Marketplace Privacy Policy
Effective Date: February 17, 2026 · Version: 2.0
This Privacy Policy describes how Eleo (“we”, “us”, or “our”), a company organised under the laws of the Federal Republic of Nigeria, collects, uses, discloses, and protects your personal information when you browse, shop, or interact with the Eleo marketplace at eleo.app, eleo.store, and associated subdomains.
Eleo operates an online marketplace that connects you with independent sellers. This policy covers how we handle your data as a marketplace operator. If you are a seller or merchant using Eleo Suite to manage your business, please refer to the Eleo Suite Privacy Policy.
By creating an account, placing an order, or using the Eleo marketplace, you acknowledge that you have read and understood this Privacy Policy. Where we rely on your consent as a lawful basis for processing, you may withdraw that consent at any time by contacting us.
1. Information We Collect
1.1 Account Information. When you create an account, we collect your name, email address, and phone number. You may also browse and place orders as a guest, in which case we collect only the information needed to process your order.
1.2 Order and Delivery Information. When you place an order, we collect your delivery address, order details (products, quantities, prices), payment reference, and any notes you include with your order. We also maintain your order history.
1.3 Payment Information. We do not store your credit or debit card details on our servers. Payment processing is handled by Paystack, our payment provider, through secure tokenisation. We store only a payment reference and transaction status to track your order. Paystack processes your card data under their own privacy policy.
1.4 Communication Data. If you communicate with a seller through the platform, we store message content, media files, and message status (sent, delivered, read). Messages deleted by you are soft-deleted and retained for a limited period before permanent removal.
1.5 Device and Technical Information. We collect your IP address, browser type, device type, operating system, and general usage data. If you install our mobile app, we collect device identifiers and Firebase Cloud Messaging (FCM) tokens to send you push notifications about your orders.
1.6 Guest Session Data. If you browse or add items to your cart without creating an account, we generate a guest session identifier to maintain your cart. If you later create an account, your guest cart is merged with your account.
2. How and Why We Use Your Information (Lawful Basis)
Under the Nigeria Data Protection Act 2023 (NDPA), we must have a lawful basis for processing your personal data. Here is how we use your information and the legal grounds we rely on:
Contract Performance: Processing and fulfilling your orders; managing your account; facilitating communication between you and sellers regarding your orders; processing payments through Paystack; handling refunds for failed or cancelled orders; sending order confirmations and delivery updates.
Legitimate Interest: Improving our marketplace and user experience; detecting and preventing fraud; maintaining platform security; providing customer support; sending service-related notifications about your orders.
Consent: Sending promotional emails and marketing offers; delivering push notifications about deals or new stores (where you have opted in).
3. How Your Data Is Shared When You Place an Order
Eleo is a marketplace that connects buyers with independent sellers. When you place an order, certain personal information must be shared with the seller to fulfil your order. It is important that you understand how this works:
3.1 Data shared with sellers. When you place an order, the seller receives your name, email address, phone number, and delivery address. This is necessary for the seller to prepare, pack, and deliver your order. Sellers also see the items you ordered, quantities, and any order notes you provided.
3.2 Seller responsibilities. Once a seller receives your data, they become an independent data controller for that information. This means the seller is responsible for how they use your data beyond order fulfilment. Eleo requires sellers to handle buyer data in compliance with applicable data protection laws, but we cannot control how individual sellers use your data after they receive it. Sellers are contractually prohibited from using your information for purposes unrelated to your order without your separate consent.
3.3 What sellers do not receive. Sellers do not receive your payment card details, your order history with other sellers, your date of birth, or any social media information associated with your account.
3.4 Multi-store orders. If your order includes items from multiple sellers, each seller receives only the information relevant to their portion of the order. No seller can see what you ordered from another seller.
4. Other Information Sharing
We do not sell or rent your personal information to third parties. Beyond sharing with sellers as described above, we may share your information with:
4.1 Paystack (our primary payment processor) to process your payments securely. Paystack operates as an independent data controller under their own privacy policy.
4.2 Google Cloud Platform for data storage and processing infrastructure, including Firestore, Cloud Storage, and Cloud Pub/Sub.
4.3 Firebase for authentication services, push notifications (Firebase Cloud Messaging), and analytics.
4.4 Infobip for delivering WhatsApp notifications where you have opted in. Your phone number is shared for this purpose.
4.5 Legal authorities if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of Eleo, our users, or others.
5. International Data Transfers
Your personal data may be transferred to and processed in data centres located outside Nigeria through our use of Google Cloud Platform, Paystack, and other service providers. We ensure that appropriate safeguards are in place, including contractual protections requiring these providers to protect your data to a standard consistent with the Nigeria Data Protection Act 2023 and applicable data protection laws.
6. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:
Account data: Retained for the duration of your account and for up to 12 months after account closure. Order and transaction records: Retained for a minimum of 6 years as required by Nigerian tax regulations. Guest session data: Guest carts are automatically expired after 48 hours of inactivity. Chat messages: Retained for 24 months, then permanently deleted. Push notification tokens: Removed automatically when they become invalid or when you uninstall the app. Server logs: Retained for up to 12 months.
7. Your Rights Under the NDPA
Under the Nigeria Data Protection Act 2023, you have the following rights regarding your personal data:
Right of Access. You may request a copy of the personal data we hold about you.
Right to Rectification. You may request that we correct any inaccurate or incomplete personal data.
Right to Erasure. You may request that we delete your personal data, subject to our legal obligations to retain certain records (such as transaction records required for tax compliance).
Right to Restrict Processing. You may request that we limit how we use your data in certain circumstances.
Right to Data Portability. You may request a copy of your data in a structured, commonly used, and machine-readable format.
Right to Object. You may object to the processing of your personal data where we rely on legitimate interest as our lawful basis.
Right to Withdraw Consent. Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, please contact us at [email protected]. We will respond within 30 days. If we cannot comply, we will explain why. You also have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC).
8. Cookies and Tracking Technologies
We use cookies and similar technologies to maintain your shopping session, remember your cart, and analyse how you use the marketplace.
Essential cookies: Required for the marketplace to function (e.g., session management, cart persistence, authentication). These cannot be disabled. Analytics cookies: Used through Firebase Analytics to understand browsing patterns and improve the shopping experience. You can opt out through your browser settings or by contacting us.
9. Data Security
We implement technical and organisational measures to protect your personal information, including encryption of data in transit (TLS), secure payment processing through Paystack, access controls, and authentication via Firebase Auth. However, no method of data transmission or storage is completely secure, and we cannot guarantee absolute security.
10. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Nigeria Data Protection Commission (NDPC) within 72 hours of becoming aware of the breach. If the breach poses a high risk to you, we will also notify you directly without undue delay, providing details of the breach, its likely consequences, and the measures we are taking to address it.
11. Children's Privacy
Our marketplace is not intended for children under 18. We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at [email protected] and we will take steps to delete that information.
12. Refunds and Order Cancellations
When a refund is processed (for example, if a seller cannot fulfil part of your order), we retain the refund transaction record as part of your order history. Refunds are processed through Paystack back to your original payment method. For more details, please see our Refund Policy.
13. Third-Party Links
The marketplace may contain links to third-party websites, including seller websites and social media profiles. We are not responsible for the privacy practices of those third parties and encourage you to review their privacy policies.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email (if you have an account) or through a prominent notice on the marketplace at least 14 days before the changes take effect. The updated version will be indicated by a revised effective date and version number at the top of this page.
15. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or how your data is handled, please contact us:
General enquiries: [email protected]
Privacy and data protection: [email protected]
Registered entity: Eleo, a company organised under the laws of the Federal Republic of Nigeria
If you are not satisfied with our response, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC).