Privacy Policy

Chavica ("we", "us", or "our") is committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your data when you visit chavica.com or use our website builder platform.

We operate in compliance with the Nigeria Data Protection Regulation (NDPR) and, where applicable, the General Data Protection Regulation (GDPR). By using our Platform, you consent to the practices described in this Privacy Policy.

If you do not agree with the terms of this Privacy Policy, please discontinue use of the Platform. Questions or concerns? Contact our Data Protection Officer at dpo@chavica.com.

We collect information that you provide directly to us, information collected automatically, and information from third-party sources.

INFORMATION YOU PROVIDE DIRECTLY • Account registration: name, email address, password (stored as a bcrypt hash — we never store plaintext passwords) • Profile information: display name, profile picture • Billing information: payment details processed by Bachs (we do not store raw card data) • Site content: all content you create and publish through the editor • Domain registration: contact details required by ICANN for domain registration • Support communications: any messages you send to our support team • Onboarding preferences: your selected site type and brand name during sign-up

INFORMATION COLLECTED AUTOMATICALLY • Usage data: pages viewed, features used, time spent on the platform • Device data: browser type, operating system, screen resolution, IP address • Page views: visitor analytics for your published sites (aggregated, no personal profiling) • Log data: server logs including request times, error codes, and referring URLs • Cookies and similar tracking technologies (see Section 6)

INFORMATION FROM THIRD PARTIES • Bachs: payment status, checkout success/failure events via webhooks • Our domain registration partner: domain registration status and expiry dates

We use the information we collect for the following purposes:

PROVIDING THE SERVICE • Creating and managing your account • Publishing and hosting your websites on our infrastructure • Processing payments and managing subscriptions • Registering and managing domain names on your behalf • Sending transactional emails (account confirmation, password reset, payment receipts, domain expiry reminders)

IMPROVING THE PLATFORM • Analysing usage patterns to improve features and performance • Diagnosing bugs and technical issues • Conducting internal research and analytics • Personalising your experience based on your onboarding preferences

COMMUNICATIONS • Sending product updates, new features, and newsletters (only with your consent) • Responding to your support requests • Notifying you about changes to our Terms or Privacy Policy

LEGAL & SECURITY • Detecting, preventing, and addressing fraud, abuse, and security incidents • Complying with legal obligations under Nigerian law and other applicable regulations • Enforcing our Terms of Service

We will not sell, rent, or trade your personal information to third parties for their marketing purposes.

We do not sell your personal data. We may share your information with third parties only in the following circumstances:

SERVICE PROVIDERS We share data with trusted third-party vendors who help us operate the Platform. All service providers are contractually obligated to protect your data and use it only for the purposes we specify: • Bachs — cross-border payment processing and billing • Our domain registration partner — domain registration and management • Railway — database and infrastructure hosting • Vercel — platform hosting and edge delivery • Cloudinary — image storage and optimisation • Resend — transactional email delivery

LEGAL REQUIREMENTS We may disclose your information if required to do so by law or in response to valid legal requests from public authorities (e.g., a court order, subpoena, or government agency request).

BUSINESS TRANSFERS If Chavica is involved in a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you via email and/or a notice on our website before your data is transferred and becomes subject to a different Privacy Policy.

WITH YOUR CONSENT We may share your information with third parties when you have given us explicit consent to do so.

Your data is stored on Railway-managed PostgreSQL databases located within secure data centres. We implement industry-standard security measures including:

• Encryption in transit: all data transmitted between your browser and our servers is encrypted using TLS 1.2+ • Encryption at rest: database storage is encrypted at rest by Railway • Password hashing: passwords are hashed using bcrypt with a salt factor of 12 — we never store or transmit plaintext passwords • HTTP-only cookies: authentication tokens are stored in HTTP-only cookies to prevent XSS access • Access controls: only authorised Chavica personnel have access to production data, subject to role-based permissions • Webhook verification: Bachs webhook payloads are verified using HMAC-SHA256 signatures

Despite these measures, no security system is impenetrable. We cannot guarantee the absolute security of your data. In the event of a data breach that affects your personal information, we will notify you within 72 hours in compliance with NDPR requirements.

We retain your personal data for as long as your account is active. If you delete your account, we will erase your personal data within 30 days, except where retention is required by law (e.g., financial records which must be kept for 7 years under Nigerian financial regulations).

We use cookies and similar technologies to operate and improve the Platform.

ESSENTIAL COOKIES (cannot be disabled) • chavica_token — HTTP-only authentication cookie, stores your encrypted login session. Expires after 7 days or on logout. This cookie is strictly necessary for the Platform to function.

ANALYTICS (can be opted out) • We use internal analytics to count page views on your published sites. No personally identifiable information about your visitors is collected or stored. IP addresses are anonymised before storage.

We do not currently use third-party advertising cookies or cross-site tracking pixels. We do not share behavioural data with advertising networks.

You can control cookie behaviour through your browser settings. Note that disabling essential cookies will prevent you from logging in to the Platform.

Under the Nigeria Data Protection Regulation (NDPR) and applicable law, you have the following rights regarding your personal data:

• RIGHT TO ACCESS — You may request a copy of all personal data we hold about you at any time. • RIGHT TO RECTIFICATION — You may ask us to correct inaccurate or incomplete personal data. • RIGHT TO ERASURE — You may request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements. • RIGHT TO RESTRICT PROCESSING — You may ask us to stop processing your data in certain circumstances. • RIGHT TO DATA PORTABILITY — You may request your data in a structured, machine-readable format (JSON or CSV). • RIGHT TO OBJECT — You may object to our processing of your data for direct marketing at any time. • RIGHT TO WITHDRAW CONSENT — Where processing is based on consent, you may withdraw that consent at any time.

To exercise any of these rights, email dpo@chavica.com with "Data Request" in the subject line. We will respond within 30 days. We may need to verify your identity before fulfilling any request.

You also have the right to lodge a complaint with the National Information Technology Development Agency (NITDA), Nigeria's data protection authority.

The Platform is not directed to children under the age of 13. We do not knowingly collect personally identifiable information from children under 13. If we discover that a child under 13 has provided us with personal data, we will promptly delete it.

If you are between 13 and 18 years of age, you may only use the Platform with the consent of a parent or legal guardian. If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact us at privacy@chavica.com.

The Platform may contain links to third-party websites or services that are not operated by us. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.

When you use domain registration through our Platform, you are also subject to our domain registration partner's privacy policy. When you make payments, you are subject to Bachs' privacy policy. We encourage you to review the privacy policies of any third-party services you use.

Chavica is based in Nigeria. If you are accessing our Platform from outside Nigeria, please be aware that your information may be transferred to, stored, and processed in countries where our servers and service providers are located, including Ireland (Vercel) and the United States (Cloudinary, Resend).

Where we transfer data internationally, we ensure appropriate safeguards are in place in accordance with NDPR requirements, including contractual data protection clauses with our service providers.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes by posting the new Privacy Policy on this page and updating the "Last Updated" date above.

For significant changes that affect your rights or how we use your data, we will also send a notification to your registered email address at least 14 days before the changes take effect.

We encourage you to review this Privacy Policy periodically. Your continued use of the Platform after any changes constitutes your acceptance of the updated policy.

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact:

Data Protection Officer Chavica Email: dpo@chavica.com General enquiries: privacy@chavica.com Website: chavica.com

We are committed to working with you to obtain a fair resolution of any complaint or concern. If you are not satisfied with our response, you may contact NITDA at www.nitda.gov.ng.