Privacy Policy

1. Overview

Forj Technologies Ltd ("Forj", "we", "us", or "our") operates the Forj mobile application and associated website (collectively, the "Platform"). We are committed to protecting your personal data in accordance with the Nigeria Data Protection Regulation (NDPR) 2019, the Nigeria Data Protection Act (NDPA) 2023, and the General Data Protection Regulation (GDPR) where applicable.

This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and the rights you have regarding your data. By creating an account on Forj, you acknowledge that you have read and understood this Policy.

Our registered data controller is: Forj Technologies Ltd, Lagos, Nigeria. Our Data Protection Officer can be reached at privacy@forjapp.com.

2. Data we collect

2.1 Data you provide directly

• Account data: Your name, email address, phone number, date of birth, and password (stored as a hashed value, never in plain text).
• Profile data: Photos, biography, professional title, employer, industry, education, interests, relationship intent, and other profile fields you complete.
• Professional verification data: OAuth tokens from LinkedIn, GitHub, or Behance used to verify your professional identity. We retrieve your publicly visible professional information only; we do not post on your behalf or access your connections list.
• Communications: Messages you send to other users through the in-app messaging system. Forj does not read your messages except when investigating a report or as required by law.
• Payment data: Billing information processed by our payment provider (Paystack). Forj does not store your card numbers or bank account details — these are held by Paystack under PCI-DSS compliance.
• Support communications: Emails, in-app support tickets, and any information you provide when contacting our support team.

2.2 Data collected automatically

• Usage data: Features you use, profiles you view, matches you make, and other in-app interactions (aggregated and anonymised for product analytics).
• Device data: Device type, operating system version, app version, and unique device identifier.
• Location data: Approximate city-level location used to show you relevant matches. Precise GPS location is never collected without explicit permission.
• Log data: IP address, access timestamps, and error logs retained for security and debugging purposes.

2.3 Data from third parties

• LinkedIn / GitHub / Behance: Professional profile data (name, job title, employer, education, portfolio) obtained via OAuth when you choose to verify your profile.
• Apple / Google: If you sign up using Sign in with Apple or Google, we receive your email address and name from that provider.

3. How we use your data

We use your personal data for the following purposes:

• To provide the Platform: Creating and managing your account, generating compatibility scores and match recommendations, enabling in-app messaging, and processing Premium subscriptions.
• To verify your identity: Confirming your professional identity via LinkedIn, GitHub, or Behance OAuth to maintain the integrity of the Forj community.
• To ensure safety: Detecting and preventing fraud, fake profiles, harassment, and other prohibited behaviour. Investigating reports filed by users.
• To improve the Platform: Analysing aggregated, anonymised usage data to improve matching quality, feature design, and overall product experience.
• To communicate with you: Sending match notifications, product updates, and support responses. You can manage notification preferences in Settings.
• To comply with legal obligations: Responding to lawful requests from Nigerian authorities or courts, and maintaining records as required by Nigerian law.

4. Legal basis for processing (GDPR/NDPR)

We process your personal data on the following legal bases:

• Contractual necessity: Processing required to deliver the services you signed up for (account creation, matchmaking, messaging, billing).
• Legitimate interests: Safety monitoring, fraud prevention, analytics, and platform improvement — balanced against your privacy rights.
• Consent: Marketing communications (you may withdraw consent at any time), optional data sharing for research purposes, and precise location access.
• Legal obligation: Compliance with NDPR, NDPA, and other applicable Nigerian law.

5. Data sharing

We do not sell your personal data. We share your data only in the following limited circumstances:

• With other Forj users: Your profile information (photos, bio, profession, interests) is visible to other users in accordance with your privacy settings. Your email, phone number, and full name are never shared with other users without your explicit consent.
• With service providers: Trusted third parties who assist in operating the Platform, including Paystack (payment processing), AWS (cloud infrastructure), Firebase (push notifications), and analytics providers. All processors are bound by data processing agreements.
• For safety and legal compliance: When required to investigate serious safety incidents, respond to valid legal process, or comply with Nigerian law enforcement requests. We will notify you of such disclosures where legally permitted to do so.
• In a business transfer: If Forj is acquired, merged, or undergoes a change of control, your data may be transferred to the new entity. You will be notified before any such transfer and given the option to delete your account.

