PrivePas Support

Away

PrivePas
FeaturesPricingBlog

Legal

Privacy Policy

Last updated: March 2026

This Privacy Policy explains how PrivePas Technologies Limited ("PrivePas", "we", "us", "our") collects, uses, stores, protects, and transfers personal information when you use our event security and invitation management platform at https://privepas.com. By using PrivePas, you acknowledge that you have read and understood this Policy.

1. Who We Are

PrivePas Technologies Limited is a web-based event security and invitation management platform operating in Nigeria. We are registered with the Corporate Affairs Commission (CAC) of the Federal Republic of Nigeria.

For all privacy inquiries, data access requests, and data deletion requests, contact our Data Protection Officer at: privacy@privepas.com

PrivePas processes personal data in accordance with the Nigeria Data Protection Regulation (NDPR) 2019, the Nigeria Data Protection Act (NDPA) 2023, and other applicable Nigerian law.

2. Legal Basis for Processing

We process your personal data on the following legal bases:

  • Contract performance: Processing necessary to provide the services you have purchased or registered for.
  • Legal obligation: Processing required to comply with applicable Nigerian law, including financial record-keeping requirements.
  • Legitimate interests: Processing for platform security, fraud prevention, abuse detection, and service improvement, where these interests are not overridden by your rights.
  • Consent: Processing for marketing communications, where you have expressly opted in. You may withdraw consent at any time.

3. Information We Collect

Account Information: When you register as an Event Owner or Event Planner, we collect your full name, email address, phone number, and a bcrypt-hashed password. We never store plaintext passwords.

Event and Guest Data: We store event names, event dates, guest lists (including guest names and, where provided, email addresses), unique invitation tokens, check-in logs, and card generation timestamps that you upload or enter.

Payment Information: Payments are processed by Paystack. PrivePas does not store your card number, CVV, bank account number, or BVN. We retain only the Paystack payment reference number, transaction amount, payment type, and date for our records.

Usage and Analytics Data: We collect anonymised data about how pages are used (page views, interaction patterns, referral sources) using privacy-respecting analytics. This data does not personally identify you.

Scanner and Check-in Logs: We record QR scan events including the guest name, staff token used, check-in timestamp, and event identifier. These logs are accessible to the event organiser.

Communications: If you contact us by email or submit feedback, we retain your email address, name, and the content of your message.

Newsletter Subscribers: If you subscribe to our newsletter, we retain your email address and, where provided, your name. We do not add you to marketing communications without your consent.

Attribution Data: If you access PrivePas via a referral link containing a tracking parameter (e.g. ?source=instagram), we record that source for internal attribution purposes only.

4. How We Use Your Information

We use your personal data to:

  • Create and maintain your account and provide the services you have purchased
  • Generate and deliver QR-coded invitation cards to your guests
  • Process payments and send access codes and receipts via email
  • Send transactional emails including account verification, password reset, RSVP confirmation, and plan expiry notices
  • Enable real-time check-in monitoring and scanning at your event
  • Investigate and prevent fraud, abuse, and security incidents
  • Improve and maintain the Platform based on anonymised usage data
  • Send marketing or newsletter communications where you have consented
  • Comply with legal obligations including Nigerian financial regulations
  • Enforce our Terms and Conditions

We do not sell, rent, lease, or share your personal information with third parties for their own marketing purposes under any circumstances.

5. Data Sharing and Third Parties

We share personal data only in the following circumstances:

  • Paystack for payment processing. Paystack processes your payment information under their own privacy policy (paystack.com/privacy). We share only your email address and payment amount with Paystack to initiate transactions.
  • Resend for transactional email delivery. We share recipient email addresses and email content with Resend solely to deliver emails you have instructed us to send (access codes, invitations, RSVP confirmations). Resend is contractually bound not to use this data for any other purpose.
  • Vercel our hosting provider. Your data transits Vercel's infrastructure under a data processing agreement. Vercel does not access or use your data independently.
  • Neon (database) our database provider processes your data under a data processing agreement. Data is stored in encrypted form.
  • Cloudinary for image and asset storage (including your card templates). Cloudinary processes uploaded images on our behalf.
  • Law enforcement and legal authorities if required by a valid court order, government demand, or applicable Nigerian law. We will notify you of such requests where legally permitted.
  • Business transfers in the event of a merger, acquisition, or sale of all or part of our business, personal data may be transferred as a business asset. We will notify affected users before such transfer and provide options where required by law.

6. International Data Transfers

PrivePas is based in Nigeria. However, some of our third-party service providers are headquartered outside Nigeria and may process your data in jurisdictions including the United States and the European Union. Specifically:

  • Vercel United States (with global edge network)
  • Neon United States
  • Resend United States
  • Cloudinary United States

These transfers are made subject to appropriate safeguards including contractual data processing agreements that require these providers to protect your data to standards comparable to the NDPR. By using PrivePas, you consent to these international data transfers.

If you have questions about the safeguards applied to international transfers, contact privacy@privepas.com.

7. Cookies and Tracking

Session Cookies: PrivePas uses strictly necessary HTTP-only, SameSite-protected cookies to maintain your login session. These cookies contain only an encrypted JWT token. They expire after 7 days or when you sign out. No personal information is stored in these cookies.

