The short version
This page explains what data we hold about you, why we hold it, and what you can do about it. The detailed sections below the summary spell out the legal commitments we make to you under the Nigeria Data Protection Act, 2023.
- We collect what we need to run a review platform: your account, the reviews you write, basic device information, and what you do on the site.
- We do not sell your data to advertisers or data brokers. We never have, and we are not planning to.
- You can ask us for a copy of your data, ask us to correct it, ask us to delete it, or ask us to stop using it. The "Your rights" section explains how.
- If you think we have mishandled your data, you can complain to us, and you can also report us to the Nigeria Data Protection Commission.
1. Who we are
"We", "us", and "Ratecrest" refer to the company operating the Ratecrest review platform. Under the Nigeria Data Protection Act, 2023, we are the data controller for the personal data described in this policy.
You can reach us through the contact form on this site. For privacy questions specifically, please write "Privacy" in the subject so the right team picks it up.
2. What we collect
The data we hold about you falls into a few categories. We do not collect data we do not need.
2.1 Information you give us
When you create an account, you give us a name (or username), an email address, and a password. If you sign in through a social provider, we receive a basic set of profile information from that provider. You may also choose to add a profile photo, a short bio, or your location.
When you write a review, we keep the review text, the rating, the business reviewed, and any photos you upload. Reviews are public by design. The name shown on a review is the display name on your account.
When you message us, we keep your message and our reply for as long as it is reasonable to do so.
2.2 Identity verification (only if you choose it)
If you choose to verify your identity to receive a "verified reviewer" badge, we collect what is needed to confirm you are a real Nigerian. That may include your BVN or NIN, an ID document image, and a selfie. We use a verification provider to confirm the match. After verification, we keep the minimum we are required to keep under Nigerian law, and we delete the rest. The full retention period is in Section 8.
2.3 Information about your device
Like every site on the modern internet, our servers see the basics of your device when you visit. That includes your IP address, the browser you use, the operating system, the screen size, the language setting, and the page that referred you to us.
2.4 What you do on Ratecrest
We log the actions you take on the site: which pages you load, what you search for, which businesses you click on, when you sign in, and when you write or edit a review. This is normal product analytics. Where we can, we work on aggregates rather than on you specifically.
2.5 Cookies and similar
We use cookies to keep you signed in, remember your preferences, and understand how the platform is used. The Cookies Policy explains each category in detail and how to manage them.
2.6 Payments
If you are a business owner on a paid plan, your payment is processed by a Nigerian payment provider such as Paystack or Flutterwave. We do not store your full card number. We store the result of the transaction (success, failure, amount) and a token the provider gives us so you can pay again without re-entering everything.
2.7 Data we receive from others
If you sign in with Google, Facebook, or another social provider, we receive the basics that provider shares with us. Usually that is your name, email, and profile picture. We do not receive your contacts, your messages, or anything else without your explicit choice.
3. Why we collect it
Under the Nigeria Data Protection Act, 2023, we can only process your data if we have a lawful basis. We rely on the following bases, depending on what we are doing.
3.1 Performance of a contract
To run an account for you, show you reviews, and let you write reviews, we have to process your basic account data. Without this, the service does not exist.
3.2 Consent
For things you opt into, such as marketing emails, identity verification, or non-essential cookies, we rely on your consent. You can withdraw consent at any time, and we explain how in Section 9.
3.3 Legitimate interest
We have a legitimate interest in keeping the platform safe, detecting fake reviews, preventing fraud, understanding how the site is used so we can improve it, and defending ourselves and our users in legal disputes. We have weighed our interest against your rights, and we believe these activities do not override your reasonable expectations. If you disagree on a specific point, you can object using the process in Section 9.
3.4 Legal obligation
Some processing is required by Nigerian law. Examples include keeping financial records for tax purposes, responding to lawful requests from courts and regulators, and meeting know-your-customer rules in some cases.
3.5 Vital interests and public interest
In rare cases, we may process data to protect someone's life, or to protect the public from a clear and serious harm. We use these bases sparingly and document them when we do.
4. How we use it
The data we collect supports the following activities.
- Running your account and showing you the platform.
- Publishing your reviews and showing them to the right audience.
- Verifying that reviewers are real people, where they have chosen to verify.
- Helping you find the right businesses through search, suggestions, and ranking.
- Sending you notifications about things you asked for, such as replies to your reviews or password resets.
- Sending you marketing communications, if you opted in.
- Detecting and removing fraud, fake reviews, harassment, and illegal content.
- Responding to lawful requests from courts, regulators, and law enforcement.
- Improving the platform by studying how it is used, mostly in aggregate.
- Defending ourselves and our users in disputes and legal proceedings.
6. International transfers
We aim to keep your data within Nigeria where it is practical. Some of our service providers operate from outside Nigeria. When data leaves Nigeria, we rely on the safeguards required by the Nigeria Data Protection Act, 2023, which may include contractual commitments to data protection standards equivalent to those under Nigerian law, the approval of the Nigeria Data Protection Commission, or your explicit consent in certain cases.
You can ask us, through the contact form, where a specific provider is based and what safeguards apply.
7. How long we keep it
We do not keep your data forever. The general rules are below. We may keep specific items longer where Nigerian law requires it, or where we have an active legal claim that depends on the data.
- Account data: while your account is open, and for up to 24 months after you close it. This buffer lets us handle disputes, fraud investigations, and tax requirements.
- Reviews and ratings: indefinitely. Reviews are part of the public record of the platform. If you close your account, your reviews can stay up, but you can ask us to remove your name from them so they appear anonymously.
- KYC documents: kept only for the period required by Nigerian financial and identity regulations, and deleted shortly after that period ends.
- Server logs: up to 12 months, except where a specific investigation requires us to hold them longer.
- Backups: we roll backups forward on a regular cycle. Deleted data may live in backups for up to 90 days before being overwritten.
- Support conversations: up to 36 months after the last contact, so we can help if you come back to the same issue.
- Marketing consent records: kept for the duration of your subscription plus 24 months, so we can prove you opted in if a regulator asks.
8. How we protect it
We take security seriously. The measures below are not a complete list, but they cover the main areas.
- Data travels between your device and our servers over HTTPS using current TLS standards.
- Passwords are hashed using a modern algorithm. We do not store your password in a form we can read.
- Access to personal data is limited to staff who need it for their job. Access is logged.
- KYC documents and payment data are kept in restricted storage with extra controls.
- We patch our systems on a regular schedule. We monitor for unusual activity.
- If a security incident affects your data, we will tell you and the Nigeria Data Protection Commission as required by law.
You also have a part to play. Use a strong password that you do not reuse on other sites. Turn on two-factor authentication. Be cautious with anyone who asks for your password or your verification codes, since we will never ask for those.
9. Your rights under the NDPA 2023
Nigerian data protection law gives you specific rights over your data. We take these seriously, and we make them easy to use.
9.1 The rights you have
- Right of access. Ask us for a copy of the data we hold about you.
- Right to rectification. Ask us to correct anything that is wrong.
- Right to erasure. Ask us to delete your data. This applies in most cases, with exceptions for legal obligations, defence of legal claims, and protecting other users.
- Right to restrict processing. Ask us to pause specific processing while we sort something out with you.
- Right to data portability. Ask us to export your data in a structured, common format.
- Right to object. Tell us to stop processing your data for reasons such as direct marketing, profiling, or our legitimate interest. We will stop, or we will explain why we cannot.
- Right not to be subject to automated decisions. In the rare cases where this would apply, we do not make significant decisions about you using software alone, without a human in the loop.
- Right to withdraw consent. Where we rely on consent, you can take it back at any time. Withdrawal does not undo what was lawful before.
9.2 How to use them
Most of these rights can be exercised directly inside your account. Account settings let you correct your information, change your communication preferences, download a copy of your data, or close your account. For anything you cannot do from your account, write to us through the contact form and mention which right you are exercising. We respond within the timelines set by Nigerian law, which is generally within 30 days, and we will tell you if we need longer for a complex request.
9.3 Identity check
To protect you, we may need to confirm your identity before we act on a request, especially for access, portability, and erasure. We use the minimum check needed.
9.4 No fee, except in limited cases
Exercising your rights is free. We may charge a reasonable fee or refuse the request only when it is clearly unfounded, excessive, or repetitive, and we will explain our reasons if we do.
10. Children
Ratecrest is for adults. We do not allow accounts for anyone under 18. If you are a parent or guardian and you believe your child has created an account, please tell us through the contact form. We will close the account and delete the data.
12. Changes to this policy
We update this policy from time to time. Small clarifications happen without fuss. Material changes will be highlighted when you next visit the site, and where we have a reason to email you about a change, we will. The "Last updated" date at the top of the page always reflects the current version.
13. How to contact us
The contact form on this site is the right way to reach us for any privacy question, including requests to use your rights. Write "Privacy" in the subject so the right team handles it.
14. How to complain
If you believe we have handled your data poorly, we want to know first. Reach us through the contact form and we will look into it. You can also report us to the Nigeria Data Protection Commission, the regulator that supervises data protection in Nigeria. You do not have to come to us first, but it is often the fastest way to get an issue resolved.