Brunches Cafe

Legal

Privacy Policy

Last updated: June 2026

Brunches Cafe ("we", "us", "our") operates this website and our café in PSSDC Road, Encounter House, Magodo, Lagos. This Privacy Policy explains how we collect, use, store, share, and protect your personal data in line with the Nigeria Data Protection Act, 2023 (NDPA), the Nigeria Data Protection Regulation (NDPR) 2019, and other applicable Nigerian laws.

1. Data controller

The data controller is Brunches Cafe. For any privacy-related inquiry, contact us at support@brunchescafe.com or +234 913 500 1162.

2. Information we collect

  • Account details: full name, email, phone number, optional avatar.
  • Order details: items ordered, delivery address, city, landmark, notes.
  • Payment data: handled by Paystack. We store only the payment reference and status — never your card number, CVV, or PIN.
  • Loyalty data: points balance, lifetime spend, tier.
  • Communications: messages you send via our contact form or WhatsApp.
  • Technical data: device, browser, IP address, and cookies used to operate the site.

3. Lawful basis for processing

We rely on the following lawful bases under section 25 of the NDPA:

  • Contract: to fulfil your order and provide our service.
  • Consent: for marketing communications and optional loyalty features. You may withdraw consent at any time.
  • Legitimate interest: to keep our service secure and prevent fraud.
  • Legal obligation: tax, accounting, and regulatory record-keeping.

4. How we use your data

  • To process and deliver your orders.
  • To send order confirmations and delivery updates.
  • To operate our loyalty programme.
  • To respond to your enquiries.
  • To improve our menu, service, and website.
  • To comply with applicable Nigerian law.

5. Sharing your data

We share data only with trusted processors who help us run our service:

  • Paystack — payment processing (PCI-DSS certified).
  • Delivery partners — only the address details required to deliver your order.
  • Cloud hosting providers — for secure storage and operation of the platform.
  • Lawful requests — where required by a Nigerian court, the NDPC, or other competent authority.

We do not sell your personal data.

6. Data retention

We keep order and payment records for at least 6 years to comply with the Companies and Allied Matters Act (CAMA) 2020 and tax law. Account data is kept while your account is active and deleted within 90 days of a verified deletion request, except where retention is required by law.

7. Your rights under the NDPA

You have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion (subject to legal retention obligations).
  • Object to or restrict certain processing.
  • Withdraw consent at any time.
  • Receive your data in a portable format.
  • Lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng.

To exercise any of these rights, email support@brunchescafe.com.

8. Security

We use industry-standard safeguards including TLS encryption in transit, encryption at rest, role-based access controls, and Row-Level Security on our database. No system is perfectly secure; if a breach occurs we will notify you and the NDPC within 72 hours as required by the NDPA.

9. Cookies

We use essential cookies to keep you signed in, remember your cart, and operate the site. We do not use third-party advertising cookies.

10. Children

Our service is not directed at children under 13. We do not knowingly collect data from children. If you believe a child has provided us data, contact us and we will delete it.

11. Changes

We may update this policy. Material changes will be highlighted on this page. Continued use of our service after an update constitutes acceptance.

12. Contact

Brunches Cafe · PSSDC Road, Encounter House, Magodo, Lagos
Email: support@brunchescafe.com
Phone: +234 913 500 1162