AFRIFF Film & Content Market

1. Who we are

The data controller is AFRIFF Film & Content Market, operated by the Africa International Film Festival (AFRIFF). We are responsible for deciding how your personal data is collected and used in connection with market registration, pass fulfilment, onsite operations, and related digital experiences.

Registered address: AFRIFF Secretariat, Lagos, Nigeria. Privacy enquiries: operations@afcm.app.

2. Data we collect

We collect the minimum personal and business details needed to run the market, fulfil your orders, and keep the venue secure. The table below summarises the primary data sets.

Process	Categories	Notes
Registration & purchase	Name, email, phone, company/organisation (optional), badge selection, selected days, access codes, payment references (no card numbers)	Collected directly from you through the AFCM web app.
Pass printing with Liveet	Name, company (if provided), badge type/SKU, validity dates, access code, order reference, and where required your email and phone number for pick-up coordination	Transmitted securely to Liveet solely to personalise and print badges.
Customer support & incident logs	Contact details, ticket information, conversation history	Used to resolve queries and maintain audit trails.
Marketing updates (optional)	Email address, name, stated areas of interest	Collected only with opt-in consent; you may unsubscribe at any time.

We do not collect payment card numbers, national identifiers, or biometric data. Please avoid supplying sensitive personal information unless we specifically request it for legal compliance.

3. How we use your data

We rely on the lawful bases outlined in the NDPA. Most processing is necessary to perform our contract with you or to take steps at your request before entering into a contract. Marketing messages are sent only with consent.

Purpose	Examples	Lawful basis
Registration & ticketing	Create attendee accounts, allocate passes, process payments, send access links	Contract performance (NDPA s.25(1)(b))
Pass fulfilment	Share minimal details with Liveet to personalise and print credentials	Contract performance
Security & fraud prevention	Access logs, duplicate detection, incident response	Legitimate interests balanced against your rights
Marketing updates	Market brief emails, partner spotlights	Consent (you may withdraw at any time)

4. Who we share data with

We never sell personal data. We only share it with trusted processors who help us run the market, and we bind them to written data protection agreements that mirror NDPA requirements.

Liveet (Authorised Printing Partner)

Liveet receives only the information needed to personalise your badge: your name, company or project name (if you provided one), badge type/SKU, pass validity dates, your badge access code, the related order reference, and—where badge pick-up coordination requires it—your email address and phone number. Liveet processes this data solely to print the credential, keeps it in encrypted storage, and deletes it within7 days of completing the print job. Liveet is contractually forbidden from using the data for any other purpose and must provide a deletion certificate to AFCM on request.

Other key processors include Paystack (payments), Supabase (database and authentication), Vercel and Cloudflare (hosting and edge delivery), email/SMS providers, customer support tooling, and monitoring platforms such as Sentry (if enabled). Each provider only receives the data that is necessary for the task at hand, and many act as sub-processors of Supabase or Paystack under their respective agreements.

A public summary of our sub-processors, including locations and DPAs, is maintained and updated regularly. Contact us if you would like the latest copy.

5. International transfers

Some infrastructure providers (for example Supabase or Vercel) host data in the European Union or other regions. Where personal data leaves Nigeria, we rely on contractual safeguards, access controls, and encryption to keep it protected. Liveet operates within Nigeria; if this changes we will update this notice and our sub-processor register.

6. Retention

We keep your personal data only as long as necessary for the stated purpose or to meet legal/accounting obligations:

Registration records, orders, and support history are retained for up to 24 months after the festival to help us honour duplicate requests and financial reporting requirements.
Liveet deletes print files within 7 days of completing production.
Metadata logs (for example webhook status) are auto-purged within 30 days.

You may request deletion sooner, subject to legal allowances. See Section 8 for how to exercise your rights.

7. Security

We apply layered technical and organisational controls: TLS 1.2+ in transit, encryption at rest, role-based access controls with multi-factor authentication for staff, webhook HMAC signatures, audit logs, and a restricted print environment at Liveet (no external storage devices, misprints shredded, clean-desk policy). We routinely review these measures and adapt them to address new threats.

8. Your rights

Under the NDPA you have the right to:

Request access to the personal data we hold about you.
Request correction of inaccurate or incomplete data.
Request deletion when the data is no longer needed or where consent is withdrawn.
Object to processing or ask us to restrict how we use your data in certain circumstances.
Receive a copy of the data you provided in a portable format.

To exercise these rights, email operations@afcm.app. We will acknowledge within 48 hours and aim to resolve requests within 30 days. For security we may ask for an order reference or additional verification before acting. If we rely on Liveet or another processor during the retention window, we will instruct them to erase or return the relevant data as well.

If you are unhappy with how we handle your data, you may lodge a complaint with the Nigeria Data Protection Commission (NDPC). We encourage you to contact us first so we can attempt to resolve any issue quickly.

9. Contact

Primary privacy contact: operations@afcm.app. For escalation or legal notices, copy: legal@afcm.app.

10. Changes to this policy

We will update this policy when our processing changes or when laws evolve. Material updates will be announced via the AFCM website or email. Archived versions and change logs are available on request. Continued use of our services after an update signifies your acceptance of the revised policy.