Legal

Privacy Policy

Effective date: 2 May 2025 · Last updated: 2 May 2025

Chakam (“we”, “our”, “us”) operates an event photo-sharing platform available at chakam.xyz. This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and the rights you have over your data. We are committed to protecting your privacy in accordance with the Nigeria Data Protection Act 2023 (NDPA), the Nigeria Data Protection Regulation 2019 (NDPR), and applicable international standards.

1. Who We Are

Chakam is a software product built for event organisers and their guests in Nigeria and beyond. The platform lets organisers create a live event gallery, generate a QR code for guests, and collect photos in real time — without requiring guests to download any app or create an account.

For the purposes of data protection law, Chakam is the data controller for the personal data of registered organisers. For personal data uploaded by guests (such as names and photos), the event organiser is also a data controller for their own event data.

Contact: privacy@chakam.xyz

2. Data We Collect

2.1 Account and Profile Data (Organisers)

When you register as an organiser, we collect your full name, email address, and the user type you select during onboarding (e.g. individual or business). This data is collected via our authentication provider, which supports sign-in with Google or email and password.

2.2 Event Data

Organisers create events by providing an event name, optional description, event date, and other configuration settings (such as whether photo uploads are locked, watermarks are enabled, or downloads are allowed). This information is stored in our database.

2.3 Photos and Media Uploaded by Guests

Guests who scan an event QR code can upload photos directly to the event gallery. Guests are not required to provide a name or email address unless an organiser has enabled guest identification. Uploaded photos are stored in cloud object storage (Cloudinary) and may contain metadata embedded in the image file (such as EXIF data including device model and, in some cases, GPS coordinates). We do not actively extract or display this metadata but we recommend guests review their device camera settings if they are concerned about embedded location data.

2.4 Payment Data

When you purchase a paid plan or a one-time event upgrade, your payment is processed by Paystack, a PCI-DSS compliant payment processor. We do not store your card number, CVV, or bank account details. We receive and store a transaction reference, payment status, amount, and the product purchased. For identity-linked payments, we store the email address used during checkout.

2.5 Technical and Usage Data

We and our service providers may automatically collect technical data when you use Chakam, including your IP address, browser type and version, operating system, pages visited, time and date of your visit, and other diagnostic data. This data is used to maintain platform security, diagnose errors, and understand how the platform is used.

2.6 Communications Data

If you contact us by email or through any support channel, we will retain the content of your messages and your contact details in order to respond to you and keep a record of our communication.

3. How We Use Your Data

We use your personal data for the following purposes:

  • Providing the service: Creating and managing your account, processing your events, serving your galleries to guests, and enabling photo uploads.
  • Processing payments: Handling subscriptions and one-time purchases via Paystack.
  • Sending transactional emails: Confirming your registration, payment receipts, and other account-related notifications via Resend.
  • Security and fraud prevention: Monitoring for abuse, verifying webhook signatures, and protecting both organisers and guests.
  • Improving the platform: Analysing aggregate, anonymised usage patterns to improve features and performance.
  • Legal compliance: Meeting our obligations under Nigerian and applicable international law.

We will not use your data for automated decision-making that produces legal or similarly significant effects without your explicit consent.

4. Legal Bases for Processing

Under the NDPA 2023 and, where applicable, the EU General Data Protection Regulation (GDPR), we rely on the following legal bases:

  • Contract performance: Processing necessary to provide the service you signed up for (account creation, event management, payment processing).
  • Legitimate interests: Security monitoring, platform improvement, and fraud prevention, where these are not overridden by your interests or rights.
  • Legal obligation: Where we must retain or disclose data to comply with Nigerian law or a court order.
  • Consent: For any processing not covered above (e.g. marketing emails), we will ask for your explicit consent and you may withdraw it at any time.

5. Who We Share Your Data With

We share personal data only with service providers who help us deliver the platform. All sub-processors are bound by data processing agreements.

ProviderPurposeLocation
MongoDB AtlasDatabaseUSA
CloudinaryFile storageUSA
Google / NextAuthAuthentication and identityUSA
PaystackPayment processingNigeria / USA
ResendTransactional emailUSA
VercelHosting and edge networkGlobal (AWS/GCP)

We do not sell, rent, or trade your personal data to any third party for marketing purposes. We may disclose data if required by law, regulation, legal process, or governmental request, or to protect the rights, safety, or property of Chakam, its users, or the public.

6. International Data Transfers

Some of our sub-processors are located outside Nigeria. Where data is transferred to countries that may not have equivalent data protection laws, we rely on Standard Contractual Clauses (SCCs), the sub-processor's participation in recognised certification schemes (such as the EU-US Data Privacy Framework), or other appropriate safeguards as permitted under the NDPA 2023.

7. Data Retention

  • Account data: Retained for as long as your account is active. If you delete your account, we will delete or anonymise your personal data within 30 days, except where we are required to retain it by law.
  • Event data and photos: Retained as long as the associated event exists. You can delete individual photos or entire events from your dashboard at any time.
  • Payment records: Retained for a minimum of 7 years as required by Nigerian financial regulations (FIRS and CBN guidelines).
  • Technical logs: Retained for up to 90 days for security and debugging purposes.

8. Your Rights

Under the NDPA 2023 and, where applicable, the GDPR, you have the following rights regarding your personal data:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate or incomplete data.
  • Right to erasure: Request deletion of your personal data where there is no overriding legal reason for us to retain it.
  • Right to restriction: Request that we restrict processing of your data while a dispute is resolved.
  • Right to data portability: Receive your data in a structured, machine-readable format.
  • Right to object: Object to processing based on legitimate interests, including profiling.
  • Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, email us at privacy@chakam.xyz. We will respond within 30 days. If you are unsatisfied with our response, you may lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng.

9. Cookies and Tracking

Chakam uses strictly necessary cookies and session tokens to keep you signed in and maintain the security of your session. These are essential to the operation of the platform; we do not use third-party advertising or analytics cookies.

We do not use tracking pixels, fingerprinting, or any cross-site tracking technology. If we introduce optional analytics in the future, we will update this policy and request your consent.

10. Children's Privacy

The Chakam platform is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us at privacy@chakam.xyz and we will delete it promptly.

Guests who upload photos to event galleries may be any age; however, event organisers are solely responsible for ensuring that photo collection at their events complies with applicable laws regarding minors.

11. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include:

  • Encryption of data in transit (TLS 1.2+) and at rest.
  • Row-level security policies on our database to ensure organisers can only access their own data.
  • Webhook signature verification for all incoming payment notifications.
  • Short-lived, signed URLs for accessing stored media files.
  • Strict access controls limiting which team members can access production systems.

No method of transmission over the internet or electronic storage is 100% secure. If you become aware of a security concern, please notify us immediately at privacy@chakam.xyz.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify registered organisers by email and update the effective date at the top of this page. Continued use of the platform after the effective date constitutes acceptance of the updated policy. We encourage you to review this page periodically.

13. Contact Us

If you have any questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact our Data Protection Officer at:

Chakam

Lagos, Nigeria

privacy@chakam.xyz