Sokofa logo

Legal

Privacy Policy

Last updated: 25 May 2026 ·  Effective: 25 May 2026

Sokofa Ltd is committed to protecting your privacy. This policy explains what personal data we collect, why we collect it, how we use it, and what rights you have under UK and EU data protection law.

Privacy PolicySeller AgreementReturns & Refunds

Who We Are

Sokofa Ltd (“Sokofa”, “we”, “us”, or “our”) is the data controller responsible for the personal data processed through sokofa.com and our associated apps and services.

Sokofa Ltd — Data Controller

Email: privacy@sokofa.com

Address: 24 Halmyre Street, Edinburgh EH6 8QD, United Kingdom

We are registered as a data controller with the UK Information Commissioner's Office (ICO). Our ICO registration number is available on request.

Data We Collect

We collect personal data in the following categories, depending on how you interact with Sokofa:

Buyers

  • Account information: name, email address, phone number, password (stored as a one-way hash)
  • Order & shipping data: delivery address, billing address, order history, item preferences
  • Payment data: processed exclusively by our payment providers (Stripe and Paystack). We do not store card numbers or bank credentials.
  • Wishlist & cart data: products saved or added to cart during a session
  • Reviews: written feedback and ratings you leave on products
  • Device & usage data: IP address, browser type, pages viewed, referral source, time on site (via cookies and analytics tools)

Sellers (Vendors)

  • Business information: store name, store description, profile photo, location, social media handles
  • Identity verification: government-issued ID and certification documents uploaded during onboarding
  • Product data: product listings, images, descriptions, pricing, stock levels
  • Bank account information: used for vendor payouts; stored encrypted
  • Sales & analytics: order history, revenue figures, commission calculations
  • Social connections: see the Social Storefront & Instagram section below

All users

  • Communications: emails, support tickets, WhatsApp messages, and push notifications you send to or receive from us
  • Technical logs: server request logs, error reports, and security event data retained for up to 90 days

How We Use Your Data

PurposeData used
Processing & fulfilling ordersName, address, order details, payment confirmation
Account creation & managementEmail, name, password hash
Seller onboarding & verificationID documents, bank details, store info
Customer supportCommunications, order history, account details
Sending transactional emails & notificationsEmail, phone, push notification tokens
Marketing & promotional messages (opt-in only)Email, name, purchase history
Platform analytics & improvementsUsage data, device data
Fraud prevention & securityIP address, login events, payment signals
Legal complianceAny data required by applicable law
Social Storefront featureInstagram OAuth token, post content, import history
Social Storefront feature

Social Storefront & Instagram Data

Sokofa offers a Social Storefront feature that allows sellers to connect their Instagram account and import product posts directly into their Sokofa shop. This section explains exactly what data is collected, how it is used, and how to disconnect at any time.

What we access when you connect Instagram

When a seller authorises Sokofa via Instagram/Meta OAuth, we request the following permissions:

  • instagram_basic — to read your Instagram username, profile picture, follower count, and recent media posts
  • pages_show_list — required by Meta to link a business Instagram account to a Facebook Page

We do not request permission to post, comment, send messages, or take any action on your Instagram account. We only read your media.

Data stored when you connect Instagram

  • Your Instagram username and account ID
  • Your OAuth access token (stored encoded; used to fetch your posts on demand)
  • Token expiry date (Meta tokens expire after 60 days)
  • Profile picture URL and follower count (for display purposes inside your vendor dashboard)
  • Connection status and the date you last synced posts

Data stored when you import posts

When you choose to import posts from Instagram, we store the following for each imported post:

  • Instagram post ID and permalink (direct URL)
  • Post caption text
  • Image URLs (publicly accessible Instagram CDN links)
  • Media type (photo, carousel, or video thumbnail)
  • Original posting date and time
  • A status flag showing whether the post has been converted to a product draft
Imported posts are never published automatically. A seller must manually review, complete, and submit each product for admin approval before it becomes visible to customers.

