Privacy policy

1. Who we are

odata.ng ("we", "us", "our") operates the website at https://odata.ng, our mobile applications, and the public REST API at https://www.odata.ng/api. We provide a wallet you can fund and use to buy mobile data, airtime, electricity tokens, cable TV subscriptions and education pins — either from a dashboard or programmatically from your own application.

This policy applies to everyone who uses our website, app or API. Questions? Reach us at support@odata.ng.

2. Information we collect

We deliberately keep the data we collect small. The only personal data we ask for at signup is:

• Your full name (used as the account name on your funding virtual accounts).
• Your Nigerian phone number (used as your sign-in identifier and on delivery confirmations).
• The state you live in.
• A password, which we store only as a one-way bcrypt hash — we never see your plaintext password.

Once your account is created we also generate and store:

• A unique API token you can use to call the API from your own applications.
• One or more virtual bank account numbers issued by our payment partners (PaymentPoint for PalmPay accounts, Zainpay for Zain MFB accounts) so you can fund your wallet by bank transfer.
• A record of every transaction you make on the platform (data, airtime, bill payments, cable subscriptions, education pins, wallet credits and debits).

For security and abuse prevention we also keep technical records:

• The IP address of failed login attempts (kept long enough to enforce rate limits).
• A session cookie (ODATASESS) — strictly necessary to keep you signed in.
• Standard server logs (timestamp, request path, response code).

We do not collect your email address, BVN, NIN, date of birth, gender, address, photo, contacts, location or any device identifiers beyond what the browser exposes in its request headers.

3. How we use your information

We use the information above only to operate the service:

• To fulfil your purchases. When you buy data or airtime we forward the request to the upstream network operator via our delivery partners.
• To credit your wallet when you transfer money into one of your virtual accounts.
• To send transactional notifications about your purchases or deposits.
• To prevent abuse. Failed login attempts are throttled per phone number.
• To respond to support requests when you email us.
• To comply with applicable Nigerian law, including responding to lawful requests from regulators.

We do not sell your data, we do not show third-party advertising, and we do not profile you for marketing.

4. Who we share information with

To deliver the service we share the minimum information needed with the following categories of processors:

• Delivery partners. When you buy data, airtime or bill payments we send the destination phone or meter number and the plan id to upstream vending partners so they can fulfil the request. We do not share your name, password or wallet balance with them.
• Virtual account providers. To issue funding accounts we share your name and phone number with PaymentPoint (for PalmPay accounts) and Zainpay (for Zain MFB accounts).
• Payment networks and banks. When someone sends money to one of your funding accounts, the originating bank shares the sender's name and account with us via the virtual account provider so we can show it on your statement.
• Hosting providers. Our servers are hosted in Nigeria; standard server logs sit on that infrastructure.

We may also disclose information when required by law (court order, regulator request, fraud investigation).

5. Security

We protect your account with the following measures:

• Passwords are stored as bcrypt hashes; we cannot read them even on request.
• Sessions are HttpOnly, SameSite=Lax cookies sent only over HTTPS.
• The site runs on HTTPS-only with HSTS enabled.
• Failed login attempts are rate-limited per phone number.
• Wallet credits flow through an idempotency gate so a provider retry can never credit the same deposit twice.
• Wallet debits hold a per-user advisory lock for the duration of the purchase so two parallel requests can't double-spend.

No system is perfectly secure. If you believe your account has been compromised, email us at support@odata.ng immediately.

6. How long we keep your data

We keep your account record and transaction history for as long as your account exists, so that you can audit your own spending. Failed-login records are kept for a short rolling window (long enough to enforce rate limits). On account deletion we remove your name, phone, password hash and API token, and we anonymise your transaction history (we keep the numerical record for our books but not the personal identifiers).

7. Your rights

You can:

• Access the data we hold about you (your dashboard shows your account, wallet history and active transactions; ask us if you want anything else in writing).
• Correct your full name or state at any time from the dashboard.
• Rotate your API token from the dashboard.
• Delete your account by emailing support@odata.ng with a request from the phone number associated with the account.

8. Cookies

We use one strictly-necessary cookie (ODATASESS) to keep you signed in. We do not use analytics, advertising or third-party tracking cookies.

9. Children

odata.ng is intended for users 18 years or older. We do not knowingly collect data from anyone under 18. If you believe a minor has signed up, email us so we can remove the account.

10. Changes to this policy

We will update this page if our practices change. The "Last updated" date at the top of this page is the easiest way to tell when something changed. Material changes will also be announced inside the dashboard.

11. Contact us

If you have questions about this policy, your data, or how to exercise the rights above, email support@odata.ng. We aim to reply within one business day.