Privacy Policy
Last updated: April 2026
xHerbs (“we”, “us”, “our”) operates xherbs.store (the “Platform”). This Privacy Policy explains what personal data we collect, why we collect it, who we share it with, and what rights you have. By using the Platform you agree to the practices described below.
1. Information We Collect
1.1 Account Information
When you create an account we collect your full name, email address, and optionally your phone number. If you sign in with Google or Apple, we receive the name and email associated with that account.
1.2 Delivery Addresses
We collect street address, city, state, phone number, and an optional label (e.g. “Home”, “Work”) for each saved address. You may store multiple addresses and mark one as default.
1.3 Order & Payment Data
When you place an order we record the items purchased, quantities, prices, delivery fees, coupon codes applied, and order status. Payment is processed entirely by Boldswitch; we never see or store your card number, bank login, or USSD PIN. Boldswitch returns a transaction reference, payment status, and payer email, which we store alongside your order.
1.4 Seller Information
Sellers provide additional data during onboarding: business name, bio, store banner and logo, location (state and city), social links (Instagram, WhatsApp, website), bank account details (account number, account name, bank name), product or service listings, and delivery zone settings. Healers may also provide specialties, healing paths, years of experience, consultation type, and session rate.
1.5 Identity Verification (Sellers)
Seller identity verification is handled by Ssync, a third-party KYC provider. During verification Ssync may collect your National Identification Number (NIN), a selfie, or other identity documents. xHerbs does not collect or store these documents; we only receive a verified/not-verified status from Ssync. Ssync’s own privacy policy governs how they handle your identity data.
1.6 Messages & Chat
The Platform includes a messaging system between buyers and sellers. We store the full content of text messages, as well as metadata for media attachments (images, videos, documents, and voice notes) including file name, file size, media type, and duration. We also track message delivery and read status with timestamps. Payment requests sent through chat are recorded.
1.7 Browsing & Preference Data
We store certain preferences in your browser’s local storage (not cookies): recently viewed products (up to 12), your preferred delivery state and city, shopping cart contents, cookie consent choice, and seller application drafts. This data stays on your device and is not sent to our servers unless you take an action that requires it (e.g. placing an order).
1.8 Activity Data
We record your wishlist items, sellers you follow, product reviews and ratings you submit, notification preferences, and reports you file against products or sellers.
1.9 Technical Data
Our infrastructure providers automatically collect your IP address for rate limiting, bot prevention, and security purposes. We do not currently run any analytics or tracking scripts (no Google Analytics, no tracking pixels). If we add analytics in the future we will update this policy and request consent where required.
2. How We Use Your Information
- Process and fulfil orders, calculate delivery fees, and apply coupon discounts
- Send transactional emails: order confirmations, shipping updates, delivery confirmations, return/refund status, and digital product delivery links
- Send transactional SMS: one-time passwords (OTPs) for login and registration
- Enable buyer-seller messaging and track delivery/read status for message reliability
- Verify seller identity (via Ssync) and resolve bank account names (via Boldswitch) during onboarding
- Encrypt and securely store seller bank details for automated payouts
- Prevent fraud and abuse through rate limiting and CAPTCHA challenges
- Enforce our Terms of Service and respond to reports of policy violations
- Comply with Nigerian tax, accounting, and legal requirements
Marketing communications. We may send promotional emails or newsletters, but only if you opt in. Both are off by default. You can manage these in your account notification settings at any time.
3. Third-Party Services
We rely on the following third-party processors to operate the Platform. Each receives only the data necessary for its function:
| Provider | Purpose | Data shared |
|---|---|---|
| Supabase | Database hosting, authentication, real-time subscriptions | All account, order, product, and message data |
| Boldswitch | Payment processing, bank account resolution, seller payouts | Email, order amount, buyer/seller IDs, bank details for resolution |
| Cloudinary | Image and media storage (product photos, chat attachments, review photos) | Uploaded files and associated metadata |
| Mailgun | Transactional email delivery | Recipient email, name, and email content (order details, notifications) |
| Termii | SMS and OTP delivery | Phone number and one-time passcode |
| Ssync | Seller identity verification (KYC) | NIN, selfie, identity documents (collected directly by Ssync, not stored by xHerbs) |
| Cloudflare | CAPTCHA (Turnstile) for bot prevention on login and registration | IP address, browser signals |
| Upstash | Rate limiting to prevent abuse | IP-based request counts (no personal identifiers) |
We do not sell, rent, or trade your personal data to any third party for advertising or marketing purposes.
