We are committed to protecting your personal information and your right to privacy. This policy explains exactly what we collect, why, and how we protect it.
Who we are: PrioEat ("PrioEat", "we", "us", "our") is a technology platform operated by PrioEat Technologies Limited, a company registered under the laws of the Federal Republic of Nigeria. We operate a restaurant pre-ordering and table reservation platform accessible via our mobile application and website at prioeatng.com.
This Privacy Policy applies to: all users of the PrioEat mobile application (iOS and Android), the PrioEat website, and any related services. By using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please discontinue use of our Services immediately.
We collect information you provide directly, information generated automatically when you use our Services, and information obtained from third-party partners. The categories of personal data we collect are described below.
| Data Category | Specific Data Points | When Collected |
|---|---|---|
| Account Information | Full name, email address, phone number, password (hashed) | At account registration |
| Order Information | Selected menu items, quantities, special instructions, table preference, dining time | When placing an order |
| Reservation Information | Date, time, party size, special requests, occasion notes | When making a reservation |
| Payment Information | Payment method type, last 4 digits of card (tokenised), billing details | At checkout. Full card numbers are never stored by PrioEat. |
| Communications | Messages sent to our support team, feedback, reviews | When you contact us |
| Restaurant Partner Data | Business name, address, banking details (for restaurant managers), menu and pricing information | During partner onboarding |

| Data Category | Specific Data Points | Purpose |
|---|---|---|
| Device Information | Device model, operating system version, unique device identifiers (IDFV), app version | Security, troubleshooting, compatibility |
| Usage Data | Screens viewed, features used, time spent in-app, tap interactions, order flow completion | Product improvement, analytics |
| Location Information | Approximate or precise device location, only after you grant device-level permission | Showing nearby restaurants, distance estimates, directions, and arrival support |
| Network Information | IP address, network type (Wi-Fi/mobile data), approximate city-level location derived from IP | Fraud detection, service delivery |
| Push Notification Token | Firebase Cloud Messaging (FCM) device token | Delivering order status notifications |
| Transaction Metadata | Paystack payment reference, transaction timestamps, payment status | Order fulfilment, dispute resolution |
What we do NOT collect: We do not collect contacts, microphone recordings, biometric data, social media credentials, or any data not described above. We do not collect full payment card numbers; this data is handled exclusively by Paystack under PCI-DSS Level 1 compliance.
We use your personal data only for the purposes described below. We do not sell your personal data to third parties for marketing purposes.
Under the Nigeria Data Protection Regulation (NDPR) 2019 and the Nigeria Data Protection Act (NDPA) 2023, we are required to identify a valid legal basis for each category of personal data processing. Our legal bases are as follows:
| Processing Activity | Legal Basis | Applicable Provision |
|---|---|---|
| Account creation and authentication | Contractual necessity: required to provide the service you requested | NDPA 2023, s. 25(1)(b) |
| Processing and fulfilling orders | Contractual necessity | NDPA 2023, s. 25(1)(b) |
| Payment processing | Contractual necessity and legal obligation (CBN regulations) | NDPA 2023, s. 25(1)(b)(c) |
| Push notifications for order updates | Contractual necessity and consent (device-level permission) | NDPA 2023, s. 25(1)(a)(b) |
| Fraud detection and security | Legitimate interests: protecting users and the platform from harm | NDPA 2023, s. 25(1)(f) |
| Marketing communications | Consent: you must actively opt in | NDPA 2023, s. 25(1)(a) |
| Analytics and product improvement | Legitimate interests: improving our services for all users | NDPA 2023, s. 25(1)(f) |
| Legal compliance and regulatory reporting | Legal obligation | NDPA 2023, s. 25(1)(c) |
Where we rely on legitimate interests: We have conducted a Legitimate Interests Assessment (LIA) for each processing activity relying on this basis. We have determined that our interests are not overridden by your rights and interests, taking into account the nature of the data processed and the reasonable expectations of users of a restaurant pre-ordering platform. You may request a copy of our LIAs by contacting us at the details in Section 16.
We do not sell, rent, or trade your personal data to third parties for their marketing or commercial purposes. Period.
We share personal data only in the following limited circumstances:
When you place an order or make a reservation, we share the following information with the relevant restaurant partner to fulfil your request:
Restaurant partners are bound by our Partner Data Processing Agreement and are prohibited from using your data for any purpose other than fulfilling your order or reservation.
We engage third-party technology providers who process data on our behalf as data processors under binding data processing agreements. See Section 5 for the complete list.
We may disclose your personal data without prior notice where required by:
In the event of a merger, acquisition, restructuring, or sale of all or substantially all of our assets, your personal data may be transferred to the acquiring entity. We will notify you by email and/or prominent in-app notice at least 30 days before your data becomes subject to a materially different privacy policy, and you will have the right to delete your account during this period.
We may share your data with third parties where you have given us explicit, specific, informed, and unambiguous consent to do so.
We use the following sub-processors to operate our platform. Each is bound by a data processing agreement and is required to apply technical and organisational security measures equivalent to or exceeding our own standards.
| Provider | Service | Data Shared | Data Location | Privacy Policy |
|---|---|---|---|---|
| Supabase, Inc. | Database, authentication, real-time data infrastructure | All account, order, and reservation data | United States (AWS us-east-1) | supabase.com/privacy |
| Paystack Payments Limited | Payment processing, subaccount disbursement | Payment card data (tokenised), transaction amounts, customer name and email | Nigeria / Ireland | paystack.com/privacy |
| Google LLC (Firebase) | Push notification delivery (Firebase Cloud Messaging) | Device push token, notification payload (order status text) | United States | policies.google.com/privacy |
| Vercel, Inc. | Web hosting and content delivery | IP address, HTTP request metadata (logs retained for 30 days) | United States | vercel.com/legal/privacy-policy |
International transfers: Some of our service providers are located outside Nigeria. Where personal data is transferred outside Nigeria, we ensure that such transfers comply with the NDPA 2023 and the NDPC's Transfer of Personal Data Across Borders regulations, including through the use of Standard Contractual Clauses (SCCs) or adequacy decisions where applicable.
All payment transactions on PrioEat are processed by Paystack Payments Limited, a CBN-licensed payment service provider and a subsidiary of Stripe, Inc. Paystack operates at PCI-DSS Level 1, the highest level of payment security certification in the industry.
PrioEat charges the full order amount (food subtotal plus PrioEat's platform fee) in-app at the time of ordering. Nothing is collected on arrival at the restaurant. Paystack splits the payment at the gateway between the restaurant's registered Paystack subaccount (food revenue, minus Paystack's processing fee) and PrioEat's main account (platform fee). For restaurants whose Paystack subaccount has not yet been provisioned, the food portion is held temporarily by PrioEat and disbursed to the restaurant on settlement day.
Menu prices are inclusive of any applicable tax the restaurant chooses to embed. PrioEat does not compute, display, or charge VAT as a separate line item. Restaurants remain responsible for their own tax obligations to Nigerian tax authorities.
PrioEat charges a single platform fee per order: a ₦1,000 base plus 2.5% of the order value above ₦20,000 (subject to a configurable floor and ceiling). Member-tier customers (Bronze / Silver / Gold / Platinum) receive a percentage discount on this fee, applied automatically at checkout. The final fee, including any tier discount, is always shown before payment.
If you cancel a paid order, or if a restaurant cancels your confirmed order, the full charged amount (food plus platform fee) is issued to you as PrioEat Credit, a balance held in your in-app Wallet, redeemable on a future order at the same restaurant. Credit issued by a restaurant that is later suspended automatically converts to platform-wide credit, usable at any active restaurant. PrioEat Credit does not expire. PrioEat does not process cash refunds or Paystack reversals to original payment methods; every refund is issued as PrioEat Credit only.
PrioEat sends push notifications to keep you informed about your orders and reservations. These notifications are powered by Google Firebase Cloud Messaging (FCM).
You may manage push notification permissions at any time through your device's system settings (iOS: Settings > PrioEat > Notifications; Android: Settings > Apps > PrioEat > Notifications). Disabling notifications will not affect your ability to use the app, but you will not receive real-time order updates until notifications are re-enabled.
We retain personal data only for as long as necessary to fulfil the purposes described in this Policy, or as required by applicable law. Our retention schedules are as follows:
| Data Category | Retention Period | Rationale |
|---|---|---|
| Account data (name, email, phone) | Duration of account + 3 years post-deletion | Dispute resolution, legal claims |
| Order records | 7 years from order date | Nigerian tax and accounting regulations (FIRS) |
| Payment transaction records | 7 years from transaction date | CBN record-keeping requirements, AML compliance |
| Reservation records | 2 years from reservation date | Dispute resolution, analytics |
| Push notification tokens | Until account deletion or token refresh | Notification delivery |
| Support communications | 3 years from last interaction | Quality assurance, dispute resolution |
| Web server logs (IP addresses) | 30 days | Security monitoring |
| Abandoned/ghost orders (pending payment, no completion) | Automatically deleted after 30 minutes | Data minimisation; these represent incomplete transactions |
Upon account deletion, we will anonymise or securely delete your personal data within 30 days, except where retention is required by law (as noted above). Anonymised, aggregated data that cannot be used to identify you may be retained indefinitely for statistical purposes.
