1. Introduction
Fetolsa LLC ("Fetolsa", "we", "us") operates Fetolsa Chat, an AI-powered ordering service that runs on top of a restaurant's existing WhatsApp Business number. This policy explains what we collect, why we collect it, how we use it, and the rights you have over your data.
Two groups of people are covered by this policy:
- Merchants — restaurant owners and staff who sign up for and operate a Fetolsa Chat account.
- Customers — people who place orders by sending WhatsApp messages to a merchant's number.
For Merchant data, Fetolsa is the data controller. For Customer order data, the Merchant is the data controller and Fetolsa is the data processor acting on the Merchant's instructions.
2. What we collect
From Merchants (at signup and during use):
- Business name, contact name, email address, phone number.
- WhatsApp Business Account ID and phone number ID (via Meta's Embedded Signup).
- Menu items, prices, photos, and operating hours that you upload.
- Payout bank account details (held by our payment processor, Paystack — Fetolsa stores only a reference, not full account numbers).
- Login credentials and session data for the merchant dashboard.
From Customers (when they message a merchant's WhatsApp number):
- WhatsApp phone number and display name.
- Message content (text, images, voice notes) sent to the merchant.
- Delivery address and location data provided to complete an order.
- Order history, item selections, and total spend with that merchant.
- Payment confirmation data from Paystack (we do not see or store card numbers).
Automatically: IP address, device type, and basic usage logs for the merchant dashboard. We do not place advertising trackers on customers' devices — they interact with Fetolsa only via WhatsApp.
3. How we use your data
| Purpose | Legal basis | Data used |
|---|---|---|
| Run the ordering bot (parse messages, confirm orders, send receipts) | Contract performance (with merchant); legitimate interest of merchant (with customer) | Customer messages, order items, phone number |
| Process payments and remit to merchants | Contract performance | Order totals, Paystack payment references, merchant bank reference |
| Improve our AI's understanding of Nigerian menu items and slang | Legitimate interest | Aggregated, de-identified message content |
| Send service emails to merchants (billing, outages, product updates) | Contract performance; legitimate interest | Merchant email and account status |
| Detect fraud, abuse, and policy violations | Legitimate interest; legal obligation | Account, payment, and message metadata |
| Comply with Nigerian tax, AML, and consumer-protection law | Legal obligation | Merchant business records and transaction logs |
We do not sell personal data. We do not use customer message content to train third-party AI models outside of our own service-improvement pipeline.
5. Data retention
| Data type | Retention period |
|---|---|
| Merchant account and billing records | Duration of subscription + 7 years (tax law) |
| Customer order history (per merchant) | Duration of merchant's account + 12 months |
| WhatsApp message logs | 90 days, then deleted or aggregated |
| AI prompt/response logs (for debugging) | 30 days |
| Marketing-site analytics | 13 months |
| Deleted account backups | Up to 30 days, then purged |
Merchants can request earlier deletion of their account data; see Section 6.
6. Your rights
Under the NDPR and NDPA, you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Request deletion of data we are not legally required to keep.
- Object to or restrict certain processing.
- Receive a portable copy of data you have provided.
- Withdraw consent where processing is based on consent.
- Lodge a complaint with the Nigeria Data Protection Commission (NDPC).
To exercise these rights, email privacy@fetolsa.app, or follow the step-by-step instructions on our Data Deletion Request page. For customer data tied to a specific merchant, we will route your request to that merchant, who is the data controller for the order relationship. We respond within 30 days.
7. International data transfers
Fetolsa is incorporated in the United States and uses cloud infrastructure that may store or process data outside Nigeria, including in the US and the EU. Where we transfer personal data of Nigerian data subjects abroad, we rely on the lawful bases permitted by the NDPA — including your consent, contract necessity, or transfer to a jurisdiction the NDPC has recognised as offering adequate protection — and we apply contractual safeguards with our processors.
8. Security
We use industry-standard measures to protect your data: encrypted connections (HTTPS/TLS), encryption at rest for databases and backups, hashed credentials, principle-of-least-privilege access for staff, audit logging, and regular review of our infrastructure. No system is perfectly secure, but we treat security incidents seriously and will notify affected merchants and the NDPC within 72 hours of confirming a breach that creates a real risk of harm.
9. Children
Fetolsa Chat is not directed to children under 13. We do not knowingly collect data from children. If you believe a child has used the service, contact us and we will delete the data.
11. Changes to this policy
We may update this policy as the service evolves. Material changes (anything affecting how data is shared, retained, or your rights) will be notified to merchants via email and to active Customers via a WhatsApp message on their next interaction. Continued use of the service after notification constitutes acceptance.
12. Contact
Privacy inquiries: privacy@fetolsa.app
Data protection officer (DPO): dpo@fetolsa.app
Principal office (mail):
Fetolsa LLC
30 N Gould St, Ste R
Sheridan, Wyoming 82801
Nigeria Data Protection Commission (NDPC): for complaints we cannot resolve. https://ndpc.gov.ng