1. Who We Are
Teklofts Limited ("Teklofts", "we", "us", "our") is a cross-border technology company operating in Nigeria, the United Kingdom, and Zimbabwe. We are the data controller responsible for the personal data you provide to us.
2. Scope & Applicable Law
This Privacy Policy applies to all personal data processed by Teklofts Limited in connection with our website, mobile platform, and e-commerce operations. Because we operate across multiple jurisdictions, we comply with all of the following frameworks simultaneously:
United Kingdom
- UK GDPR (post-Brexit retained General Data Protection Regulation)
- Data Protection Act 2018 (DPA 2018)
- Privacy and Electronic Communications Regulations 2003 (PECR)
- Supervised by the Information Commissioner's Office (ICO)
Nigeria
- Nigeria Data Protection Regulation 2019 (NDPR)
- Nigeria Data Protection Act 2023 (NDPA)
- Consumer Protection Council Act
- Supervised by the Nigeria Data Protection Commission (NDPC)
Zimbabwe
- Cyber and Data Protection Act 2021 (CDPA)
- Postal and Telecommunications Act
- Supervised by the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ)
3. What Personal Data We Collect
We collect and process the following categories of personal data:
| Category | Examples | Purpose |
|---|---|---|
| Identity Data | First name, last name, username, title | Account creation, order processing |
| Contact Data | Email address, phone number, billing address, delivery address | Order fulfilment, communications |
| Financial Data | Payment card type, last 4 digits (full card data is processed by our payment providers — we never store raw card numbers) | Payment processing |
| Transaction Data | Order history, products purchased, returns, refunds | Order management, legal compliance |
| Technical Data | IP address, browser type and version, device identifiers, operating system, time zone | Security, fraud prevention, analytics |
| Usage Data | Pages visited, search queries, click behaviour, session duration | Service improvement, marketing analytics |
| Profile Data | Username, password (hashed), purchase preferences, wishlists | Personalisation, account management |
| Marketing & Communications Data | Email marketing preferences, communication opt-ins/opt-outs | Sending relevant marketing (with consent) |
| Location Data | Country, city (derived from IP or entered at checkout) | Delivery routing, applicable law determination, tax calculation |
4. How We Collect Your Data
4.1 Direct Interactions
You provide data directly when you:
- Create an account or register on our website
- Place an order or make a purchase
- Subscribe to our newsletter or marketing communications
- Contact us by email, phone, or via contact forms
- Complete surveys or provide product reviews
- Participate in promotions or competitions
4.2 Automated Technologies
We automatically collect Technical and Usage Data when you interact with our website using:
- Cookies and similar tracking technologies (see Section 11)
- Web analytics tools (e.g., Google Analytics with IP anonymisation enabled)
- Server log files recording access requests
4.3 Third Parties
We may receive data about you from:
- Payment processors (e.g., Stripe, Flutterwave, Paystack) — transaction status and payment confirmation
- Delivery and logistics partners — delivery status updates
- Social media platforms — if you choose to log in or interact via social sign-in
- Fraud prevention services — risk scoring and identity verification
- Public databases — for compliance and sanctions screening
5. Lawful Basis for Processing
Under UK GDPR and equivalent Nigerian/Zimbabwean frameworks, we must have a lawful basis for every processing activity. The table below explains our basis for each activity:
| Processing Activity | Lawful Basis |
|---|---|
| Processing your order and managing delivery | Contract — necessary to fulfil your purchase agreement |
| Processing payment and issuing refunds | Contract — necessary to fulfil your purchase agreement |
| Sending order confirmations and shipping updates | Contract — necessary transactional communications |
| Complying with tax, accounting, and regulatory requirements | Legal Obligation — required by applicable law |
| Fraud detection and prevention | Legitimate Interests — to protect our business and customers from fraud |
| Website analytics and performance improvement | Legitimate Interests — to improve our services (balanced against your interests) |
| Sending marketing emails and newsletters | Consent — only where you have opted in; you may withdraw at any time |
| Personalising your shopping experience | Consent (cookies) or Legitimate Interests (purchase history) |
| Responding to legal claims or regulatory investigations | Legal Obligation and Legitimate Interests |
6. How We Use Your Personal Data
We use your personal data for the following purposes:
- Order fulfilment: Processing purchases, managing deliveries, handling returns and refunds
- Account management: Creating and maintaining your customer account
- Customer service: Responding to enquiries, complaints, and support requests
- Payment processing: Facilitating secure payment transactions via our third-party payment providers
- Legal compliance: Meeting our obligations under UK, Nigerian, and Zimbabwean law including tax reporting and anti-money-laundering checks
- Security and fraud prevention: Monitoring for suspicious activity, preventing unauthorised access
- Service improvement: Analysing usage patterns to improve website functionality and product range
- Marketing (with consent): Sending promotional emails, offers, and product updates where you have opted in
- Logistics routing: Using your delivery address and location data to determine the appropriate fulfilment route across our Nigeria, UK, and Zimbabwe operations
We will not use your data in any way that is incompatible with the purposes for which it was collected, without first obtaining your consent or establishing a new lawful basis.
