Legal
Privacy Policy
Effective date: 2 May 2025 · Last updated: 2 May 2025
Chakam (“we”, “our”, “us”) operates an event photo-sharing platform available at chakam.xyz. This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and the rights you have over your data. We are committed to protecting your privacy in accordance with the Nigeria Data Protection Act 2023 (NDPA), the Nigeria Data Protection Regulation 2019 (NDPR), and applicable international standards.
1. Who We Are
Chakam is a software product built for event organisers and their guests in Nigeria and beyond. The platform lets organisers create a live event gallery, generate a QR code for guests, and collect photos in real time — without requiring guests to download any app or create an account.
For the purposes of data protection law, Chakam is the data controller for the personal data of registered organisers. For personal data uploaded by guests (such as names and photos), the event organiser is also a data controller for their own event data.
Contact: privacy@chakam.xyz
2. Data We Collect
2.1 Account and Profile Data (Organisers)
When you register as an organiser, we collect your full name, email address, and the user type you select during onboarding (e.g. individual or business). This data is collected via our authentication provider, which supports sign-in with Google or email and password.
2.2 Event Data
Organisers create events by providing an event name, optional description, event date, and other configuration settings (such as whether photo uploads are locked, watermarks are enabled, or downloads are allowed). This information is stored in our database.
2.3 Photos and Media Uploaded by Guests
Guests who scan an event QR code can upload photos directly to the event gallery. Guests are not required to provide a name or email address unless an organiser has enabled guest identification. Uploaded photos are stored in cloud object storage (Cloudinary) and may contain metadata embedded in the image file (such as EXIF data including device model and, in some cases, GPS coordinates). We do not actively extract or display this metadata but we recommend guests review their device camera settings if they are concerned about embedded location data.
2.4 Payment Data
When you purchase a paid plan or a one-time event upgrade, your payment is processed by Paystack, a PCI-DSS compliant payment processor. We do not store your card number, CVV, or bank account details. We receive and store a transaction reference, payment status, amount, and the product purchased. For identity-linked payments, we store the email address used during checkout.
2.5 Technical and Usage Data
We and our service providers may automatically collect technical data when you use Chakam, including your IP address, browser type and version, operating system, pages visited, time and date of your visit, and other diagnostic data. This data is used to maintain platform security, diagnose errors, and understand how the platform is used.
2.6 Communications Data
If you contact us by email or through any support channel, we will retain the content of your messages and your contact details in order to respond to you and keep a record of our communication.
3. How We Use Your Data
We use your personal data for the following purposes:
- Providing the service: Creating and managing your account, processing your events, serving your galleries to guests, and enabling photo uploads.
- Processing payments: Handling subscriptions and one-time purchases via Paystack.
- Sending transactional emails: Confirming your registration, payment receipts, and other account-related notifications via Resend.
- Security and fraud prevention: Monitoring for abuse, verifying webhook signatures, and protecting both organisers and guests.
- Improving the platform: Analysing aggregate, anonymised usage patterns to improve features and performance.
- Legal compliance: Meeting our obligations under Nigerian and applicable international law.
We will not use your data for automated decision-making that produces legal or similarly significant effects without your explicit consent.
4. Legal Bases for Processing
Under the NDPA 2023 and, where applicable, the EU General Data Protection Regulation (GDPR), we rely on the following legal bases:
- Contract performance: Processing necessary to provide the service you signed up for (account creation, event management, payment processing).
- Legitimate interests: Security monitoring, platform improvement, and fraud prevention, where these are not overridden by your interests or rights.
- Legal obligation: Where we must retain or disclose data to comply with Nigerian law or a court order.
- Consent: For any processing not covered above (e.g. marketing emails), we will ask for your explicit consent and you may withdraw it at any time.
5. Who We Share Your Data With
We share personal data only with service providers who help us deliver the platform. All sub-processors are bound by data processing agreements.
| Provider | Purpose | Location |
|---|---|---|
| MongoDB Atlas | Database | USA |
| Cloudinary | File storage | USA |
| Google / NextAuth | Authentication and identity | USA |
| Paystack | Payment processing | Nigeria / USA |
| Resend | Transactional email | USA |
| Vercel | Hosting and edge network | Global (AWS/GCP) |
We do not sell, rent, or trade your personal data to any third party for marketing purposes. We may disclose data if required by law, regulation, legal process, or governmental request, or to protect the rights, safety, or property of Chakam, its users, or the public.
6. International Data Transfers
Some of our sub-processors are located outside Nigeria. Where data is transferred to countries that may not have equivalent data protection laws, we rely on Standard Contractual Clauses (SCCs), the sub-processor's participation in recognised certification schemes (such as the EU-US Data Privacy Framework), or other appropriate safeguards as permitted under the NDPA 2023.
7. Data Retention
- Account data: Retained for as long as your account is active. If you delete your account, we will delete or anonymise your personal data within 30 days, except where we are required to retain it by law.
- Event data and photos: Retained as long as the associated event exists. You can delete individual photos or entire events from your dashboard at any time.
- Payment records: Retained for a minimum of 7 years as required by Nigerian financial regulations (FIRS and CBN guidelines).
- Technical logs: Retained for up to 90 days for security and debugging purposes.
8. Your Rights
Under the NDPA 2023 and, where applicable, the GDPR, you have the following rights regarding your personal data:
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate or incomplete data.
- Right to erasure: Request deletion of your personal data where there is no overriding legal reason for us to retain it.
- Right to restriction: Request that we restrict processing of your data while a dispute is resolved.
- Right to data portability: Receive your data in a structured, machine-readable format.
- Right to object: Object to processing based on legitimate interests, including profiling.
- Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, email us at privacy@chakam.xyz. We will respond within 30 days. If you are unsatisfied with our response, you may lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng.
9. Cookies and Tracking
Chakam uses strictly necessary cookies and session tokens to keep you signed in and maintain the security of your session. These are essential to the operation of the platform; we do not use third-party advertising or analytics cookies.
We do not use tracking pixels, fingerprinting, or any cross-site tracking technology. If we introduce optional analytics in the future, we will update this policy and request your consent.
10. Children's Privacy
The Chakam platform is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us at privacy@chakam.xyz and we will delete it promptly.
Guests who upload photos to event galleries may be any age; however, event organisers are solely responsible for ensuring that photo collection at their events complies with applicable laws regarding minors.
11. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include:
- Encryption of data in transit (TLS 1.2+) and at rest.
- Row-level security policies on our database to ensure organisers can only access their own data.
- Webhook signature verification for all incoming payment notifications.
- Short-lived, signed URLs for accessing stored media files.
- Strict access controls limiting which team members can access production systems.
No method of transmission over the internet or electronic storage is 100% secure. If you become aware of a security concern, please notify us immediately at privacy@chakam.xyz.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify registered organisers by email and update the effective date at the top of this page. Continued use of the platform after the effective date constitutes acceptance of the updated policy. We encourage you to review this page periodically.
13. Contact Us
If you have any questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact our Data Protection Officer at: