SparoPay Data Use and Security Policy

1. Introduction

This Data Use and Security Policy details how SparoPay collects, processes, secures, and shares data across its ecosystem (User App, Rider App, Vendor Portal, and Backend Services). It complies with standard data protection regulations and leverages industry-standard security practices.

2. Data Collection & Usage

2.1. Personal Identity Information (PII)

Collected Data:

• Accounts: First Name, Last Name, Email, Phone Number (E.164 format), Profile Pictures.
• Vendors: Business Name, Business Address, City, Manager Name.
• Riders: Full Name, Vehicle Type, City.

Usage:

• Identity Verification: Authenticating users and checking against duplicate registrations.
• Communication: Sending transaction alerts, OTPs (via SMS/Termii), and delivery updates (via Email).
• Service Delivery: Matching users with nearby vendors and riders.

2.2. Financial Data

Collected Data:

• Bank Accounts: Account Number (NUBAN), Bank Name, Bank Code.
• Wallet: Balance, PIN Hash, Transaction History (Credits/Debits).
• Payments: detailed logs of Card and Bank Transfer initiations.

Usage:

• Processing: Facilitated via KoraPay for payments and payouts.
• Wallet System: Atomic transactions are used for internal credits/debits to prevent double-spending.
• Security: Wallet PINs are hashed using Argon2 and are never stored in plain text.

2.3. Location & Device Data

Collected Data:

• Real-Time GPS: Latitude/Longitude from Riders (background/foreground) and Users (address picking).
• Device Info: deviceId, IP Address, User Agent.
• Contact List: Accessed (with permission) for Airtime/Data gifting logic.

Usage:

• Logistics: Calculating delivery fees based on distance (Google Maps / Haversine fallback).
• Routing: Generating polyline routes for package tracking.
• Security: Linking refresh tokens to specific deviceIds to detect token theft.
• Fraud Prevention: Rate-limiting logins based on IP/Device.

2.4. Package Delivery Data

Collected Data:

• Package Details: Description, Size, Type, Images.
• Addresses: Pickup and Drop-off coordinates and street addresses.
• Secrets: deliveryPin (for sender validation) and deliveryToken (for receiver validation).

Usage:

• Public access: Package images are stored in a publicly accessible bucket to ensure visibility for assigned riders.
• Tracking: Public tracking pages show masked details (e.g., "Ikeja, Lagos" instead of exact house number) to protect privacy.

3. Data Storage & Retention

3.1. Database Storage

• Primary DB: PostgreSQL.
• Encryption at Rest: Sensitive columns (NUBAN, 2FA Secrets, Wallet PINs) are encrypted using aes-256-gcm before storage.
• Soft Deletion: Accounts and records use deletedAt for soft deletion, allowing for data recovery or audit trails before permanent purging.

3.2. Password Security

• Hashing: All passwords and passcodes are hashed using Argon2 with a unique salt/pepper.
• History: We retain the last 10 password hashes to prevent reuse of recent credentials.
• Policy: Enforces complexity (Upper, Lower, Number, Special Char) and checks against a blacklist of weak passwords (e.g., "password123").

3.3. Client-Side Storage (Mobile)

• Tokens: Access and Refresh Tokens are stored in secure storage (e.g., iOS Keychain / Android Keystore) via expo-secure-store.
• Session: Client automatically refreshes tokens when they expire using a dedicated refresh_token + deviceId handshake.

4. Third-Party Data Sharing

5. Security Measures

5.2. Network Security

• Transport: All API communication is over HTTPS.

5.3. Conflict Resolution

• Atomic Transactions: Database transactions ensure money is not lost during system failures.
• Idempotency: Unique system references prevent duplicate VTU or Payment charges within short windows.

6. User Rights & Contact

Users may request:

• Data Deletion: Via the "Delete Account" feature (Soft delete initiated).
• Data Export: Transaction history and profile data.
• Dispute Resolution: For transaction issues, tracking numbers and references are immutable logs.