1. Who We Are (Our Identity and Role as Data Controller)

This Privacy Policy applies to the MetWaqf application and the website www.metrowaqf.org (collectively, the “Platform”).

The Platform is operated by The Metropolitan Waqf, a non-profit organisation registered with Nigeria’s Corporate Affairs Commission (IT160342) and headquartered in Abuja, Federal Capital Territory (“MetWaqf”, “we”, “us”, or “our”).

For the purposes of the Nigeria Data Protection Act (NDPA) 2023 and the EU General Data Protection Regulation (GDPR), The Metropolitan Waqf is the Data Controller of the personal information we process. Our Platform enables users to make charitable donations, follow ongoing projects, and support charitable causes aligned with their values.

2. Information We Collect

We collect and process the following categories of data when you use our Platform:

• Personal and Contact Information: Your name, email address, or other regulatory obligations for large-value donations).
• Transaction and Financial Data: Donation amounts, preferred Waqf causes, payment method details, transaction reference, and donation history.

Note: We do not store your complete payment card or bank details. All payment processing is handled by secure, Payment Card Industry Data Security Standard (PCI-DSS) compliant partners.

• Technical and Usage Data: Device type, operating system, IP address, browser type, app usage statistics, and other analytical data. This data is collected through cookies and similar tracking technologies to improve your experience. We only use non-essential cookies with your explicit consent (see Section 9).
• Voluntary Information: Messages, dedications, or comments attached to donations; feedback or correspondence with our support team; and responses to surveys.

3. How We Use Your Information

We process your information for the following specific purposes, and we only process the data necessary for each purpose:

• To facilitate your donations and process payments.
• To provide you with donation receipts, acknowledgments, and Waqf records.
• To maintain accurate donor histories and manage your preferences.
• To communicate project updates, progress reports, and new charitable opportunities (you may opt out of marketing communications at any time).
• To ensure compliance with our legal and regulatory obligations (e.g., anti-money laundering and counter-terrorist financing laws).
• To improve user experience, optimize app performance, and enhance our service delivery.
• To enforce our Terms of Use and protect the integrity and security of the Platform.

We will never use your personal information for purposes incompatible with those stated above without informing you and, where required by law, obtaining your explicit consent.

4. Our Lawful Basis for Processing

We process your personal data on one or more of the following legal bases, depending on the specific activity:

• Consent: Where you have given clear, voluntary consent, such as for receiving marketing communications or for the use of non-essential cookies.
• Performance of a Contract: Where processing is necessary to fulfill a transaction or service you requested (e.g., processing your donation).
• Legal Obligation: To comply with applicable laws, such as NDPA, GDPR, AML/CFT laws, tax, or accounting requirements.
• Legitimate Interest: For our legitimate operational interests, such as improving our services, fraud prevention, and ensuring the security of the Platform, provided these interests do not override your fundamental rights and freedoms.

5. Disclosure of Your Information (Data Sharing)

We only share your data where necessary and lawful. We do not sell or lease your personal information to third parties.

• With Waqf Administrators or Beneficiaries: For accurate record-keeping, transparency, or acknowledgment. Where this includes personal data (e.g., your name on a dedication), it will be done with your consent or as per your request.
• With Service Providers (Data Processors): We use third-party service providers (e.g., payment gateways, cloud storage, and communication systems) who process data on our behalf. These parties are our Data Processors and are bound by strict contractual Data Processing Agreements (DPAs) that require them to protect your data and only use it for the purposes we instruct.
• With Regulators or Law Enforcement: When required by applicable law, a valid court order, or to protect our rights and the safety of others.
• With Our Affiliates: For internal administration, provided equivalent data protection safeguards are in place.

6. Data Retention

We retain your data only for as long as is strictly necessary to:

• Fulfill the purposes outlined in this Policy;
• Comply with statutory, legal, or accounting obligations (e.g., financial records); and
• Preserve the integrity of Waqf records.

When your data is no longer needed, we either securely delete or anonymize it in line with NDPA and GDPR standards. While specific periods are not listed here, they are defined in our internal data retention policy.

7. Data Security

We implement robust technical and organizational security measures to protect your data, including:

• End-to-end encryption of data in transit (e.g., SSL/TLS).
• Secure, PCI-DSS compliant payment gateways.
• Multi-factor authentication for sensitive operations.
• Restricted access controls, ensuring only authorized personnel can access personal data.
• Regular security training for our staff.

While we take all reasonable steps to protect your information, no online system is entirely secure. You share information with us at your own risk.

8. Your Data Protection Rights

Under the NDPA 2023 and, if you are in the European Economic Area (EEA), the GDPR, you have specific rights over your personal data. These include the right to:

• Access: Request access to the personal data we hold about you.
• Rectification (Correction): Request correction of inaccurate or incomplete data.
• Erasure (Deletion): Request the deletion of your information, subject to certain legal exceptions (e.g., where we must keep it for legal or accounting purposes).
• Withdraw Consent: Withdraw your consent at any time for any processing that is based on consent.
• Restriction: Request that we restrict certain uses of your data.
• Object to Processing: Object to our processing of your data, particularly where we rely on “Legitimate Interest” as our legal basis.
• Data Portability: Request the transfer of your data to another service in a structured, machine-readable format.
• Lodge a Complaint:
• In Nigeria: You have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) if you believe your rights have been violated.
• In the EEA: You have the right to lodge a complaint with the data protection Supervisory Authority in your country of residence.

To exercise any of these rights, please contact our Data Protection Officer using the details in Section 13.

9. Cookies and Tracking Technologies

Our Platform uses cookies and similar technologies. A cookie is a small file placed on your device.

• Strictly Necessary Cookies: These are essential for the Platform to function (e.g., to process your donation or keep you logged in). They do not require your consent but we inform you of their use.
• Analytical/Performance & Marketing Cookies: These are non-essential and help us understand how users interact with our site, improve our services, and provide relevant information.
• Your Consent: We will only use non-essential cookies if you provide your explicit, opt-in consent via our cookie consent banner. You can manage or withdraw your cookie consent at any time through our cookie settings panel or your browser settings. Disabling some cookies may affect the Platform’s functionality.

10. Cross-Border Data Transfers

We are a Nigerian organisation, but we use global service providers (e.g., cloud servers). This means your data may be transferred or stored outside Nigeria or, if you are in the EEA, outside the EEA.

When we conduct such transfers, we ensure your data is protected by implementing lawful safeguards as required by the NDPA and GDPR. These safeguards include:

• Transferring to countries deemed to have adequate data protection laws by the Nigeria Data Protection Commission or the European Commission (Adequacy Decisions).
• Using specific contracts approved for this purpose, such as the Standard Contractual Clauses (SCCs).

11. Children’s Privacy

Our services are intended for users aged 18 and above. We do not knowingly collect personal information from minors. For users in the EEA, the digital age of consent is 16 (or as low as 13, depending on the member state). If you believe a child’s data has been submitted to us, please contact us immediately for its prompt removal.

12. Changes to This Policy

We may update this Privacy Policy periodically to reflect operational, legal, or technological changes. When we make material updates (e.g., change how we use your data), we will notify you through the App, website, or email. Where required by law, we will seek your consent for these changes.

13. Contact Us & Data Protection Officer

If you have any questions, complaints, or requests regarding this Privacy Policy or our data practices, please contact our Legal Advisers who is responsible for overseeing our data protection compliance.

Attention: The Metropolitan Law Firm

Email: consult@metlawfirm.com

Phone: +2349095533128

Address: Block A3, Phase II, Sani Zangon Daura Estate, Kado, Abuja, Federal Capital Territory, Nigeria.