Privacy Policy

1. General

Your use of the Website and the Invoice Creator and any dispute over privacy is subject to this Policy and any of our applicable Terms and Conditions of Use, including their applicable limitations on damages and the resolution of disputes. By visiting our Website and using the Invoice Creator you are accepting and consenting to the practices described in this Policy.

2. What Does This Privacy Policy Cover?

This Privacy Policy covers our collection, use and disclosure of information about identifiable individuals ("Personal Information"). Personal Information may be collected about users and visitors to the Website, as well as our customers and their end users who use the Services.

This Privacy Policy covers the activities of Cobbo Nigeria Ltd. only and does not apply to the practices of companies we do not own or control.

Account holders and their customers. When you, as an account holder, add your own customers and their details to create and send invoices, you are the controller of that customer information and Cobbo Nigeria Ltd. acts as a processor handling it on your behalf and on your instructions. You are responsible for having a lawful basis to provide that information to us.

3. Collection & Use of Personal Information

When you register for and use the Services, Cobbo Nigeria Ltd. collects the following Personal Information:

• i ) Account details — your name, email address, password (stored in hashed form), and, if you sign in with Google, the basic profile information Google provides (your email, name and a unique account identifier).
• ii ) Business details — your business name, email, phone, address, website, category and registration number (CAC).
• iii ) Financial details — bank account information you add to appear on your invoices (account name, account number and bank name), which we store in encrypted form, and payment records relating to your subscription (such as transaction references and the payment authorisation returned by our payment provider). We do not store full card numbers; card payments are handled by our payment provider.
• iv ) Customer information — the details you enter about your own customers to create invoices, such as their name, email, phone, address and notes.
• v ) Usage and device data — your IP address, browser/user-agent, the pages and actions taken in the Services, and login history. We keep an activity log of key actions for security and audit purposes.
• vi ) Invoice and transaction history — the invoices, line items, payments and ledger entries you create within the Services.

Use Personal Information to:

• Authenticate access to the Account and provide access to the Services.
• Provide, operate, maintain and improve the Services.
• Send technical notices, updates, security alerts and support and administrative messages.
• Provide and deliver the Services and features you request, process transactions, and send related information.
• Communicate with customers about services, features, surveys, newsletters, offers, and promotions.
• Investigate and prevent fraudulent transactions and unauthorized access.
• Personalize and improve the Services and provide content that matches your interests.
• Monitor and analyze trends, usage, and activities in connection with the Services.
• Enable you to communicate, collaborate, and share files with users you designate.

4. Disclosure of Personal Information With Third Parties

Service Providers and Business Partners. We rely on a small number of trusted third parties to operate the Services and we share only the Personal Information each one needs to perform its function. These providers are not permitted to use your information for any purpose beyond providing their service to us. They currently include:

• Paystack — processes subscription payments and recurring charges; receives your email, payment amount and transaction details.
• Cloudinary — hosts images you upload, such as your business logo and signature.
• Google — provides "Sign in with Google" authentication and reCAPTCHA protection against automated abuse; this involves processing of sign-in data and limited device/usage signals.
• Email/SMTP provider — delivers transactional emails (such as verification, invoices and security alerts) and, where you have not opted out, categorized emails (such as summaries, reminders and newsletters).

Business Transfers. If our business is acquired by a third party, or if we go out of business, enter bankruptcy, or go through some other change of control, Personal Information may be made available to the new controlling entity, where permitted under applicable law.

As Required by Law. We may disclose your Personal Information to third parties without your consent if we have reason to believe that disclosing this information is necessary to identify, contact or bring legal action against someone who may be causing injury to our rights or property, or as required by applicable law, regulation, or legal process.

5. Retention

We will keep your Personal Information for as long as it remains necessary for the identified purpose or as required by law. You may delete your account at any time from your account settings; when you do, your account is deactivated and your data is marked as deleted and removed from everyday use of the Services.

Because we use soft-deletion, some records may be retained in our systems for a period after deletion, and we may retain certain information for longer where necessary to comply with legal obligations, resolve disputes, prevent fraud or abuse, or for legitimate business purposes. All retained Personal Information remains subject to this Privacy Policy. If you would like your retained data permanently erased, you can contact us using the details in the "Contact Us" section below.

6. Access, Correction & Accuracy Rights

You have the right to access the Personal Information we hold about you in order to verify what we have collected and our uses of that information. Upon receipt of your written request, we will provide you with a copy of your Personal Information, subject to applicable limitations.

We will make every reasonable effort to keep your Personal Information accurate and up to date, and will provide you with mechanisms to update, correct, delete or add to your Personal Information as appropriate.

7. Where We Store Your Data

All information you provide to us is stored on our secure servers. We use industry-standard safeguards to protect your data: information is transmitted over encrypted SSL/TLS connections, sensitive fields such as your bank account details are encrypted at rest, passwords are stored in hashed form, and we support two-factor authentication for added account security. Unfortunately, the transmission of information via the internet is not completely secure; although we will do our best to protect your personal data, we cannot guarantee the security of data transmitted to our Website, and any transmission is at your own risk.

8. Our Use of Cookies & Tracking Mechanisms

We use cookies and similar technologies that are necessary to operate the Website and the Invoice Creator securely. We do not use advertising or cross-site targeting cookies. The cookies we set are:

• i ) Session cookies — keep you signed in and maintain your session as you move through the Services.
• ii ) "Remember me" cookies — keep you signed in between visits if you choose that option.
• iii ) Security cookies — protect against cross-site request forgery (CSRF) and other abuse.
• iv ) reCAPTCHA — Google reCAPTCHA may set cookies and process limited device signals to distinguish humans from automated abuse on our forms.

Most web browsers automatically accept cookies. You can edit your browser options to block them; however, most site features will not function if you disable the strictly necessary cookies.

9. Marketing Emails & Communication Preferences

We send two kinds of email. Transactional and security emails — such as account verification, password resets, invoice delivery, team invitations and important service or security notices — are necessary to provide the Services and cannot be opted out of while you have an account.

Non-essential emails are grouped into categories — for example marketing and newsletters, periodic summaries (digests), reminders, and account notifications. You can opt out of these at any time using the one-click unsubscribe link included in the email, or by contacting us. We honour these preferences and suppress further emails in a category once you unsubscribe.

10. Your Rights Under the Nigeria Data Protection Act

We process Personal Information in accordance with the Nigeria Data Protection Act, 2023 (NDPA) and the framework administered by the Nigeria Data Protection Commission (NDPC). Depending on the circumstances, our legal basis for processing your information includes your consent, the performance of our contract with you (providing the Services), compliance with our legal obligations, and our legitimate interests in operating and securing the Services.

Subject to applicable law, you have the right to:

• i ) Access the Personal Information we hold about you.
• ii ) Rectify information that is inaccurate or incomplete.
• iii ) Erase your Personal Information ("right to be forgotten"), subject to our legal and legitimate retention needs.
• iv ) Restrict or object to certain processing, including direct marketing.
• v ) Data portability — receive a copy of information you provided in a usable format.
• vi ) Withdraw consent at any time where processing is based on consent, without affecting processing already carried out.

To exercise any of these rights, contact us using the details in the "Contact Us" section below. You also have the right to lodge a complaint with the Nigeria Data Protection Commission.

11. Changes To Our Privacy Policy

This Policy may change from time to time. Any changes in the future will be posted on our Website and, where appropriate, notified to you by email. Continued use of the Invoice Creator will constitute acceptance of the Policy in place from time to time.