How we use this data

  • To display your Instagram posts inside the import queue in your vendor dashboard
  • To pre-fill draft product listings with your post's image and caption when you choose to convert a post
  • To generate analytics events (e.g. how many posts were imported, converted, or published) — used only for product improvement and your own vendor reporting
  • To attribute orders to Instagram where a customer arrived via a Sokofa product link shared on Instagram

We do not use your Instagram data to train machine-learning models, sell to third parties, or display your Instagram content publicly anywhere outside your vendor dashboard.

Token storage and security

Your Meta OAuth access token is encoded and stored in our database, which is protected by Supabase row-level security, encrypted at rest (AES-256), and accessible only to server-side processes under your vendor account. It is never exposed in API responses or browser-side code.

Tokens expire automatically after 60 days. When a token expires, we update the connection status to “expired” and prompt you to reconnect. Expired tokens are not used to make any requests.

How to disconnect Instagram

You can revoke Sokofa's access to your Instagram at any time by:

  1. Going to Vendor Dashboard → Social → Social Connections and clicking “Disconnect”
  2. Visiting Instagram → Settings → Apps and Websites and removing Sokofa from the connected apps list

Disconnecting removes the stored access token and marks the connection as revoked. Your imported posts and any product drafts created from them remain in your vendor account until you request their deletion (see below).

How to request deletion of your Instagram data

You can request that Sokofa permanently deletes all data collected through the Instagram connection — including your OAuth token, connection record, imported post data, and any analytics events linked to your Instagram account — at any time. Product drafts created from imported posts are also deleted unless they have already been published, in which case they become standard Sokofa product records.

There are two ways to make a deletion request:

  1. Via the data deletion page — visit sokofa.com/terms/data-deletion, enter your registered email address, and submit the form. You will receive a confirmation email with a reference code within 24 hours.
  2. Via email — email privacy@sokofa.com with the subject line “Instagram Data Deletion Request” and include your Sokofa account email address. We will confirm receipt within 48 hours and complete the deletion within 30 days.
Meta-initiated deletion: If you remove Sokofa from your connected apps directly through Instagram or Facebook, Meta will automatically send a deletion request to Sokofa. We process these within 30 days and will send a status URL to your registered email so you can verify the deletion was completed.

After deletion is confirmed, your Instagram data will be permanently removed from Sokofa's live database. Encrypted backups are purged within 90 days in line with our backup rotation schedule.

Meta / Facebook data policy

When you use the Instagram connection feature, your interaction with Meta's OAuth is also governed by Meta's own privacy policy: facebook.com/privacy/policy. Sokofa is not responsible for Meta's data practices.

Cookies & Tracking Technologies

We use cookies and similar technologies on sokofa.com. Here is a summary of what we use:

CategoryExamplesBasis
Strictly necessarySession cookie, cart token, auth tokenContract / Legitimate interest
AnalyticsGoogle Analytics 4, Google Tag ManagerConsent
Marketing pixelsFacebook Pixel, TikTok Pixel, Pinterest TagConsent
PreferencesCurrency preference, recently viewedLegitimate interest

You can manage or disable non-essential cookies through your browser settings. Note that disabling cookies may affect the functionality of the website (e.g. keeping items in your cart).

Sharing Your Data

We do not sell, rent, or trade your personal data. We share it only in the following circumstances:

  • With sellers — buyers' name, shipping address, and order details are shared with the relevant seller to fulfil the order
  • Payment processors — Stripe (UK/EU) and Paystack (Nigeria). Each provider has their own privacy policy.
  • Shipping & logistics partners — DHL and other couriers receive delivery address data to dispatch orders
  • Email & communications providers — Resend (transactional email) and Twilio (SMS); data is processed under data processing agreements
  • Analytics & marketing tools — Google Analytics, Google Tag Manager, Facebook Pixel, TikTok Pixel, and Pinterest Tag receive anonymised or pseudonymised usage data. This is subject to your cookie consent.
  • Cloud infrastructure — Supabase (database, UK/EU region), Vercel (hosting), Netlify (deployment). These providers act as data processors under data processing agreements.
  • Legal authorities — if required by law, court order, or to protect the safety of users or the platform
  • Business transfers — in the event of a merger, acquisition, or sale of assets, personal data may be transferred. We will notify you before your data is transferred.

