Skip to main content
Qlutterbox logo

PRIVACY

Privacy notice

This notice explains how Qlutterbox collects, uses, shares, and protects personal data in line with NDPR/NDPA and GDPR, while staying aligned with the wider Qubicbox trust commitments published on Qubicweb and Qubictry.

Last updated: 29 January 2026

Who we are

  • Qlutterbox is part of Qubicbox Technologies Limited (operators of Qubicweb, Qubictry, the Trust badge, and E-Fraud Watch). Qubicbox is the primary data controller unless we explicitly serve as a processor for enterprise partners.
  • Operational headquarters: Lagos, Nigeria with TrustOps and engineering support distributed across the EU/EEA.

Information we collect

  • Identity & verification: names, pronouns, NIN/BVN/CAC documents, guild references, selfie/video captures to issue badges or curate protected payment.
  • Contact details: email, phone, messaging handles, notification preferences.
  • Listings & inspections: inventory metadata, provenance notes, diagnostic logs, proof-of-condition media, dispute artefacts.
  • Protected Payment & payout: bank account details, transaction IDs, invoice references, commission statements, settlement preferences.
  • Technical telemetry: device fingerprints, IP addresses, session identifiers, MFA events, moderation audit logs, rate-limiting fingerprints.
  • Trust graph signals: Trust badge status, referrals, leaderboard rank, TrustOps annotations that feed Qubicweb overlays and Qubictry referrals.

Purposes & lawful bases

  • Contract: onboarding Curators, publishing listings, processing protected payment, inspections, payouts, disputes, and restitution workflows.
  • Legal obligation: NDPR/NDPA, AML/CFT, financial services, tax, and consumer protection compliance.
  • Legitimate interest: preventing fraud, securing the platform, measuring product usage with privacy-preserving telemetry, and improving moderation accuracy. Assessments are reviewed annually.
  • Consent: optional marketing updates, referrals, saved searches, biometric capture where explicit consent is mandated. Withdraw anytime without affecting prior lawful processing.

Retention

  • Operational records (listings, protected payment logs, payout statements): transaction close plus 7 years for audit and restitution.
  • Curator KYC dossiers: duration of the relationship plus 5 years for regulatory requirements.
  • TrustOps dispute files: 5 years post resolution.
  • Evidence uploads: 24 months unless legal holds apply, then securely deleted from primary and backup storage.
  • Marketing preferences: until withdrawn; requests honoured within 72 hours.

International transfers

  • Data may move between Nigeria, the EU, and South Africa to provide redundancy and low latency. Transfers rely on Standard Contractual Clauses (2021/914/EU), encryption, scoped access, and supplementary risk assessments.

Security controls

  • Mandatory MFA for Curators, TrustOps, payout actors, and admin tooling.
  • Role-based access with quarterly recertification and immutable AuditLog entries.
  • Evidence sanitisation (EXIF stripping, malware scans) before analysts review uploads.
  • Honeypots, adaptive rate limiting, anomaly detection, and rehearsed incident response plans with 72-hour regulator notifications when required.

Sharing & processors

  • Payments & protected payment: Paystack, Flutterwave, and regulated payout partners under NDPR-compliant DPAs and Standard Contractual Clauses.
  • Cloud infrastructure: Vercel, AWS (eu-west-1/af-south-1), Cloudflare, Supabase, Resend, Upstash.
  • Ecosystem partners: Qubicweb (trust overlays), Qubictry (pro referrals), and the Trust badge service when required to fulfil your request.
  • Lawful disclosures: only when legally compelled or necessary to prevent imminent harm. Every disclosure is logged in immutable AuditLog trails.

Your rights

  • Access, rectification, deletion, restriction, objection, portability, and withdrawal of consent without affecting prior lawful processing.
  • Right to complain to the Nigeria Data Protection Commission (NDPC) or your local EU supervisory authority.
  • Right to understand automated decision-making; we do not run solely automated decisions with legal effects without human review.

How to exercise your rights

  • Email privacy@qlutterbox.com with the subject "Data Subject Request" and include the email/phone tied to your account. We acknowledge within one working day and fulfil within 30 days (extendable by 15 days for complex cases).
  • Escalations: NDPC (complaints@ndpc.gov.ng) or your EU supervisory authority.
  • Postal: Qlutterbox Privacy Desk, 12B Adeola Odeku Street, Victoria Island, Lagos, Nigeria.

Product-specific notes

  • Qlutterbox protected payment and inspections rely on Trust badge verification data; badge state synchronises with Qubictry referrals and Qubicweb trust overlays.
  • Community submissions feeding E-Fraud Watch or OSINT Lab are reviewed and anonymised before publication. Reporters can remain anonymous.

Updates

  • We review this notice whenever regulations, processors, or product scope changes. Updated versions appear here with a new revision date.
  • Latest revision: 29 January 2026.