Legal
Privacy Policy
We collect only what we need to shop for you, deliver to you, and stay in touch about your order. We never sell your data. You can delete it at any time via our Data Deletion page.
1. Who we are
Derin’s Pot (“we”, “us”) is the data controller for the personal data described in this policy. We operate from Lagos, Nigeria.
- Email: privacy@derinspot.com
- WhatsApp: +234 806 708 8035
2. What data we collect
We only collect what we need to provide the service.
You give us directly
- Phone number — your primary identifier on our system
- Name (or the name shown on your WhatsApp profile)
- Preferred name (optional, e.g. “Aunty Bisi”)
- Alternate phone + label (e.g. “Husband”, “PA”) — optional
- Email — optional, used for receipts
- Delivery addresses — including landmarks and delivery notes
- Location pins sent via WhatsApp — used once to suggest your address, then discarded if you decline
- Messages you send the bot — text, voice notes, photos, lists
Generated as you use the service
- Order history — items, prices, dates, totals
- Delivery records — driver name, delivery time, photo confirmation if taken
- Ratings you give us after an order
- Conversation logs — full WhatsApp threads with the bot and human agents
- Operator notes — staff may add internal notes to your profile (e.g. “prefers ripe plantain”). Some notes can be marked private
From third parties
- Payment metadata from Paystack — transaction reference, last 4 digits of card, channel. We do not store full card numbers
- Delivery webhooks from third-party logistics for diaspora freight
3. How we use your data
- To take, shop, pack, and deliver your order
- To send you order updates via WhatsApp (basket photos, ETAs, delivery confirmation, ratings request)
- To process your payment via Paystack and our banking partners
- To resolve disputes — refunds, returns, missing items
- To send you occasional marketing (new in season, bundles) — you can opt out anytime
- To improve the service — e.g. analysing which products customers ask for to plan stocking
- To meet legal obligations — tax records, regulatory requests, fraud prevention
4. Legal basis for processing
Under NDPR, we process your data on the following legal bases:
- Performance of a contract — to fulfil your order
- Consent — for marketing messages; you can withdraw at any time
- Legitimate interest — for fraud prevention, internal analytics, service improvement
- Legal obligation — for tax and regulatory record-keeping
6. WhatsApp & Meta
When you message us on WhatsApp, your message goes through Meta’s servers before reaching ours. Meta’s own privacy policies apply to that leg of the journey. Meta provides us with:
- Your WhatsApp phone number
- Your WhatsApp profile name (the name you set in WhatsApp)
- The content of the messages you send our business number
- Delivery status of messages we send you (sent, delivered, read)
We do not see your other WhatsApp chats, contacts, or media you haven’t sent us. WhatsApp messages between you and us are end-to-end encrypted on the way in; once they reach our business server they are decrypted so we can act on them.
7. Where we store it
Your data is stored on managed PostgreSQL databases hosted in Frankfurt (DigitalOcean) and product images on Cloudflare R2. Both providers are SOC 2 / ISO 27001 certified. Some processing happens in jurisdictions outside Nigeria, but we ensure equivalent protections via standard contractual clauses with our processors.
8. How long we keep it
- Active customer data (profile, addresses) — for as long as you have an account with us
- Order history — 7 years from the date of the order, for tax and accounting reasons
- WhatsApp message logs — 2 years from the last interaction, then automatically archived
- Payment records — 7 years, per regulatory requirement
- Marketing consent — until you withdraw it
When you request deletion (see /data-deletion), we delete or anonymise everything we’re not legally required to keep, within 30 days. Records we must retain for tax reasons are kept in pseudonymised form (your name removed, transaction ID kept).
9. Your rights under NDPR
You have the right to:
- Access — see what data we hold about you
- Rectify — correct anything inaccurate
- Erase — request deletion (see the link below)
- Restrict processing — pause certain uses (e.g. marketing) without deleting
- Object — to processing based on legitimate interest, including profiling
- Data portability — receive your data in a machine-readable format
- Withdraw consent — for anything we do under consent (mostly marketing)
- Complain — to the Nigerian Data Protection Commission (NDPC) at ndpc.gov.ng
To exercise any of these rights, email privacy@derinspot.com or use our Data Deletion request form.
11. Children
Our service is intended for adults (18+). We don’t knowingly collect data from children under 13. If you believe a child has sent us their data, message privacy@derinspot.com and we’ll delete it.
12. Security & breach notification
We use industry-standard security (TLS in transit, encryption at rest, access controls, audit logging). No system is 100% secure. If a breach affects your data, we will:
- Notify the NDPC within 72 hours of becoming aware
- Notify affected customers without undue delay, via WhatsApp and email
- Tell you what happened, what data was affected, and what we’re doing about it
13. Changes to this policy
We’ll update this page when our practices change. Material changes will be announced via WhatsApp and email, and on the homepage. The “Last updated” date reflects the most recent revision.
14. Contact our Data Protection Officer
Our DPO handles privacy questions and data-rights requests.
- Email: privacy@derinspot.com
- WhatsApp: +234 806 708 8035 (mark your message “PRIVACY”)
For an immediate data-deletion request, use the Data Deletion form — most are processed within 24 hours.