NDPR Compliance Notice

This notice addresses Xarazo's compliance with the Nigeria Data Protection Regulation (NDPR) 2019 and the Nigeria Data Protection Act (NDPA) 2023, as applicable to our operations and Nigerian users.

Who This Applies To

This notice applies to all Nigerian residents and citizens who use Xarazo, as well as to Xarazo's processing of personal data belonging to Nigerian data subjects regardless of where the processing occurs.

Our Lawful Basis for Processing

Under the NDPR, we process personal data on the following lawful bases:

Contractual necessity — processing your host email and event data is necessary to deliver the Xarazo service you've paid for
Consent — guest names and optional email addresses are collected with your knowledge and for a stated purpose (gallery attribution and optional photo delivery)
Legitimate interests — processing minimal technical data to operate and secure the platform

Personal Data We Collect from Nigerian Users

Host email address (required at event creation)
Guest name (required before first photo upload)
Guest email address (optional, post-upload)
Payment metadata via Stripe (we do not store card details)

For full details, see our Privacy Policy.

Your Rights Under the NDPR/NDPA

As a Nigerian data subject, you have the following rights:

Right to access — request a copy of personal data we hold about you
Right to rectification — request correction of inaccurate personal data
Right to erasure — request deletion of your personal data (subject to legal retention requirements)
Right to object — object to specific processing activities
Right to data portability — request your data in a portable format
Right to withdraw consent — where processing is based on consent, withdraw at any time without affecting prior processing

To exercise any of these rights, contact us via our contact page. We will respond within 30 days.

Data Retention

All event data and photos are retained for 90 days from the event date, then permanently deleted. See our Data Retention & Deletion Policy for full details.

Cross-Border Data Transfers

Your data may be stored on Cloudflare R2 infrastructure, which may be located outside Nigeria. Cloudflare provides appropriate safeguards for cross-border data transfers. We only use infrastructure providers with adequate data protection standards.

Security Measures

Xarazo implements appropriate technical measures including HTTPS encryption, access controls, and regular security reviews to protect personal data from unauthorised access, disclosure, or loss.

No Minors

Xarazo is not directed at children under 13. We do not knowingly collect personal data from minors. If you believe data from a minor has been submitted, contact us for immediate deletion.

Complaints

If you are unsatisfied with how we handle your data rights request, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpb.gov.ng.

Related: Privacy Policy · Data Retention · GDPR Notice