Last updated: May 2026 · Gwanicore Technologies (RC 9516797) · Effective date: 1 May 2026
Summary: Gwani collects only the data needed to run our artisan booking marketplace. We do not sell your data. We comply with Nigeria's Data Protection Act 2023 (NDPA). You can request deletion of your account and data at any time by emailing dpo@getgwani.com.
Gwani is a digital marketplace operated by Gwanicore Technologies (RC 9516797), a company incorporated under the laws of the Federal Republic of Nigeria. We connect customers with verified skilled artisans for bookings and services across Nigeria.
Data Controller: Gwanicore Technologies, Lagos, Nigeria.
Data Protection Officer (DPO): dpo@getgwani.com
General enquiries: hello@getgwani.com
Postal address: Available on request.
We operate in compliance with the Nigeria Data Protection Act 2023 (NDPA).
This Privacy Policy applies to all personal data collected through:
• The Gwani mobile application (iOS and Android)
• The Gwani web application at app.getgwani.com
• Our marketing website at getgwani.com
• Any communication you send to us by email, phone, or otherwise
This policy does not apply to third-party websites or services linked from our platform. We encourage you to read the privacy policies of those services separately.
We collect only the data necessary to provide and improve our services. The categories we collect are:
Identity and Contact Data: Full name, email address, phone number (optional), WhatsApp number (optional), and profile photo.
Account Data: Username, password (stored hashed, we never see it in plain text), account type (customer or artisan), and account creation date.
Booking Data: Service bookings, scheduled dates and times, booking status, completion codes, customer notes and special requests, whether the service was a home visit, and the customer's address for home visits.
Payment Data: Payment references (transaction IDs from Paystack). We do NOT store card numbers, CVVs, expiry dates, or bank account details, these are handled entirely and securely by Paystack (PCI-DSS compliant).
Artisan Profile Data: Trade/skill, biography, service area (location), GPS coordinates (only when the artisan sets their location), service listings, portfolio photos, and identity verification status.
Identity Verification Data: For artisans, NIN/BVN is submitted to our verification partner Didit for identity checking. Gwani stores only the outcome of the verification (verified/not verified), raw NIN/BVN data is not retained by Gwani.
Technical and Usage Data: IP address, browser type, device type, operating system, referring URL, pages visited, time spent on pages, and app usage patterns. This is collected via PostHog (analytics) and Google Tag Manager.
Communications: Any messages, support requests, or feedback you send to us.
Under the NDPA 2023, we process your personal data on the following legal grounds:
Contract performance: Processing your booking, facilitating payment, and coordinating between customers and artisans.
Legitimate interests: Fraud prevention, platform security, product improvement, and analytics, provided these interests are not overridden by your rights.
Legal obligation: Complying with Nigerian financial regulations, tax requirements, and court orders.
Consent: Sending optional marketing communications (you can withdraw consent at any time). Collecting location data beyond your service area setting.
We will always tell you the legal basis when we collect your data. Where we rely on legitimate interests, you have the right to object.
We use your personal data for the following purposes:
Service Delivery: Creating and managing your account, processing bookings, facilitating payments and payouts, sending booking confirmations and reminders by email, WhatsApp, and push notification.
Verification: Confirming artisan identities to protect platform safety and customer trust.
Customer Support: Responding to enquiries, resolving disputes, and handling complaints.
Platform Safety: Detecting fraud, abuse, and fake profiles; enforcing our Terms of Service; suspending accounts that violate our policies.
Analytics and Improvement: Understanding how people use Gwani so we can improve features, fix bugs, and prioritise development.
Legal Compliance: Meeting obligations under Nigerian law, including tax reporting and responding to lawful requests from authorities.
Marketing (with consent): Sending newsletters, feature announcements, and promotional offers. You can unsubscribe at any time using the link in any email.
We share your data only where necessary and with organisations that meet our data protection standards. Our current sub-processors and partners are:
Supabase (Ireland/EU): Database and file storage. SOC 2 Type II certified. Data Processing Agreement in place. Data is stored in the EU (Frankfurt/London region).
Paystack (Nigeria): Payment processing. PCI-DSS Level 1 compliant. They receive your email and payment amount to process transactions.
Didit: Identity verification for artisans. Processes NIN/BVN submitted by artisans. Their privacy policy governs how they handle this data.
Resend: Transactional email delivery (booking confirmations, notifications). They receive your name and email address to send emails on our behalf.
PostHog (EU): Product analytics. Receives pseudonymised usage events. Data stored in EU. GDPR-compliant.
Firebase / Google (USA): Push notifications on mobile apps. Receives a device token to deliver notifications. Google's Data Processing Addendum applies.
Google Tag Manager: Tag management for analytics scripts. May collect anonymised web analytics data.
We never sell, rent, or trade your personal data to third parties for their own marketing purposes. We do not share your data with law enforcement unless required by a valid legal order from a Nigerian court or competent authority.
Some of our service providers are based outside Nigeria (primarily in the EU and USA). When we transfer your data internationally, we ensure adequate safeguards are in place:
• Transfers to the EU: Nigeria does not yet have an adequacy decision with the EU, but our EU providers (Supabase, PostHog) operate under standard contractual clauses and SOC 2 certification.
• Transfers to the USA (Firebase/Google): Governed by Google's Data Processing Addendum, which includes standard contractual clauses under the GDPR framework.
We regularly review these transfer mechanisms to ensure continued compliance with the NDPA 2023 requirements on cross-border data transfers.
We keep your data for as long as it is needed for the purpose it was collected, or as required by Nigerian law.
Active accounts: We retain your data for the duration of your account's existence.
Booking records: Retained for 7 years after the booking date, in compliance with Nigerian financial record-keeping requirements.
Payment records: Payment references retained for 7 years for tax and audit compliance.
Identity verification records (artisans): Verification status retained indefinitely as it is tied to ongoing platform trust; raw NIN/BVN is not retained by Gwani.
Deleted accounts: When you delete your account, your profile is soft-deleted immediately and permanently purged within 30 days, except for data we are required to retain by law (e.g. booking/payment history for tax purposes, retained in anonymised form).
Analytics data: Pseudonymised usage data retained for up to 2 years.
As a data subject, you have the following rights under the Nigeria Data Protection Act 2023:
Right of Access: Request a copy of all personal data we hold about you.
Right to Rectification: Ask us to correct inaccurate or incomplete data.
Right to Erasure: Request deletion of your data where we no longer have a legal basis to hold it.
Right to Restriction: Ask us to pause processing your data in certain circumstances.
Right to Data Portability: Receive your data in a machine-readable format to transfer to another provider.
Right to Object: Object to processing based on legitimate interests, or object to direct marketing at any time.
Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
Right to Lodge a Complaint: Complain to the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng if you believe your rights have been violated.
To exercise any of these rights, email dpo@getgwani.com. We will respond within 30 days. We may need to verify your identity before processing your request.
We use the following types of cookies and tracking technologies:
Strictly Necessary Cookies: Session tokens required to keep you logged in. These cannot be disabled without breaking the service.
Analytics Cookies: PostHog uses cookies to understand feature usage patterns. These are pseudonymised and do not identify you personally. You can opt out by contacting us.
Tag Management: Google Tag Manager loads our analytics scripts. It does not itself store personal data.
We do not use advertising cookies, third-party tracking pixels, or retargeting technologies.
Cookie consent: On first visit to our website, we display a cookie consent banner. Continuing to use the platform after dismissing the banner constitutes consent to strictly necessary cookies only.
Gwani is not intended for use by persons under the age of 18. We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately at hello@getgwani.com and we will delete it promptly.
We take the security of your personal data seriously and implement appropriate technical and organisational measures:
• All data is encrypted in transit using TLS 1.2 or higher.
• Data at rest is encrypted by Supabase using AES-256.
• Row Level Security (RLS) policies in our database ensure each user can only access their own data.
• Passwords are hashed using bcrypt, we never store or see plain-text passwords.
• Payment card data is never stored by Gwani, it is tokenised and managed entirely by Paystack.
• Access to production systems is restricted to authorised personnel via multi-factor authentication.
• We conduct regular security reviews and respond promptly to identified vulnerabilities.
Despite these measures, no system is 100% secure. If you discover a security vulnerability, please disclose it responsibly to security@getgwani.com.
In the event of a personal data breach that is likely to result in risk to your rights and freedoms, we will:
• Notify the Nigeria Data Protection Commission (NDPC) within 72 hours of becoming aware, as required by the NDPA 2023.
• Notify affected users without undue delay where the breach is likely to result in high risk.
• Provide details of the nature of the breach, the data involved, the likely consequences, and the steps we are taking to address it.
We maintain an internal data breach register and investigate all suspected incidents promptly.
Artisan profile information, portfolio photos, and reviews are visible to all users of the Gwani platform. Before uploading content, please ensure:
• You own or have the right to use any photos or images you upload.
• Your content does not contain personal data of third parties without their consent.
• Your content complies with our Terms of Service.
Portfolio photos and profile information will remain visible as long as your account is active. They are removed when you delete your account.
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or via an in-app notification at least 14 days before the changes take effect. The date at the top of this page always shows when it was last updated.
Continued use of Gwani after the effective date of changes constitutes acceptance of the updated policy. If you do not agree, you should stop using Gwani and request deletion of your account.
For any privacy-related queries or to exercise your rights:
Data Protection Officer: dpo@getgwani.com
General: hello@getgwani.com
If you are not satisfied with our response, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng.
Gwanicore Technologies, Lagos, Nigeria, RC 9516797