Your data, on your terms.
ActiveHustler is a verified work-identity platform for skilled hustlers in Nigeria. This notice describes what personal data we collect, why we collect it, who we share it with, how long we keep it, and your rights under Nigerian law.
1. Who this notice covers
This notice applies to anyone who interacts with ActiveHustler -- customers searching for skilled providers, hustlers offering services, and visitors to our public pages. Where we say "we," "us," or "ActiveHustler," we mean the platform operator identified in section 2.
2. Operator, Data Protection Officer, and supervisory authority
- Operator (controller): ActiveHustler, operated by stayguided.tech.
- Operating location: Owerri, Imo State, Nigeria. A formal registered-office address will be published when the operating entity is incorporated.
- Data Protection Officer: Uche-Obilor Praise (acting DPO), dpo@activehustler.com. A dedicated DPO will be appointed and notified under the NDPA in line with our processing volume.
- Supervisory authority: Nigeria Data Protection Commission (NDPC), ndpc.gov.ng. You may lodge a complaint with the NDPC at any time -- see section 11.
- Registration: ActiveHustler intends to register with the NDPC as a data controller under the NDPA once our processing volume reaches the registration threshold, and to keep that registration current.
3. The legal frameworks we follow
This notice reflects our obligations under the following Nigerian instruments, among others:
- Nigeria Data Protection Act, 2023 (NDPA) -- primary statute.
- Nigeria Data Protection Regulation 2019 (NDPR) and the 2020 NDPR Implementation Framework, in so far as they remain operative under the NDPA.
- Federal Competition and Consumer Protection Act 2018 (FCCPA).
- Cybercrimes (Prohibition, Prevention, etc.) Act 2015 (as amended 2024).
- Money Laundering (Prevention and Prohibition) Act 2022.
- Nigerian Communications Commission (NCC) Subscriber Identification Module (SIM) Registration Regulations and consumer-protection codes, where applicable.
- NIMC Act and CAMA 2020, where applicable to identity and business verification.
4. What we collect
4.1 Information you give us
- Account details -- your name, phone number, optional email, password (hashed), and role (customer or hustler).
- Profile content -- for hustlers: display name, bio, service category, areas served, portfolio photos, indicative pricing, public phone, WhatsApp number.
- Verification artifacts -- phone OTP, NIN (with consent and via NIMC), CAC business number, guild/guarantor references, and documents you upload. Public profiles never display raw identity data -- only a verification status (Basic, Verified, Pro).
- Service-request content -- titles, descriptions, locations, urgency, budgets, completion PINs, reviews, dispute submissions.
- Income entries -- when a hustler logs income, it stays private. Sharing with a partner (e.g., a lender) requires a separate, named, written consent.
- Payment metadata -- handled by Paystack; we store the reference, amount, currency, status, and provider metadata. We do not store full card numbers.
4.2 Information collected automatically
- Device and session -- IP address (hashed for audit), user-agent, app version, OS, connection status.
- Product usage -- searches, screen views, request and review actions.
- Security telemetry -- failed logins, OTP attempts, suspicious activity.
4.3 Information from third parties
- NIMC for NIN verification; CAC for business verification.
- Paystack for payment outcomes.
- Google / Apple if you use social sign-in (verified name and email only).
5. Special-category personal data
Some processing may involve special-category data under the NDPA, namely:
- Biometric data -- face photographs you submit during identity verification. Portfolio image uploads may also contain a face or other identifying features; those images are displayed only where you publish them yourself and are moderated for marketplace safety.
- Sensitive financial data -- income records and payment history. Treated as restricted and shared only on your explicit consent.
We do not knowingly process health data, religious affiliation, political opinion, sexual orientation, or genetic data. If you submit such data unsolicited (for example, in a review), we may redact it.
6. Why we collect it -- lawful bases under the NDPA
| Purpose | Lawful basis (NDPA s.25) |
|---|---|
| Run your account, match service requests, process payments | Performance of a contract |
| Identity verification (phone, NIN, CAC, guild) | Consent and legitimate interest |
| Detect fraud, fake profiles, unsafe behaviour | Legitimate interest and legal obligation |
| Send operational SMS, push, and lead notifications | Performance of a contract |
| Send marketing notifications | Consent (opt-in only; withdrawable anytime) |
| Product analytics to improve the platform | Legitimate interest (minimised; anonymised where possible) |
| Comply with court orders, tax obligations, regulator requests | Legal obligation |
7. Who we share it with
We do not sell personal data. We share strictly limited data with the following categories of recipients:
- Service providers (data processors acting on our instructions): Paystack (payments), SMS gateway, push provider, NIMC and CAC (verification), our hosting and storage providers (managed databases, object storage), and our analytics tooling. Each operates under a written data-processing agreement consistent with NDPA s.29.
- Other users (in limited ways): a customer sees a hustler's verified profile (status, not raw identity); a hustler sees the customer's name and request details after the customer initiates a service request.
- Regulators and law enforcement: NDPC, Federal Inland Revenue Service (FIRS), Imo State Internal Revenue Service (IIRS), the Federal Competition and Consumer Protection Commission (FCCPC), the Economic and Financial Crimes Commission (EFCC), the Nigeria Police Force (NPF), or a court of competent jurisdiction -- only where we are legally required, and only the minimum necessary.
