1. Introduction

KwiqServe ("we", "our", or "us") is committed to protecting the privacy and personal data of everyone who uses our platform. This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, who we share it with, and what rights you have under the Nigeria Data Protection Act 2023 (NDPA).

This policy applies to all users of the KwiqServe platform, including Customers who scan QR codes and place orders, and Venue Partners who receive orders through our system.

2. Personal Data We Collect

2.1 Data You Provide Directly

• Order details: items selected, quantities, special instructions, and order history.
• Payment information: transaction reference, payment method type, amount paid. We do not store full card numbers, CVVs, or bank account details - these are processed by our third-party payment processor.
• Contact information: where provided voluntarily (e.g., for receipts or feedback), this may include your name, email address, or phone number.

2.2 Data Collected Automatically

• Device information: device type, operating system, browser type and version, screen resolution.
• Usage data: pages viewed, time spent on the platform, order flow interactions, QR codes scanned.
• Location data: approximate location derived from your IP address. We do not collect precise GPS location.
• Cookies and similar technologies: session identifiers and analytics cookies to improve the Service. See Section 9 for details.

2.3 Data from Third Parties

• Payment confirmation data from our payment processor (transaction status, reference numbers).
• Venue Partner data relating to order fulfilment status.

3. Lawful Basis for Processing

Under the NDPA, we process your personal data on one or more of the following legal bases:

• Contract Performance: Processing necessary to fulfil your Order and provide the Service (NDPA Section 25(a)).
• Consent: Where you have given specific, informed, and unambiguous consent - for example, for marketing communications or non-essential cookies (NDPA Section 25(b)).
• Legitimate Interest: Processing necessary for our legitimate business interests, such as improving the Service, preventing fraud, and ensuring platform security, where these interests do not override your fundamental rights (NDPA Section 25(c)).
• Legal Obligation: Processing necessary to comply with applicable Nigerian laws, regulations, or lawful requests from authorities (NDPA Section 25(d)).

4. How We Use Your Personal Data

• To process and fulfil your Orders, including transmitting order details to the relevant Venue Partner.
• To process payments and issue transaction confirmations or receipts.
• To provide customer support and respond to enquiries or complaints.
• To improve and optimise the Service, including analysing usage patterns and troubleshooting technical issues.
• To detect, prevent, and address fraud, security breaches, or other harmful activities.
• To comply with legal obligations, including tax reporting and regulatory requirements.
• To send you service-related communications (e.g., order confirmations, platform updates). These are not marketing messages and do not require separate consent.
• With your consent, to send you promotional offers, recommendations, or marketing communications. You may withdraw this consent at any time.

5. Artificial Intelligence, Analytics, and Future Data Use

KwiqServe may use aggregated and anonymised data to develop insights and improve the Service. This section describes our current and planned use of data analytics and artificial intelligence (AI) technologies.

5.1 Current Use

• Aggregated order analytics: we analyse order volumes, popular items, peak ordering times, and average order values at a venue level. This data is anonymised and cannot be used to identify individual customers.
• Service performance monitoring: we track platform uptime, load times, payment success rates, and error rates to maintain and improve the Service.

5.2 Planned Future Use

As KwiqServe evolves, we may introduce the following AI-powered features. Where any of these features involve processing your personal data in new ways, we will update this Privacy Policy and, where required by the NDPA, seek your consent before implementation:

• Personalised recommendations: Suggesting menu items based on your past orders or popular choices at the venue. This would involve processing your individual order history.
• Demand forecasting: Using aggregated order data to help Venue Partners predict busy periods and optimise stock. This uses anonymised data only.
• Smart menu optimisation: Analysing aggregated ordering patterns to help Venue Partners improve their menu layout and pricing. This uses anonymised data only.
• Fraud detection: Using automated systems to identify potentially fraudulent transactions or unusual payment patterns. This may involve automated decision-making about individual transactions.

5.3 Automated Decision-Making

Where we use automated decision-making that produces legal effects or similarly significant effects concerning you (such as declining a transaction for suspected fraud), you have the right to request human review of the decision, to express your point of view, and to contest the decision. Contact us at the details provided in Section 12 to exercise this right.

5.4 Your Control Over AI Features

You will always have the ability to opt out of personalised features that rely on your individual data. Opting out will not affect your ability to use the core ordering and payment functionality of the Service.