7. Sharing Your Personal Data
We share personal data only where necessary and with appropriate safeguards in place. We never sell your personal data to third parties.
7.1 Categories of Recipients
| Recipient | Purpose | Safeguards |
|---|---|---|
| Payment processors (Stripe, Flutterwave, Paystack, Mobile Money providers) | Secure payment processing | PCI-DSS compliant; their own privacy policies apply |
| Logistics & delivery partners (DHL, local couriers in NG/ZW/UK) | Order delivery and tracking | Data processing agreements in place |
| IT & hosting providers (cloud infrastructure, email platforms) | Website operation and email delivery | Data processing agreements; EU/UK Standard Contractual Clauses where applicable |
| Analytics providers (Google Analytics) | Website performance analysis | Configured with IP anonymisation; data processing agreement in place |
| Legal & regulatory authorities (HMRC, FIRS, courts, law enforcement) | Legal compliance, court orders, prevention of crime | Disclosed only when legally required |
| Professional advisers (lawyers, accountants, auditors) | Professional advice and audit | Bound by professional confidentiality obligations |
| Fraud prevention services | Fraud detection and prevention | Contractually bound; data minimisation applied |
| Business successors | In the event of a merger, acquisition, or sale of assets | You will be notified; new entity must honour this policy |
8. International Data Transfers
Because Teklofts operates across Nigeria, the United Kingdom, and Zimbabwe, personal data may be transferred between these jurisdictions as part of normal business operations. We also use cloud service providers whose infrastructure may be located in other countries.
8.1 Transfer Mechanisms
We ensure all international transfers are protected by at least one of the following safeguards:
- Adequacy decisions: Where the destination country has been assessed as providing adequate data protection (e.g., UK → EEA adequacy)
- Standard Contractual Clauses (SCCs): Approved model clauses providing equivalent protections for transfers outside the UK/EEA
- International Data Transfer Agreements (IDTAs): UK-specific transfer mechanism used for transfers from the UK
- Binding Corporate Rules: Where applicable within our group of companies
- Consent: For specific transfers where you have given explicit informed consent
8.2 Nigeria–UK Data Flows
Data flows between Nigeria and the UK are protected by contractual safeguards consistent with both the NDPA 2023 and UK GDPR. Nigeria has not yet received a UK adequacy decision; accordingly, we use SCCs/IDTAs for such transfers.
8.3 Zimbabwe
Data involving Zimbabwean customers is processed in accordance with the Zimbabwe Cyber and Data Protection Act 2021. Transfers outside Zimbabwe are conducted only where necessary for fulfilment and subject to equivalent contractual protections.
You may request details of the safeguards in place for any specific transfer by contacting privacy@teklofts.com.
9. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, and to meet our legal, regulatory, accounting, and reporting obligations. Our retention periods are guided by the principle of data minimisation.
| Data Type | Retention Period | Reason |
|---|---|---|
| Order and transaction records | 7 years from date of transaction | UK tax law (HMRC) and Nigerian FIRS requirements; NDPR Article 2.7 |
| Customer account data (active) | Duration of account + 2 years of inactivity | Service provision; legal claims limitation periods |
| Customer account data (deleted) | 30 days after deletion request, then permanent erasure | To process any outstanding orders or returns |
| Payment records (tokenised) | 7 years | Financial regulations and audit requirements |
| Marketing consent records | Until consent withdrawn + 3 years | To demonstrate compliance if challenged |
| Website analytics (anonymised) | 26 months (Google Analytics default) | Service improvement |
| IP address logs and security logs | 12 months | Fraud detection and incident investigation |
| Customer service records | 3 years from resolution | Quality assurance and legal claims |
| Cookies (session) | Deleted when browser session ends | Temporary functional use |
| Cookies (persistent) | As set — maximum 13 months | Preference storage and analytics |
When data is no longer needed, it is securely deleted or anonymised in a way that means it can no longer be linked to you.
10. Your Data Protection Rights
You have significant rights over your personal data. The rights available to you depend on your jurisdiction; we honour all of the following for all users regardless of location, to the fullest extent applicable law permits.
Right of Access
Request a copy of the personal data we hold about you (a "Subject Access Request" or SAR). We will respond within 30 days (UK GDPR / NDPA), free of charge in most cases.
Right to Rectification
Request correction of inaccurate or incomplete personal data. We will act within 30 days.
Right to Erasure
Request deletion of your personal data ("right to be forgotten") where there is no overriding legitimate reason to retain it. Note: we may need to retain certain data for legal compliance.
Right to Object
Object to processing based on legitimate interests or for direct marketing purposes. We will stop unless we can demonstrate compelling legitimate grounds.
Right to Restriction
Request that we restrict processing of your data (e.g., while we verify the accuracy of disputed data).
Right to Portability
Receive your personal data in a structured, commonly used, machine-readable format (e.g., CSV or JSON) to transfer to another service, where technically feasible.
Automated Decision Rights
Not to be subject to solely automated decisions that produce legal or similarly significant effects. See Section 14.
Right to Withdraw Consent
Where processing is based on your consent, withdraw it at any time without affecting the lawfulness of prior processing. Unsubscribe links are included in all marketing emails.
10.1 Nigeria-Specific Rights (NDPA 2023)
Nigerian data subjects additionally have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng.
10.2 Zimbabwe-Specific Rights (CDPA 2021)
Zimbabwean data subjects may escalate unresolved complaints to POTRAZ or the relevant Zimbabwean data protection authority.
11. Cookies & Tracking Technologies
We use cookies and similar technologies to make our website work, personalise your experience, and analyse usage. In accordance with UK PECR, Nigeria NDPR, and Zimbabwe CDPA, we obtain your consent before placing non-essential cookies.
| Cookie Type | Purpose | Consent Required | Duration |
|---|---|---|---|
| Strictly Necessary | Essential for the website to function (shopping cart, login sessions, security tokens) | No — exempt from consent | Session / 24 hours |
| Functional / Preference | Remember your preferences (language, currency, region) | Yes | Up to 12 months |
| Analytics / Performance | Measure website traffic and user behaviour (Google Analytics, anonymised) | Yes | Up to 13 months |
| Marketing / Targeting | Display relevant advertisements; retargeting campaigns | Yes | Up to 13 months |
Managing cookies: You can manage your cookie preferences at any time via our Cookie Preference Centre (accessible via the cookie banner on your first visit) or through your browser settings. Note that disabling strictly necessary cookies will affect website functionality.
woocommerce_cart_hash, woocommerce_items_in_cart, and wp_woocommerce_session_*. These are essential for your shopping cart to function and do not require consent.
12. Data Security
We implement appropriate technical and organisational measures to protect your personal data against accidental loss, unauthorised access, disclosure, alteration, or destruction. Our security measures include:
- Encryption: All data in transit is encrypted using TLS 1.2 or higher (HTTPS). Stored sensitive data is encrypted at rest.
- Payment security: We use PCI-DSS compliant payment processors. We never store full payment card numbers.
- Access controls: Strict role-based access controls limit who can access personal data. All access is logged.
- Password security: Customer passwords are stored as salted hashes using WordPress's bcrypt implementation. We cannot see your password.
- Regular security testing: We conduct regular vulnerability assessments and penetration testing.
- Staff training: All staff handling personal data receive data protection training.
- Incident response: We maintain a data breach response procedure. In the event of a breach affecting your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and notify you without undue delay where required by law.
13. Children's Privacy
Our website and services are not directed to children under the age of 16 (or such higher minimum age as required in a specific jurisdiction). We do not knowingly collect personal data from children without appropriate parental or guardian consent.
The age thresholds in our operating jurisdictions are:
- United Kingdom: 13 years (UK GDPR Article 8 as implemented in DPA 2018, s.9)
- Nigeria: 18 years (minor — NDPA 2023 requires parental consent)
- Zimbabwe: 18 years (minor under CDPA 2021)
We apply the most protective threshold — 18 years — across all markets. If you are a parent or guardian and believe your child has provided personal data to us without appropriate consent, please contact us at privacy@teklofts.com and we will delete the data promptly.
14. Automated Decision-Making & Profiling
We use limited automated processing in the following contexts:
- Fraud screening: Automated risk scoring of transactions to detect suspected fraud. If a transaction is flagged, a human reviews the decision before any action is taken.
- Personalised recommendations: Product recommendations based on your browsing and purchase history. This does not produce legal or similarly significant effects.
We do not make solely automated decisions that produce legal or similarly significant effects without human review. You have the right to request human review of any automated decision that affects you. Contact privacy@teklofts.com to exercise this right.
15. Marketing Communications
We will only send you marketing communications by email, SMS, or other channels where you have:
- Explicitly opted in during account registration or checkout, or
- Previously purchased from us and have not opted out of similar product communications (soft opt-in, permitted under UK PECR)
Every marketing communication will include a clear, functioning unsubscribe mechanism. You can also manage your preferences at any time via:
- Your account settings page on our website
- Emailing privacy@teklofts.com with the subject line "Unsubscribe"
Unsubscribe requests will be processed within 10 business days. We will retain a suppression record of your email address to ensure we do not contact you again.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the law, or the services we provide. When we make material changes, we will:
- Post the updated policy on this page with an updated effective date
- Display a prominent notice on our website for at least 30 days
- Email registered customers where the change materially affects their rights
- Request fresh consent where required by applicable law
Your continued use of our website and services after the effective date of a material change constitutes acceptance of the updated policy, to the extent permitted by law.
17. Contact, Supervisory Authorities & Complaints
17.1 Contact Us
For any questions, requests, or concerns about this Privacy Policy or our data practices:
17.2 Supervisory Authorities
If you are not satisfied with our response to your concern, you have the right to complain to the relevant supervisory authority in your jurisdiction: