Data Protection and Privacy Policy

How Bash Engineering Limited collects, uses, discloses and protects your personal data.

Effective Date: 14 May 2026

Last Updated: 14 May 2026

1. Introduction

1.1 Bash Engineering Limited (“Bash”, “we”, “us” or “our”) is committed to protecting the privacy and personal data of individuals who interact with our website, mobile applications, and ticketing and event management platform (together, the “Platform”).

1.2 This Data Protection and Privacy Policy (this “Policy”) explains how we collect, use, disclose, retain and protect personal data, and sets out the rights of Data Subjects in respect of such personal data. It applies to all users of the Platform, including Ticket Buyers, Event Organisers, Vendors and visitors to our websites and applications.

1.3 This Policy has been prepared in compliance with: (a) the Nigeria Data Protection Act 2023 (the “NDPA”); (b) the Nigeria Data Protection Commission General Application and Implementation Directive, as amended from time to time (the “GAID”); (c) applicable guidelines issued by the National Information Technology Development Agency (NITDA); and (d) where applicable, the EU General Data Protection Regulation 2016/679 (“GDPR”) and the UK Data Protection Act 2018, in respect of Data Subjects located in the European Union or United Kingdom.

1.4 By accessing or using the Platform, you acknowledge that you have read, understood and agree to be bound by this Policy. If you do not agree with this Policy, please do not use the Platform.

2. Definitions

  • Data Controller means the entity which determines the purposes and means of the processing of personal data.
  • Data Processor means an entity which processes personal data on behalf of a Data Controller.
  • Data Subject means an identified or identifiable natural person to whom personal data relates.
  • Event Organiser means any person or entity using the Platform to create, promote, manage or sell tickets to an event.
  • NDPC means the Nigeria Data Protection Commission.
  • Personal Data means any information relating to an identified or identifiable Data Subject, as defined under the NDPA.
  • Processing means any operation or set of operations performed on Personal Data, including collection, recording, organisation, storage, alteration, retrieval, use, disclosure, transmission, erasure or destruction.
  • Sensitive Personal Data means Personal Data relating to race or ethnic origin, religious or political beliefs, health, sex life or sexual orientation, genetic or biometric data, trade union membership or criminal convictions.
  • Ticket Buyer means any person who purchases or attempts to purchase a ticket through the Platform.
  • Vendor means any person or entity offering goods or services to Event Organisers via the Platform’s vendor marketplace.

3. Data Controller

3.1 For the purposes of the NDPA, the Data Controller of Personal Data processed in connection with the Platform is:

  • Bash Engineering Limited
  • Email: privacy@usebash.io

3.2 Where the Platform is used by an Event Organiser to sell tickets or manage attendee data, the Event Organiser is an independent Data Controller in respect of Personal Data relating to its event attendees. In such cases, Bash processes that Personal Data as a Data Processor on behalf of the Event Organiser, subject to a separate Data Processing Agreement. In respect of account, billing, fraud-prevention and Platform-wide records, Bash remains an independent Data Controller.

4. Data Protection Officer

4.1 We have appointed a Data Protection Officer (the “DPO”) who is responsible for overseeing our compliance with this Policy and applicable data protection laws. The DPO may be contacted at:

  • Email: dpo@usebash.io

5. Categories of Personal Data We Collect

5.1 We collect and process the following categories of Personal Data:

5.2 Account and identity data

  • Full name, date of birth and gender (where voluntarily provided);
  • Email address, phone number, postal address;
  • Government-issued identification (where required for identity verification, fraud prevention or regulatory compliance);
  • Account credentials (passwords are stored in hashed form only).

5.3 Transaction and ticket data

  • Records of tickets purchased, events attended or registered for;
  • Payment-related data, which is processed by and tokenised through our licensed third-party payment partners (currently Paystack and Flutterwave). We do not store full card numbers or card verification values;
  • Billing address, transaction amount, currency, date and time of transaction, and transaction reference.

5.4 Event Organiser and Vendor data

  • Business or organisation name, registration number (e.g., RC number with the Corporate Affairs Commission), tax identification number;
  • Contact details of authorised representatives;
  • Bank account details for payout of ticket proceeds (net of commission);
  • Event information (including event name, venue, date, programme and pricing);
  • Vendor service catalogue, pricing and availability.

5.5 Technical and device data

  • IP address, device identifiers, operating system, browser type and version;
  • Approximate geographic location (derived from IP address);
  • Date and time of access, pages and features accessed;
  • Cookies and similar tracking technologies (see our Cookie Policy).

5.6 Communications data

  • Records of correspondence, support tickets, queries and feedback;
  • Responses to surveys and marketing communications.

5.7 AI features and usage data

Where we introduce AI-assisted features within the Platform (for example, event or vendor recommendations, or tools that help Event Organisers plan events), we may process your prompts, inputs and interactions with those features, the outputs generated and any associated feedback. We will not permit third-party AI systems to train their own models on your inputs unless you have provided specific, informed consent.

5.8 Sensitive Personal Data

We do not ordinarily collect Sensitive Personal Data. Where an Event Organiser requires such data for the purposes of a particular event (for example, dietary or accessibility information), we will process that data as a Data Processor on the Event Organiser’s instructions and in accordance with the NDPA.

6. How We Collect Personal Data

6.1 We collect Personal Data:

  • (a) directly from you when you register an account, purchase a ticket, list an event, list a vendor service, contact us, respond to a survey, or otherwise use the Platform;
  • (b) automatically, through cookies, log files and similar technologies, when you use the Platform;
  • (c) from third parties, including payment service providers (such as Paystack and Flutterwave), identity verification providers, fraud-prevention services, analytics providers, and social media platforms where you choose to sign in via those platforms; and
  • (d) from Event Organisers, in respect of Ticket Buyers and attendees of their events.

7. Purposes and Lawful Bases of Processing

7.1 We process Personal Data for the following purposes, relying on the lawful bases set out under the NDPA (and, where applicable, the GDPR):

7.2 Performance of a contract

To create and administer your account; process ticket purchases; deliver tickets; remit proceeds to Event Organisers (net of commission); facilitate vendor bookings; and otherwise perform our obligations under our Terms and Conditions.

7.3 Legitimate interests

To operate, improve and secure the Platform; prevent and detect fraud and abuse; conduct analytics; enforce our terms; develop, test and improve features (including AI features); and pursue lawful commercial interests, in each case where such interests are not overridden by the rights and interests of Data Subjects.

7.4 Consent

For direct marketing communications; the use of non-essential cookies; the processing of any Sensitive Personal Data voluntarily submitted by you; and any other processing for which consent is the appropriate lawful basis. You may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.

7.5 Legal obligation

To comply with applicable laws and regulations, including tax, anti-money laundering, consumer protection, financial services, cybercrime and data protection laws; to respond to lawful requests from public authorities; and to fulfil statutory reporting obligations.

7.6 Vital interests

To protect the vital interests of a Data Subject or another natural person, such as in cases of threats to life or serious harm.

7.7 Public interest

Where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, to the extent applicable.

8. Automated Decision-Making and AI Processing

8.1 Certain features of the Platform may use artificial intelligence and automated processing, including: (a) recommending events and vendors; (b) assisting Event Organisers in planning events; (c) detecting fraudulent transactions and abuse; and (d) providing customer support via automated tools.

8.2 We do not use automated decision-making (including profiling) that produces legal or similarly significant effects concerning you without human involvement, save where: (a) it is necessary for entering into or performing a contract with you; (b) it is authorised by law; or (c) it is based on your explicit consent.

8.3 Where we use AI-enabled features, we: (a) take reasonable steps to ensure the accuracy and fairness of the outputs; (b) maintain human oversight of material decisions; (c) inform you about the logic involved and the significance of the processing; and (d) afford you the right to request human review of any decision that significantly affects you.

9. Disclosure of Personal Data

9.1 We may disclose Personal Data to the following categories of recipients:

  • (a) Event Organisers, in respect of their Ticket Buyers (limited to what is reasonably necessary for event administration);
  • (b) Vendors, where you engage their services through the Platform;
  • (c) payment service providers (including Paystack, Flutterwave and any other licensed Payment Service Solution Provider engaged by us) for the purpose of processing payments and complying with applicable financial regulations;
  • (d) cloud hosting providers, IT infrastructure providers and software-as-a-service vendors engaged to support the Platform;
  • (e) analytics providers, advertising partners and marketing service providers (where applicable and in accordance with your consent);
  • (f) identity verification, fraud-prevention and anti-money-laundering service providers;
  • (g) professional advisers (such as lawyers, auditors and accountants) subject to appropriate duties of confidentiality;
  • (h) regulatory authorities, law enforcement agencies and courts, where required by law or in response to a lawful request;
  • (i) any prospective or actual purchaser, investor, financier or successor-in-title of all or part of our business, subject to appropriate confidentiality undertakings; and
  • (j) third parties with your consent or at your direction.

9.2 We do not sell Personal Data to third parties.

10. International Data Transfers

10.1 We are based in Nigeria, but we use service providers located in other jurisdictions. Personal Data may therefore be transferred to, stored in, or accessed from, countries outside Nigeria.

10.2 Before transferring Personal Data outside Nigeria, we take steps to ensure that the recipient jurisdiction provides an adequate level of protection or that appropriate safeguards are in place, as required by the NDPA and the GAID. Such safeguards may include: (a) transfer to a country identified by the NDPC as providing adequate protection; (b) transfer subject to binding contractual clauses approved by or compliant with NDPC guidance; (c) transfer pursuant to your explicit, informed consent; or (d) transfer necessary for the performance of a contract with you or in your interest.

10.3 For Data Subjects located in the European Union or United Kingdom, any transfer of Personal Data to Nigeria or to a third country will be made in accordance with the GDPR and/or UK GDPR, including through the use of Standard Contractual Clauses or other appropriate transfer mechanisms.

11. Data Retention

11.1 We retain Personal Data only for as long as is necessary for the purposes for which it was collected, or as required by applicable law. The retention periods we apply are determined by reference to: (a) the nature of the Personal Data; (b) the purpose of processing; (c) applicable statutory, regulatory or contractual retention requirements (including tax, anti-money-laundering, consumer protection and financial services laws); and (d) our legitimate interests in retaining records for the resolution of disputes and the enforcement of our rights.

11.2 By way of guidance: (a) account data is retained for as long as your account remains active, and for a reasonable period thereafter to address any post-closure matters; and (b) transaction records are retained for a minimum of six (6) years from the date of the transaction, in line with applicable financial and tax record-keeping requirements.

11.3 Where Personal Data is no longer required, we will securely delete, destroy or anonymise it, save where retention is required by law.

12. Data Security

12.1 We implement appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing, accidental loss, destruction, damage, alteration, disclosure or access. These measures include: (a) encryption of Personal Data in transit and, where appropriate, at rest; (b) role-based access controls and multi-factor authentication; (c) secure coding practices and periodic vulnerability assessments; (d) logging and monitoring; (e) staff training and confidentiality obligations; and (f) contractual obligations imposed on our service providers.

12.2 While we take reasonable steps to protect Personal Data, no method of transmission over the internet or storage is completely secure. You are responsible for safeguarding your account credentials and for notifying us promptly of any actual or suspected unauthorised access to your account.

13. Personal Data Breaches

13.1 In the event of a Personal Data breach likely to result in a risk to the rights and freedoms of Data Subjects, we shall: (a) notify the NDPC within seventy-two (72) hours of becoming aware of the breach, in accordance with the NDPA and GAID; (b) where the breach is likely to result in a high risk, notify affected Data Subjects without undue delay; and (c) document the circumstances of the breach, its effects and remedial action taken.

13.2 If you believe that a breach has occurred, please notify our DPO immediately at dpo@usebash.io.

14. Your Rights as a Data Subject

14.1 Subject to applicable law and to reasonable verification of your identity, you have the following rights in respect of your Personal Data:

  • (a) Right of access — to obtain confirmation as to whether we are processing your Personal Data, a copy of such data, and information about the processing.
  • (b) Right of rectification — to request correction of Personal Data that is inaccurate or incomplete.
  • (c) Right to erasure — to request the deletion of your Personal Data where it is no longer necessary, where you have withdrawn consent, or where it has been unlawfully processed, subject to exceptions under applicable law.
  • (d) Right to restrict processing — to request that we restrict the processing of your Personal Data in certain circumstances (for example, where you contest its accuracy).
  • (e) Right to object — to object to the processing of your Personal Data in certain circumstances, including processing for direct marketing purposes.
  • (f) Right to data portability — to receive your Personal Data in a structured, commonly used and machine-readable format, and to transmit that data to another controller, where technically feasible.
  • (g) Right to withdraw consent — to withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
  • (h) Right not to be subject to automated decision-making — to request human review of a decision based solely on automated processing that produces a legal or similarly significant effect on you.
  • (i) Right to lodge a complaint — to lodge a complaint with the Nigeria Data Protection Commission (or, where applicable, the data protection authority in your jurisdiction) if you believe that our processing of your Personal Data is in breach of applicable law.

14.2 To exercise any of these rights, please contact our DPO at the details set out in Clause 4. We will respond to your request within the time limits prescribed by applicable law (generally within one (1) month of receipt, subject to extension in complex cases).

14.3 We may charge a reasonable administrative fee or refuse to act on requests that are manifestly unfounded or excessive, in accordance with applicable law.

15. Children’s Data

15.1 The Platform is not directed at children. Consistent with the NDPA, we treat any person under the age of eighteen (18) as a child. We do not knowingly collect Personal Data from a child without verifiable parental or guardian consent, and we do not knowingly collect Personal Data from any child under the age of thirteen (13) under any circumstances.

15.2 If we become aware that we have inadvertently collected Personal Data from a child in breach of Clause 15.1, we will take reasonable steps to delete such data.

15.3 Where the Platform is used to purchase tickets for events at which children will be present, the Event Organiser shall be responsible for obtaining appropriate parental consent where required.

16. Cookies and Similar Technologies

The Platform uses cookies and similar tracking technologies. Please refer to our Cookie Policy for detailed information about the cookies we use, the purposes for which we use them and how you can manage your preferences.

17. Third-Party Links and Services

The Platform may contain links to third-party websites, applications or services. This Policy does not apply to the practices of any third party, and we are not responsible for the content or privacy practices of such third parties. We encourage you to review the privacy policies of any third party before providing them with Personal Data.

18. International Users

18.1 The Platform is operated from Nigeria. If you access the Platform from a jurisdiction outside Nigeria, you do so at your own initiative and are responsible for compliance with applicable local laws.

18.2 For Data Subjects in the European Union or United Kingdom, references in this Policy to the NDPA shall be read as references to the GDPR or UK GDPR (as applicable), and the rights set out in Clause 14 shall be read consistently with those regimes. Where GDPR or UK GDPR provides for additional rights or protections not expressly set out in this Policy, such additional rights or protections shall apply to you.

18.3 For Data Subjects in other jurisdictions, we will comply with applicable local data protection laws to the extent required.

19. Changes to this Policy

19.1 We may amend this Policy from time to time to reflect changes in our practices, technology, legal requirements or for other operational reasons. The revised Policy shall be posted on the Platform, and the “Last Updated” date shall be amended accordingly.

19.2 Where the amendment is material, we shall take reasonable steps to notify you (for example, by email or through a prominent notice on the Platform). Your continued use of the Platform following such notification shall constitute acceptance of the amended Policy.

20. Annexure — Supplementary Notice for Event Organisers and Vendors

Where you access the Platform as an Event Organiser or Vendor, the following additional provisions apply:

  • You acknowledge that you are an independent Data Controller in respect of Personal Data relating to your event attendees, customers and end users, and that you are responsible for compliance with applicable data protection laws in that capacity.
  • You are bound by our Data Processing Agreement, which governs the terms on which Bash processes Personal Data on your behalf as a Data Processor.
  • You shall provide appropriate notices and obtain all consents required from Data Subjects in connection with the data you provide to us or instruct us to process.
  • You shall promptly notify Bash of any Personal Data breach or regulatory inquiry relating to Personal Data processed through the Platform.

Contact Us

If you have any questions, comments or complaints about this Policy or our handling of your Personal Data, please contact our DPO at:

  • Email: dpo@usebash.io

You may also contact the Nigeria Data Protection Commission directly at: