Privacy Policy
How Evodira collects, uses, and protects information about merchants, operators, and platform users.
Last updated: 1 January 2026 · Effective: 1 January 2026
1. Introduction
Evodira Technologies Ltd ("Evodira", "we", "us") operates the Lagos Merchant Trust platform — a continuous merchant verification and trust-intelligence service for food-market operators across Africa. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and the rights you hold under the Nigeria Data Protection Regulation 2023 ("NDPR"), the EU General Data Protection Regulation ("GDPR"), and other applicable laws.
By accessing or using the platform, you agree to this policy. If you do not agree, please discontinue use and contact us to delete your data.
2. Data We Collect
2.1 Merchant data — business name, registration number, address, contact details, uploaded evidence (photos, documents), complaint history, and risk-score history.
2.2 Operator / reviewer data — name, work email, role, IP address, and audit log entries created during platform use.
2.3 Partner data — API credentials, webhook configurations, and API call logs.
2.4 Automatically collected data — browser type, device identifiers, page views, session duration, and referral source collected via cookies and server logs.
2.5 AI inference data — when evidence photos are submitted for assessment, our AI pipeline processes image metadata, extracted scene features, and model confidence scores. Raw images are not permanently retained beyond the configured evidence retention window.
3. How We Use Your Data
- Verify merchant eligibility and maintain continuous compliance scores.
- Run automated evidence assessment using AI/ML models (scene classification, object detection, fraud detection, duplicate matching).
- Generate and serve embeddable Trust Badges to consumers.
- Investigate and resolve complaints submitted against merchants.
- Send webhook notifications to registered partner endpoints.
- Produce anonymised aggregate analytics and trend reports.
- Maintain audit logs to satisfy regulatory and contractual obligations.
- Improve model accuracy through feedback loops on human-reviewed outcomes.
4. Legal Basis for Processing
We process personal data under one or more of the following lawful bases:
- Contract performance — processing necessary to provide the verification service to merchants and partners.
- Legitimate interests — fraud prevention, platform security, and aggregate analytics.
- Legal obligation — maintaining audit logs for regulatory compliance.
- Consent — marketing communications and non-essential cookies (consent can be withdrawn at any time).
6. Data Retention
- Merchant profiles and risk scores: retained for the life of the account plus 7 years.
- Evidence attachments: 90 days by default; configurable per contract.
- Audit logs: 5 years.
- API access logs: 90 days.
- Deleted account data: purged within 30 days of deletion request.
7. Your Rights
Under the NDPR and GDPR, you have the right to:
- Access — request a copy of your personal data.
- Rectification — correct inaccurate data.
- Erasure — request deletion where no overriding legal basis applies.
- Restriction — limit processing in certain circumstances.
- Portability — receive your data in a machine-readable format.
- Objection — object to processing based on legitimate interests.
- Automated decision-making — request human review of any automated risk assessment that produces a significant effect on your business.
To exercise any right, email privacy@evodira.com. We respond within 30 days.
8. Security
We apply AES-256 encryption at rest, TLS 1.3 in transit, role-based access control, and continuous vulnerability scanning. AI model outputs are logged and auditable. Security incidents are reported to the Nigeria Data Protection Commission within 72 hours where required.
9. International Transfers
Data is primarily stored in EU (Belgium) Google Cloud regions. Where data is transferred outside Nigeria or the EEA, we apply Standard Contractual Clauses or equivalent safeguards recognised under the NDPR.
10. Contact & Complaints
Data Controller: Evodira Technologies Ltd, Lagos, Nigeria.
Privacy queries: privacy@evodira.com
Complaints may also be filed with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng.