Privacy Policy

Last updated: May 2026

1. Introduction

HypeFolk Technologies Ltd ("we", "us", or "our"), a company registered in Lagos, Nigeria, operates a mobile platform that connects brands with local Taskers across Africa for verified physical brand placement. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our mobile application and services.

We are committed to compliance with the Nigeria Data Protection Regulation (NDPR), the Nigeria Data Protection Act 2023 (NDPA), the Kenya Data Protection Act 2019, the Ghana Data Protection Act 2012, and the Uganda Data Protection and Privacy Act 2019.

2. Data Collection

2.1 Information You Provide

• Account information: Phone number, display name, and profile photo.
• Identity verification (KYC): Bank Verification Number (BVN), National Identification Number (NIN), and selfie photo for identity confirmation.
• Payment information: Bank account details for withdrawal processing via Paystack.
• Submissions: Photos and videos you capture as proof of brand placement, along with optional notes.

2.2 Information Collected Automatically

• GPS location: Precise location data when you submit proof of brand placement, used to verify that placements are within designated geographic zones.
• Device information: Device model, operating system version, app version, device fingerprint, and a cryptographic signing key for security purposes.
• EXIF metadata: Camera metadata from submitted photos, including timestamps and device identifiers, used for authenticity verification.
• Usage data: App interactions, feature usage, and session information for service improvement.
• IP address: Collected for security monitoring, fraud prevention, and impossible-travel detection.

3. How We Use Your Data

• Service delivery: To match you with brand placement tasks, process submissions, and facilitate payments.
• AI-powered verification: Your submitted photos are processed by our automated AI pipeline to verify image quality, GPS accuracy, brand visibility, duplicate detection, spoof prevention, and content safety. Borderline cases are escalated to human reviewers.
• Identity verification: To confirm your identity using BVN/NIN checks and selfie comparison, ensuring platform integrity.
• Payment processing: To process earnings withdrawals via Paystack to your registered bank account.
• Fraud prevention: To detect and prevent fraudulent activity, including multi-account detection, impossible travel, spoofed photos, and duplicate submissions.
• Communication: To send task notifications, payment confirmations, and service updates via push notifications and WhatsApp (for Nigerian users who opt in).
• Platform improvement: To analyze aggregated, de-identified usage patterns and improve our services.

4. Legal Basis for Processing

We process your personal data based on the following legal grounds:

• Consent: You provide explicit consent during account registration and when enabling location services, push notifications, and WhatsApp messaging.
• Contract performance: Processing is necessary to fulfill our obligations under the Terms of Service, including task matching, submission verification, and payment processing.
• Legitimate interest: Fraud prevention, platform security, and service improvement, balanced against your privacy rights.
• Legal obligation: Compliance with applicable data protection laws and financial regulations.

5. Data Sharing

We do not sell your personal data. We share data only in these circumstances:

• Payment providers: Bank account details are shared with Paystack to process withdrawals. Paystack operates as an independent data controller for payment processing.
• Brands (Advertisers): Brands receive anonymized placement reports including GPS-jittered locations (approximately 200 meters offset) and submission photos. Brands do not receive your personal identity information, phone number, or exact location.
• Service providers: Cloud infrastructure providers (AWS, Cloudflare) that host our services under strict data processing agreements.
• Legal requirements: When required by law, court order, or regulatory authority in any of our operating jurisdictions.

6. Data Security

We implement robust security measures to protect your data:

• AES-256-GCM encryption for personally identifiable information at rest.
• GPS coordinates encrypted at the database layer using pgcrypto.
• ECDSA P-256 device-level signing for submission authenticity.
• Phone numbers and email addresses stored as HMAC hashes for lookups, with encrypted values for retrieval.
• TLS encryption for all data in transit.
• Role-based access controls and audit logging for all administrative actions.

7. Data Retention

• Account data: Retained for the duration of your active account plus 30 days after deletion request.
• Submission data: Photos and verification records retained for 12 months after submission for dispute resolution and audit purposes.
• Payment records: Retained for 7 years as required by financial regulations.
• Security logs: Retained for 90 days for fraud investigation purposes.

8. Your Rights

Under applicable data protection laws (including the NDPR, NDPA, Kenya DPA, Ghana DPA, and Uganda DPPA), you have the right to:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Correct inaccurate or incomplete personal data.
• Erasure: Request deletion of your account and personal data, subject to legal retention obligations.
• Restriction: Request that we limit how we process your data in certain circumstances.
• Data portability: Receive your data in a structured, machine-readable format.
• Withdrawal of consent: Withdraw consent at any time via the app settings, without affecting the lawfulness of processing performed before withdrawal.
• Objection: Object to processing based on legitimate interest.

To exercise any of these rights, contact us at privacyhypefolk.org or use the in-app privacy settings. We will respond within 30 days.

9. Children's Privacy

HypeFolk is not intended for individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us immediately.

10. International Data Transfers

Your data is primarily stored and processed within Africa (AWS af-south-1 region, Cape Town). Some data may be processed by cloud service providers in other regions under appropriate safeguards and data processing agreements.

11. NDPR Compliance

In accordance with the Nigeria Data Protection Regulation (NDPR) and the Nigeria Data Protection Act 2023:

• Data Controller: HypeFolk Technologies Ltd, Lagos, Nigeria.
• We have appointed a Data Protection Officer reachable at dpohypefolk.org, HypeFolk Technologies Ltd, Lagos, Nigeria.
• We maintain a Data Protection Impact Assessment (DPIA) for our processing activities.
• We process personal data lawfully, fairly, and transparently.
• We collect data only for specified, explicit, and legitimate purposes.
• We implement appropriate technical and organizational measures to ensure data security.

11a. Automated Decision-Making

HypeFolk uses AI-based automated decision-making to verify brand placement submissions. Our multi-stage AI pipeline evaluates image quality, GPS accuracy, brand visibility, duplicate detection, spoof indicators, and content safety. Each stage produces a weighted score that determines whether a submission is automatically approved, rejected, or escalated to human review.

You have the right to:

• Be informed that automated decision-making is being used (as described in this section).
• Request human review of any automated decision that affects your earnings.
• File a dispute within 48 hours of an automated rejection, which will be reviewed by a human reviewer.
• Receive an explanation of the factors that contributed to an automated decision upon request.

Automated decisions are not based on special categories of personal data (e.g., race, religion, health). Borderline submissions and a random sample of approved submissions are always escalated to human reviewers for quality assurance.

12. Cookies and Tracking

Our mobile application does not use browser cookies. We use minimal analytics to monitor app performance and crash reporting via Sentry (with PII scrubbing enabled). We do not use third-party advertising trackers.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via push notification and by updating the date at the top of this page. Continued use of the app after changes constitutes acceptance of the revised policy.

14. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

Email: privacyhypefolk.org
Data Protection Officer: dpohypefolk.org