- Future financial partners: lenders, insurers, and training providers may receive derived trust signals about a hustler, only after the hustler explicitly consents and only for the purpose disclosed at consent.
8. International transfers (NDPA s.41)
Some service providers process data outside Nigeria. We transfer personal data abroad only where one of the following safeguards applies, and only the minimum data needed:
- Adequacy: the destination has been recognised by the NDPC or the Attorney-General of the Federation as offering an adequate level of protection.
- Standard contractual safeguards: we have a written data-processing agreement with the processor containing terms equivalent to those required by the NDPA.
- Explicit consent: for transfers that fall outside the above, we obtain your explicit consent first.
Indicative current destinations include the European Union (where our hosting / database providers may be located), the United States, and South Africa. We will update this list when material changes occur.
9. How we keep it safe
- Identity artifacts at rest are encrypted with AES-256-GCM using a key separate from database credentials.
- Refresh tokens on mobile are stored in platform secure storage where available; app-sandboxed storage is used as a fallback only where secure storage is unavailable.
- Sensitive admin actions are audit-logged with hashed identifiers.
- Production administrative access requires multi-factor authentication.
- We rate-limit authentication and sensitive endpoints; accounts lock after repeated failed logins.
- We maintain incident-response procedures and notify the NDPC and affected data subjects under section 14 below.
10. How long we keep it
| Data | Default retention |
|---|---|
| One-time codes / OTP challenges | 7 days after issue or use |
| Refresh tokens | 30 days after expiry or revocation |
| Notification delivery records | 180 days |
| Search events | 365 days, then deleted or anonymised |
| Sensitive-data access logs | 730 days (audit baseline) |
| Payment transactions (successful) | 7 years (Nigerian tax / accounting baseline under CAMA & FIRS retention) |
| Reviews, ratings, completed-job history | For the life of the platform, unless redacted on account deletion |
| Account data after deletion request | Anonymised within 30 days; certain records (reviews, audit logs) are redacted rather than erased to preserve marketplace integrity. Records held for legal compliance are kept for the statutory retention period. |
11. Your rights under the NDPA
If you are a data subject under Nigerian law, you have the rights set out in sections 34-41 of the NDPA. To exercise any of them, email privacy@activehustler.com. We respond within 30 days (extendable by up to two further months only where the request is complex, in which case we tell you why).
- Right of access (NDPA s.34): receive confirmation of processing and a copy of the personal data we hold about you.
- Right to rectification: correct inaccurate or incomplete data.
- Right to erasure / "be forgotten": request deletion of your data, subject to legal retention rules in section 10 above.
- Right to restriction: limit processing while a dispute is open.
- Right to data portability: receive a structured, commonly used, machine-readable export of your data.
- Right to object: object to processing based on legitimate interest, including profiling.
- Right not to be subject to automated decision-making (NDPA s.37): request human review of any decision based solely on automated processing that significantly affects you -- for example, an automated ranking penalty or a denied verification. See also our Ranking & Trust Score Disclosure.
- Right to withdraw consent: withdraw consent at any time without affecting prior lawful processing.
- Right to lodge a complaint with the NDPC: if we have not resolved your complaint satisfactorily, you may complain to the Nigeria Data Protection Commission at ndpc.gov.ng or via the contact details published there.
12. Children
ActiveHustler is not directed to anyone under 18. Under NDPA s.31, processing a child's personal data requires the consent of a parent or legal guardian. If we learn we have collected personal data from a child without proper consent, we delete it.
13. Cookies, trackers, and marketing communications
- Essential cookies: we use minimal cookies for session, language, and security on our web surfaces. These are strictly necessary and do not require consent.
- Analytics: we collect anonymised product usage events. Where these involve identifiable information, we apply lawful-basis analysis and offer opt-out where required.
- Marketing notifications -- including marketing SMS, push, or WhatsApp messages -- are sent only with your opt-in consent, which you can withdraw at any time through the app or by replying STOP. Operational notifications (lead alerts, dispute notices, security alerts) are part of the service and continue until the account is closed.
14. Data-breach notification (NDPA s.40)
If we become aware of a personal-data breach, we will notify the NDPC within 72 hours in accordance with section 40 of the NDPA. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, with a clear description of the breach, the data involved, likely consequences, and the steps we are taking. You can report a suspected security incident to security@activehustler.com.
15. Records of Processing Activities (NDPA s.35)
We maintain an internal Record of Processing Activities documenting the categories of personal data we process, the purposes, recipients, retention periods, and safeguards. This record is made available to the NDPC on lawful request.
16. Changes to this notice
We may update this notice. Material changes will be notified to registered users at least 14 days before they take effect. The latest version is always at this URL. We record the version history internally for audit.
17. Contact
Privacy queries: privacy@activehustler.com
Data Protection Officer: dpo@activehustler.com
Security disclosures: security@activehustler.com (see also /.well-known/security.txt)
Operator: ActiveHustler / stayguided.tech
Postal location: Owerri, Imo State, Nigeria
This notice is reviewed periodically and will be updated when legal, technical, or operational changes require it.