We implement industry-standard technical and organisational security measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. Our security programme includes:
No system is 100% secure. While we take your data security extremely seriously, we cannot guarantee absolute security. In the event of a data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the Nigeria Data Protection Commission (NDPC) within 72 hours of becoming aware of the breach, as required by the NDPA 2023.
Under the Nigeria Data Protection Act (NDPA) 2023, you have the following rights with respect to your personal data. We will respond to all valid requests within 30 days of receipt (extendable to 60 days for complex requests, with notice to you).
To exercise any of the above rights, please contact our Data Protection Officer at privacy@prioeat.com with the subject line "Data Rights Request - [Your Full Name]". We may require identity verification before processing your request.
Our mobile application does not use cookies. Our website (prioeatng.com) uses a limited set of cookies as described below.
| Cookie Type | Name / Source | Purpose | Duration |
|---|---|---|---|
| Strictly Necessary | supabase-auth-token | Maintains your authenticated session | Session / 7 days |
| Strictly Necessary | sb-ecpg-auth-token | Supabase authentication refresh token | Up to 1 year |
| Performance | Vercel analytics (anonymous) | Aggregated page load metrics, no personal identifiers | Session |
We do not use advertising cookies, third-party tracking pixels, or any cross-site tracking technologies. You may clear cookies at any time through your browser settings; however, this will log you out of active sessions.
PrioEat is not directed at, and does not knowingly collect personal data from, children under the age of 13 years (or under 16 years where a higher age applies under local law). Our Services are intended for use by persons aged 13 and above; persons under 18 should use the platform only with parental or guardian supervision.
If we become aware that we have inadvertently collected personal data from a child under 13, we will take immediate steps to delete that information from our systems. If you believe we may have collected data from a child under 13, please contact us immediately at privacy@prioeat.com.
Our mobile application is rated 4+ on the Apple App Store and Everyone on Google Play. This rating reflects the absence of objectionable content, violence, or adult themes in our application.
PrioEat is based in Nigeria, and our primary operations are conducted within Nigeria. However, some of our technology service providers (notably Supabase, Firebase, and Vercel) are headquartered in or operate infrastructure in the United States.
When we transfer personal data outside Nigeria, we ensure that adequate safeguards are in place in accordance with the NDPA 2023 and the NDPC Transfer of Personal Data Across Borders Regulations 2023. Safeguards used include:
You may obtain a copy of the specific safeguards applicable to any international transfer by contacting our Data Protection Officer.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:
Your continued use of our Services after the effective date of any updated Privacy Policy constitutes your acceptance of the updated terms. If you do not agree with the updated policy, you must discontinue use of our Services and may request deletion of your account.
All previous versions of this Privacy Policy are archived and available upon request.
This Privacy Policy is governed by and construed in accordance with the laws of the Federal Republic of Nigeria, including the Nigeria Data Protection Act (NDPA) 2023, the Nigeria Data Protection Regulation (NDPR) 2019, and all applicable regulations issued by the Nigeria Data Protection Commission (NDPC).
Any dispute arising from this Privacy Policy or our data processing practices shall be subject to the exclusive jurisdiction of the courts of the Federal Capital Territory, Abuja, Nigeria, without prejudice to your right to lodge a complaint with the NDPC.
PrioEat Technologies Limited operates under the regulatory oversight of the Nigeria Data Protection Commission (NDPC). Our Data Protection Compliance Organisation (DPCO) registration and our annual Data Protection Audit reports are available upon request.
Apple App Store: If you downloaded PrioEat from the Apple App Store, Apple Inc. may have access to transaction and download data as described in Apple's Privacy Policy (apple.com/legal/privacy). Apple is an independent data controller for that data, and PrioEat has no control over Apple's data practices.
If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us through any of the channels below. We take all privacy enquiries seriously and will respond within 5 business days.
Registered in the Federal Republic of Nigeria