6. Data retention

We retain your personal data only as long as necessary for the purposes described in this Policy:

• Active accounts: Data is retained for as long as your account is active.
• Deactivated accounts: Profile data is retained for 90 days, after which it is permanently deleted unless required for an ongoing safety investigation.
• Deleted accounts: Your data is permanently deleted from active systems within 30 days of account deletion. Anonymised aggregate data may be retained for analytics.
• Messages: In-app messages are retained for 12 months after your last session, then deleted.
• Payment records: Transaction records are retained for 7 years as required by Nigerian financial regulations.
• Safety reports: Reports and associated data may be retained for up to 3 years to support ongoing safety investigations.

7. Security

We implement appropriate technical and organisational measures to protect your personal data:

• All data in transit is encrypted using TLS 1.3.
• All data at rest is encrypted using AES-256.
• Passwords are hashed using bcrypt with a minimum cost factor of 12.
• Authentication tokens expire after 24 hours and are rotated on each session.
• Our infrastructure is protected by Cloudflare (DDoS, WAF) and regular penetration testing.
• Access to user data within Forj is restricted to authorised personnel only, on a need-to-know basis.

While we take security seriously, no system is 100% secure. In the event of a data breach that poses a risk to your rights, we will notify affected users and the Nigeria Information Technology Development Agency (NITDA) within 72 hours, as required by the NDPA.

8. Your rights

Under the NDPR, NDPA, and GDPR (where applicable), you have the following rights regarding your personal data:

• Right of access: Request a copy of the personal data we hold about you.
• Right to rectification: Correct inaccurate or incomplete data. You can do this directly in Settings → Edit Profile.
• Right to erasure ("right to be forgotten"): Request permanent deletion of your account and all associated data. Go to Settings → Account → Delete Account, or email privacy@forjapp.com.
• Right to data portability: Request your data in a structured, machine-readable format.
• Right to restrict processing: Request that we limit how we process your data in certain circumstances.
• Right to object: Object to processing based on legitimate interests, including for marketing purposes.
• Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting prior processing.

To exercise any of these rights, contact us at privacy@forjapp.com. We will respond within 30 days. If you are unsatisfied with our response, you may lodge a complaint with the NITDA (Nigeria Information Technology Development Agency).

9. Children's privacy

Forj is intended exclusively for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If we become aware that a user is under 18, we will immediately deactivate their account and delete their data. If you believe a minor has created an account on Forj, please report it to safety@forjapp.com.

10. International data transfers

Your data is primarily stored on servers located in Africa (AWS af-south-1, Cape Town). In some circumstances, data may be processed by third-party service providers in other regions. Where such transfers occur, we ensure appropriate safeguards are in place — including standard contractual clauses and adequacy decisions where available.

11. Cookies and tracking

The Forj mobile app does not use browser cookies. The Forj website uses cookies for session management, analytics, and performance. See our Cookie Policy for full details, including how to manage your cookie preferences.

12. Changes to this Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via in-app notification and email at least 14 days before the changes take effect. Your continued use of Forj after that date constitutes acceptance of the updated Policy. The current version and effective date are always shown at the top of this page.

13. Contact us

For privacy-related questions, data subject requests, or complaints:

• Data Protection Officer: privacy@forjapp.com
• General support: support@forjapp.com
• Postal address: Forj Technologies Ltd, Victoria Island, Lagos, Nigeria

You also have the right to lodge a complaint with the Nigeria Information Technology Development Agency (NITDA) at nitda.gov.ng.