6. Who We Share Your Data With

• Venue Partners: We share your order details (items, quantities, special instructions) with the Venue Partner where you place your Order, so they can prepare and fulfil it. We share the minimum information necessary for order fulfilment.
• Payment Processors: Your payment data is transmitted to our third-party payment processor to authorise and complete transactions. Our current payment processor is [OPay / to be confirmed]. We do not store your full payment credentials.
• Service Providers: We may share data with trusted third-party service providers who assist us in operating the Service (e.g., hosting providers, analytics services). These providers are contractually obligated to process your data only on our behalf and in accordance with this Privacy Policy and the NDPA.
• Legal and Regulatory: We may disclose your data where required by law, regulation, legal process, or enforceable governmental request, including requests from the Nigeria Data Protection Commission (NDPC), law enforcement, or tax authorities.
• Business Transfers: In the event of a merger, acquisition, or sale of all or a portion of our assets, your personal data may be transferred to the acquiring entity. We will notify you of any such transfer and any changes to this Privacy Policy.

We do not sell your personal data to third parties. We do not share your personal data with advertisers.

7. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law:

• Order and transaction data: Retained for a minimum of 6 years after the transaction date, as required by Nigerian tax and financial regulations.
• Usage and analytics data: Retained in identifiable form for up to 12 months, after which it is anonymised or deleted.
• Marketing consent records: Retained for as long as the consent remains valid, plus 3 years after withdrawal for record-keeping purposes.
• Cookie data: Retained for the duration specified in our Cookie Notice (see Section 9).

When personal data is no longer required, we will securely delete or anonymise it in accordance with our data retention schedule.

8. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit using TLS/SSL protocols.
• Secure hosting infrastructure with access controls and monitoring.
• Regular security assessments and vulnerability testing.
• Access to personal data restricted to authorised personnel on a need-to-know basis.
• Incident response procedures for identifying and addressing data breaches.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Nigeria Data Protection Commission (NDPC) within 72 hours of becoming aware of the breach, and will notify affected individuals without undue delay, in accordance with the NDPA.

9. Cookies and Tracking Technologies

KwiqServe uses cookies and similar technologies when you access the Service. Cookies are small text files stored on your device that help us provide and improve the Service.

Essential Cookies: Required for the Service to function (e.g., session management, order cart functionality). These do not require your consent.

Analytics Cookies: Used to understand how customers interact with the Service, identify popular features, and diagnose technical issues. These require your consent.

Preference Cookies: Used to remember your preferences (e.g., language, previous venue). These require your consent.

When you first access the Service, a cookie consent banner will be displayed. You may accept or decline non-essential cookies. You may change your preferences at any time through the cookie settings accessible from the Service.

We do not use advertising or tracking cookies. We do not engage in cross-site tracking.

10. Your Rights Under the NDPA

Under the Nigeria Data Protection Act 2023, you have the following rights in relation to your personal data:

• Right of Access: You have the right to request a copy of the personal data we hold about you.
• Right to Rectification: You have the right to request correction of inaccurate or incomplete personal data.
• Right to Erasure: You have the right to request deletion of your personal data, subject to our legal retention obligations.
• Right to Restrict Processing: You have the right to request that we limit how we use your data in certain circumstances.
• Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format.
• Right to Object: You have the right to object to processing based on legitimate interests or for direct marketing purposes.
• Right to Withdraw Consent: Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
• Right Regarding Automated Decision-Making: You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects, except where permitted by law.

To exercise any of these rights, please contact us at the details provided in Section 12. We will respond to your request within 30 days. If we need additional time, we will inform you of the reason for the delay.

If you are not satisfied with our response, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC).

11. Cross-Border Data Transfers

KwiqServe primarily processes and stores data within Nigeria. Where it is necessary to transfer personal data outside Nigeria (for example, where a service provider's infrastructure is located abroad), we will ensure that:

• The receiving country provides an adequate level of data protection as determined by the NDPC; or
• Appropriate safeguards are in place, such as standard contractual clauses or binding corporate rules; or
• You have provided explicit consent to the transfer after being informed of the potential risks.

12. Children's Privacy

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child under 18, we will take steps to delete such data promptly. If you believe a child has provided us with personal data, please contact us at the details below.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. Material changes will be communicated through a prominent notice on the Service before they take effect. Your continued use of the Service after such changes constitutes your acceptance of the updated Privacy Policy.

We encourage you to review this Privacy Policy periodically.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us: