Legal

Privacy Policy

Effective 2026-05-27 · Version v1.0-draft

Reviewed-by-counsel-required

This Privacy Policy is a comprehensive draft prepared as a starting point. It must be reviewed and customised by a qualified Nigerian (and, if expanding to the UK/EU, English) solicitor with privacy-law expertise before TCWS goes live or collects any personal data.

This Privacy Policy explains how TheCupWeShare ("TCWS", "we", "us", "our") collects, uses, shares, retains, and protects personal data when you visit our website, apply for or hold a membership, attend Gatherings, purchase Provisions, contribute to Causes, or otherwise interact with us. It also explains your rights under the Nigeria Data Protection Act 2023 and Nigeria Data Protection Regulation 2019 (collectively, "NDPR"), the EU General Data Protection Regulation ("GDPR") for visitors and members in the EU/EEA/UK, and the California Consumer Privacy Act / CPRA ("CCPA") for California residents.

1. Who We Are & Contact

Data Controller. TheCupWeShare Limited, a company registered in Nigeria with registered office in Lagos, is the data controller for personal data processed in connection with the Service.

Contact.

2. Data We Collect

We collect and process the categories of personal data set out in the table below. We aim to collect the minimum necessary for the purposes described in §3.

| Category | Examples | Source |
|---|---|---|
| Identity | Full name, preferred name, date of birth (for 18+ verification), profile photo | From you |
| Contact | Phone number (for OTP login), email address, city, neighbourhood (optional) | From you |
| Application essays | Free-text answers to application questions about your hopes, life stage, and reason for applying | From you |
| PIL profile (Personal Identity Layer) | Self-described identity, interests, values, life chapter, conversation comfort preferences | From you |
| Safety Net contacts | Names, phone numbers, relationships of up to five trusted contacts | From you (you must have authority to share these) |
| Journal entries | Private notes, reflections, post-Gathering thoughts | From you |
| Voice transcripts | Recordings shared as "voices", text transcripts derived from them | From you |
| Location & check-ins | City, Gathering venue check-ins, carpool pickup/drop-off addresses (geocoded) | From you |
| Payment metadata | Transaction IDs, amounts, currencies, card brand, last-4 of card, billing country — not full card numbers | Payment processors (Paystack / Stripe) |
| Device & usage | IP address (truncated for analytics), browser type, OS, app version, session timestamps, feature interactions, push-subscription IDs | Automatically |
| Communications | Direct messages with other Members, support tickets, emails to staff | From you |

We do not knowingly collect data from anyone under 18. We do not collect government ID numbers (e.g., BVN, NIN). We do not collect biometric identifiers.

3. How We Use Your Data & Legal Basis

We use your data for the following purposes, relying on the legal bases set out below.

  • Provide and operate the Service — including account creation, OTP authentication, placement into a Circle, hosting Gathering RSVPs, generating QR passes. Legal basis: performance of a contract (NDPR §11(2)(b); GDPR Art 6(1)(b)).
  • Process payments — including memberships, tickets, Provisions orders, Causes donations. Legal basis: performance of a contract; legal obligation (financial record-keeping).
  • Personalise placement and content — using PIL profile + application essays to suggest a Circle and prepare facilitator briefings. Legal basis: legitimate interest in providing a quality community; you may object (see §7).
  • Send transactional and service emails — including OTP codes, RSVP confirmations, payment receipts, weekly digests, account notices. Legal basis: performance of a contract; legitimate interest.
  • Run the Safety Net feature — storing your trusted contacts and exposing them, under audited break-glass conditions, to a designated admin in case of welfare-concern emergencies. Legal basis: explicit consent at the time of adding each contact; vital interests (NDPR §11(2)(d); GDPR Art 6(1)(d) and Art 9(2)(c)) for emergency access.
  • Improve the Service — using aggregated, de-identified analytics to understand how features are used. Legal basis: legitimate interest; for cookie-based analytics, consent.
  • Protect the Service and Members — detecting fraud, abuse, harassment, and breach of these Terms. Legal basis: legitimate interest; legal obligation.
  • Marketing (opt-in only) — newsletter and campaign emails (separate from transactional). Legal basis: consent; withdrawable at any time.
  • Comply with legal obligations — including tax, accounting, and lawful requests from regulators or law-enforcement. Legal basis: legal obligation.

