Privacy Policy

ChatLedger is a product of Casia Growth Lab Ltd., a company registered with the Nigerian Corporate Affairs Commission. Casia Lab builds software solutions for small businesses across Nigeria and other African markets ( casialab.com).

You can reach our data protection team at chatledger@casialab.com. Our registered address is published on our website footer once finalised with CAC.

• Account identifiers — your name, phone number, email address.
• Business profile — business name, address, default currency, billing tier.
• Authentication data — one-time codes sent to your phone or email.
• Staff records — names, roles, contact details of staff you add.
• Payment information — bank account details and Paystack subaccount reference, processed for the purpose of routing customer payments to you. We do not store card numbers.
• Usage data — logs of actions taken in the product (messages sent, quotes created, login times) to operate, secure, and improve the service.

When a Customer uses ChatLedger, the platform processes data about the End Users that the Customer messages. In this context, the Customer is the data controller and ChatLedger is a data processor acting on the Customer's instructions. This data includes:

• End User WhatsApp phone numbers and display names provided by Meta.
• Message content sent to and from the Customer (including any media attachments).
• Customer-assigned tags, notes, location, segment, and order history.
• Payment references and transaction outcomes.
• Delivery details voluntarily provided (addresses, ETAs, proof images).

Neither ChatLedger nor Casia Growth Lab Ltd. uses End User data for our own marketing, profiling, or any purpose beyond providing the service to the Customer.

• To operate the inbox, quote, payment, and order workflows the Customer signed up for.
• To authenticate Customers and protect their accounts.
• To send transactional notifications (payment confirmations, dispatch updates) on the Customer's behalf.
• To meet our legal, tax, and accounting obligations.
• To analyse aggregate usage and improve the product. We do not sell personal data.

We rely on the following third parties to deliver the service. Each is bound by data protection agreements that restrict their use of the data to providing services to us.

• Meta Platforms Ireland Ltd. — WhatsApp Business Platform; transports messages between Customers and their End Users. Meta's own privacy practices apply to message routing.
• Supabase Inc. (USA) — managed Postgres database, file storage, and authentication.
• Railway Corp. (USA) — application hosting.
• Paystack Payments Ltd. (Nigeria/USA) — payment processing and split settlement to Customer bank accounts.
• Termii / Twilio — SMS delivery for one-time codes.
• Resend — transactional email (sign-in codes, account notifications).

An updated list of sub-processors and their locations is published at chatledger.app/subprocessors.

Some of our sub-processors are located outside Nigeria. When data is transferred internationally, we rely on the data subject's consent (given through use of the service), our legitimate interest in operating the service, and the contractual safeguards we have with each sub-processor.

• Active account data — for as long as the Customer maintains an active subscription.
• Message and order history — retained while the account is active so the Customer can search their history.
• Authentication logs — 90 days.
• After cancellation — Customer and End User data is deleted within 30 days, except where we are legally required to retain it (e.g. tax records: 7 years).
• Backups — encrypted backups may persist up to a further 35 days before being overwritten.

If you are a data subject under the NDPA, you have the right to:

• access the personal data we hold about you;
• request correction of inaccurate data;
• request deletion of your data, subject to our legal retention obligations;
• object to or restrict certain processing;
• request a portable copy of your data;
• withdraw consent at any time, where processing is based on consent.

To exercise any of these rights, contact chatledger@casialab.com. For End Users, please contact the Customer business that messaged you first; if they cannot resolve your request, write to us directly.

We use TLS for all network traffic, encrypt data at rest in our database, isolate tenants' data at the row level, and require strong authentication for all staff accessing production systems. We do not guarantee security against every possible threat, but we work to limit and quickly respond to incidents.

We use a small number of strictly necessary cookies to keep you signed in and remember your acting-staff identity in dev mode. We do not use third-party advertising or tracking cookies.

ChatLedger is not intended for use by anyone under 18. We do not knowingly collect data from minors. If you believe we have, contact us and we will delete it.

We may update this policy as the product evolves or laws change. Material changes will be communicated to Customers via in-product notification and email at least 14 days before they take effect.

If you believe your data has been mishandled, you can complain to the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng.