Legal

Privacy Policy

Effective: 1 June 2026 · Governed by Nigerian law (NDPR 2019)

Who we are

Vodium Ledger is operated by Vodium Technology Limited ("Vodium", "we", "us"), a Nigerian company building credit intelligence infrastructure for campus vendors. This policy explains how we handle personal data collected through our web platform at vodiumledger.com and our WhatsApp bot service.

We are a data controller under Nigeria's National Information Technology Development Agency (NITDA) regulations. Questions? Email privacy@vodiumledger.com.

Data we collect

Vendor data (you, the shop owner):

  • Business name, owner name, vendor type, campus location
  • Email address and WhatsApp phone number (used as your login identity)
  • Password (stored as a bcrypt hash never in plaintext)
  • Subscription and payment history (via Paystack)

Student data (your customers):

  • Full name, matric number, and WhatsApp number (if provided)
  • Credit records: amount, due date, repayment status
  • Vodium Score a proprietary credit quality index (0–1000) derived from repayment behaviour across the network

Usage data:

  • Browser type, IP address, pages visited, feature usage (via PostHog)
  • Error logs (via Sentry anonymised where possible)
  • WhatsApp message content related to credit operations

How we use your data

We process data only for the purposes below, with the indicated legal basis:

PurposeLegal basis
Providing credit tracking and dashboard servicesContract performance
Sending OTP verification emailsContract performance
Sending student payment reminders via WhatsAppLegitimate interest
Computing Vodium Score for studentsLegitimate interest
Subscription billing through PaystackContract performance
Product analytics and improvement (PostHog)Legitimate interest
Error monitoring (Sentry)Legitimate interest
Compliance with NDPR and applicable Nigerian lawLegal obligation

Data sharing

We do not sell your personal data. We share data only as follows:

  • Cross-vendor credit scores: If you are on Growth or Campus Pro, you can view a student's Vodium Score. This score is derived from the student's aggregate repayment history across the network, but you never see which other vendors they owe or details of those transactions.
  • Payment processor (Paystack): Billing information is processed by Paystack in accordance with their own privacy policy.
  • WhatsApp (Meta): Student reminders are delivered through Meta's WhatsApp Business API. Message content is governed by Meta's Data Policy.
  • Service providers: Supabase (database), Vercel (hosting), Resend (email), Upstash (caching). All are bound by data processing agreements.
  • Law enforcement: Only when required by a valid court order or Nigerian law.

Data retention

  • Vendor accounts and credit records: retained while your account is active and for 3 years after closure (Nigerian accounting requirement).
  • Student records: retained as long as there is at least one active vendor with records for that student. Anonymised after 5 years of inactivity.
  • WhatsApp session data: 90 days of conversation context, then purged.
  • Server logs: 30 days rolling.

Your rights (NDPR)

Under the Nigeria Data Protection Regulation 2019, you have the right to:

  • Access : request a copy of your personal data
  • Rectification : correct inaccurate data
  • Erasure : request deletion of your account and data (subject to legal retention requirements)
  • Restriction : limit how we process your data
  • Portability : receive your data in a machine-readable format (CSV export available in-dashboard)
  • Object : object to processing based on legitimate interest

To exercise any of these rights, email privacy@vodiumledger.com. We respond within 30 days.

Security

We take security seriously. Measures in place include: HMAC-SHA256 signed session tokens, bcrypt password hashing (cost factor 12), httpOnly + Secure + SameSite cookies, TLS everywhere, row-level data isolation (vendors cannot see each other's books), IP-based rate limiting on all authentication endpoints, and Sentry error monitoring with PII scrubbing.

We conduct periodic security reviews. If you discover a vulnerability, please report it responsibly to security@vodiumledger.com.

Cookies

We use strictly necessary cookies only specifically, an httpOnly session cookie named vodium_sid that stores your authenticated session. We do not use advertising cookies. PostHog analytics may set a first-party cookie to track session continuity.

Children

Vodium Ledger is intended for business owners (vendors). We do not knowingly collect data from individuals under 18 years old as primary account holders. Student records (which may include students of any age) are entered by vendors, who are responsible for obtaining any necessary consent from their customers.

Changes to this policy

We will notify active vendors by email at least 14 days before any material changes to this policy. Continued use of the platform after the effective date constitutes acceptance of the revised policy.

Contact

Vodium Technology Limited
Lagos, Nigeria
Email: privacy@vodiumledger.com
Data Protection Officer: dpo@vodiumledger.com

© 2026 Vodium Technology Limited · Lagos, Nigeria · All rights reserved