Privacy Policy

This policy explains how GEARS Rental Marketplace collects, processes, and protects your personal data. It applies to all users — renters, vendors, and visitors — and is governed by the Nigeria Data Protection Act 2023 (NDPA) and its implementing regulations.

Effective date: 1 April 2026  ·  Last updated: April 2026

1. About This Policy

GEARS Rental Marketplace (“GEARS”, “we”, “us”, or “our”) is committed to protecting the privacy of everyone who uses our platform. This Privacy Policy describes:

  • What personal data we collect from renters, vendors, and visitors.
  • Why we collect it and the legal basis for doing so.
  • How long we keep it and who we share it with.
  • Your rights under Nigerian law and how to exercise them.

By creating an account or using any part of the GEARS platform (website, mobile app, or API), you acknowledge that you have read and understood this policy. If you do not agree, please discontinue use of our services.

2. Who We Are

GEARS is a technology platform that connects equipment vendors with renters across Nigeria. We operate as the data controller for personal data collected through our platform and as a data processor on behalf of vendors where we handle their customers' data at their instruction.

Registered name: GEARS Rental Marketplace

Operating address: Wuye, Abuja, Federal Capital Territory, Nigeria

Data Protection Officer (DPO): privacy@gears.ng

Regulator: Nigeria Data Protection Commission (NDPC)

3. Data We Collect

We collect only the data that is necessary to provide, secure, and improve our services. The categories depend on whether you are a renter, vendor, or unauthenticated visitor.

3.1 Account & Identity Data

  • Full name, email address, phone number, and password (hashed — never stored in plain text).
  • Profile photograph (optional).
  • Government-issued ID type and document image — required for identity verification before renting.
  • Guarantor name, phone number, and relationship.

3.2 Location Data

  • State, city, and street address provided during onboarding.
  • We do not collect real-time GPS location from your device.

3.3 Transaction & Booking Data

  • Booking dates, selected products, rental duration, and pickup/return times.
  • Invoice and payment references (generated by our payment processor — we do not store raw card numbers, CVVs, or full PAN data).
  • Settlement records between GEARS and vendors.
  • Booking status history (confirmed, active, completed, cancelled).

3.4 Vendor-Specific Data

  • Shop name, shop description, business logo, and operating location.
  • Bank account details (account name, number, bank code) — used exclusively to process vendor payouts via Paystack.
  • Product listings: titles, descriptions, photos, pricing, and availability calendars.
  • Verification status and date.

3.5 Communications Data

  • Messages exchanged between renters and vendors through the in-platform booking thread.
  • Support tickets and correspondence with the GEARS team.
  • Feedback and review content submitted after a completed rental.

3.6 Technical & Usage Data

  • IP address, browser type, operating system, and device identifiers.
  • Pages visited, search queries, and click paths — collected via server logs and first-party analytics.
  • Session tokens stored in HTTP-only cookies for authentication.
  • Service worker registrations for offline and push notification functionality.

3.7 Data We Do Not Collect

  • Full payment card numbers, CVV codes, or bank PINs — these are handled entirely by Paystack.
  • Biometric data.
  • Real-time device location.
  • Data from minors under 18 (see Section 11).

4. How We Use Your Data

We process your data only for the purposes described below. Each purpose has a corresponding lawful basis under the NDPA 2023.

| Purpose | Lawful Basis (NDPA) |
| --- | --- |
| Create and manage your account | Contract performance |
| Process bookings and payments | Contract performance |
| Verify renter and vendor identity | Legal obligation / Legitimate interest |
| Facilitate renter–vendor communication | Contract performance |
| Calculate and disburse vendor settlements | Contract performance |
| Detect and prevent fraud or abuse | Legitimate interest / Legal obligation |
| Send transactional emails (booking confirmation, receipts) | Contract performance |
| Send product updates and marketing emails | Consent (opt-out available at any time) |
| Improve platform features and performance | Legitimate interest |
| Comply with regulatory, tax, and law enforcement requests | Legal obligation |
| Resolve disputes between renters and vendors | Legitimate interest / Contract performance |

We will never use your data for automated decision-making that produces significant legal effects without human review, unless required by law.

5. Sharing Your Data

We do not sell, rent, or trade your personal data. We share it only in the following circumstances:

5.1 With Vendors (when you book from them)

When you place a booking, the vendor receives your full name, phone number, and pickup/return schedule. Vendors are contractually bound by our Vendor Terms of Service to use this data solely to fulfil your rental and not for any secondary marketing or third-party disclosure.

5.2 With Renters (when a vendor accepts their booking)

Renters receive the vendor's shop name, location, and contact information necessary to complete the pickup and return.

5.3 With Third-Party Service Providers

  • Paystack — payment processing. Paystack is PCI-DSS compliant and operates under its own privacy policy. We share booking amount and payer reference only.
  • ImageKit — image hosting and CDN for product photos, user profile pictures, and ID document images. Images are stored on ImageKit's servers in accordance with their data processing agreement.
  • Google Firebase — cloud infrastructure, push notifications, and supplementary file storage. Firebase processes data under Google's standard contractual clauses.
  • Email delivery provider — transactional emails (booking confirmations, password resets, receipts) are sent via SMTP. Email addresses are shared for delivery purposes only.

5.4 With Law Enforcement or Regulators

We will disclose personal data to courts, law enforcement agencies, or the NDPC when required by a valid court order, subpoena, or applicable Nigerian law. Where legally permitted, we will notify affected users before disclosure.

5.5 Business Transfers

If GEARS is involved in a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction. You will be notified via email and a prominent platform notice at least 30 days before any such transfer, and you will have the right to delete your account before it occurs.

6. Vendor-Specific Obligations

Vendors on GEARS handle personal data belonging to their customers (renters). In doing so, vendors act as independent data controllers for their own customer relationships. By listing on GEARS, vendors agree to:

  • Comply with the NDPA 2023 with respect to all renter data accessed through the GEARS platform.
  • Use renter personal data only to fulfil bookings and provide customer service — not for unsolicited marketing.
  • Not share renter data with any third party without the renter's explicit consent.
  • Not retain renter data beyond the period necessary to resolve disputes or meet legal obligations.
  • Report any data breach involving renter data to GEARS within 24 hours of discovery so GEARS can fulfil its regulatory notification obligations.
  • Ensure physical or digital records of renter data (e.g., copied ID documents) are securely destroyed after the rental is completed unless legally required to retain them.

GEARS reserves the right to suspend or terminate a vendor's account for material breach of these obligations.

7. Cookies & Tracking Technologies

We use a minimal set of cookies that are essential for the platform to function. We do not use third-party advertising cookies or cross-site tracking pixels.

| Cookie | Type | Purpose | Expires |
| --- | --- | --- | --- |
| auth_token | HTTP-only, Secure | Keeps you logged in between sessions | 7 days |
| refresh_token | HTTP-only, Secure | Silently refreshes your session without re-login | 30 days |
| _gears_pref | First-party | Remembers your display preferences (e.g., location filter) | 1 year |

Authentication cookies are essential for security and cannot be disabled without logging out. You may clear all cookies from your browser settings at any time, which will log you out of the platform.

8. Data Retention

We retain personal data only for as long as necessary for the purpose for which it was collected, or as required by Nigerian law.

| Data Category | Retention Period |
| --- | --- |
| Active account data | Duration of account + 12 months after deletion request |
| Booking and transaction records | 6 years (Nigerian tax and commercial law requirement) |
| Identity verification documents (ID images) | Duration of account + 90 days after closure |
| Payment references and invoices | 6 years |
| Support correspondence | 3 years |
| Server and access logs | 90 days |
| Marketing consent records | Until consent is withdrawn + 1 year |

When data reaches the end of its retention period it is securely deleted or anonymised. Anonymised data (from which you cannot be identified) may be retained indefinitely for aggregate analytics.

9. Security

We implement industry-standard technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or alteration.

