PlantTogether logoPlantTogether
← Back

Privacy Policy

Effective date: 21 May 2026

PlantTogether ("PlantTogether", "we", "us", or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, share, and safeguard information when you use our website, mobile experience, and services (the "Platform").

This policy is issued in compliance with the Nigeria Data Protection Act, 2023 (NDPA), the Nigeria Data Protection Regulation, 2019 (NDPR) and its Implementation Framework, and other applicable Nigerian laws and guidelines issued by the Nigeria Data Protection Commission (NDPC). Where users are located outside Nigeria, we also aim to meet equivalent standards such as the GDPR.

1. Who we are (Data Controller)

PlantTogether is the data controller for personal data processed through the Platform. For any privacy-related question, request, or complaint, contact our Data Protection Officer (DPO) at privacy@planttogether.org.

2. Personal data we collect

2.1 Information you provide

  • Account details: name, email, phone number, password, profile photo.
  • Role-specific details: sponsor preferences, custodian application data (location, ID document, bank/payout details where applicable), NGO admin credentials.
  • Campaign content: campaign titles, dedications, messages, photos, and videos you upload.
  • Communications: messages you send to us or to other users on the Platform.

2.2 Information collected automatically

  • Device and log data: IP address, browser, operating system, timestamps, referring URLs.
  • Usage data: pages viewed, features used, interactions with campaigns and trees.
  • Location data: approximate location from IP and, where you grant permission, precise GPS for tree reporting.
  • Cookies and similar technologies (see Section 9).

2.3 Information from third parties

  • Authentication providers (e.g. Google sign-in) provide your name, email and profile picture.
  • Payment processors share transaction status and limited card metadata; we do not store full card numbers.

3. Lawful basis for processing (NDPA s.25 / NDPR 2.2)

We only process your personal data where we have a lawful basis, which may be:

  • Consent — e.g. marketing emails, optional location sharing.
  • Performance of a contract — e.g. creating your account, processing sponsorships, assigning custodians.
  • Legal obligation — e.g. tax, anti-fraud, regulatory reporting.
  • Legitimate interest — e.g. securing the Platform, preventing abuse, improving services, provided your rights do not override these interests.
  • Vital interest or public interest — in limited safety or environmental-reporting scenarios.

4. How we use your data

  • Create and manage your account and verify your identity (especially for custodians).
  • Process tree sponsorships, campaigns, and co-sponsor contributions.
  • Assign trees to custodians and track planting, growth, and survival.
  • Send transactional notifications (reports, milestones, reminders).
  • Display public impact data (e.g. tree locations on maps, campaign progress) — personal identifiers are minimised.
  • Detect, prevent, and investigate fraud, abuse, and security incidents.
  • Comply with legal, regulatory, and accounting obligations in Nigeria.
  • Improve and develop new Platform features.

5. Sharing your personal data

We do not sell your personal data. We share it only with:

  • Custodians and NGO administrators, to the limited extent needed to fulfil sponsorships (e.g. tree assignment, dedication message).
  • Service providers / data processors who help us operate the Platform — hosting, database, authentication, email, analytics, maps, and payment processing. These processors are bound by contract to protect your data and process it only on our instructions.
  • Authorities, where required by Nigerian law, court order, or a valid request from the NDPC or other competent regulator.
  • Successor entities, in the event of a merger, acquisition, or restructuring, subject to equivalent protections.

6. International data transfers

Some of our service providers (e.g. cloud hosting, authentication, analytics) are located outside Nigeria. Where we transfer personal data abroad, we rely on one of the lawful transfer mechanisms in Section 41 of the NDPA — including adequacy, contractual safeguards (standard contractual clauses), or your explicit consent — and ensure the recipient provides an adequate level of protection.

7. Data retention

We retain personal data only as long as necessary for the purposes set out in this policy, including to satisfy any legal, accounting, or reporting requirements. When data is no longer needed, it is deleted or anonymised. Indicative retention periods:

  • Active account data: for the life of your account.
  • Closed accounts: up to 24 months, then deleted or anonymised.
  • Transaction and financial records: at least 6 years (in line with Nigerian tax law).
  • Tree, GPS, and impact data: may be retained in anonymised form indefinitely for environmental reporting.

8. Your rights as a data subject

Under the NDPA and NDPR you have the right to:

  • Be informed about how your data is processed.
  • Access the personal data we hold about you.
  • Request correction of inaccurate or incomplete data.
  • Request deletion ("right to be forgotten") where applicable.
  • Restrict or object to certain processing, including direct marketing.
  • Withdraw consent at any time, without affecting prior lawful processing.
  • Request portability of data you provided to us, in a structured, machine-readable format.
  • Not be subject to solely automated decisions that significantly affect you.
  • Lodge a complaint with the Nigeria Data Protection Commission (NDPC).

To exercise any right, email privacy@planttogether.org. We will respond within 30 days as required by the NDPA.

9. Cookies and similar technologies

We use strictly necessary cookies to keep you signed in and secure the Platform, and limited analytics cookies to understand how the Platform is used. You can control cookies through your browser settings. Disabling essential cookies may break parts of the Platform.

10. Security

We apply organisational and technical safeguards aligned with the NDPA and NDPR — including encryption in transit (HTTPS/TLS), encryption at rest, role-based access control, least-privilege database policies (Row Level Security), and regular reviews. No system is perfectly secure; if we become aware of a personal data breach that is likely to harm you, we will notify you and the NDPC within 72 hours as required by law.

11. Children's data

The Platform is not directed to children under 18. We do not knowingly collect personal data from children. Where a school or guardian uses PlantTogether for educational campaigns, the responsible adult must provide and manage consent on the child's behalf.

12. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated via the Platform or by email at least 14 days before they take effect. The "Effective date" above shows the latest version.

13. Contact

Data Protection Officer
PlantTogether
Email: privacy@planttogether.org
Regulator: Nigeria Data Protection Commission — ndpc.gov.ng

Read our Terms of Service →