Privacy Policy

Last updated · 14 May 2026

The short version

We collect the minimum needed to fulfil your order. We don't sell your data. We don't use ad trackers. We use Paystack for payments and never see your card details. You can ask us to delete your data at any time by emailing 8amfoods@gmail.com.

This policy complies with the Nigeria Data Protection Regulation (NDPR, 2019) and the Nigeria Data Protection Act (2023).

1. What we collect

From you, directly:

  • Your phone number (required so we can reach you about pickup)
  • Your email address (optional — used only to send receipts)
  • Your name (optional — only if you submit feedback or a walk-in order)
  • Special-request notes (optional, e.g. "no salt")
  • Your order ratings and written feedback after pickup

From your device, automatically:

  • Your IP address (for rate limiting and abuse prevention)
  • Basic browser / OS information (for debugging)
  • Push notification subscription — only if you explicitly grant permission

What we do NOT collect:

  • Card or bank account details — handled entirely by Paystack
  • Your location, contacts, photos, or anything requiring device permissions
  • Behaviour across other websites

2. Why we collect it

We process your data only for these purposes:

  • Fulfilling orders — lawful basis: contract performance
  • Order updates (push, email, SMS callbacks) — lawful basis: your consent and contract performance
  • Fraud and abuse prevention (rate limits, audit log) — lawful basis: legitimate interest
  • Improving the menu and operations (using aggregated ratings + analytics) — lawful basis: legitimate interest

We do not use your data for advertising or profiling, and we do not sell it to anyone. Ever.

3. Who has access

Inside 8am Foods: only the owner and authorised staff. Each person logs in with their own PIN, and every sensitive action (refunds, item edits, exports) is recorded in an audit log.

Third parties we share specific data with:

  • Paystack (Nigeria) — receives your phone number and order amount to process payment. They issue your refund if applicable. See paystack.com/privacy.
  • Supabase (United States) — hosts our database. Your data is encrypted in transit (TLS 1.2+) and at rest. supabase.com/privacy.
  • Resend (United States) — sends email receipts. Only triggered if you provide an email. resend.com/legal.
  • Cloudinary (US/EU) — hosts our food photos. No customer data is sent here.
  • Vercel (United States) — hosts our website. Stores anonymised request logs (including IP) for up to 30 days.

Some of these providers are based outside Nigeria. Each is covered by its own data-protection standards (GDPR, CCPA, etc.), which exceed NDPR's baseline.

4. How long we keep it

  • Order records — 3 years (tax and business-record requirements)
  • Customer phone & email tied to those orders — 3 years from your last order, then anonymised
  • Push subscriptions — until you uninstall the PWA, revoke permission, or your device token expires
  • Audit logs — 1 year
  • IP addresses in our rate-limit table — up to 30 minutes
  • Data stored on your own device (localStorage) — controlled by you; we clear our drafts after 14 days automatically

5. Your rights

Under NDPR and the Nigeria Data Protection Act, you have the right to:

  • Access — request a copy of the data we hold about you
  • Rectification — ask us to correct inaccurate data
  • Erasure — ask us to delete your data ("right to be forgotten")
  • Restriction — pause our processing while you raise a concern
  • Objection — object to a specific use of your data
  • Portability — receive your data in a structured, machine-readable format
  • Withdraw consent — for anything you previously opted into (push, marketing emails)

To exercise any right, email 8amfoods@gmail.com with the subject line "Data request". We'll respond within 30 days as required by NDPR.

6. Cookies and local storage

We don't use third-party tracking cookies. We use:

  • A signed, HTTP-only session cookie for staff PIN access (expires after 12 hours)
  • Local storage on your device for: your phone number (so you don't re-enter it), your last 10 order codes (for quick re-access), push subscription endpoint, and any unfinished application draft (cleared after 14 days)

Local storage data lives on your device and never leaves it unless you take an action that sends it (placing an order, etc.). Clearing your browser data removes it all.

7. Children

8am Foods is not intended for users under 16. We don't knowingly collect data from anyone under that age. If you believe we've received data from a minor, email us and we'll delete it.

8. Security

How we protect your data:

  • All traffic is HTTPS-only (HSTS, two-year preload)
  • Payments handled by Paystack (PCI-DSS Level 1)
  • Database encrypted at rest and in transit (Supabase)
  • Admin access protected by per-PIN and per-IP lockout, with constant-time PIN comparison and audit logging
  • Strict Content-Security-Policy and other browser-level protections

9. Data breach

In the unlikely event of a breach affecting your personal data, we will:

  • Notify affected users within 72 hours via email or in-app banner
  • Notify the Nigeria Data Protection Commission (NDPC) as required
  • Publish a post-incident report explaining what happened and what we've changed

10. Changes to this policy

We'll post material updates here with the "Last updated" date refreshed. If a change materially affects how we handle your data, we'll notify you in-app and by email (if we have an email address for you).

11. Contact and complaints

Data Protection contact for 8am Foods:

  • Email 8amfoods@gmail.com (subject: "Data request")
  • WhatsApp 0706 579 2002
  • The Bakery, beside the school market

If you're not satisfied with our response, you can lodge a complaint with the Nigeria Data Protection Commission at ndpc.gov.ng.