  • All data is transmitted over TLS 1.2 or higher (HTTPS). Unencrypted HTTP connections are rejected.
  • Passwords are hashed using bcrypt with a minimum cost factor of 10 before storage.
  • Authentication tokens are stored in HTTP-only, Secure, SameSite cookies — inaccessible to JavaScript and resistant to XSS.
  • Sensitive environment variables (API keys, DB credentials) are never committed to version control and are injected at runtime.
  • Database access is restricted to application-layer services behind a private network; no direct public database exposure.
  • ID document images are stored with restricted-access policies on ImageKit and are not publicly listed or indexable.
  • Payment card data is never processed by GEARS servers — all card handling is delegated to Paystack's PCI-DSS Level 1 infrastructure.
  • We conduct periodic security reviews and address reported vulnerabilities under a responsible-disclosure model.

Despite our measures, no system is perfectly secure. In the event of a data breach that is likely to result in high risk to your rights, we will notify you and the NDPC within 72 hours of becoming aware of it.

10. Your Rights

Under the Nigeria Data Protection Act 2023, you have the following rights with respect to your personal data:

Right to Access

Request a copy of all personal data we hold about you. We will respond within 30 days.

Right to Rectification

Correct inaccurate or incomplete data. You can update most information directly from your account settings.

Right to Erasure (“Right to be Forgotten”)

Request deletion of your account and personal data. Note: we may retain certain records for the statutory periods outlined in Section 8.

Right to Restriction of Processing

Ask us to pause processing your data while a dispute or rectification request is pending.

Right to Data Portability

Receive your personal data in a structured, machine-readable format (JSON/CSV) to transfer to another service.

Right to Object

Object to processing based on legitimate interest — including profiling and direct marketing. We will stop unless we have compelling legitimate grounds.

Right to Withdraw Consent

Where processing is based on consent (e.g., marketing emails), withdraw it at any time without affecting the lawfulness of prior processing.

Right to Lodge a Complaint

File a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng if you believe we have violated your rights.

To exercise any right, email privacy@gears.ng with “Data Rights Request” in the subject line and proof of identity. We will acknowledge within 5 business days and fulfil the request within 30 days. Complex requests may be extended by a further 60 days with notice.

11. Children's Privacy

GEARS is intended exclusively for users who are 18 years of age or older. We do not knowingly collect personal data from anyone under 18. Creating an account constitutes a representation that you are at least 18 years old.

If we discover that a user is under 18, we will immediately suspend the account, delete all associated personal data, and reverse any transactions where legally possible. If you believe a minor has registered on our platform, contact us at privacy@gears.ng.

12. International Data Transfers

Our primary servers are located in Nigeria. However, some of our third-party service providers (including Google Firebase and ImageKit) may process or store data outside Nigeria, including in the United States and the European Economic Area.

Where data is transferred internationally, we ensure an adequate level of protection is in place through one or more of the following:

  • Standard Contractual Clauses (SCCs) approved by the relevant data protection authority.
  • The recipient country has been recognised by the NDPC as providing adequate data protection.
  • The transfer is necessary for the performance of a contract you have entered into with us.

You may request details of the safeguards in place for any specific international transfer by contacting our DPO.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our services, technology, or legal obligations. When we make material changes, we will:

  • Update the “Last updated” date at the top of this document.
  • Send a notification email to all registered users at least 14 days before the changes take effect.
  • Display a banner on the platform prompting you to review the updated policy.

Continued use of the platform after the effective date of a revised policy constitutes acceptance of those changes. If you do not agree with the revised policy, you may delete your account before the effective date.

14. Contact & Complaints

If you have any questions about this Privacy Policy, wish to exercise your data rights, or want to report a concern, contact our Data Protection Officer:

Email: privacy@gears.ng

Post: Data Protection Officer, GEARS Rental Marketplace, Wuye, Abuja, Nigeria

Response time: 5 business days for acknowledgement; 30 days for full resolution

Right to escalate to the regulator

If you are not satisfied with our response, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng or by emailing info@ndpc.gov.ng.

© 2026 GEARS Rental Marketplace · Governed by the laws of the Federal Republic of Nigeria