not store full card numbers.
• Usage data: Pages visited, buttons clicked, device and browser information. We use PostHog for product analytics. Where required, we obtain consent before placing analytics cookies.
• Error and crash data: When something goes wrong, we may capture stack traces and request metadata via Sentry to help us fix bugs.

3. How we use your information

• To process orders and coordinate delivery between you and the restaurant.
• To process payments and remit funds to restaurants.
• To send order-status updates via Telegram.
• To improve the Service, fix bugs, and develop new features.
• To detect and prevent fraud or abuse.
• To comply with our legal obligations.

4. Legal bases (NDPA / GDPR)

Under the Nigeria Data Protection Act 2023 and equivalent regimes, we rely on the following legal bases for processing your data:

• Contract: to fulfil your order and operate your restaurant account.
• Legitimate interest: to keep the Service safe, prevent fraud, and improve our product.
• Consent: for optional analytics and marketing communications.
• Legal obligation: for tax, accounting, or law-enforcement requests.

5. Who we share data with

We do not sell your personal data. We share it only with the following third parties, and only for the purposes described:

• Restaurants and riders — to fulfil your order.
• Paystack — to process payments.
• Telegram (Telegram Messenger Inc.) — because messaging is delivered via Telegram's platform.
• Supabase — our database and storage provider (data hosted on infrastructure that may be outside Nigeria).
• Vercel — for application hosting.
• Resend — for transactional email delivery.
• PostHog — for anonymised product analytics.
• Sentry — for error monitoring.
• Africa's Talking — for SMS / USSD where applicable.
• Law-enforcement or regulators — where required by valid legal process.

6. International transfers

Some of our service providers (e.g. Vercel, Supabase, Sentry) operate servers outside Nigeria. We use providers that maintain industry-standard security and contractual protections, but data may be processed in other jurisdictions. By using the Service you consent to this transfer.

7. How long we keep your data

• Order records: kept for 7 years for tax and accounting purposes.
• Telegram session data: deleted after 30 days of inactivity.
• Restaurant account data: kept while your account is active and for 90 days after closure (then anonymised).
• Error and analytics logs: retained for up to 90 days.

8. Your rights

You have the right to:

• Access the personal data we hold about you.
• Correct inaccurate data.
• Request deletion of your data (where we are not legally required to keep it).
• Object to or restrict certain processing.
• Withdraw consent for analytics or marketing at any time.
• Lodge a complaint with the Nigeria Data Protection Commission (NDPC).

To exercise any of these rights, email privacy@chopa.app. We will respond within 30 days.

9. Cookies and tracking

Our website uses essential cookies for authentication and session management. Optional analytics cookies (PostHog) are loaded only after consent, where required by law. You can clear cookies at any time from your browser settings.

10. Security

We use HTTPS encryption in transit, encrypted database storage, industry-standard password hashing (bcrypt), and access controls to protect your data. No system is perfectly secure — if you suspect your account has been compromised, contact us immediately.

11. Children

Chopa is not intended for children under 18. We do not knowingly collect data from children. If you believe a child has used the Service, please contact us so we can delete the data.

12. Changes to this policy

We may update this Privacy Policy as our practices evolve or laws change. Material updates will be communicated by email or via the dashboard. Continued use of the Service after the effective date constitutes acceptance of the revised policy.

13. Contact

Questions about your privacy? Email privacy@chopa.app.

This Privacy Policy is a starting template and not a substitute for legal advice. We recommend reviewing it with a qualified Nigerian attorney before relying on it in production, particularly to confirm compliance with the Nigeria Data Protection Act 2023.