This Privacy Policy explains how DULA Studio Limited ("Wishari", "we") collects, uses, and protects personal data when you use the platform. It applies to all visitors, registered users, and contributors.

Wishari is operated from Nigeria and complies with the Nigeria Data Protection Act (NDPA) 2023 and the supporting NDPR Implementation Framework. Where you are located in the European Economic Area or the United Kingdom, we additionally provide the protections required by the GDPR and the UK GDPR.

Quick summary

We collect only what we need to run the platform — your account details, your registries, the contributions you receive or make, and the basic technical data needed to deliver the website. We do not sell your data to anyone. You can ask for a copy of your data at any time, and you can ask us to delete your account.

1. Who is the data controller

DULA Studio Limited, the company that owns Wishari, is the data controller of personal data processed through the platform. You can contact our Data Protection Officer at privacy@wishari.co.

2. What we collect

Account data

  • Name, email address, password (hashed), and (optionally) phone number and profile photo.
  • Your username and bio, which are public if you choose to be discoverable.
  • Authentication metadata — which provider you signed in with (Google or email/password), the device-level session identifier, and the timestamp of your most recent login.

Registry data

  • Registry title, description, occasion type, event date, cover photo, and the items you list.
  • Visibility settings (public vs. private profile, whether contributor names are shown).
  • Aggregate statistics about your registry, such as how many people have contributed and how much has been raised.

Contribution data

  • Contributor name, email address, the amount, the gift item, and the optional love note.
  • Payment metadata from our PSP — the transaction reference, the masked card number, the processing fee. We never see or store full card numbers, CVVs, or bank credentials.
  • For Creators: bank account details linked for payout. We store the bank code, masked account number, and the subaccount reference issued by our PSP. We do not store account passwords or other banking credentials.

Technical data

  • IP address, browser type, device type, and approximate location (country and city) for security, fraud detection, and analytics.
  • Cookies and similar technologies — see our Cookie Policy for details.
  • Server logs of requests to our APIs, retained for security and debugging.

3. Why we use it (legal bases)

We process personal data on the following legal bases under Section 25 of the NDPA (and Article 6 of the GDPR, where applicable):

  • To perform our contract with you — running your account, processing the contributions you receive or make, settling payouts to your bank.
  • For our legitimate interests — keeping the platform secure, preventing fraud, improving the product, and responding to support requests.
  • To comply with a legal obligation — financial-records retention for tax, anti-money-laundering, and regulatory reporting.
  • With your consent — for optional things like marketing emails or analytics cookies, where required.

4. Sub-processors

We share personal data with the following service providers (sub-processors) only to the extent needed for them to provide their service to us:

  • Paystack Payments Limited (Nigeria) — our Payment Service Provider for contributions paid in Nigerian Naira (NGN); handles payment processing, payout settlement, and card tokenisation.
  • Neon Inc. (United States) — the managed PostgreSQL database that stores your account and registry data.
  • Cloudflare, Inc. (United States) — object storage (R2) for the images and files you upload.
  • Vercel Inc. (United States) — hosting and edge delivery of the website and APIs.
  • Resend Inc. (United States) — transactional email delivery (receipts, notifications, password resets).
  • Google LLC (United States) — only if you sign in with Google, for the OAuth handshake.
  • Sentry, Inc. (United States) — error tracking, if a problem occurs while you are using the site.

As Wishari expands to accept contributions in additional currencies, we will engage additional Payment Service Providers to process those payments. Any additional PSP will be added to this list before it processes any user data, and we will publish an updated version of this Privacy Policy at the same time.

We have signed Data Processing Agreements with each sub-processor; these agreements require them to protect personal data on our behalf and to use it only for the purposes we direct.

5. International transfers

Some of our sub-processors operate from countries that have not been formally recognised by the Nigeria Data Protection Commission as providing an adequate level of protection. Where this is the case, we rely on contractual safeguards — typically Standard Contractual Clauses or equivalent contractual commitments — to ensure your data continues to be protected to NDPA standards.

6. How long we keep it

  • Account data — for as long as your account is active. If you delete your account, we will permanently delete personal data within 30 days, except where retention is required by law.
  • Financial records (transactions, payouts, tax-relevant invoices) — 7 years from the end of the relevant tax year, per Federal Inland Revenue Service (FIRS) requirements.
  • Server logs — 90 days, then aggregated.
  • Backup copies — purged on the next backup cycle after the primary deletion (typically within 35 days).

7. Your rights

Under the NDPA (and the GDPR where applicable), you have the right to:

  • Ask what personal data we hold about you and request a copy.
  • Correct personal data that is inaccurate or incomplete.
  • Ask us to delete your personal data (subject to the legal retention requirements above).
  • Object to or restrict certain processing of your data.
  • Ask us to provide your data in a portable format you can take to another service.
  • Withdraw consent at any time where we are relying on consent.
  • Lodge a complaint with the Nigeria Data Protection Commission (NDPC) — see ndpc.gov.ng.

To exercise any of these rights, email us at privacy@wishari.co from the address associated with your account. We will respond within 30 days.

8. Security

We protect personal data using a layered set of measures, including encryption in transit (TLS) and at rest, scoped access controls, audit logging on administrative actions, and regular dependency and vulnerability reviews. We do not store payment card details — our PSP handles those.

If we become aware of a security breach affecting your personal data, we will notify the Nigeria Data Protection Commission within 72 hours of discovery and notify affected users without undue delay, in line with our legal obligations.

9. Children

Wishari is not for users under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact privacy@wishari.co and we will delete it.

10. Changes to this Privacy Policy

We will update this Privacy Policy whenever our practices change. If a change is material, we will notify users by email at least 14 days before the change takes effect.

11. Contact

For privacy questions, write to privacy@wishari.co. For general support, write to hello@wishari.co.