Privacy Policy

1. Introduction and Legal Framework

Nguzo Marketplace is committed to protecting the privacy and personal data of all Users of the Platform in a manner consistent with the laws of the Republic of Burundi and applicable international standards.

This Policy is grounded in the following legal instruments:

The Burundian Personal Data Protection Law adopted by the National Assembly on 15 January 2026.
Law N°1/10 of 16 March 2022 on the Prevention and Repression of Cybercriminality.
The Constitution of the Republic of Burundi, Articles 28 and 42, which enshrine the right to privacy.
The AU Convention on Cyber Security and Personal Data Protection (Malabo Convention, 2014), to which Burundi is a signatory.

Important: As of the date of this Policy, the implementing decrees under the January 2026 Data Protection Law are pending publication. This Policy is drafted to comply with the Law's stated principles upon their entry into force. We will update this Policy as implementing texts become available.

2. Data Controller

Controller: Nguzo
Data Protection Contact: nguzo.official@gmail.com

3. Personal Data We Collect and Why

3.1 Data You Provide Directly

Account identity: email address, display name, profile photo, account creation date — for account creation and fraud prevention.
Listing data: title, description, price, photos, GPS coordinates at time of posting — for displaying listings and enabling local discovery.
Messages: content, sender info, timestamps — for enabling communication and investigating safety reports.
User activity: bookmarked listings, listing count — for personalization and compliance.

3.2 Data Collected Automatically

Firebase Analytics (Google LLC) — app performance and user experience improvement.
Firebase Authentication (Google LLC) — secure sign-in management.
Firebase Crashlytics (Google LLC) — identifying and fixing technical errors.
Cloudinary (Cloudinary Ltd) — image storage and delivery via CDN.

4. Location Data — Specific Rules

GPS location is collected only when you actively use the Nearby discovery feature or create a new listing.
Location data is used solely to generate a geohash and coordinates linked to the listing, not to your personal profile.
The Platform does not conduct background location tracking at any time.
Location data is not stored as a movement history or personal tracking record.
The legal basis for GPS processing is your consent. You may withdraw consent at any time by revoking location permissions in your device settings.

5. Legal Bases for Processing

Performance of contract: Processing necessary to provide the Services — account creation, listing display, messaging.
Legitimate interest: Fraud prevention, platform security, crash analytics, and enforcement of Terms.
Consent: GPS location data collection. You may withdraw consent at any time without affecting the lawfulness of prior processing.
Legal obligation: Compliance with valid requests from Burundian law enforcement (OPJ) or the ARCT, pursuant to Law N°1/10 of 16 March 2022.

6. Who We Share Your Data With

6.1 Data Processors

We share personal data with the following service providers, solely for the purposes described in this Policy: Google LLC (Firebase Authentication, Firestore, Analytics, Crashlytics) — servers may be located outside Burundi; Cloudinary Ltd — for image storage and delivery.

6.2 Law Enforcement

We will disclose personal data to the Burundian Police (OPJ) or the ARCT only upon presentation of a valid judicial warrant or court order, and only to the extent required by that order. We do not proactively share data with government authorities in the absence of a legal mandate.

6.3 No Sale or Commercial Sharing

We do not sell, rent, license, or otherwise commercially disclose personal data to any third party. We do not share data with advertisers, data brokers, marketing companies, or any entity for commercial purposes.

7. Cross-Border Data Transfers

Your personal data is stored on servers operated by Google LLC (Firebase) and Cloudinary Ltd, which may be located outside the Republic of Burundi. By creating an account and using the Platform, you explicitly acknowledge and consent to this cross-border transfer. We ensure that our service providers maintain industry-standard security protections, including AES-256 encryption at rest and TLS encryption in transit.

8. How Long We Retain Your Data

Account and profile data — until account deletion plus the 30-day cooling-off period.
Active listings — until the Seller's account is completely deleted.
General messages — until both parties' accounts are deleted, then anonymized.
Messages subject to active report or investigation — up to 2 years.
Account metadata (fraud/security logs) — up to 2 years after deletion.
Crash logs — per Google/Firebase policy.

9. Your Rights

Under the Burundian Personal Data Protection Law (January 2026), you have the following rights:

Access: Request a copy of the personal data we hold about you.
Rectification: Request correction of inaccurate or incomplete data.
Erasure: Request deletion of your personal data, subject to our legal retention obligations.
Portability: Receive your data in a structured, machine-readable format.
Withdraw Consent: Withdraw consent for GPS location processing at any time via your device settings, without penalty.
Object: Object to processing based on legitimate interest.

To exercise any right, contact: nguzo.official@gmail.com

10. Children's Privacy

The Platform is strictly intended for users who are 18 years of age or older. We do not knowingly collect or retain personal data from minors. If we discover that a User is under 18, we will immediately and permanently suspend the account and delete all associated personal data.

If you become aware of a minor using the Platform, please report it immediately via support.nguzo@gmail.com.

11. Security Measures

Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS.
Encryption at rest: Data stored in Firebase Firestore and Google Cloud is encrypted at rest using AES-256.
Authentication: We use Firebase Authentication with passwordless email link sign-in, eliminating password-based attack vectors entirely.
Breach notification: In the event of a high-risk personal data breach, we will notify the competent Burundian Data Protection Authority within 72 hours of becoming aware of the breach.

12. Changes to This Policy

We may update this Privacy Policy as required by changes in the law, our Services, or our data practices. Material changes will be communicated by in-app notification and, where available, by email. Continued use of the Platform after the effective date of an updated Policy constitutes acceptance of the revised terms.

13. Contact and Complaints

Data Protection: nguzo.official@gmail.com
General Support: support.nguzo@gmail.com

If you believe your privacy rights have been violated and we have not adequately addressed your concern, you have the right to lodge a complaint with the Burundian Data Protection Authority once it is constituted under the January 2026 Data Protection Law.

Read the Terms of Use →