Privacy Policy
Your privacy is fundamental to our mission. We collect only what's necessary, protect it rigorously, and give you control over your data.
Effective Date: December 25, 2024 | Last Updated: December 25, 2024
Our Privacy Principles
Minimal Collection
We collect only the data essential for platform functionality nothing more.
Full Transparency
Clear explanations of what we collect, why, and how long we keep it.
Security First
Industry-standard encryption and access controls protect your information.
User Control
You have rights over your data access, correct, delete, or export anytime.
Data We Collect
We collect different types of data depending on how you use CFA. Here's a clear breakdown:
Environmental Reports
Photos, GPS coordinates, category selection, and written descriptions of environmental issues. Location data is essential for mapping and verification purposes.
Verification Data
Your verification status (confirm, dispute, or can't verify), optional notes, and timestamp. This builds community trust and validates reports.
Account Information
Email address and authentication data for registered users. Anonymous users may submit reports without an account using session-based tracking.
Technical Data
Device type, browser version, and general location (country/region) for platform optimization. We do NOT use device fingerprinting or invasive tracking.
Photo Privacy & Handling
Photos are critical evidence, but we handle them with privacy in mind:
- EXIF metadata is automatically stripped from all photos, removing camera info, timestamps, and embedded GPS data
- Images are resized and compressed for efficient storage while maintaining quality for verification
- Photos are stored securely on encrypted infrastructure with access controls
- Only verified reports are publicly visible; pending reports have restricted access
How We Use Your Data
Your data serves specific, legitimate purposes:
Platform Operation
Display reports on maps, enable verification, and coordinate responses
Partner Coordination
Share verified data with NGO partners for issue resolution
Aggregate Analytics
Understand usage patterns to improve the platform (anonymized)
Service Improvement
Identify bugs, optimize performance, and develop new features
Data Sharing & Third Parties
We never sell your data. Period.
Your personal information is not sold, rented, or traded to advertisers, data brokers, or any third parties for commercial purposes.
We may share data with: (1) NGO and government partners for issue resolution (verified reports only), (2) Infrastructure providers essential for platform operation (Supabase, Vercel) under strict data processing agreements, (3) Legal authorities when required by law or to protect safety.
Data Retention
We keep data only as long as necessary for the stated purposes:
| Data Type | Retention Period |
|---|---|
| Environmental Reports | Retained while issue is active; archived after resolution |
| Account Data | Until account deletion or 2 years of inactivity |
| Anonymous Sessions | 7 days after last activity |
| Analytics Data | 12 months (anonymized and aggregated) |
Your Data Rights
You have the following rights regarding your personal data, aligned with GDPR and NDPR principles:
Right to Access
Request a copy of all data we hold about you
Right to Correction
Update or correct inaccurate personal information
Right to Deletion
Request erasure of your data (subject to legal requirements)
Data Portability
Export your data in a machine-readable format
Right to Object
Object to certain types of data processing
Withdraw Consent
Revoke previously given consent at any time
Security Measures
We implement comprehensive security measures to protect your data:
- TLS encryption for all data in transit; AES-256 encryption for data at rest
- Role-based access controls limiting who can view personal data
- Regular security audits and vulnerability assessments
- Row-Level Security (RLS) ensuring users can only access their own data
International Data Transfers
Your data may be processed in countries outside your residence for platform operation. We ensure appropriate safeguards through data processing agreements and compliance with applicable data protection laws, including GDPR and Nigeria's NDPR.
Children's Privacy
CFA is not intended for children under 13 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us immediately for deletion.
Policy Updates
We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be notified via email (for registered users) or prominent notice on the platform. Continued use after updates constitutes acceptance of the revised policy.
Privacy Questions?
For any privacy-related questions, data access requests, or concerns, please contact our privacy team: