Privacy Policy
How we collect, use, and protect your personal data
Last updated: April 2026
UpNepa ("we", "us", "our") is committed to protecting your privacy in compliance with the Nigeria Data Protection Regulation (NDPR) and the Nigeria Data Protection Act 2023 (NDPA). This policy explains what data we collect, why we collect it, and how we safeguard it.
1. Information We Collect
1.1 Account Information
When you register, we collect:
- Email address -- for account authentication and notifications
- Name (first and last) -- for personalization and masked display
- Phone number (optional) -- for OTP authentication when enabled
- Password -- stored as a one-way hash (bcrypt), never in plaintext
1.2 Location Data
When you submit a power status report, we collect:
- Coordinates (latitude/longitude) -- used to place your report on the map
- Home state and LGA (optional) -- set by you in profile settings
Privacy protection: All report coordinates are "fuzzed" with approximately 100 meters of random noise before storage. This means your exact location is never stored or displayed. This is our NDPR compliance measure for location data minimization.
1.3 Power Reports
When you report power status (UP, DOWN, or PARTIAL), we store:
- The power status you reported
- The timestamp of the report
- The fuzzed location coordinates
- Your trust weight score (used for consensus calculation)
1.4 Device Information
For security and anti-abuse purposes, we may collect:
- Browser type and version
- Operating system
- IP address (not stored permanently, used for rate limiting)
2. How We Use Your Data
We use your personal data for the following purposes:
| Purpose | Legal Basis (NDPR) |
|---|---|
| Account creation and authentication | Consent + Contract |
| Displaying power status on the map | Legitimate interest |
| Sending notifications (geofence, reminders) | Consent |
| Consensus algorithm for zone status | Legitimate interest |
| Trust scoring (anti-spam) | Legitimate interest |
| Analytics (power availability tracking) | Consent + Legitimate interest |
3. Data Display and Masking
When your reports appear on the public map, your identity is protected:
- Your username is masked (e.g., "Ade*****") -- never shown in full
- Your exact location is fuzzed (100m noise) -- approximate area only
- Your email, phone number, and full name are never displayed publicly
- Masked name display can be disabled entirely by administrators via a privacy feature flag
4. Data Sharing
We do not sell, rent, or share your personal data with third parties, except:
- Aggregated, anonymized data -- zone-level power availability statistics contain no personal information
- Legal requirements -- if required by Nigerian law or a valid court order
- Service providers -- hosting (Google Cloud Platform) and email delivery services, bound by data processing agreements
5. Data Retention
We retain your data for as long as your account is active. Specifically:
- Account data -- retained until you delete your account
- Power reports -- retained permanently for historical analytics (coordinates are fuzzed)
- Power sessions -- retained permanently for availability tracking
- Notifications -- retained permanently
You may request deletion of your account and personal data at any time (see Section 8).
6. Data Security
We implement the following security measures:
- Passwords are hashed using bcrypt (industry-standard one-way hashing)
- All data is transmitted over HTTPS (TLS 1.2+)
- Location coordinates are fuzzed with 100m random noise before storage
- JWT tokens for API authentication with automatic expiry and refresh
- Rate limiting to prevent abuse
- Database hosted on secured cloud infrastructure (Google Cloud SQL)
7. Cookie Policy
UpNepa uses minimal cookies and local storage:
| Storage | Purpose | Type | Duration |
|---|---|---|---|
| access_token | API authentication | localStorage | Until logout |
| refresh_token | Token renewal | localStorage | Until logout |
| csrftoken | CSRF protection | Cookie | Session |
| sessionid | Django admin session | Cookie | 2 weeks |
We do not use tracking cookies, advertising cookies, or third-party analytics cookies. No data is shared with advertising networks.
8. Your Rights Under NDPR
As a Nigerian data subject, you have the right to:
- Access -- request a copy of your personal data
- Rectification -- correct inaccurate personal data via your profile settings
- Deletion -- request deletion of your account and personal data
- Restriction -- request that we stop processing your data
- Data portability -- request your data in a machine-readable format
- Objection -- object to processing based on legitimate interest
- Withdraw consent -- withdraw consent at any time (e.g., disable notifications)
To exercise any of these rights, contact us at [email protected].
9. Children's Privacy
UpNepa is not intended for children under 13 years of age. We do not knowingly collect personal data from children. If we learn that a child under 13 has provided us with personal data, we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via in-app notification. Continued use of UpNepa after changes constitutes acceptance of the updated policy.
11. Contact Us
UpNepa Data Protection Officer
Email: [email protected]
Website: thenepa.app
You may also lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng.