Privacy Policy

Last updated: June 2026 · Effective date: June 2026

This document was last reviewed by OrbitVerse Holdings legal team. For legal advice specific to your situation, consult a qualified legal professional. This document does not constitute legal advice.

1. Introduction

OrbitVerse ("we", "us", "our") is a verified marketplace platform operated by OrbitVerse Holdings. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our platform at orbitverse.africa and related services.

We are committed to compliance with the Nigeria Data Protection Regulation (NDPR) 2019 and applicable data protection laws across our operating regions. OrbitVerse Holdings is registered with the Nigeria Data Protection Commission (NDPC, formerly under NITDA) as a Data Controller, reference on file and available on request.

1A. Data Protection Officer

OrbitVerse has appointed a Data Protection Officer (DPO) responsible for overseeing our data protection obligations under the NDPR and for acting as the point of contact for data subjects and regulators.

Data Protection Officer: dpo@orbitverse.africa

1B. Lawful Basis for Processing

In accordance with NDPR Article 2.1, we only process personal data where at least one of the following lawful bases applies:

  • Consent: you have given clear consent for a specific purpose
  • Contract: processing is necessary to perform our agreement with you (e.g. order fulfilment, escrow)
  • Legal obligation: processing is required to comply with Nigerian law (e.g. AML/CFT, tax, financial record-keeping)
  • Vital interest: processing is necessary to protect life or physical safety
  • Public interest: processing is necessary for functions in the public interest
  • Legitimate interest: processing is necessary for our legitimate business interests, balanced against your rights and freedoms

2. Information We Collect

2.1 Account Information

  • Full name, email address, phone number
  • Password (stored as encrypted hash, never in plain text)
  • Profile photo and biography (optional)
  • Country and location

2.2 Identity Verification Data (OrbitVerify)

  • National Identification Number (NIN)
  • Bank Verification Number (BVN)
  • CAC Registration Number (for business accounts)
  • Verification status and tier

Identity documents are verified through Dojah, a licensed KYC provider. We do not store raw NIN or BVN numbers after verification is complete. Only verification status and anonymised metadata are retained.

2.3 Transaction Data

  • Order history, amounts, currencies
  • Escrow transaction records
  • OrbitWallet balance and transaction history
  • Payment references (no full card numbers are stored)

2.4 Usage Data

  • Pages visited, search queries, products viewed
  • Device type, browser, IP address
  • Communication timestamps

2.5 Communications

  • Messages sent through the OrbitVerse chat system
  • Dispute evidence and descriptions
  • Support ticket content

3. How We Use Your Information

  • To create and manage your account
  • To process orders and manage escrow
  • To verify your identity through OrbitVerify
  • To calculate and display TrustScore
  • To send transaction notifications and alerts
  • To detect fraud and prevent abuse
  • To resolve disputes
  • To improve our platform and services
  • To comply with legal obligations

4. Identity Verification and Data Protection

OrbitVerify uses NIN and BVN data solely for the purpose of confirming your identity. This process is powered by Dojah (dojah.io), a NITDA-licensed identity verification provider.

We do not:

  • Sell your identity data to third parties
  • Use your NIN or BVN for any purpose other than verification
  • Store raw government ID numbers after verification is complete
  • Share verification data with other users

5. Escrow and Wallet Data

All financial transaction records are retained for a minimum of 7 years in compliance with Nigerian financial regulations. OrbitWallet balances are recorded in append-only ledgers. No transaction record is ever deleted or modified.

6. Data Sharing

We share data only with:

  • Dojah: for identity verification
  • Flutterwave: for payment processing and settlement
  • Resend: for transactional email delivery
  • Railway: our infrastructure provider

We do not sell personal data. We do not share data with advertisers.

7. Data Retention

  • Account data: retained while your account is active and for 2 years after closure
  • Transaction records: retained for 7 years (regulatory requirement)
  • Verification records: retained for 5 years
  • Chat messages: retained for 2 years
  • Usage logs: retained for 90 days

8. Your Rights

Under NDPR and applicable law, you have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Request deletion of non-essential data
  • Object to certain processing
  • Data portability
  • Withdraw consent where processing is based on consent

To exercise these rights, submit a request to privacy@orbitverse.africa or our Data Protection Officer at dpo@orbitverse.africa. We will acknowledge your request and respond substantively within 30 days, as required under the NDPR. Where a request is complex, we may extend this period by up to a further 30 days, and we will notify you of the extension and the reason for it.

9. Security

We implement industry-standard security measures including:

  • AES-256 encryption for sensitive data at rest
  • TLS 1.3 for all data in transit
  • JWT-based authentication with secure token rotation
  • Rate limiting and anomaly detection
  • Append-only financial ledgers

10. Cookies

We use essential cookies for authentication and session management. We do not use advertising or tracking cookies.

11. Children

OrbitVerse is not intended for users under 18 years of age. We do not knowingly collect data from minors.

12. Cross-Border Transfers

OrbitVerse operates across multiple countries. By using our platform, you consent to your data being processed in Nigeria and other countries where our service providers operate.

Where personal data is transferred outside Nigeria, we rely on appropriate safeguards consistent with NDPR requirements for cross-border transfer, including Standard Contractual Clauses (SCCs) with recipient processors, an adequacy determination by the regulator, or your explicit consent, and we require recipients to maintain a level of data protection commensurate with the NDPR.

13. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, OrbitVerse will notify the Nigeria Data Protection Commission (NDPC, formerly NITDA) within 72 hours of becoming aware of the breach, in accordance with NDPR breach notification requirements.

Where a breach is likely to result in a high risk to affected users, we will also notify those users directly and without undue delay, describing the nature of the breach and the measures taken or proposed to address it.

14. Changes to This Policy

We will notify you of material changes via email and an in-app notice at least 14 days before they take effect.

15. Contact

OrbitVerse Holdings

Email: privacy@orbitverse.africa

Data Protection Officer: dpo@orbitverse.africa

Website: orbitverse.africa

© 2026 OrbitVerse