Privacy Policy
Effective date: 1 May 2025 · Last updated: 1 May 2025
1. Who we are
Wkrift is a personal finance tool operated by TrojBox (“we”, “our”, “us”). We help individuals track income, expenses, and foreign-exchange trades by parsing WhatsApp receipts. Our registered address is Lagos, Nigeria.
2. Data we collect
- Your email address and hashed password (via Supabase Auth)
- WhatsApp phone numbers you register on the platform
- Transaction data extracted from receipts you forward (amount, currency, direction, date)
- Bank account details you manually add (stored AES-256-GCM encrypted)
- Usage metadata — timestamps, log lines, error traces
We do not collect the body of your WhatsApp messages beyond what is needed to extract a receipt. Raw message text is not stored after parsing.
3. How we use your data
- To provide the Wkrift service — parsing, categorising, and displaying your transactions
- To send you end-of-day WhatsApp summaries if you opt in
- To process subscription payments via Paystack
- To detect and prevent fraud or abuse
- To improve the service (aggregated, anonymised analytics only)
We never sell your data to third parties.
4. Legal basis (NDPR)
We process your personal data under the Nigeria Data Protection Regulation (NDPR) 2019 on the basis of your consent (at account creation), the performance of our contract with you (service delivery), and our legitimate interests (fraud prevention, service reliability).
5. Data retention
We keep your data for as long as your account is active. If you delete your account, all personal data is deleted within 30 days, except where retention is required by law (e.g. financial records for audit purposes, kept for 7 years in anonymised form).
6. Third-party services
- Supabase — authentication and database hosting (EU/US). Processes email and transaction data.
- Meta (WhatsApp Business API) — message routing. Processes phone number and message metadata.
- Google Vision API — OCR for receipt images. Image data is sent to Google and not retained by them after processing.
- Paystack — payment processing. Subject to Paystack's own privacy policy.
- Railway / Vercel — cloud hosting.
7. Your rights (NDPR)
- Right to access your data
- Right to correct inaccurate data
- Right to erasure (“right to be forgotten”) — available from your Profile page
- Right to data portability — contact us to request a JSON export
- Right to withdraw consent at any time
To exercise any right, email privacy@wkrift.com. We will respond within 30 days.
8. Security
Bank account numbers are encrypted at rest with AES-256-GCM. All data in transit is protected by TLS 1.2+. Access to production databases is restricted to authorised personnel.
9. Changes to this policy
We may update this policy from time to time. Material changes will be communicated via email or an in-app notice at least 14 days before they take effect.
10. Contact
Questions? Email us at privacy@wkrift.com.