No Advertising Cookies: We do not use advertising cookies, cross-site tracking, retargeting pixels, or third-party analytics platforms that profile individual users.

Anonymous Analytics: We collect aggregated, anonymised page-view data to understand how the Platform is used. This does not involve setting third-party cookies or tracking individual users across sessions.

Cookie Consent: Because we use only strictly necessary cookies for session management and do not use tracking or advertising cookies, no cookie consent banner is technically required. If we introduce non-essential cookies in the future, we will update this Policy and implement appropriate consent mechanisms.

8. Data Retention

We retain your personal data as follows:

  • Account data (name, email, hashed password): retained for as long as your account is active plus 12 months after closure.
  • Event and guest data: retained until you delete it from your dashboard. We recommend exporting records you wish to keep before deletion. Deleted data is purged from our systems within 30 days.
  • Payment records: retained for 7 years as required by Nigerian financial and tax regulations.
  • Check-in logs: retained for 12 months from the event date, after which they are automatically deleted unless the account owner exports them.
  • Newsletter subscriber data: retained until you unsubscribe, after which it is deleted within 30 days.
  • Support and feedback communications: retained for 2 years.

You may request deletion of your account and all associated data at any time by emailing privacy@privepas.com. Payment records required by law will be retained even after account deletion.

9. Data Security

We protect your data with industry-standard security measures including:

  • HTTPS/TLS encryption for all data in transit
  • bcrypt hashing (cost factor 12+) for all passwords no plaintext passwords are stored
  • HTTP-only session cookies with SameSite=Strict protection against CSRF
  • Separate JWT secrets per user type (owner, planner, admin) to contain breaches
  • Login rate limiting and account lockout protection against brute-force attacks
  • Redis-based webhook replay protection to prevent duplicate payment processing
  • Database access restricted to application-level connections only
  • Regular security reviews and patching

Despite these measures, no internet transmission or storage system is 100% secure. In the event of a data breach that is likely to result in risk to your rights and freedoms, we will notify affected users and the relevant Nigerian authority within 72 hours of becoming aware of the breach, as required by the NDPR.

We encourage you to use a strong, unique password and to notify us immediately if you suspect unauthorised access to your account.

10. Your Rights

Under the NDPR and NDPA, you have the following rights with respect to your personal data:

  • Right of access: You may request a copy of the personal data we hold about you.
  • Right to rectification: You may correct inaccurate data via your account settings or by contacting us.
  • Right to erasure: You may request deletion of your account and associated personal data, subject to our legal retention obligations.
  • Right to restriction: You may request that we restrict processing of your data while a dispute is being resolved.
  • Right to data portability: You may request your data in a commonly used, machine-readable format.
  • Right to object: You may object to processing based on legitimate interests.
  • Right to withdraw consent: Where processing is based on consent (e.g. newsletter), you may withdraw at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint: You may lodge a complaint with the National Information Technology Development Agency (NITDA) or another relevant supervisory authority.

To exercise any of these rights, contact us at privacy@privepas.com. We will respond within 30 days. We may require verification of your identity before processing requests.

11. Children

PrivePas is not directed at and is not intended for use by children under the age of 18. We do not knowingly collect, store, or process personal data from individuals under 18. If we become aware that we have inadvertently collected personal data from a minor, we will delete it promptly without requiring a request. If you believe a minor has submitted data through our Platform, please contact us immediately at privacy@privepas.com.

12. Guest Data Organiser Responsibility

When you upload guest lists and personal data into PrivePas on behalf of your event attendees, you are acting as the data controller for that guest data. PrivePas acts as a data processor on your behalf.

As the data controller, you are solely responsible for:

  • Ensuring you have a lawful basis to process each guest's personal data
  • Informing your guests that their data is being processed and that a personalised digital invitation will be generated for them
  • Complying with the NDPR and any other applicable data protection laws in relation to your guests' data
  • Ensuring that guest email addresses are accurate before using the email delivery feature

PrivePas does not verify the accuracy, consent status, or lawfulness of any guest data you upload. You indemnify PrivePas from any claim by a guest or regulatory authority arising from your handling of guest personal data.

13. NDPR Compliance

PrivePas Technologies Limited is committed to compliance with the Nigeria Data Protection Regulation (NDPR) 2019 and the Nigeria Data Protection Act (NDPA) 2023. In particular:

  • We have appointed a responsible officer for data protection matters.
  • We conduct data protection impact assessments for high-risk processing activities.
  • We maintain records of processing activities as required by the NDPA.
  • We have contractual safeguards in place with all third-party processors listed in Section 5.
  • In the event of a personal data breach, we will notify NITDA and affected data subjects within the timeframes prescribed by applicable law.

If you believe we have failed to comply with the NDPR or NDPA, you may lodge a complaint with NITDA at nitda.gov.ng.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service features. We will notify registered users by email of material changes at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of PrivePas after the effective date of any change constitutes acceptance of the revised Policy.

15. Contact Us

For privacy questions, data subject requests, or to report a data breach:

PrivePas Technologies Limited | RC: 9406168

Data Protection Officer

Email: privacy@privepas.com

Website: https://privepas.com

Registered in the Federal Republic of Nigeria

We will acknowledge your request within 5 business days and respond fully within 30 days.

© 2026 PrivePas Technologies Limited. All rights reserved.