Friend Indeed ("Friend Indeed", the "App") is operated by Friend Indeed Limited ("we", "us", "our"), a private company limited by shares incorporated in the Federal Republic of Nigeria with registration number [RC NUMBER] and registered office at [REGISTERED OFFICE ADDRESS, NIGERIA]. For the purposes of data-protection law, Friend Indeed Limited is the data controller of the personal information described in this policy.
You can reach our privacy team at [privacy@friendindeed.example]. Our Privacy Officer or Data Protection Officer (where one is required by applicable law) is [DPO NAME], contactable at [dpo@friendindeed.example]. See Section 26 for full contact details, including our representatives for the EU/EEA and the UK.
Friend Indeed is a private, closed-circle social notification utility. It lets a person who needs help post a request and notifies that person's mutual contacts — friends who have saved the person in their phone and whom the person has saved in return — so that those friends may choose to help, including by sending a personal gift of money directly to one another using their own external payment methods.
Global availability. Friend Indeed is available worldwide, and this Privacy Policy applies to all users globally. The general protections described in this policy apply to everyone, wherever they use the App; the country- and region-specific notices in Sections 21–24 add rights for users in those places and supplement, rather than replace, those general protections.
This policy applies to the Friend Indeed mobile applications and any related websites or support channels we operate that link to it. It does not apply to third-party services (for example, your bank, mobile-money provider, or any payment app) that you use to send or receive money — those services have their own privacy policies.
This Privacy Policy is part of, and should be read with, our Terms & Conditions, which contain binding provisions stating that Friend Indeed is not a money transmitter, does not provide escrow or wallets, does not take custody or control of funds, and strictly prohibits the solicitation or repayment of loans. The Terms & Conditions govern all use of the App and are available at [https://www.friendindeed.example/terms]. Our Community Guidelines and Safety & Fraud Policy also apply.
We practise data minimisation and collect only what the App needs to work. The categories below identify what we collect, whether it is required or optional, and why.
| Data | Required? | Why we collect it |
|---|---|---|
| Telephone number | Required | Your account identifier and login credential (verified by one-time code); used to match you with your mutual contacts, and shown on your profile to those mutual contacts (who, by definition, already have your number). |
| First name and last name | Required | So your friends can recognise who is asking for help and who is on their contact list. |
| Social-media handles | Optional | To enrich your profile so friends can recognise and connect with you. |
| Receiving account details (e.g., a bank account number or mobile-money handle) | Optional | Shown to your mutual contacts as part of your help requests (not on your profile), purely as your instruction for how they may choose to send you a gift. We do not use these details to move, process or verify any money. You are responsible for ensuring they are accurate and appropriate to share with your mutual contacts. See Sections 4 and 14. |
| Profile picture | Optional | To enhance your profile and help friends identify you. |
The specific third-party service providers and software development kits (SDKs) we use to provide, secure and analyse the App are listed in Section 10. Data these tools collect on our behalf is treated as our collection and is disclosed here and in our Google Play Data Safety form and Apple App Privacy label.
To remove any doubt about our role, we confirm that Friend Indeed does not:
The optional receiving account details you may add (Section 3.2) are stored only so they can be displayed to your mutual contacts as your instruction. They are your account details for receiving gifts — not a payment instrument we operate — and we do not use them to initiate or verify any transaction.
The heart of Friend Indeed is its closed circle: a help request is only ever shown to, and can only be answered by, your mutual contacts — people whom you have saved in your phone and who have also saved you in theirs. Strangers never see or respond to your requests.
To make this work, with your permission the App reads your device address book to identify which of your contacts also use Friend Indeed. We have engineered this to be privacy-protective:
We use a combination of automated checks and human review to keep the App safe:
We may use personal information to investigate impersonation, identity theft, fraudulent help requests, or other misuse of the platform, and we may ask you for additional information to verify your identity, investigate suspected misuse, enforce our policies, or comply with legal obligations.
Where the EU/UK GDPR or Nigeria's NDPA 2023 applies, we rely on the following lawful bases:
| Purpose | Lawful basis |
|---|---|
| Creating your account; identifying you to friends; matching; posting requests; delivering notifications; providing optional paid features | Performance of a contract with you (GDPR Art. 6(1)(b); NDPA s.25) |
| Accessing your contacts for matching; the optional email you provide via the feedback form; optional marketing; any non-essential device telemetry | Consent, which you may withdraw at any time (GDPR Art. 6(1)(a); NDPA ss.25–26) |
| Including sensitive details in a help request (e.g., financial hardship or health) | Explicit consent for special-category data (GDPR Art. 9(2)(a); NDPA s.30) — see Section 9 |
| Fraud prevention, safety, security, abuse-handling and service improvement | Legitimate interests (GDPR Art. 6(1)(f); NDPA s.25), balanced against your rights |
| Meeting legal, regulatory, safety and law-enforcement obligations | Legal obligation (GDPR Art. 6(1)(c); NDPA s.25) |
A help request inherently signals possible financial hardship, and you may choose to include health or other personal details (for example, "help with surgery costs"). Under the GDPR/UK GDPR this can be special-category data (Art. 9); under the NDPA it is sensitive personal data; and under California law it is sensitive personal information. Before you publish a request that contains health, disability, mental-health, medical, or other special-category information, we ask you to give your explicit consent through a separate, specific confirmation at the time you create the request; we do not treat the act of posting a request, by itself, as that consent. We share it only with your mutual contacts, never publicly. You can delete a request at any time, and you should include only what you are comfortable sharing with your friends. We do not use sensitive information to infer characteristics about you for advertising.
We share personal information only as described here.
Everything described here is shared only within your closed circle of mutual contacts, and is controlled by you. On your profile, your mutual contacts can see your name, telephone number, profile picture, and any social-media handles you add. When you post a help request, the request itself — together with any receiving account details you include so your friends know how to send help — is shown to your mutual contacts as part of that request (not on your profile). Your mutual contacts also see the request's status (for example, open, closed, or fulfilled) and its amounts — the amount requested, the amount gifted, and an amount still pending your acknowledgement. When a mutual contact logs a gift toward your request, the amount they log is shared with you so you can acknowledge it; until you do, it counts toward the pending total, and once acknowledged it moves into the amount gifted shown to the circle. Your other mutual contacts see only these aggregate totals — not who gifted or how much any individual gave. These figures are user-reported and are not amounts the App processes or verifies (Section 4). Your telephone number is visible only to your mutual contacts, who by definition already have it. This sharing is the core purpose of the App.
We use a limited set of service providers who process personal data only on our instructions and are bound by contract to protect it. We maintain an up-to-date list; the current categories are:
| Category | Provider |
|---|---|
| Backend hosting | Google Cloud Run (Google LLC) |
| Authentication, push notifications & file storage (profile photos, transfer proofs) | Firebase (Google LLC) |
| SMS one-time-code delivery | Termii (primary); Africa's Talking (fallback) |
| In-app purchases (Angel membership, request-extension) | Apple — App Store (iOS); Google Play (Android) |
We share your phone number with the SMS providers solely to deliver your one-time verification code. Payment for in-app purchases is handled entirely by Apple or Google; we receive only the store receipt token, never your card details.
Only in connection with optional in-app purchases, which they process. We do not receive your payment details from them.
We may disclose information to regulators, courts, or competent law-enforcement, judicial, regulatory and financial-intelligence authorities where we reasonably believe, after reviewing the request, that disclosure is required or permitted by applicable law or is necessary to prevent fraud, harm, or unlawful activity. We review legal requests and disclose information only to the extent we reasonably believe is lawful.
If we are involved in a merger, acquisition or asset sale, subject to this policy and applicable law.
We are based in Nigeria and use Google Cloud (Cloud Run) and Firebase (Google LLC) to store and process your information, which may be hosted in [HOSTING REGION(S)]. This means your information may be transferred across borders, including outside Nigeria, the EEA and the UK, where data-protection laws may differ and where it may, in some circumstances, be accessible to foreign authorities under local law.
When we transfer personal information internationally we use appropriate safeguards, including:
You may request a copy of the relevant safeguards using the contact details in Section 26.
We keep personal information only as long as needed for the purposes in this policy:
We use appropriate technical and organisational measures to protect personal information, including one-way hashing (SHA-256) of contact telephone numbers on your device, TLS/HTTPS for data in transit, on-device protections (a hashed PIN and an optional biometric lock), access controls and least-privilege permissions, monitoring and logging, and secure, reputable cloud infrastructure. No method of transmission or storage is completely secure, however, and we cannot guarantee absolute security.
Data breaches. We maintain a data-breach response process and will notify you and the relevant supervisory authority within the timeframes required by law — for example, within 72 hours of becoming aware of a notifiable breach for the supervisory authority under the GDPR/UK GDPR (Arts. 33–34), and as required under the NDPA (ss.39–40) and PIPEDA.
Receiving account details. The optional receiving account details you provide are displayed to your mutual contacts as text instructions. While we protect this data with the measures above, you are responsible for verifying a recipient's details before sending any money outside the App, and we are not liable for transfers sent to incorrect, out-of-date, or fraudulently altered account instructions.
The App itself does not rely on advertising cookies. We and our service providers use device identifiers and similar technologies within the App (for example, for authentication, push notifications, analytics and crash reporting, as listed in Section 10). Any website we operate that links to this policy may use strictly necessary and, with your consent where required, analytics cookies; where that applies, a separate cookie notice will be provided on the website.
We make these core privacy rights available to all users globally, subject to identity verification and applicable law. Region-specific detail is in Sections 21–24.
To exercise any right, contact us (Section 26) or use the in-app controls. We will verify your identity and respond within the time limits set by applicable law. You may use an authorised agent where the law allows.
You can delete your account at any time from within the App ([Settings → Account → Delete Account]); a web-based route is also available at [https://www.friendindeed.example/delete-account].
When you delete your account, we anonymise your profile rather than keep it: your first and last name are replaced with a generic label, and your phone number, profile photo, receiving/bank details and social links are removed. We permanently delete your synced contacts and friend links, your blocks, your device push tokens, your app settings and preferences, your saved requests, your notification inbox, your Angel beneficiary settings, your feedback (including any feedback email), and your on-device data (PIN, device identifier and biometric setting). We also delete your authentication account so your login cannot be reused.
We retain, in anonymised form, the records that other people rely on: your past help requests and the transfer history between you and the friends you transacted with, and notifications that already sit in other users' inboxes. These no longer identify you; we keep them to preserve the integrity and accuracy of those other users' records and to meet legal, tax, safety and fraud-prevention obligations.
You must be 18 or older to use Friend Indeed. We do not knowingly collect personal information from anyone under 18, regardless of any local law that may define a "child" by a younger age. If we learn that we have collected information from someone under 18, we will delete it promptly. Contact us (Section 26) if you believe a minor has provided us information.
The App's core function is to notify your mutual contacts of help requests, and to notify you of activity relevant to you, by push notification and/or SMS. By creating an account and enabling notifications you consent to receive these service messages, which are necessary to provide the App. Where required by law (including the U.S. Telephone Consumer Protection Act), we obtain your express consent before sending messages and honour opt-outs. You can control push notifications in your device settings; some service messages are essential to the App and cannot be switched off while you hold an account. Any optional marketing messages are sent only with your separate consent and you can opt out at any time.
We may restrict or refuse access to the App where required by applicable sanctions, export-control laws, or similar legal restrictions.
This section supplements our policy and applies to residents of U.S. states that have enacted comprehensive consumer-privacy laws — including California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other states as their laws take effect. It serves as our notice at collection under applicable state law.
The following applies to California residents.
| Category (Cal. Civ. Code §1798.140) | Collected | Examples |
|---|---|---|
| Identifiers | Yes | Name, telephone number, email address (only if you provide it via the feedback form), device/app identifiers, IP address |
| Customer-records information | Yes | Receiving account details you choose to add |
| Internet/network activity | Yes | App usage, diagnostics, crash logs |
| Sensitive personal information | Yes | Financial-hardship status implied by a request; any health or similar details you include |
| User content | Yes | Help-request text and images, profile picture, social handles |
| Geolocation (precise) | No | — |
| Biometric information | No | — |
Sources: you; your device; and your selections within the App. Business/commercial purposes: as in Sections 6–7. Disclosures: to the service providers and recipients in Section 10. Sale/share: we do not sell or share personal information, including sensitive personal information, for cross-context behavioural advertising, and we do not use sensitive personal information beyond the purposes permitted by the CPRA.
Your California rights: to know, to delete, to correct, to opt out of sale/sharing (not applicable as we do neither), to limit use of sensitive personal information (we already limit it), and to non-discrimination. California's "Shine the Light" law: we do not share personal information with third parties for their own direct marketing. To exercise rights, contact us (Section 26); we will verify and respond within statutory timeframes, and you may use an authorised agent.
Depending on your state of residence, you may have the right to: confirm whether we process your personal information and to access it; delete it; correct it; obtain a portable copy of it; and opt out of the "sale" of personal information, of targeted advertising, and of profiling that produces legal or similarly significant effects. We do not sell personal information, serve targeted advertising, or carry out such profiling, so these opt-outs have nothing to apply to. Where a state law requires opt-in consent to process sensitive data (for example, information about health or a request that reveals it), we obtain that consent, as described in Section 9. You also have the right to appeal a decision on your request, and the right to be free from discrimination for exercising your rights.
Other U.S. states. Residents of other states may have additional privacy rights as new state laws come into force. Where required by law, we will honour those rights and provide mechanisms to exercise them. To exercise any right, contact us (Section 26); we will verify your request, respond within the timeframe set by your state's law, allow an authorised agent where permitted, and provide an appeal route where required.
The data controller is Friend Indeed Limited (Section 1). Our lawful bases are in Section 8. You have the rights in Section 16, including to lodge a complaint with a supervisory authority. As explained in Section 7, we do not use your personal information for automated decision-making that produces legal or similarly significant effects about you without human involvement. International transfers are addressed in Section 12.
We handle personal information in accordance with PIPEDA's ten fair-information principles, including accountability, identifying purposes, consent, limiting collection/use/retention, accuracy, safeguards, openness, individual access and challenging compliance. Meaningful consent: enabling contact-matching requires your express, opt-in action; consenting to this policy does not, by itself, authorise access to your address book. Cross-border processing: as noted in Section 12, your information may be stored or processed outside Canada (for example in [HOSTING REGION(S)]) and may be subject to the laws of those countries, including lawful access by their authorities. Challenging compliance: you may direct questions or complaints to our Privacy Officer at [privacy@friendindeed.example]; if unsatisfied, you may contact the Office of the Privacy Commissioner of Canada (priv.gc.ca), and Quebec residents may contact the Commission d'accès à l'information.
We process personal data in accordance with the Nigeria Data Protection Act 2023 (NDPA) and applicable directives, and we recognise the authority of the Nigeria Data Protection Commission (NDPC). We provide the information required by s.27, rely on the lawful bases in s.25 (and, for sensitive data, s.30), and obtain consent that is informed, specific, freely given, unambiguous and withdrawable (s.26). You have the data-subject rights in s.34 and the rights of withdrawal and objection in ss.35–36. Cross-border transfers are made under ss.41–43 (Section 12), and we handle security and breaches under ss.39–40. Where we are required to appoint a Data Protection Officer or to register with the NDPC, we do so.
Friend Indeed is a social-notification platform for help between mutual contacts. It does not pool, hold, manage, invest, transmit, or control user funds, and does not operate as a regulated crowdfunding or securities offering. If you believe your data has been handled in violation of the NDPA, you may lodge a complaint with us (Section 26) and with the NDPC.
We may update this policy from time to time. We will update the "Last updated" date above and, for material changes, give you notice in the App or by other reasonable means before they take effect. Where a material change affects how we use your information in a way that requires your consent, we will ask for your renewed consent (for example, through an in-app notice requiring you to review and accept) rather than relying on continued use alone. Otherwise, continued use after an updated policy's effective date means the updated policy applies to your future use of the App, except where additional consent is required by law.
Friend Indeed Limited
Registered office: [REGISTERED OFFICE ADDRESS, NIGERIA]
Privacy team: [privacy@friendindeed.example]
Privacy Officer / Data Protection Officer (where required by law): [DPO NAME] — [dpo@friendindeed.example]
General support: [support@friendindeed.example]
EU representative (Art. 27, where required): [EU REPRESENTATIVE]
UK representative (where required): [UK REPRESENTATIVE]