Privacy Policy
Last updated: May 10, 2026
NaijaTopup ("we", "us", "our") operates naijatopup.com and the NaijaTopup mobile/web wallet (collectively, the "Service"). This Privacy Policy explains what personal data we collect when you use the Service, how we use it, who we share it with, and the rights you have over it. We are committed to handling your data in line with the Nigeria Data Protection Act (NDPA) 2023 and the Nigeria Data Protection Regulation (NDPR).
1. Who we are
NaijaTopup is a Nigerian VTU (virtual top-up) platform that resells airtime, mobile data, cable TV subscriptions, electricity tokens, exam pins and social-media boost services. For privacy questions, contact us at support@naijatopup.ng or on WhatsApp at +2349052864128.
2. Information we collect
We only collect what we need to deliver the Service safely:
- Account details: name, email address, phone number, password (stored as a one-way hash) and a 4-digit transaction PIN (also hashed).
- Transaction details: the recipient phone number, smart-card / meter / exam-board reference, amount, network/provider, plan code, status, and any reference returned by our upstream provider.
- Wallet activity: deposits, debits, refunds, referral earnings and balance adjustments made by an admin.
- Device & usage data: IP address, browser/user-agent string and timestamps, captured at signup and on sensitive actions to detect fraud and abuse.
- Communications: messages you send us by email, WhatsApp or phone, plus delivery logs for transactional emails we send you.
- Cookies: a session cookie and a CSRF cookie are set when you sign in. We do not use third-party advertising cookies.
We do not collect your bank card numbers, BVN or NIN. Card details are handled directly by our PCI-DSS-compliant payment processors (e.g. Paystack, Monnify) and never reach our servers — we only receive a payment-status callback.
3. How we use your information
We use your data to:
- create and secure your account, and let you sign in;
- place orders with our upstream providers and credit the airtime, data, token or pin you bought;
- process wallet funding, refunds for failed transactions and referral earnings;
- send transactional emails (purchase receipts, failed-transaction alerts, password-changed alerts, wallet-funded confirmations);
- verify cable smart-cards and electricity meters before you pay;
- detect and prevent fraud, including duplicate accounts and abuse of our referral programme;
- comply with our legal and regulatory obligations in Nigeria.
We do not sell your personal information, and we do not send marketing emails without your consent.
4. Who we share information with
We share the minimum data required with these categories of recipients:
- Upstream service providers — when you buy a service we forward only the data needed to fulfil it (e.g. recipient phone number for airtime, smart-card number for cable, meter number for electricity). Our current upstreams include vtugate.com (VTU services) and resellersmm.com (social-media boost).
- Payment processors — Paystack, Monnify or other licensed Nigerian payment partners process your card or bank-transfer deposits. They receive only what is needed to take payment.
- Email delivery — outbound transactional emails are sent through our SMTP provider.
- Hosting — our website is hosted on commercial cloud infrastructure inside or outside Nigeria with industry-standard security.
- Authorities — if compelled by a valid court order, regulator or law-enforcement request in Nigeria.
We never sell, rent or trade your personal information to third parties for their own marketing.
5. International transfers
Some of our processors may store data outside Nigeria. Where that happens, we rely on contractual safeguards and the legitimate-interest / contract-performance bases under the NDPA to ensure your data continues to be protected to a comparable standard.
6. How long we keep your data
- Account data — kept while your account is open and for up to 6 years after closure, to meet financial and tax record-keeping requirements.
- Transaction records — kept for at least 6 years from the transaction date for accounting, audit and dispute-resolution purposes.
- Server logs — kept for up to 90 days for security and abuse monitoring, then rotated.
- Marketing preferences — kept until you change them.
7. How we protect your data
- Passwords and transaction PINs are stored as one-way hashes — even our staff cannot read them.
- The site is served over HTTPS with HSTS enabled.
- All requests that change account state require a CSRF token.
- Wallet debits use atomic database row locks to prevent double-spending.
- Sensitive configuration (API keys, database credentials) lives in server-side environment files that are not web-accessible.
- Failed transactions are auto-refunded to your wallet — we never silently keep your money.
No system is 100% secure, but if we ever discover a personal-data breach that is likely to put your rights at risk, we will notify you and the Nigeria Data Protection Commission (NDPC) in line with the NDPA.
8. Your rights
Under the NDPA / NDPR, you have the right to:
- access the personal data we hold about you;
- correct data that is wrong or out of date;
- request deletion of your account and data, subject to records we are legally required to keep;
- object to or restrict certain processing;
- port a copy of your data to another service in a common format;
- withdraw any consent you have previously given;
- lodge a complaint with the Nigeria Data Protection Commission at ndpc.gov.ng.
To exercise any of these rights, email support@naijatopup.ng from the address on your account. We respond within 30 days.
9. Children
NaijaTopup is not intended for children under 18. If you believe a minor has created an account, contact us and we will delete the account and any associated data.
10. Cookies
We use only the cookies needed to run the Service: a session cookie that keeps you signed in, and a CSRF cookie that protects sensitive actions. We do not use third-party advertising or cross-site tracking cookies. You can clear cookies in your browser at any time, but signing out and back in will recreate them.
11. Third-party links
Pages on the Service may link to external sites (for example, our social profiles, payment gateways or upstream provider help pages). This Privacy Policy does not apply to those sites — please review their own privacy notices.
12. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email or in-app message.
13. Contact us
Questions, concerns, or data-subject requests:
- Email: support@naijatopup.ng
- WhatsApp: +2349052864128
- Phone: +2348000000000