What we collect
At signup: first name, last name, email, password (hashed with bcrypt), optionally phone number, optionally referral code.
When you play: your answers, scores, time-per-question, IP address, and a device fingerprint (a SHA-256 hash of browser characteristics; we cannot reconstruct your device from this).
When you pay: Paystack transaction references and amounts, and mobile-money phone numbers if you register them for payouts. We never see your card number; Paystack handles that.
For KYC tier 2: a copy of your government ID document, stored encrypted and only accessed by reviewing admins (every access is audit-logged with the admin's identity and timestamp).
Why we collect it
- Operate the service (the obvious bit).
- Pay you winnings (account name must match bank/mobile-money account).
- Comply with anti-fraud and anti-money-laundering law (KYC at tier 2).
- Detect multi-accounting (device fingerprints).
- Send you transactional emails (verification, password reset, withdrawal status).
Who we share it with
- Paystack: for deposits and bank payouts.
- Mobile money providers (MTN, Vodafone, M-Pesa, Airtel, Orange, Telecel): only the phone number and amount, when you request a payout to that channel.
- Firebase Cloud Messaging: a token (no PII) so we can send push notifications you've subscribed to.
We do not sell your data. We do not share data with advertisers. We share with law enforcement only on a valid legal request.
How long we keep it
Account data: while your account is active, plus 7 years after closure for financial records (regulatory requirement). KYC documents: 5 years after account closure, then permanently deleted. Device fingerprints: 18 months from last use, then permanently deleted.
Your rights
You can request a copy of all data we hold on you, export of your transaction history, correction of inaccurate data, or deletion of your account. Email privacy@popquizafrica.com from your registered email address. We respond within 30 days.
Note: data we are legally required to retain (financial records, KYC, audit log) cannot be immediately deleted on request. We will retain only what law requires and delete the rest.
Cookies
We use a session cookie (POPQUIZ_SESSION) to keep you logged in. We do not use tracking cookies or third-party advertising cookies.
Security
Passwords are bcrypt-hashed. KYC documents sit outside the public webroot, served only through audit-logged admin endpoints. All traffic is over HTTPS. Two-factor authentication is available and recommended.
Contact
Data protection enquiries: privacy@popquizafrica.com
General support: help@popquizafrica.com