Privacy Policy
1. Introduction
Storefront is an e-commerce platform developed by Paystack Payments Limited. It offers a seamless and user-friendly experience for business owners and creatives, taking away the burden of creating a website themselves, and making it the preferred choice for small business owners and creatives.
This Privacy Notice (“Notice”) governs your use of (“the Website”, “the Webapp”, “the Platform”). We provide this Notice because you have a right to know what information we collect, why we collect it, how it is protected and used, and the circumstances under which it may be disclosed.
2. The data that we process
Personal data is any information about an individual that can be used to identify that person either directly or indirectly. For example, when using Paystack's payment portal to make purchases from your favourite vendor on the Storefront platform, we will request personal information from you to process your transaction. We also collect personal data from third-party sources or through your use of our services.
We collect the following information:
| Data collected from Paystack merchants | Data collected from customers |
| --- | --- |
| Profile biodata of team members: First and last name, phone number, email address | First and last name |
| Contact information: email address, business email address, phone number | Phone number and email address |
| Compliance KYC data for directors and shareholders: government ID, proof of address | Delivery address |
| Customer transaction information (payments received, date of payment, sender name, IP address, transaction type, bank, country, payment channel, amount, customer email address) | Transaction information (amount paid, date of payment, IP address, transaction type, bank, country, payment channel, amount) |
3. Lawful bases and purpose of processing
Paystack’s Storefront processes your data under at least one of these lawful bases:
- Legitimate interest: Processing your data is necessary for our legitimate interests or the legitimate interests of a third party, provided your rights and interests do not override those interests.
- Consent: You have given explicit consent for us to process your data for a specific purpose.
- Contract: If processing your data is necessary for the performance of a contract with us, or we have asked you to take specific steps before entering that contract.
- Legal obligation: If the processing of your data is necessary to comply with a legal requirement to which we are subject.
4. The purpose of processing your data and the lawful bases
| Purpose of Processing | Lawful Bases |
| --- | --- |
| To collect statistical data and analytics for internal use; to send service-related messages; to analyse the platform usage and provide, maintain and improve the content and functionality of our Application | Legitimate interest |
| To secure our platform and prevent fraud; for ID verification and payment authentication | Legitimate interest, legal obligation |
| To send reminders and keep you updated on the actions you perform on your account | Consent |
| To manage your account; to facilitate and manage transactions; to enable seamless payment for goods | Contract |
| To interact with regulatory authorities or other public authorities concerning your use of our Platform; to inform you of any changes to our terms of business, services, or our Privacy Notice | Legal obligation |
5. Your rights as a data subject
The law vests you with certain rights as a data subject. They include the right to:
- Access personal data we hold about you by requesting a copy;
- Rectify such information where you believe it to be inaccurate;
- Restrict the processing of your data in certain circumstances;
- Object to the processing of your data where we intend to process such data for marketing purposes;
- Where feasible, receive a copy of the personal data you have provided to us—in a structured, commonly used, and machine-readable format—and transmit the information to another data controller;
- Request the erasure of your data and a deletion of your account;
- Withdraw your consent to processing your data; and
- Lodge a complaint with a relevant authority where you have reason to believe we have violated this Privacy Notice (you may complain or seek redress from us within 30 days from when you first detected the alleged violation). You also have the right to complain to the relevant data protection regulator.
You may seek to exercise any of the above rights at any time by emailing us at [email protected]. For information on how to close your Storefront account, you may delete your account from your dashboard.
6. Who do we share your data with
The following service providers support us to ensure the smooth running of the Product:
| Service Providers | Purpose of processing |
| --- | --- |
| Google Firebase Analytics | It helps us understand how people use the platform. This information helps us improve our platform and make it more useful for everyone. See the Firebase Analytics privacy notice here. |
| Smile ID | We use Smile ID for document verification, identity verification, to prevent duplicate account creation, and to combat fraud. See Smile ID’s privacy notice here. |
| Cloudflare | We use Cloudflare to enhance our website’s performance, protect our system, and improve the user experience by reducing load times. See Cloudflare’s privacy notice here. |
| Amazon Web Services (AWS) | We store the data that we process on AWS in Ireland. You can read AWS’ privacy notice here. |
| Paystack | We use various Paystack products to provide streamlined service offerings, such as identifying customers who sign up to avoid creating duplicate accounts and processing payments. You can read Paystack’s privacy notice here. |
| Legal and Regulatory Authorities | We may disclose personal data to these bodies if it is necessary to comply with a law, regulation, order, subpoena, or audit, or to protect the safety of any person or address fraud, security, or technical issues. |
7. Retention of your data
The data and any other information we collect from you will be stored for as long as necessary to fulfil the purposes described in this Notice. However, we will also retain data in line with applicable laws, in addition to resolving disputes, preventing fraud and abuse, and enforcing our legal agreements and policies.
Please note that any transaction data may be retained longer, even after you request its removal, if there is a legal requirement to do so.
8. How do we protect your data
We use strong technical and organisational measures to safeguard your data from unauthorised access or accidental loss. We adhere to data protection laws and best practices, using security protocols like encryption, firewalls, and physical access controls. Our employees only access your data when necessary and are contractually bound to maintain its confidentiality.
We comply with the Payment Card Industry Data Security Standard (PCI DSS) to secure your card information and are certified to ISO/IEC 27001:2022 and ISO/IEC 27701:2019 Standards. This includes regular security updates to meet industry standards. Also, we have added two-factor authentication (2FA) for extra security. You will need to enter a one-time password (OTP) each time you sign out.
If there is a data breach that could harm your rights and freedoms, we will notify you promptly and do our best to fix the issue.
9. International transfer of data
Our services use third-party servers located in other countries, such as Amazon Web Services (AWS) servers in Ireland. This means your data is transferred outside of your country. We ensure that your data is processed and protected in accordance with this Notice and relevant laws, regardless of your location.
When transferring data outside of your country of operation, we take extra steps to protect it and choose reliable third-party providers. Please contact us for more information about data transfers to third countries, including our methods for transferring data. Furthermore, we transfer data when we have a legal obligation to do so or need to establish or defend a legal claim.
10. Complaints
If you are concerned about an alleged breach of data protection law or any other regulation by us, you can contact the Data Protection Officer (DPO) at [email protected]. The DPO will investigate your complaint and provide information about how it is handled.
If you are still unsatisfied with the resolution of your complaint, you may escalate this to the Data Protection Authority.
11. Changes to this Notice
We occasionally update our privacy notice. We will notify our users when we make a change, and users can check the last update date on this page whenever they visit to see if there have been any changes.
12. Contact Us
If you have any questions related to this Notice or your rights under it, or are not satisfied with how we manage your data, please contact our Data Protection Officer at [email protected].
Effective Date: Friday, May 30, 2025