Skip to main content
Qubicbox

Trust & Safety

Privacy notice

This notice explains how Qubicbox, including Qubicweb, Qlutterbox, Qubictry, Qverity, and E-Fraud Watch, collects, uses, stores, and protects personal data under NDPR, NDPA, and GDPR frameworks.

Last updated: 29 January 2026

Who we are

  • Qubicbox Technologies Limited (“Qubicbox”, “we”, “our”) operates Qubicweb, Qlutterbox, Qubictry, Qverity, and related trust tooling. We are the primary data controller for these services except where we explicitly act as a processor for enterprise partners.
  • Operational headquarters are in Lagos, Nigeria with TrustOps and engineering teams distributed across the EU/EEA.

Information we collect

  • Identity and verification data (names, pronouns, government IDs, certificates) required to issue badges or onboard agents.
  • Contact details (email, phone, messaging handles) for service updates, alerts, and double-opt-in flows.
  • Incident and listing context (narratives, artefacts, inspection logs, fraud evidence, TrustOps annotations) necessary for investigations.
  • Payment and escrow metadata (escrow IDs, payout accounts, invoice references) captured when operating Qlutterbox or Qubictry jobs.
  • Technical telemetry (IP, device fingerprints, session identifiers, moderation audit logs, MFA events) used to secure accounts and rate-limit abuse.

Purposes & lawful bases

  • Contract: fulfilling verification, escrow, dispute, or content distribution services requested by you or your organisation.
  • Legal obligation: complying with NDPR/NDPA, GDPR, AML/CFT, financial services, and consumer protection laws.
  • Legitimate interests: preventing fraud, monitoring platform health, improving moderation accuracy, and ensuring reliable communications. Legitimate Interest Assessments are reviewed annually.
  • Consent: optional marketing updates, waitlists, referrals, or community research programmes. Withdraw consent at any time via preferences or privacy@qubicbox.com.

Retention

  • Verification dossiers and TrustOps case files: active relationship plus 5 years to support appeals and regulatory audits.
  • Fraud reports and anonymised advisories: retained indefinitely after personal identifiers are removed.
  • Evidence uploads: 24 months unless a legal hold applies, then securely deleted from primary and backup storage.
  • Audit logs and access records: 36 months minimum for accountability.
  • Marketing preferences: until withdrawn; requests honoured within 72 hours.

International transfers

  • Primary hosting occurs in the European Union (Vercel EU region, AWS eu-west-1) with mirrored workloads in Nigeria/South Africa for latency. Transfers rely on Standard Contractual Clauses and NDPR adequacy requirements. Access is role-scoped and logged.

How we secure data

  • Encryption in transit (TLS 1.2+) and at rest (AES-256) across every storage layer.
  • Mandatory MFA for TrustOps, Curators, payout actors, and internal tooling.
  • Honeypots, adaptive rate limiting, and Cloudflare Turnstile on public forms.
  • Evidence sanitisation pipelines (EXIF stripping, malware scanning) before analysts review uploads.
  • Quarterly access reviews, vendor diligence, and rehearsed incident response playbooks.

Sharing & processors

  • Cloud & infrastructure: Vercel, AWS, Cloudflare, Supabase, Upstash, and Render (region-scoped).
  • Payments & escrow: Paystack, Flutterwave, regulated financial partners supporting the Qlutterbox marketplace.
  • Communications: Resend, WhatsApp Business Platform, Twilio Verify for MFA.
  • Law enforcement or regulators: only when legally compelled or necessary to prevent imminent harm. Every disclosure is logged in AuditLog.
  • We never sell personal data or allow unchecked processor sub-processing.

Your rights

  • Access, rectification, deletion, restriction, portability, and objection to processing based on legitimate interests.
  • Withdrawal of consent without affecting prior lawful processing.
  • NDPR-compliant rights to lodge complaints with the Nigeria Data Protection Commission (NDPC).
  • EU/EEA residents may also contact their local supervisory authority.

Exercising rights

  • Submit a request via privacy@qubicbox.com with the subject “Data Subject Request”.
  • Include identifiers (account email, phone number, ticket ID) so we can verify ownership. Responses are issued within one working day and fulfilled within 30 days unless complexity requires an additional 15 days.
  • Postal address: Qubicbox Data Protection Office, 12B Adeola Odeku Street, Victoria Island, Lagos, Nigeria.

Product-specific notes

  • Qubicweb & E-Fraud Watch: community submissions are reviewed and anonymised before publication. Reporters can stay anonymous; personal contact details remain private.
  • Qlutterbox & Qubictry: escrow payouts and guild membership require verified identity and payout details to comply with NDPR and financial regulations.
  • Qverity: biometric or document verification data is encrypted, access-logged, and deleted when verification expires unless retention is mandated by law.

Updates

  • We review this notice quarterly or whenever regulations, processors, or product scope changes. Updated versions appear here with a new revision date.
  • Latest revision: 29 January 2026.