Privacy Policy
Version 3.0 · Effective: April 2026 · NDPA 2023 Compliant
NDPA 2023 compliant. We collect only what is necessary. We do not sell your data.

SubJara Privacy Policy

This Privacy Policy explains how SubJara Technology Limited collects, uses, stores, and protects personal data in connection with the SubJara platform. It applies to Organisers who create accounts, Members who make payments, and visitors who interact with our services. We are committed to handling your data in accordance with the Nigeria Data Protection Act 2023 (NDPA) and all applicable regulations.

1. Data Controller

The data controller for all personal data processed through SubJara is:

SubJara Technology Limited
Lagos, Nigeria
Privacy contact: privacy@subjara.app
General support: support@subjara.app

As data controller, we determine the purposes and means of processing your personal data. We process data lawfully, fairly, and transparently in accordance with the NDPA 2023. A Data Protection Officer (DPO) appointment is planned for a post-beta milestone in compliance with NDPA requirements for organisations processing personal data at scale.

2. Personal Data We Collect

2.1 Data Collected from Organisers

Identity: Full name, email address, phone number — Account creation, authentication, communications

Group Information: Group name, group type, member tag label, group description — Platform functionality

Bank Account Details: Bank name, account number (encrypted), account name, Paystack subaccount code — Routing payouts

Authentication Data: Password hash (bcrypt, never plaintext), session tokens, login timestamps — Account security

Usage Data: Plans created, payments received, feature usage, screen events — Product improvement, fraud detection

Communications: Support messages, feedback submitted — Customer support, service improvement

Beta Request Data: Name, email, organisation name, approximate member count — Beta access review and communication

2.2 Data Collected from Members

Identity: Full name, phone number, email address (optional) — Payment processing, receipt delivery, member records

Payment Data: Transaction reference, amount paid, payment date, payment status — Payment records, receipts, outstanding balance calculation

Group Tag: Custom tag value set by organiser — Organiser record-keeping; displayed at payment

Device / Technical: IP address, device type, browser/OS at time of payment — Fraud detection, security

Portal Session: Verification attempt timestamps, session token (24hr, device-specific) — Member portal access security

SubJara does not collect or store payment card numbers, CVV codes, or bank account numbers from Members. This data is processed exclusively by Paystack under their own privacy policy and PCI DSS compliance framework.

3. Lawful Basis for Processing

Under the NDPA 2023, we process personal data on the following lawful bases:

  • Account registration and authentication — Contract
  • Payment processing and routing — Contract / Legitimate interest
  • Bank account verification — Contract / Legal obligation
  • Sending payment receipts — Contract
  • Member portal access — Legitimate interest
  • Fraud detection and security — Legitimate interest / Legal obligation
  • AML record retention — Legal obligation
  • Beta request review — Legitimate interest
  • Product analytics — Legitimate interest
  • Marketing communications — Consent (opt-in only)

4. How We Use Your Data

4.1 To Provide the Service

  • Create and manage Organiser accounts and Groups.
  • Create and manage Plans, generate payment links, and display payment data in your group overview.
  • Process Member payments through Paystack and route Payouts to Organiser bank accounts.
  • Generate payment references and send receipts to Members.
  • Provide the Member Portal for Members to view their payment history.
  • Manage bank account registrations, verifications, and change requests.

4.2 For Security and Compliance

  • Verify account identity and detect suspicious activity.
  • Comply with applicable regulations and NDPA 2023.
  • Rate-limit portal verification attempts to protect against brute-force access.
  • Retain transaction records for the legally required period.

4.3 For Product Improvement

  • Analyse aggregated usage patterns to improve features and UX.
  • Investigate errors, crashes, and support issues.
  • Conduct internal research on feature effectiveness.

We do not use your personal data to train AI or machine learning models.

4.4 For Communications

  • Send payment receipt emails (transactional).
  • Send operational notifications to Organisers.
  • Respond to support requests.
  • Send product update emails to Organisers (unsubscribe available).

5. Data Sharing & Third Parties

5.1 Paystack Payments Limited

SubJara shares limited data with Paystack to process payments and create subaccounts. Paystack is an independent data controller for the data they receive.

5.2 Resend (Email Service)

Resend delivers transactional emails. Resend processes data as a data processor on SubJara’s behalf.

5.3 Supabase (Database & Authentication)

Supabase hosts our database and authentication. For data residency, we select the available region closest to Nigeria.

5.4 Railway (Backend Hosting)

Application logs and runtime data may transit Railway’s infrastructure.

5.5 Law Enforcement & Regulators

We may disclose personal data where required by law or to prevent fraud or financial crime.

5.6 No Sale of Data

SubJara does not sell, rent, or trade personal data to any third party for commercial purposes.

5.7 Business Transfer

If SubJara is acquired or merges, personal data may be transferred to the successor entity, with notice where required.

6. Data Retention

We retain different categories of data for specific periods (e.g. transaction records for multiple years) and securely delete or anonymise data on expiry, subject to legal obligations.

7. Data Security

  • Passwords hashed with bcrypt (never plaintext).
  • Encryption at rest for sensitive data.
  • TLS encryption in transit.
  • Row Level Security policies for database access control.
  • Verification and rate-limiting for portal access.

No system is completely secure. If you discover a vulnerability, report it to privacy@subjara.app. We will investigate and respond within 72 hours.

8. Your Data Subject Rights Under the NDPA 2023

To exercise any right, contact privacy@subjara.app. We respond within 30 days.

  • Right to Access
  • Right to Rectification
  • Right to Erasure (subject to legal retention limits)
  • Right to Restriction of Processing
  • Right to Data Portability
  • Right to Object
  • Right to Withdraw Consent
  • Right to Lodge a Complaint (NDPC: ndpc.gov.ng)

9. Children's Privacy

SubJara is not intended for persons under 18 years of age.

10. Cookies & Tracking

The SubJara mobile application does not use cookies. If a web version is introduced in future, a separate cookie policy will be provided.

11. International Data Transfers

Data may be stored outside Nigeria depending on infrastructure availability. We use appropriate safeguards consistent with NDPA 2023.

12. Organiser Responsibilities as Data Controllers

Organisers are independent data controllers for Member data in relation to their Group. SubJara acts as a data processor in that context.

13. Changes to This Privacy Policy

We may update this policy. We will notify Organisers of material changes in advance where possible.

14. Contact & Data Subject Requests

SubJara Technology Limited
Lagos, Nigeria
Privacy: privacy@subjara.app
Support: support@subjara.app
NDPC: ndpc.gov.ng