4. Sharing & Third-Party Processors

We share your data only with the processors listed below, and only as needed to operate the Service. Each is contractually required to protect your data and use it solely on our instructions.

| Processor | Purpose | Region |
|---|---|---|
| Supabase, Inc. | Database, authentication, file storage, realtime events | EU (Frankfurt) for production; US fallback |
| Paystack Payments Ltd. | NGN payments | Nigeria |
| Stripe, Inc. | FX payments (where applicable) | US / Ireland |
| Resend, Inc. | Transactional and digest email delivery | US |
| Anthropic, PBC | AI-assisted placement notes, facilitator briefings, archive insights, voice transcription (where the option is selected) | US |
| PostHog, Inc. | Product analytics (gated by consent — see §8) | US |
| OpenStreetMap (Nominatim) | Address geocoding for carpool routing | EU |
| Expo Application Services / VAPID Web Push | Mobile and web push-notification delivery | US / Global |
| Vercel, Inc. | Web hosting and edge function execution | Global edge network |
| Upstash, Inc. | Rate-limiting and ephemeral cache | US / EU |
| Sentry | Error monitoring | US / EU |

We do not sell personal data. We do not share data with advertising networks. We do not engage in cross-context behavioural advertising. We do not share Safety Net contacts with any third party (see §10).

We may disclose data when legally required (e.g., subpoena, court order), when investigating misconduct, or as part of a corporate transaction (in which case we will notify Members in advance).

5. International Transfers

TCWS operates in Nigeria. Some of our processors are based in the United States, the European Union, or other jurisdictions. Where we transfer your data outside Nigeria or the EEA/UK, we rely on appropriate safeguards including:

  • European Commission Standard Contractual Clauses (SCCs);
  • UK International Data Transfer Addendum (IDTA);
  • NDPR-compliant data-transfer agreements;
  • adequacy decisions where available;
  • explicit consent where no other lawful basis applies.

You may request a copy of the safeguards in place for any specific transfer by emailing privacy@thecupweshare.com.

6. Retention

We retain personal data only as long as necessary for the purposes for which it was collected, subject to legal obligations.

  • Account data: for the life of your account, plus 90 days post-termination (to allow for reactivation).
  • Application data (declined): 12 months from decision date, then deleted.
  • Payment records: 7 years (Nigerian tax and accounting law).
  • Journal entries, voices, PIL profile: until you delete them or close your account, whichever is sooner.
  • Safety Net contacts: until you remove them or close your account; immediately deleted on account closure.
  • Break-glass audit log: 7 years (immutable record of admin access for accountability).
  • Communications with support: 24 months.
  • Analytics events: 24 months in identifiable form; aggregated thereafter.
  • Backups: rolling 35-day backup retention; deleted records persist in backups until naturally aged out.

7. Your Rights (NDPR · GDPR · CCPA)

Depending on your jurisdiction, you have some or all of the following rights. We honour these rights for all Members regardless of jurisdiction, except where doing so conflicts with legal obligation.

| Right | NDPR | GDPR | CCPA |
|---|---|---|---|
| Access (know what we hold) | Yes | Yes | Yes |
| Rectification (correct errors) | Yes | Yes | Yes |
| Deletion / erasure | Yes | Yes | Yes |
| Portability (machine-readable export) | Yes | Yes | Yes |
| Restriction of processing | Limited | Yes | Limited |
| Objection (incl. to profiling) | Yes | Yes | Yes |
| Withdraw consent | Yes | Yes | n/a |
| Opt-out of "sale" / sharing | n/a | n/a | Yes (TCWS does not sell) |
| Non-discrimination | n/a | n/a | Yes |
| Lodge complaint with regulator | NDPC | Lead SA / ICO | CPPA |

TCWS does not "sell" personal data as defined under CCPA, and we do not engage in cross-context behavioural advertising. Nevertheless, you may submit an opt-out request and we will honour it.

To exercise any right, see §16. We will respond within 30 days (NDPR / GDPR) or 45 days (CCPA).

8. Cookies & Similar Technologies

We use a minimal set of cookies and similar technologies. The marketing site shows a consent banner; analytics cookies are only set after you click "Accept".

  • sb-access-token / sb-refresh-token (Supabase Auth) — HttpOnly, Secure session cookies for authentication; duration: session + 7 days refresh; strictly necessary.
  • tcws_consent_v1 (LocalStorage) — remembers your cookie consent choice; duration: 13 months; strictly necessary.
  • ph_* (PostHog) — analytics; duration: up to 12 months; only set if you consent.
  • push_subscription_id (Push subscription) — identifier for your push-notification endpoint; duration: until you unsubscribe.

You can withdraw analytics consent at any time via the cookie banner's "Manage" option or by clearing site storage. PostHog will not initialise without your consent.

9. Children

TCWS is for adults aged 18 and over. We do not knowingly collect data from anyone under 18. If we learn that we have collected data from a minor, we will delete it as quickly as possible. If you believe a minor has provided us data, please email privacy@thecupweshare.com. We comply with the UK Children's Code (Age Appropriate Design Code) and the US Children's Online Privacy Protection Act (COPPA) by enforcing an 18+ age gate; minors are removed on discovery.

10. Safety Net & Break-Glass Access

Safety Net contacts are among the most sensitive data we hold. Access controls reflect this.

  • By default, only you can read your Safety Net contacts.
  • A designated TCWS administrator may use break-glass access to read these contacts only under documented welfare-concern conditions (e.g., a credible report of self-harm risk, or after a Gathering at which you appeared in distress and did not respond to follow-up).
  • Every break-glass event is recorded in an immutable audit log, including the admin identity, timestamp, brief reason, and the contact rows read.
  • You will be notified by email and in-app within 72 hours of any break-glass access to your Safety Net.
  • The break-glass audit log is retained for 7 years.
  • You may opt out of the Safety Net feature entirely from settings, in which case nothing is stored and no break-glass access is possible.

11. Voice & Recording

Voice messages ("voices") you share through the Service are transcribed for accessibility and search. Transcription is performed either on-device (where the platform supports it) or by Anthropic's API under a data-processing addendum that prohibits Anthropic from training models on your data. Voice recordings and transcripts are stored only as long as you keep them on your profile; you may delete any voice at any time, and deletion propagates to backups within 35 days.

Recording of other Members is prohibited (see Terms §6.4). Anything you share within a Circle is intended for that Circle only.

12. Security

  • All data in transit is encrypted using TLS 1.2+ / HTTPS.
  • All data at rest is encrypted by Supabase's database storage layer.
  • Row-Level Security (RLS) is enabled on every table, enforcing that one Member cannot read another's private data.
  • The service-role key bypasses RLS and is restricted to a small set of administrative server-side actions, each individually audited.
  • Secrets are rotated periodically and on personnel changes.
  • Access to production data is restricted to named administrators with two-factor authentication.
  • We perform regular dependency-vulnerability scans and patch high-severity CVEs within 14 days of disclosure.

No system is perfectly secure. If you discover a vulnerability, please report it responsibly to security@thecupweshare.com.

13. Data Breach Notification

In the event of a personal-data breach likely to result in a risk to your rights and freedoms, we will:

  • Notify the Nigeria Data Protection Commission (NDPC) within 72 hours of becoming aware, as required by the Nigeria Data Protection Act.
  • Notify the relevant EU/UK supervisory authority within 72 hours where GDPR applies.
  • Notify affected Members directly without undue delay, describing the nature of the breach, the data involved, the likely consequences, and the steps we are taking.
  • Cooperate with affected Members and regulators to mitigate harm.

14. Automated Decision-Making

We use AI (Anthropic Claude) to assist with: suggesting which Circle to place an applicant into, generating facilitator briefings, and producing reflection summaries ("archive narrator").

These AI outputs are advisory only. A human administrator reviews and approves every applicant placement, and no AI-generated content is published to your Circle without your facilitator's review. You have the right to:

  • Receive an explanation of the role AI played in any decision affecting you;
  • Request that any AI-assisted decision be reviewed by a human (we will respond within 30 days);
  • Object to AI-assisted personalisation features — in which case you will still be placed and briefed, but without AI-derived inputs.

15. Changes to This Policy

We may update this Policy from time to time. For material changes, we will notify you by email and via a prominent banner in the Service at least 14 days before the new version takes effect. Continued use of the Service after that date constitutes acceptance. Previous versions of this Policy are archived and available on request.

16. How to Exercise Your Rights

You can exercise most rights directly from your account:

  • Export your data: visit Settings in the member app, then "Download my data". We deliver a JSON file containing all data associated with your account.
  • Delete your account: visit Settings → Delete my account. This permanently deletes your account and associated personal data, subject to the legal retention schedule in §6.
  • Correct your data: edit your profile, PIL, or Safety Net contacts from settings at any time.
  • Manage marketing consent: toggle "Newsletter" in settings.
  • Manage analytics consent: use the cookie banner's "Manage" option on any marketing page.

For any other request, email privacy@thecupweshare.com or dpo@thecupweshare.com. We may ask you to verify your identity before processing. We will respond within 30 days (45 days for CCPA), or notify you of an extension where the request is complex.

Right to complain. If you believe we have not adequately responded, you may complain to:

  • Nigeria: Nigeria Data Protection Commission (NDPC), ndpc.gov.ng.
  • UK: Information Commissioner's Office (ICO), ico.org.uk.
  • EU/EEA: your local data-protection supervisory authority.
  • California: California Privacy Protection Agency (CPPA), cppa.ca.gov.

Effective Date: 2026-05-27 · Version v1.0-draft · Draft pending counsel review.