
Privacy Policy

Last updated: 20 April 2026

1. Who we are

MyCardVendor is operated by CardVendor Limited, registered in Nigeria with the Corporate Affairs Commission under RC number 9488962, with its registered office at 6 Ibrahim Garba Street, Katampe Extension, FCT, Abuja, Nigeria ("we", "us", "our"). We are the data controller for the personal data we collect from you through the Service. For privacy questions, contact us at support@mycardvendor.com.

2. What this policy covers

This Privacy Policy describes what personal data we collect when you use MyCardVendor, why we collect it, how we use and share it, how long we keep it, and the rights you have over it. It applies to all visitors and account holders on www.mycardvendor.com and any related services.

This policy is governed by the Nigeria Data Protection Act 2023 (the "NDPA") and the regulations issued under it.

3. Information we collect

a. Information you give us

  • Account data — your email address and password (passwords are stored only as salted hashes, never in plain text) when you sign up.
  • Profile data — any optional details you add to your profile, such as a display name or delivery WhatsApp number.
  • Order data — the products you buy, the face values chosen, and the delivery email or WhatsApp number you specify.
  • Communications — the content of emails or support messages you send us.
  • KYC data — where verification is required, a government-issued ID, a selfie for liveness, and proof of address. This data is kept separately and only accessed when necessary for verification or legal obligations.

b. Information we collect automatically

  • Device and log data — IP address, browser type, operating system, referrer URL, and timestamps, collected by our hosting and analytics providers.
  • Wallet and transaction records — every deposit, purchase, and refund on your account, including amounts and reference IDs.
  • Cookies and session data — small identifiers stored in your browser to keep you signed in and to remember your preferences. See Section 8 below.

c. Information we receive from third parties

  • Payment processor (Paystack) — confirmation that a deposit succeeded or failed, the last four digits of the card, the card brand, and the billing country. We never receive your full card number, CVV, or PIN.
  • Fulfillment partner (Reloadly) — the transaction ID and status of each gift card purchase, plus the card code and PIN returned for delivery to you.
  • Email delivery (Resend) — delivery, bounce, and complaint events for the transactional emails we send.

4. How we use your information

We use your personal data for the following purposes and on the following legal bases under the NDPA:

  • To provide the Service — creating your account, running your wallet, fulfilling your orders, and sending you the code you paid for. Legal basis: performance of a contract.
  • To communicate with you — sending order confirmations, deposit confirmations, and support replies. Legal basis: performance of a contract.
  • To keep the Service secure — detecting fraud, preventing abuse, investigating suspicious activity, and protecting our other customers. Legal basis: legitimate interest.
  • To comply with legal obligations — anti-money-laundering rules, tax reporting, and responses to lawful requests from authorities. Legal basis: legal obligation.
  • To improve the Service — analysing aggregate usage patterns and debugging errors. Legal basis: legitimate interest.
  • To send marketing emails — only if you have explicitly opted in, and you can unsubscribe at any time. Legal basis: consent.

We do not sell your personal data to anyone, and we do not use it for any automated decision-making that has a legal or similarly significant effect on you.

5. Who we share your information with

We share personal data only with the service providers that help us run MyCardVendor:

  • Supabase — authentication and database hosting for your account and order records.
  • Vercel — web hosting and application delivery.
  • Paystack — processing your deposits and confirming payments.
  • Reloadly — sourcing and issuing the gift card codes you buy.
  • Resend — delivering transactional emails (order confirmations, deposit receipts).
  • Zoho Mail — handling email sent to our @mycardvendor.com addresses.

Each of these providers is bound by its own terms and privacy policy, and we share with them only the minimum data needed for the task. We may also disclose your data to courts, regulators, or law enforcement where we are legally required to do so, and to professional advisers, auditors, or insurers where strictly necessary.

If we are ever involved in a merger, acquisition, or sale of assets, your data may be transferred to the successor entity subject to equivalent protection.

6. International transfers

Some of our service providers are located outside Nigeria, including in the United States and the European Union. When your personal data is transferred to these countries, we rely on appropriate safeguards permitted under the NDPA — including adequacy determinations, standard contractual clauses with the recipient, and the recipient's own compliance with regimes such as the EU GDPR — so that your data continues to receive a comparable level of protection.

7. How long we keep your data

We keep your personal data only for as long as we need it for the purposes set out in this policy. In practice that usually means:

  • Account data — for as long as your account is active, and for up to 7 years after closure to meet Nigerian accounting and AML record-keeping obligations.
  • Transaction records — retained for 7 years after the transaction date, as required by financial record-keeping laws.
  • KYC documents — retained for 5 years after account closure, in line with AML requirements.
  • Support correspondence — retained for 2 years, then deleted unless part of an open dispute.
  • Server and access logs — retained for up to 90 days for security and debugging.

After these periods, we either delete your data or anonymise it so it can no longer be linked back to you.

8. Cookies and similar technologies

We use a small number of cookies and similar browser storage to make the Service work:

  • Strictly necessary — session cookies that keep you signed in, remember your cart while you shop, and protect against cross-site request forgery. Without these, the Service cannot function.
  • Preferences — remembering your region or display choices.

We do not currently use advertising or cross-site tracking cookies. If we introduce any in future, we will update this policy and, where required, ask for your consent first.

You can control cookies through your browser settings. Blocking strictly necessary cookies will prevent you from signing in.

9. Security

We take reasonable technical and organisational measures to protect your personal data against loss, misuse, and unauthorised access. These include encryption in transit (TLS), row-level security on our database, access controls on administrative systems, and secure credential handling.

No system is ever perfectly secure. If we become aware of a personal-data breach likely to result in a risk to your rights, we will notify you and the Nigeria Data Protection Commission as required by law.

10. Your rights

Under the NDPA, you have the right to:

  • Access the personal data we hold about you and receive a copy of it;
  • Rectify data that is inaccurate or incomplete;
  • Erase your data when we no longer have a lawful basis to keep it;
  • Restrict or object to our processing in certain circumstances;
  • Port your data to another service in a structured, machine-readable format;
  • Withdraw consent at any time where we rely on it, without affecting processing already done;
  • Lodge a complaint with the Nigeria Data Protection Commission (NDPC) if you believe we have mishandled your data.

To exercise any of these rights, email us at support@mycardvendor.com from the address on your account. We will respond within 30 days. We may ask you to verify your identity before acting on a request, and we may charge a reasonable fee (or refuse) if a request is manifestly unfounded or excessive.

11. Children

MyCardVendor is not intended for anyone under the age of 18. We do not knowingly collect data from children. If you believe a child has provided us data, please contact us and we will delete it.

12. Changes to this policy

We may update this Privacy Policy from time to time. If we make a material change, we will notify you by email or through a notice on the Service at least 7 days before the change takes effect. The date at the top of this page tells you when the current version took effect.

13. Contact

Questions about this policy or your data? Reach us at support@mycardvendor.com or by post at the registered office above.