4. Information Shared with Sellers
When you place an order, the sellers fulfilling your items receive your delivery name, phone number, street address, city, and state so they can ship your order. Sellers can also see your display name and messages in buyer-seller chat. Sellers do not have access to your email address, payment details, or account settings.
5. Data Security
- All connections use HTTPS/TLS encryption in transit
- Authentication is managed by Supabase with secure session tokens
- Payment processing is PCI DSS compliant through Boldswitch — we never handle raw card data
- Seller bank account numbers and account names are encrypted at rest using AES-256-GCM before storage
- API endpoints are protected with rate limiting to prevent brute-force and abuse
- Login and registration forms are protected by Cloudflare Turnstile CAPTCHA
- Security headers are enforced: Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), X-Frame-Options, and X-Content-Type-Options
No system is 100% secure. If you believe your account has been compromised, contact us immediately at [email protected].
6. Cookies & Local Storage
Cookies. We use essential cookies only for authentication and session management (set by Supabase). We do not use advertising or analytics cookies.
Local storage. We store the following in your browser’s local storage: cookie consent preference, recently viewed products, preferred delivery location, shopping cart contents, and seller application form drafts. This data remains on your device and can be cleared through your browser settings.
A cookie consent banner is shown on your first visit. Declining cookies does not affect core Platform functionality since we rely on local storage rather than cookies for preference data.
7. Data Retention
- Account data is retained for as long as your account is active
- Order and transaction records are retained for 7 years after the order date for Nigerian tax and accounting compliance. This includes order items, amounts, delivery details, payment references, and fulfillment status
- Chat messages are retained for as long as both parties have active accounts. If either party deletes their account, messages are preserved for the remaining user but the deleted user's name is removed
- Seller bank details are retained while the seller account is active and deleted when the seller account is removed
- Product reviews remain visible after account deletion but are disassociated from the deleted account
- Rate limiting data (IP-based counters) expires automatically within minutes
- Rejected seller applications: application data is retained for 12 months to prevent duplicate submissions, then purged
8. Your Rights
You have the right to:
- Access — view your personal data in your account settings, order history, and saved addresses
- Correction — update your name, phone, email, addresses, and notification preferences at any time
- Deletion — permanently delete your account from account settings. This removes your profile, addresses, wishlist, follows, and notification preferences. Orders are preserved with your name removed for seller and accounting records
- Opt out of marketing — toggle promotional emails and newsletters off in notification settings (they are off by default)
- Data portability — request a copy of your data by emailing us
To exercise any of these rights, visit your account settings or contact us at [email protected].
9. Seller-Specific Practices
In addition to the data collected from all users, sellers should be aware of the following:
- Bank account details (account number and account name) are encrypted with AES-256-GCM before storage and are only decrypted when displayed to you in your settings or used for payout processing
- Identity verification documents are collected and processed by Ssync, not by xHerbs. We only store your verification status (verified/pending/rejected)
- Your public storefront (business name, bio, banner, logo, location, social links, ratings, and product listings) is visible to all Platform visitors
- If your seller account is deactivated, your storefront and listings are hidden from buyers but your data is retained. Contact us to request full deletion
- Seller earnings, payout history, and commission records are retained for 7 years for accounting purposes
10. Children’s Privacy
The Platform is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
11. International Data
xHerbs is based in Nigeria. Our infrastructure providers (Supabase, Cloudinary, Mailgun, Upstash) may process data in regions outside Nigeria. By using the Platform you consent to this transfer. We ensure all providers maintain appropriate security standards.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or a prominent notice on the Platform. Your continued use of the Platform after the update constitutes acceptance. We encourage you to review this page periodically.
13. Contact Us
For privacy-related questions, data requests, or concerns, contact us at [email protected].