Privacy Policy

01 Overview & Data Controller

This Privacy Policy applies to all personal data processed by AllinOneGig in connection with the operation of the Platform at allinonegig.com.

AllinOneGig is the Data Controller for all personal data collected through the Platform. For privacy-related enquiries, data subject requests, or to contact our Data Protection Officer, please write to:

Data Controller: AllinOneGig
Email: allinonegig@outlook.com
Platform: allinonegig.com
Jurisdiction: Federal Republic of Nigeria

This policy is issued in compliance with the Nigeria Data Protection Regulation (NDPR) 2019, issued by the National Information Technology Development Agency (NITDA), and where applicable, the EU General Data Protection Regulation (GDPR) for users accessing the Platform from the European Economic Area.

02 Data We Collect

We collect the following categories of personal data:

Category	Data Collected	When Collected
Identity Data	Full name, username, profile photo (optional)	Account registration
Contact Data	Email address	Account registration
Financial Data	Bank account number, bank name, account holder name (for payouts only). Card details are processed by Paystack — we never store card numbers.	Payout requests
Transaction Data	Order history, trade history, wallet transactions, Paystack payment references	Platform activity
Technical Data	IP address (at login), browser type, device type, session timestamps	Automatically on use
Communications Data	Messages sent between users (end-to-end encrypted — we cannot read message content), support emails	Messaging activity
Usage Data	Features used, sections visited, order types placed, session duration	Automatically on use
Referral Data	Referral codes used, commission earned, referred users (anonymised)	Referral activity

End-to-End Encryption: User-to-user chat messages are encrypted using AES-GCM-256 with keys stored only on users' devices (IndexedDB). AllinOneGig cannot read the content of encrypted messages. Only metadata (sender, recipient, timestamp) is accessible to us.

03 How We Use Your Data

We use your personal data for the following purposes:

Account Management: Creating and maintaining your account, verifying identity, authenticating logins, and providing access to Platform features.
Service Delivery: Processing orders, delivering proxy credentials, managing escrow trades, and facilitating peer-to-peer transactions.
Payment Processing: Processing wallet top-ups through Paystack, crediting wallets, processing payout requests to bank accounts.
Communications: Sending transactional emails (order confirmations, delivery notifications, payout updates), responding to support enquiries, and sending service announcements.
Safety & Fraud Prevention: Detecting and preventing fraudulent transactions, abuse of the referral system, money laundering, and violations of our Terms of Service.
Legal Compliance: Meeting our obligations under Nigerian law, CBN regulations, NDPR requirements, and responding to valid legal requests.
Platform Improvement: Analysing usage patterns (aggregated and anonymised) to improve features, performance, and user experience.
Admin Operations: Internal administration, dispute resolution, audit logging of admin actions, and platform maintenance.

We do not sell, rent, or trade your personal data to third parties for their marketing purposes. We do not use your data for automated decision-making that produces legal or similarly significant effects without human review.

04 Legal Basis for Processing

Under NDPR and GDPR, we process your data on the following legal bases:

Processing Purpose	Legal Basis
Account creation and management	Contract performance
Processing orders and payments	Contract performance
Fraud detection and security	Legitimate interests / Legal obligation
Sending transactional emails	Contract performance
Platform analytics (anonymised)	Legitimate interests
Compliance with Nigerian law and CBN	Legal obligation
Marketing communications (if any)	Consent (opt-in only)

05 Data Sharing & Third Parties

We share your personal data only with the following categories of recipients, and only to the extent necessary:

Paystack (Paystack Inc.): Our payment processor. When you top up your wallet or we process a payout, your bank details and transaction amounts are shared with Paystack under their Privacy Policy (paystack.com). Paystack is a PCI-DSS certified processor.
Supabase Inc.: Our database and authentication infrastructure provider. Your account data, order history, and wallet data are stored on Supabase servers (hosted on AWS). Supabase processes data under a Data Processing Agreement.
Resend (email delivery): Transactional emails (order confirmations, payout notifications) are sent through Resend. Your email address and the content of transactional emails are shared with Resend solely for delivery.
IPRoyal: When an automated proxy order is placed, order details (proxy type, country, quantity) are shared with IPRoyal for delivery. No personal identity data is shared beyond what is needed for proxy provisioning.
Law Enforcement & Regulators: We will disclose personal data to government authorities, law enforcement agencies, NITDA, CBN, or courts when required by law, court order, or regulatory obligation. We will notify you of such disclosures unless legally prohibited.

⚠️ We do not share your personal data with advertisers, data brokers, or any third party for commercial marketing purposes. Our platform contains no advertising and we derive no revenue from your data.

06 Data Retention

We retain your personal data for the following periods:

Data Type	Retention Period	Reason
Account profile data	Duration of account + 2 years	Legal obligation, fraud prevention
Transaction records	7 years from transaction date	CBN AML requirements, tax compliance
Chat messages	180 days from send date (then archived)	Dispute resolution support
Support emails	3 years	Service improvement, dispute reference
Login / IP logs	90 days	Security and fraud detection
Admin action logs	5 years	Regulatory compliance, accountability
Deleted account data	30 days (then purged)	Data recovery window, then erasure

After the applicable retention period, data is securely deleted or anonymised so it can no longer be attributed to an identified individual.

07 Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or disclosure. These measures include:

Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2/1.3.
End-to-end encrypted chat: User messages are encrypted with AES-GCM-256. Keys are stored on users' devices only. We cannot access message content.
Row-Level Security (RLS): Our database enforces user-level access controls — users can only query their own data. Admin access requires verified admin credentials.
Supabase Auth: Passwords are never stored in plain text. Authentication is managed by Supabase Auth which uses industry-standard hashing (bcrypt/Argon2).
Audit Logging: All administrative actions (wallet adjustments, order cancellations, user bans) are logged with timestamp and admin identity.
Access Controls: Only authorised AllinOneGig personnel have access to the admin panel. Admin accounts are protected by credentials.

Despite these measures, no system is completely secure. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and NITDA within 72 hours of becoming aware of the breach, as required by NDPR.

If you believe your account has been compromised, contact us immediately at allinonegig@outlook.com and change your password at once via the Forgot Password function.

08 Cookies & Local Storage

The AllinOneGig Platform uses the following client-side storage mechanisms:

Technology	Purpose	Expiry
localStorage (Supabase session token)	Maintains your login session between browser sessions	Until logout or expiry (~1 week)
localStorage (rate limiting)	Tracks failed login attempts for brute-force protection	60 seconds after last attempt
IndexedDB (E2E encryption keys)	Stores your private encryption key for decrypting messages	Until you clear browser data or log out
Google Fonts (external)	Loads the Outfit font typeface from Google's CDN	Browser cache, typically 1 year

We do not use advertising cookies, tracking cookies, or any third-party analytics cookies. Google Fonts is loaded from Google's CDN and Google may process your IP address in accordance with Google's Privacy Policy.

You can clear localStorage and IndexedDB at any time through your browser's settings. Note that clearing IndexedDB will delete your private encryption keys, making past encrypted messages permanently unreadable.

09 Your Rights Under NDPR & GDPR

You have the following rights regarding your personal data. To exercise any of these rights, contact us at allinonegig@outlook.com with the subject line "Data Rights Request":

Right of Access: You may request a copy of all personal data we hold about you. We will respond within 30 days.
Right to Rectification: You may request correction of inaccurate personal data. For most data (name, username), you can update this yourself in your dashboard Settings.
Right to Erasure ("Right to be Forgotten"): You may request deletion of your personal data. We will comply unless we have a legal obligation to retain certain records (e.g., transaction history for tax compliance).
Right to Data Portability: You may request your personal data in a structured, commonly used, machine-readable format (JSON or CSV).
Right to Object: You may object to processing of your data where we rely on legitimate interests, including processing for direct marketing.
Right to Restrict Processing: You may request that we restrict processing of your data in certain circumstances (e.g., while a dispute is pending).
Right to Withdraw Consent: Where processing is based on your consent (e.g., marketing emails), you may withdraw consent at any time without affecting the lawfulness of prior processing.
Right to Lodge a Complaint: You have the right to lodge a complaint with NITDA (the Nigerian data protection supervisory authority) at nitda.gov.ng if you believe your data rights have been violated.

We will respond to all data rights requests within 30 days. In complex cases, we may extend this to 60 days with notification.

NDPR Compliance: This platform processes personal data of Nigerian citizens in compliance with the Nigeria Data Protection Regulation (NDPR) 2019 as administered by NITDA. Our data processing activities are lawful, fair, transparent, and limited to specified purposes.

10 Children's Privacy

The AllinOneGig Platform is not directed at or intended for use by individuals under the age of 18. We do not knowingly collect personal data from persons under 18 years of age.

If we become aware that we have inadvertently collected personal data from a minor, we will delete that data promptly and terminate the associated account. If you are a parent or guardian and believe your child has registered on the Platform without your consent, please contact us immediately at allinonegig@outlook.com.

11 International Data Transfers

Your personal data is stored on Supabase infrastructure hosted by Amazon Web Services (AWS). While our primary operations are in Nigeria, data may be stored on servers located outside Nigeria, including in the United States and European Union.

When data is transferred outside Nigeria, we ensure that appropriate safeguards are in place in accordance with NDPR Article 43, including:

Data Processing Agreements with all sub-processors (Supabase, Paystack, Resend).
Use of sub-processors that maintain SOC 2 Type II or equivalent security certifications.
Standard contractual clauses where required by applicable law.

By using the Platform, you consent to the transfer of your data to these jurisdictions for the purposes described in this Policy.

12 Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

Update the "Last Updated" date at the top of this page.
Send an email notification to all registered users at least 14 days before changes take effect.
Display a prominent notice on the Platform dashboard.

Your continued use of the Platform after the effective date of the updated Policy constitutes your acceptance of the changes. If you do not agree with the updated Policy, you must discontinue use and may request account deletion.

We encourage you to review this Policy periodically. The most current version will always be available at allinonegig.com/privacy.html.

Table of Contents