Privacy Policy

Data Controller: BountyBoard
Privacy contact: privacy@bountyboard.ng
Website: bountyboard.ng

BountyBoard is a Nigerian sourcing platform connecting Buyers who post bounties for hard-to-find items with Hunters who locate and submit verified leads to earn rewards.

All users (Buyers and Hunters):

• Full name and display name
• Phone number (Nigerian mobile)
• Email address
• Password (stored securely — we never store your plain-text password)
• City or preferred location (optional)
• Date and time of account creation, phone/email verification, and last login
• IP address at login and key account actions (for fraud prevention and security)
• Consent timestamp and privacy policy version accepted at registration

Hunters additionally:

• Bank account number, bank code, and account name (for payout processing via Paystack)
• Paystack recipient code
• Sourcing specialty/category (optional)
• Reputation score and flag status

Bounties and leads:

• Bounty details posted by Buyers (title, description, budget, reward, category)
• Lead submissions by Hunters including seller contact information, location, and evidence photos
• GPS coordinates embedded in uploaded photos (EXIF data), if present
• AI evaluation scores and reasoning generated from lead content

Payments:

• Payment reference numbers and transaction status via Paystack
• We do not store card numbers or bank credentials — Paystack handles all payment data under their own PCI-DSS compliance

We process your data under the following legal bases (NDPA Schedule 2):

• Contract performance — to create and manage your account, process bounties and leads, hold funds in escrow, and pay out rewards
• Consent — for SMS and email marketing notifications (you may withdraw consent at any time in Settings)
• Legitimate interest — to detect fraud, prevent abuse, maintain platform security, and improve our service
• Legal obligation — to comply with Nigerian financial regulations and respond to lawful requests from authorities

• Create and authenticate your account
• Send OTP verification codes via SMS and email
• Process bounty payments, hold funds in escrow, and release hunter payouts through Paystack
• Use AI to evaluate lead quality and detect potential scams
• Send transactional notifications about your bounties, leads, and payouts
• Send marketing communications if you opted in (unsubscribe any time)
• Detect and prevent fraudulent activity, abuse, and security breaches
• Generate anonymised aggregate statistics to improve the platform
• Comply with legal and regulatory obligations

We do not sell your data. We share it only with the following service providers who process it on our behalf:

• Paystack — payment processing and hunter payouts. Paystack Privacy Policy: paystack.com/privacy
• Termii — SMS OTP delivery to Nigerian phone numbers
• Resend — transactional and marketing email delivery
• OpenAI — AI-powered lead evaluation (lead content only; no account PII is shared)
• Cloudflare R2 — secure object storage for evidence photos uploaded by Hunters
• Railway — database hosting and application infrastructure
• Vercel — frontend hosting and content delivery

We may disclose data to law enforcement or regulatory authorities (including the NDPC) where required by Nigerian law or in response to a valid legal order.

When a Buyer funds a bounty, the reward amount is held in escrow by BountyBoard via Paystack until a verified lead is accepted or the bounty closes. We process these funds solely for the purpose of fulfilling the bounty reward. BountyBoard is not a bank or financial institution — all funds are processed through Paystack under their regulatory authorisations.

• Active accounts: retained for the life of your account
• Deleted accounts: personal identifiers (name, phone, email) are immediately anonymised on deletion; anonymised records are retained for audit and financial compliance purposes for 7 years
• OTP codes: deleted or invalidated within 10 minutes of issue
• Audit logs: retained for 7 years to meet Nigerian financial and anti-fraud regulations
• Evidence photos: retained while the associated lead exists; deleted when a lead is permanently removed

BountyBoard applies industry-standard technical and organisational measures to protect your data. All data in transit is encrypted via HTTPS/TLS. Passwords are never stored in plain text. Authentication sessions are managed securely with the ability to revoke access instantly. Access to sensitive systems is restricted to authorised personnel only.

Despite these measures, no system is completely secure. If you suspect your account has been compromised, contact us immediately at privacy@bountyboard.ng.

In the event of a personal data breach, BountyBoard will:

• Notify the Nigeria Data Protection Commission (NDPC) within 72 hours of becoming aware of the breach, as required by the NDPA 2023
• Notify affected users by email within 72 hours where the breach is likely to result in a high risk to their rights and freedoms
• Provide details of what data was affected, the likely consequences, and the steps we have taken or propose to take

As a data subject you have the right to:

• Access — request a copy of the personal data we hold about you
• Rectification — ask us to correct inaccurate or incomplete data
• Erasure — request deletion of your account and personal data (subject to legal retention obligations)
• Restriction — ask us to stop processing your data in certain circumstances
• Portability — receive your data in a machine-readable format
• Objection — object to processing based on legitimate interest
• Withdraw consent — opt out of SMS or email marketing at any time in Settings, or by emailing us

To exercise any of these rights, email privacy@bountyboard.ng. We will respond within 30 days. If you are unsatisfied with our response, you may lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng.

BountyBoard uses httpOnly cookies for authentication sessions. These are strictly necessary for the service to function and do not require consent under the NDPA. We also store your display name in browser local storage for UI convenience only — no tracking or analytics cookies are used.

BountyBoard is not directed at children under 18. We do not knowingly collect data from anyone under 18. If you believe a child has registered, contact support@bountyboard.ng and we will delete the account promptly.

We may update this policy as the platform evolves or regulations change. When we make material changes, we will notify you by email and update the version number and effective date at the top of this page. Continued use of BountyBoard after the effective date constitutes acceptance of the updated policy.