Your Rights

Under UK GDPR and the Data Protection Act 2018, you have the following rights:

Right of access

Request a copy of all personal data we hold about you (subject access request).

Right to rectification

Ask us to correct any inaccurate or incomplete data.

Right to erasure

Request deletion of your data where there is no overriding legal reason to keep it ("right to be forgotten").

Right to restriction

Ask us to pause processing your data in certain circumstances.

Right to data portability

Receive your data in a structured, machine-readable format.

Right to object

Object to processing based on legitimate interests, including profiling for direct marketing.

Right to withdraw consent

Withdraw consent to marketing or cookies at any time without affecting prior processing.

Rights related to automated decisions

Not to be subject to decisions made solely by automated processing that significantly affect you.

To exercise any of these rights, email privacy@sokofa.com. We will respond within 30 days. We may ask you to verify your identity before acting on a request.

Data Retention

Data typeRetention period
Active customer account dataRetained while account is active
Inactive customer accountsArchived after 24 months of inactivity, deleted after 36 months
Order records7 years (UK tax and accounting law)
Payment records7 years (financial regulation)
Vendor identity documentsDuration of seller relationship + 5 years
Instagram OAuth tokensUntil disconnected or token expires (max 60 days); revoked tokens deleted within 30 days
Social import recordsRetained with vendor account; deleted if vendor account is closed
Marketing consent recordsRetained until consent is withdrawn + 3 years
Server & security logs90 days
Analytics data (anonymised)26 months (Google Analytics default)

Data Security

We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, or unauthorised access. These include:

  • Encryption in transit: all data exchanged with sokofa.com is protected by TLS/HTTPS
  • Encryption at rest: database and file storage encrypted with AES-256
  • Access control: row-level security policies restrict database access; sensitive fields (tokens, bank details) are accessible only to server-side processes
  • Password hashing: all passwords are stored as bcrypt hashes (12 salt rounds); plaintext passwords are never stored
  • Service role isolation: our server uses a Supabase service role key — never exposed to browser clients
  • Security monitoring: automated alerting for unusual login patterns and data access

Despite these measures, no method of transmission over the internet is 100% secure. If you believe your account has been compromised, contact us immediately at security@sokofa.com.

If we become aware of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and affected individuals without undue delay, in accordance with UK GDPR Article 33.

International Data Transfers

Sokofa is a UK company that operates a global marketplace. As a result, your data may be transferred to and processed in countries outside the UK and European Economic Area (EEA), including Nigeria (for Paystack payment processing) and the United States (for Vercel hosting and Meta/Instagram services).

Where we transfer data internationally, we ensure appropriate safeguards are in place, including:

  • Adequacy decisions by the UK Secretary of State (where applicable)
  • Standard contractual clauses (SCCs) approved by the ICO or European Commission
  • Data processing agreements with all processors

Children's Privacy

Sokofa is not directed at children under the age of 13. We do not knowingly collect personal data from anyone under 13. If you are a parent or guardian and believe your child has provided us with personal data, please contact privacy@sokofa.com and we will delete the data promptly.

Sellers connecting the Social Storefront Instagram feature must be at least 18 years old, in line with Meta's terms of service.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our services, technology, or legal requirements. When we make a material change, we will:

  • Update the “Last updated” date at the top of this page
  • Send an email notification to registered users if the change significantly affects how we use your data
  • Where required, seek fresh consent before using your data in a new way

We encourage you to review this policy periodically. Continued use of Sokofa after a change is posted constitutes acceptance of the updated policy.

Contact & Complaints

For any questions, requests, or concerns about this Privacy Policy or how we handle your data:

Sokofa Ltd — Data Controller

Email: privacy@sokofa.com

Address: 24 Halmyre Street, Edinburgh EH6 8QD, United Kingdom

If you are not satisfied with our response, or believe we are processing your personal data unlawfully, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office

Website: ico.org.uk/make-a-complaint

Helpline: 0303 123 1113

Privacy Policy — Sokofa | Sokofa