Privacy Policy
Last updated: May 2026 – effective immediately
At Kistoria, your privacy is a priority. This Policy explains what personal data we collect, why we collect it, how we use it, and what rights you have over it. We are committed to complying with the Nigeria Data Protection Act (NDPA), the South African Protection of Personal Information Act (POPIA), and the General Data Protection Regulation (GDPR) as it applies to users in the European Union.
01 Who We Are
Kistoria is the controller of your personal data. Contact us with any privacy questions.
Kistoria ("we," "us," or "our") is the data controller responsible for your personal data. We operate the Kistoria platform, a creative community for bloggers, artists, podcasters, and creators across Africa and beyond.
Contact: privacy@kistoria.com – for all privacy-related enquiries, data access requests, or complaints.
02 Data We Collect
We only collect data that is necessary to run the platform and serve you well. Here is exactly what and why.
The following table sets out every category of personal data we collect, the specific purpose, and the legal basis under which we process it:
| Data Category | Purpose | Legal Basis |
|---|---|---|
| Name, username, email | Create and manage your account | Contract performance |
| Date of birth, gender | Age verification and personalisation | Contract performance |
| Profile picture, bio, social links | Build your public creator profile | Contract performance |
| Password (stored only as a one-way cryptographic hash) | Authenticate your account | Contract performance |
| Content you publish (posts, gallery, shorts, podcast, shop listings) | Display your content to other users | Contract performance |
| Content you publish | Generate AI summaries and SEO descriptions (optional feature, processed on our own servers – see Section 8) | Legitimate interest; you may opt out |
| Purchase history, wallet balance, transactions | Process payments and maintain financial records | Contract performance; legal obligation (7-year retention) |
| IP address, device type, browser, OS | Security, fraud prevention, and abuse detection | Legitimate interest |
| Email address | Transactional emails (verification, password reset, purchase receipts) | Contract performance |
| Email address | Newsletter and marketing emails | Consent (you may unsubscribe at any time) |
| Google account ID and verified email (if you use Google Sign-In) | Authenticate via Google OAuth | Contract performance |
| Session cookies (strictly necessary) | Keep you logged in during your session | Strictly necessary – no consent required |
| Analytics cookies (if you consent) | Understand how the platform is used and improve it | Consent (you may withdraw via cookie settings) |
| Error and crash data | Diagnose and fix bugs via our error-monitoring provider | Legitimate interest |
We do not collect sensitive categories of data (health, religious beliefs, political opinions, sexual orientation) unless you voluntarily include such information in public content you create, in which case you consent to its publication.
03 How We Share Your Data
We do not sell your data. We share it only with the service providers we need to run the platform, and we name them all here.
Kistoria does not sell, rent, or trade your personal data to third parties for marketing purposes. We share data only with the following named service providers ("data processors"), each of whom is bound by appropriate data protection agreements:
Our cloud hosting provider: Hosting of the Kistoria platform and the storage of your account, content, and transaction data
Our caching infrastructure provider: In-memory caching and background job queuing for platform performance
Our payment processor (Paystack): Payment processing for shop transactions and wallet top-ups. They handle your payment card data under PCI-DSS standards. Kistoria never stores your card numbers.
Google LLC: Google OAuth for Sign in with Google. Google receives your Google account ID and verified email at the time of authentication.
Our error-monitoring provider: Crash and error diagnostics. May receive your IP address and limited request data in error reports. No content or account passwords are transmitted.
Our email delivery service (SMTP): Delivery of transactional emails (verification, password reset, receipts). Your email address is shared for delivery purposes only.
We may also disclose your data if required by law, court order, or government authority, or to protect the rights, property, or safety of Kistoria, our users, or the public.
04 Cookies
We use strictly necessary cookies to keep you logged in. We only use analytics cookies if you say yes.
Cookies are small files stored in your browser. We use:
- Strictly necessary: Authentication session cookies (HttpOnly, Secure) that keep you logged in. These cannot be disabled as the platform cannot function without them. They require no consent.
- Analytics (optional): Used only if you accept via the cookie consent banner on your first visit. These help us understand how the platform is used. You may withdraw consent at any time via the cookie settings link in our footer.
We do not use third-party advertising cookies or tracking pixels from social media networks without your explicit consent.
05 How Long We Keep Your Data
We keep your data only as long as we need to. Here are the specific timeframes.
| Data Type | Retention Period |
|---|---|
| Account data (name, email, profile) | Retained while your account is active. Deleted within 30 days of account closure on request. |
| Content you publish | Retained while published. Deleted within 30 days of user-initiated removal. |
| Transaction and payment records | 7 years (Nigerian tax and financial legal obligation). |
| Security logs (login attempts, IP) | 90 days. |
| Password reset and verification tokens | 1–24 hours (single-use; expire automatically). |
| Newsletter subscription | Until you unsubscribe. |
| Error/crash reports | 90 days. |
| Analytics data (if consented) | 13 months rolling. |
06 Your Rights
You have real rights over your data. Here is what you can ask us to do, and how.
Under Nigerian NDPA, South African POPIA, and GDPR (as applicable), you have the right to:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Ask us to correct inaccurate or incomplete data.
- Erasure: Ask us to delete your data ('right to be forgotten'), subject to our legal retention obligations.
- Portability: Receive your data in a structured, machine-readable format.
- Restriction: Ask us to pause processing of your data while a dispute is resolved.
- Objection: Object to processing based on legitimate interest.
- Withdraw consent: Withdraw any consent you have given (e.g., newsletter, analytics) at any time without affecting the lawfulness of processing before withdrawal.
To exercise any of these rights, contact us at privacy@kistoria.com. We will respond within 30 days. Where we cannot fulfill a request (e.g., due to legal retention obligations), we will explain why.
You also have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) or, for South African users, the Information Regulator of South Africa.
07 Data Security
We use industry-standard technical and organisational measures to protect your data.
We implement the following security measures:
- Passwords are hashed using a strong, industry-standard one-way algorithm – never stored in plaintext
- Authentication sessions use short-lived access tokens and long-lived session cookies marked HttpOnly and Secure
- HTTPS enforced on all connections with HTTP Strict Transport Security (HSTS)
- Session tokens are cryptographically hashed before storage; reuse of invalidated tokens is detected and triggers automatic session termination
- Sessions are invalidated immediately on password change and other security-relevant account events
- Payment data handled exclusively by PCI-DSS-compliant processors – Kistoria never stores card numbers
- Database and infrastructure access restricted to application servers via private networking, not publicly accessible
- Automated rate limiting and brute-force protection on all authentication endpoints
Data breach response: In the event of a breach that risks your rights and freedoms, we will notify the NDPC within 72 hours of discovery and inform affected users without undue delay, including the nature of the breach, what data was affected, and steps we are taking.
08 AI Features
Our AI features run entirely on Kistoria's own servers. Your content is never sent to any external AI company.
Kistoria offers optional AI-powered features including AI-generated content summaries and SEO descriptions for blog posts. These features are powered by AI models running on Kistoria's own secure infrastructure.
What this means for your privacy:
- Your content is processed entirely within Kistoria's own secure infrastructure – it is not sent to any external AI provider for processing.
- Your content is not used to train AI models. The AI processes your content in real-time to generate the output and does not retain or learn from it.
- AI summaries and SEO descriptions are generated automatically when you publish or edit a post. You may request removal by contacting us.
AI moderation is also used to help review comments for harmful content. This processing is based on our legitimate interest in maintaining a safe community.
09 International Data Transfers
Your data may be stored on servers outside Nigeria. We ensure it is protected wherever it goes.
Kistoria's infrastructure may store or process data in countries outside Nigeria, including within the European Economic Area or the United States (for example, our hosting and error-monitoring providers). Where data is transferred outside Nigeria, we ensure that appropriate safeguards are in place in compliance with the NDPA, including standard contractual clauses, adequacy decisions, or equivalent protections recognised by the Nigeria Data Protection Commission.
10 Children's Privacy
Kistoria is not intended for children under 13. We do not knowingly collect data from minors.
Kistoria is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If we become aware that we have collected data from a child under 13 without parental consent, we will delete that data promptly. If you believe a child under 13 has provided us with personal data, please contact us at privacy@kistoria.com.
11 Changes to This Policy
We will tell you when this Policy changes and what changed.
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and update the "Last updated" date at the top of this page at least 30 days before the changes take effect. We encourage you to review this Policy periodically. Your continued use of Kistoria after the effective date of any change constitutes acceptance of the updated Policy.
12 Contact & Complaints
Questions or concerns? We are here to help. Regulators are also an option.
For any privacy questions, data requests, or complaints, contact our Privacy team at privacy@kistoria.com. We aim to respond within 30 days.
If you are not satisfied with our response, you have the right to complain to the relevant supervisory authority:
- Nigeria: Nigeria Data Protection Commission (NDPC) – ndpb.gov.ng
- South Africa: The Information Regulator – inforegulator.org.za
- European Union: Your local Data Protection Authority
This policy covers the Kistoria platform at kistoria.com. Also see our Terms and Conditions.
© 2026 Kistoria. All rights reserved.