Privacy Policy

Last updated: 26 May 2026

CitiTasker ("we", "our", or "us") is committed to protecting your personal information. This Privacy Policy explains what we collect, how we use it, who we share it with, and the rights you have under the Nigeria Data Protection Act 2023 (NDPA) and the Nigeria Data Protection Regulation (NDPR).

If you do not agree with how we handle your data as described here, please do not use the CitiTasker platform.

1. Who we are

CitiTasker operates an online services marketplace connecting individuals and businesses ("Posters") with verified service providers ("Taskers" and "Agencies") across Nigeria. We are headquartered in Lagos, Nigeria.

You can reach our Data Protection Officer at dpo@cititasker.com for any privacy-related question.

2. Information we collect

2.1 Information you provide directly

• Account details — full name, email address, phone number, password, profile photo
• Identity verification (KYC) — National Identity Number (NIN) or Bank Verification Number (BVN), date of birth, address proof, facial biometric for liveness checks
• For Taskers and Agencies — skill categories, work history, hourly rate, service area, bank account details for payouts, agency CAC registration details (for agencies)
• Payment information — bank account number, bank name, card authorisation reference (we do not store full card numbers — these stay with our PCI-compliant payment processor Paystack)
• Task content — descriptions, photos, attachments, location data, messages exchanged with other users, dispute submissions
• Communications — support tickets, feedback, survey responses

2.2 Information collected automatically

• Device and usage data — IP address, browser type, operating system, pages visited, actions taken, timestamps
• Location data — when you grant permission, we use GPS coordinates to surface nearby Taskers or tasks
• Cookies and similar technologies — see our Cookie Policy

2.3 Information from third parties

• Verification providers — Dojah supplies NIN, BVN, facial-match, and address-verification results
• Payment processors — Paystack returns transaction outcomes, refund status, and saved authorisation tokens for recurring bookings
• OAuth providers — if you sign in with Google, we receive your email, name, and profile picture
• Referral attribution — when you sign up via a referral code, we record the referrer's identifier

3. How we use your information

We process your data to:

• Create and manage your CitiTasker account
• Verify your identity (KYC) before allowing bidding, withdrawals, or agency operation
• Match Posters with relevant Taskers using location, ratings, and trust score
• Process payments, including escrow holds, payouts, recurring auto-charges, and refunds
• Detect and prevent fraud, abuse, and Anti-Money-Laundering (AML) risk
• Provide customer support and resolve disputes
• Send transactional notifications (in-app, SMS via Termii, email via Resend)
• Improve our services through aggregated analytics
• Comply with our legal obligations under Nigerian law

We do not use your information to train AI models without your explicit consent.

4. Legal basis for processing

Under the NDPA, we rely on the following bases:

• Contract performance — to deliver the marketplace services you've signed up for
• Legal obligation — to satisfy KYC, AML, tax, and consumer-protection laws
• Legitimate interest — fraud prevention, network security, product improvement
• Consent — for marketing communications, optional location use, push notifications (you can withdraw consent any time)

5. Who we share information with

• Other platform users — Taskers see relevant Poster information when working a job, and vice versa. We never share contact information directly; messaging is moderated and on-platform.
• Service providers — Paystack (payments), Dojah (KYC), Termii (SMS), Resend (email), Cloudinary (file storage), Google (analytics, OAuth, Maps). Each provider receives only the data necessary for their function and is bound by confidentiality.
• Law enforcement and regulators — when required by court order, regulatory directive, or to defend our legal rights.
• Business transfers — if CitiTasker is acquired, merged, or restructured, your data may transfer to the successor entity under the same protections.

We do not sell your personal information to third parties.

6. International transfers

Some of our service providers (e.g., Cloudinary, Resend) are located outside Nigeria. We rely on Standard Contractual Clauses and equivalent legal safeguards to protect your data during these transfers, in line with NDPA Section 41.

7. Data retention

• Account data — retained for as long as your account is active, plus 7 years thereafter to comply with financial record-keeping obligations.
• KYC records — 5 years from your last transaction (CBN AML/CFT requirement).
• Transaction records — 7 years (FIRS tax requirement).
• Communication logs — 2 years from the related task's completion, then deleted unless required for an ongoing dispute or investigation.
• Dispute evidence — retained for the dispute's lifecycle plus 3 years.

You can request earlier deletion in cases where legal retention obligations have lapsed (see Section 9).

8. Security

We protect your data through:

• Encryption in transit (HTTPS/TLS 1.2+) and at rest (database-level encryption)
• Hashed passwords using bcrypt with 12 rounds
• Timing-safe comparison for one-time passwords
• HTTP-only cookies for authentication tokens
• Role-based access control for internal staff
• Audit logs for sensitive operations (bank account changes, withdrawals, identity updates)
• Regular vulnerability assessments

No system is perfectly secure. If we discover a breach affecting your personal data, we will notify you and the Nigeria Data Protection Commission (NDPC) within 72 hours as required by the NDPA.

9. Your rights

Under the NDPA, you have the right to:

• Access — request a copy of the personal data we hold about you
• Rectification — correct inaccurate or incomplete data
• Erasure — request deletion subject to our legal retention obligations
• Restriction — limit how we process certain data
• Portability — receive your data in a machine-readable format
• Object — to processing based on legitimate interest, including profiling
• Withdraw consent — for processing where consent was the basis
• Complaint — lodge a complaint with the Nigeria Data Protection Commission

To exercise any of these rights, email dpo@cititasker.com. We respond within 30 days.

10. Children

CitiTasker is not intended for use by anyone under 18. We do not knowingly collect data from minors. If you believe a child has provided us information, contact us and we will delete it.

11. Marketing communications

We send promotional emails and SMS only when you have opted in. Every marketing message includes an unsubscribe link or instruction. Transactional messages (payment confirmations, dispute updates, security alerts) are not marketing and cannot be turned off without closing your account.

12. Cookies

For details on the cookies and similar technologies we use, see our Cookie Policy.

13. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date and, for material changes, notify you in-app and by email at least 14 days before the change takes effect. Continued use of the platform after that date constitutes acceptance.

14. Contact us

• General privacy questions: privacy@cititasker.com
• Data Protection Officer: dpo@cititasker.com
• Postal address: CitiTasker, Lagos, Nigeria (to be updated with registered office)