Privacy Policy
Last updated: April 2026
1. Who We Are
Sweet Canvas Ltd ("Sweet Canvas", "we", "us") operates an online marketplace connecting customers with verified local bakers. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our website and services.
We are committed to protecting your privacy in accordance with the Nigeria Data Protection Regulation (NDPR) 2019 and other applicable data protection laws.
2. Data We Collect
We collect the following categories of personal data:
2.1. Information You Provide
- Account data: Name, email address, phone number, password (hashed)
- Order data: Delivery addresses, cake customisation details, special instructions, dietary requirements, reference images
- Payment data: Processed by Paystack — we do not store full card numbers
- Vendor data: Business name, location, NIN, CAC number, bank details, portfolio images, food safety certificates
- Communications: Messages sent through our in-app messaging system, support requests
2.2. Information Collected Automatically
- Usage data: Pages visited, features used, search queries, order history
- Device data: Browser type, operating system, IP address, device identifiers
- Cookies: Session cookies for authentication and preferences (see Section 8)
3. How We Use Your Data
We use your personal data for the following purposes:
- Service delivery: Processing orders, facilitating communication between customers and vendors, managing payments and payouts
- Account management: Creating and maintaining your account, verifying identity
- Communication: Sending order updates, payment confirmations, delivery notifications, and support responses
- Platform improvement: Analysing usage patterns to improve our services, fix bugs, and develop new features
- Trust & safety: Detecting fraud, enforcing our Terms, verifying vendor legitimacy, and resolving disputes
- Legal compliance: Meeting regulatory requirements, responding to legal requests
4. Data Sharing
We share your data only as necessary:
- With Vendors: When you place an order, the Vendor receives your name, delivery address, phone number, and order details to fulfil the order
- With Customers: Vendors' business name, location, and product information are displayed publicly. Customer personal data is only shared for order fulfilment
- Payment processors: Paystack processes payments on our behalf under their own privacy policy
- Service providers: Email delivery (for notifications), cloud hosting, and analytics services — all bound by data processing agreements
- Legal requirements: If required by law, court order, or government authority
We do not sell your personal data to third parties.
5. Data Security
We implement appropriate technical and organisational measures to protect your data, including:
- Encrypted data transmission (HTTPS/TLS)
- Hashed and salted passwords — we cannot see your password
- Secure session management with HTTP-only cookies
- Access controls limiting who can view personal data
- Regular security reviews
No system is 100% secure. While we take reasonable precautions, we cannot guarantee absolute security of data transmitted over the internet.
6. Data Retention
We retain your data for as long as necessary to provide our services and comply with legal obligations:
- Account data: Retained while your account is active, plus 12 months after a deletion request
- Order data: Retained for 7 years for tax and legal compliance
- Payment records: Retained for 7 years as required by financial regulations
- Messages: Retained for 12 months after the related order is completed
7. Your Rights
Under the NDPR, you have the right to:
- Access: Request a copy of the personal data we hold about you
- Rectification: Request correction of inaccurate data
- Erasure: Request deletion of your data (subject to legal retention requirements)
- Restriction: Request limitation of data processing in certain circumstances
- Portability: Request your data in a machine-readable format
- Objection: Object to processing of your data for specific purposes
To exercise any of these rights, contact us at privacy@sweetcanvas.org. We will respond within 30 days.
8. Cookies
We use essential cookies for:
- Authentication: Keeping you logged in during your session
- Preferences: Remembering your settings and choices
We do not currently use third-party tracking or advertising cookies. If this changes, we will update this policy and provide clear opt-in/opt-out mechanisms.
9. Children
Sweet Canvas is not directed at children under 18. We do not knowingly collect data from minors. If we learn that a child's data has been collected, we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification. The "Last updated" date at the top indicates the most recent revision.
11. Contact
For privacy-related questions or to exercise your data rights:
- Email: privacy@sweetcanvas.org
- Data Protection Officer: Sweet Canvas Ltd, Lagos, Nigeria
