What we collect, why, and how to get it back.

To process your order and ship goods to you, we collect:

• Identity: full name, phone number (E.164), email address.
• Order data: items, quantities, delivery hub or address, payment reference.
• Optional: BVN or NIN for orders above ₦200,000 (anti-fraud — only collected when triggered).
• Device + usage data: IP address, browser, pages visited, for security + analytics.

• Processing your orders + refunds.
• Communicating about your batch (WhatsApp, email, in-app notifications).
• Customer support and dispute resolution.
• Anti-fraud, security, and compliance (KYC where required).
• Anonymous, aggregated analytics to improve the product (no individual identification).

We share only what is necessary, with these parties:

• Paystack — payment processing.
• WhatsApp Business / BSP — notifications you opt into.
• Our clearing broker — name and contact for customs clearance.
• Inter-state courier (when chosen) — delivery address.
• Lawful authorities — only on valid court order.

We do not sell your data, ever. We do not run ad-network pixels.

Customer data is stored in PostgreSQL with encryption at rest, hosted in DigitalOcean's Lagos region (or AWS Cape Town as fallback). Backups are encrypted and retained for 30 days. Operational logs are retained for 90 days then purged.

You have the right to:

• Access the personal data we hold about you.
• Correct any data that is wrong or out of date.
• Request deletion (subject to legal retention obligations — e.g. tax records for 7 years).
• Withdraw consent for marketing communications anytime.
• Lodge a complaint with the NDPB.

For data access or deletion requests, email privacy@krated.com. We respond within 30 days as required by NDPR.