PRIVACY

Privacy notice

This notice explains how Qlutterbox collects, uses, shares, and protects personal data in line with NDPR/NDPA and GDPR, while staying aligned with the wider Qubicbox trust commitments published on Qubicweb and Qubictry.

Last updated: 29 January 2026

Who we are

• Qlutterbox is part of Qubicbox Technologies Limited (operators of Qubicweb, Qubictry, the Trust badge, and E-Fraud Watch). Qubicbox is the primary data controller unless we explicitly serve as a processor for enterprise partners.
• Operational headquarters: Lagos, Nigeria with TrustOps and engineering support distributed across the EU/EEA.

Information we collect

• Identity & verification: names, pronouns, NIN/BVN/CAC documents, guild references, selfie/video captures to issue badges or curate protected payment.
• Contact details: email, phone, messaging handles, notification preferences.
• Listings & inspections: inventory metadata, provenance notes, diagnostic logs, proof-of-condition media, dispute artefacts.
• Protected Payment & payout: bank account details, transaction IDs, invoice references, commission statements, settlement preferences.
• Technical telemetry: device fingerprints, IP addresses, session identifiers, MFA events, moderation audit logs, rate-limiting fingerprints.
• Trust graph signals: Trust badge status, referrals, leaderboard rank, TrustOps annotations that feed Qubicweb overlays and Qubictry referrals.

Purposes & lawful bases

• Contract: onboarding Curators, publishing listings, processing protected payment, inspections, payouts, disputes, and restitution workflows.
• Legal obligation: NDPR/NDPA, AML/CFT, financial services, tax, and consumer protection compliance.
• Legitimate interest: preventing fraud, securing the platform, measuring product usage with privacy-preserving telemetry, and improving moderation accuracy. Assessments are reviewed annually.
• Consent: optional marketing updates, referrals, saved searches, biometric capture where explicit consent is mandated. Withdraw anytime without affecting prior lawful processing.

Retention

• Operational records (listings, protected payment logs, payout statements): transaction close plus 7 years for audit and restitution.
• Curator KYC dossiers: duration of the relationship plus 5 years for regulatory requirements.
• TrustOps dispute files: 5 years post resolution.
• Evidence uploads: 24 months unless legal holds apply, then securely deleted from primary and backup storage.
• Marketing preferences: until withdrawn; requests honoured within 72 hours.

International transfers

• Data may move between Nigeria, the EU, and South Africa to provide redundancy and low latency. Transfers rely on Standard Contractual Clauses (2021/914/EU), encryption, scoped access, and supplementary risk assessments.

Security controls

• Mandatory MFA for Curators, TrustOps, payout actors, and admin tooling.
• Role-based access with quarterly recertification and immutable AuditLog entries.
• Evidence sanitisation (EXIF stripping, malware scans) before analysts review uploads.
• Honeypots, adaptive rate limiting, anomaly detection, and rehearsed incident response plans with 72-hour regulator notifications when required.

Sharing & processors

• Payments & protected payment: Paystack, Flutterwave, and regulated payout partners under NDPR-compliant DPAs and Standard Contractual Clauses.
• Cloud infrastructure: Vercel, AWS (eu-west-1/af-south-1), Cloudflare, Supabase, Resend, Upstash.
• Ecosystem partners: Qubicweb (trust overlays), Qubictry (pro referrals), and the Trust badge service when required to fulfil your request.
• Lawful disclosures: only when legally compelled or necessary to prevent imminent harm. Every disclosure is logged in immutable AuditLog trails.

Your rights

• Access, rectification, deletion, restriction, objection, portability, and withdrawal of consent without affecting prior lawful processing.
• Right to complain to the Nigeria Data Protection Commission (NDPC) or your local EU supervisory authority.
• Right to understand automated decision-making; we do not run solely automated decisions with legal effects without human review.

How to exercise your rights

• Email privacy@qlutterbox.com with the subject "Data Subject Request" and include the email/phone tied to your account. We acknowledge within one working day and fulfil within 30 days (extendable by 15 days for complex cases).
• Escalations: NDPC (complaints@ndpc.gov.ng) or your EU supervisory authority.
• Postal: Qlutterbox Privacy Desk, 12B Adeola Odeku Street, Victoria Island, Lagos, Nigeria.

Product-specific notes

• Qlutterbox protected payment and inspections rely on Trust badge verification data; badge state synchronises with Qubictry referrals and Qubicweb trust overlays.
• Community submissions feeding E-Fraud Watch or OSINT Lab are reviewed and anonymised before publication. Reporters can remain anonymous.

Updates

• We review this notice whenever regulations, processors, or product scope changes. Updated versions appear here with a new revision date.
• Latest revision: 29 January 2026.