Privacy Policy

Last updated: 22 May 2026

Our Privacy Commitment: No Bindi is committed to protecting your personal data. This Policy transparently explains how we collect, use, retain, share and protect your data, in accordance with the laws of the Republic of Guinea-Bissau, ECOWAS Supplementary Act A/SA.1/01/10 on Personal Data Protection, the African Union Malabo Convention on Cybersecurity and Personal Data Protection (2014), and the European Union General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), applicable to users in the European diaspora.

1. Data Controller

The controller responsible for processing personal data collected through the No Bindi Platform is:

Entity: No Bindi
Registered office: Bissau, Republic of Guinea-Bissau
Support email: [email protected]
Privacy email: [email protected]
Legal email: [email protected]

For the purposes of the GDPR, No Bindi is the Data Controller of personal data belonging to users in the European diaspora. Where required by Article 27 of the GDPR, No Bindi will designate a Representative in the European Union, whose contact details will be published on this page.

2. Scope and Application

This Policy applies to all personal data collected and processed by No Bindi in connection with the use of the Platform, including:

  • The No Bindi mobile application (iOS and Android);
  • The website and marketing website (www.no-bindi.com);
  • Any other digital platforms or channels operated by No Bindi;
  • Communications by email, push notifications or other contact channels.

This Policy applies to all Users regardless of geographic location, including residents in Guinea-Bissau, ECOWAS member states, the European Union and any other jurisdiction.

It should be read together with the Terms of Use and the Cookie Policy, which form part of the overall contractual agreement.

3. Personal Data Collected

No Bindi collects personal data in different ways throughout your interaction with the Platform:

3.1 Data Provided Directly by the User

Registration Data

  • Name (username or full name, single field);
  • Valid email address;
  • Phone number (with country code);
  • Password (stored as an irreversible hash, never in plain text).

Profile Data (optional)

  • Profile photo (avatar), uploaded to our image storage server;
  • Biography (free text);
  • Location indicated by the user (city/region).

Listing Data

  • Item title, description and price;
  • Selected category and subcategory;
  • Item images (uploaded to the image storage server);
  • Listing location (city, and optional geographic coordinates if shared by the user);
  • Item condition (new, used, like new);
  • Brand, model, year (optional fields depending on category);
  • Listing status (active, sold, expired).

Communication Data (Chat)

  • Text messages sent and received in chat;
  • Images shared in chat;
  • Geographic location coordinates (only when the user voluntarily chooses to share them in chat);
  • Price offers and negotiation data submitted through the chat features;
  • Conversation metadata (date, time, read status, typing indicator).

Review Data

  • Rating (1 to 5 stars);
  • Written comment (optional).

Premium Plan Data

  • Selected subscription plan;
  • Proof of payment (image uploaded for review by No Bindi);
  • Subscription start and end dates;
  • Indicated payment method (bank card data are not stored).

Report Data

  • Type of report (listing, user or message);
  • Reason and description of the report;
  • Evidence submitted (if applicable).

Profile Verification Data

  • WhatsApp number (optional, voluntarily provided for identity verification);
  • Social media link (e.g. Instagram, Facebook) (optional, voluntarily provided for verification);
  • Identity document photo (optional, voluntarily uploaded for internal review). No Bindi recommends that the user write by hand on the document copy the phrase "I authorise the use of this copy for profile verification on the No Bindi platform" and sign below, as a safeguard against misuse — this is recommended but not mandatory;
  • Verification request status (not started, pending, under review, approved, rejected);
  • Rejection reason (where applicable).

3.2 Automatically Collected Data

Authentication and Session Data

  • Access token: valid for 60 minutes;
  • Refresh token: securely stored in the database; invalidated on logout;
  • Token issuance and expiry date and time;
  • Log of authentication actions (login, logout, failed attempts) with IP address and user agent, for security purposes.

Device Technical Data

  • Device type and model;
  • Operating system and version (iOS, Android);
  • Installed application version;
  • Unique device identifier (for push notifications);
  • IP address (used for security and anonymised after the retention period).

Behavioural and Usage Data

  • Categories and listings viewed;
  • Search history on the Platform;
  • Listings saved as favourites and price alerts generated;
  • Custom lists created, shared or followed;
  • Interactions with notifications (open, click, archive);
  • Navigation flow and features used.

Push Notification Data

  • Push notification token (Expo Push Token): anonymous device identifier for sending notifications;
  • Platform (iOS/Android);
  • Notification preferences (push, email, in-app, quiet hours).

3.3 Data Received from Third Parties

In certain circumstances, No Bindi may receive data from external sources, including image storage services (uploaded image URLs) and aggregated analytics data (anonymised Platform behaviour).

4. Purposes of Processing

The personal data collected is processed exclusively for the following specific and legitimate purposes:

Service Provision

  • Creation, management and authentication of user accounts;
  • Email address verification (6-digit code);
  • Publishing, moderating and searching listings;
  • Facilitating real-time communications between buyers and sellers;
  • Managing the favourites, price alert and custom list system;
  • Sending relevant notifications (messages, favourites, updates);
  • Managing the voluntary profile verification process and awarding the verification badge.

Security and Fraud Prevention

  • Detection and prevention of fraudulent, abusive or illegal activities;
  • Logging authentication actions to detect unauthorised access;
  • Content moderation and report management;
  • Compliance with legal obligations on anti-money laundering (AML) and counter-terrorism financing (CTF).

Personalisation and Service Improvement

  • Personalising listing recommendations based on browsing behaviour;
  • Analysing usage patterns to improve the user experience;
  • Development of new features;
  • Conducting studies and statistical analyses (anonymised data).

Institutional Communications

  • Sending communications about the service, terms updates and security alerts;
  • Responding to support requests and complaints;
  • Sending marketing communications and promotions (only with the user's express consent).

Compliance with Legal Obligations

  • Compliance with legal and regulatory obligations in Guinea-Bissau;
  • Cooperation with judicial and regulatory authorities under legal order;
  • Retaining data for the legally required period.

6. Retention and Storage Periods

No Bindi retains personal data only for the period strictly necessary to fulfil the purposes for which it was collected, or for the legally required period. Once that period expires, the data is securely deleted or irreversibly anonymised.

Data Type | Retention Period
Access token | 60 minutes
Refresh token | Until logout or configured expiry
Registration data and active account | For the duration of the account
Data after account deletion | 90 days (for reactivation requests), then deleted
Photos and images (listings, avatar) | For the duration of the account or listing
Listing and transaction history | 5 years (tax/accounting obligation)
Chat messages | Until account deletion + 90 days
Authentication logs (IP, action) | 12 months, then anonymised
Behavioural and browsing data | 13 months (raw data); anonymised thereafter
Push notification tokens | Until permission revocation or account deletion
Support and complaints data | 3 years after case closure
Premium payment proof | 5 years (tax obligation)

When a user requests account deletion, personal identification data will be anonymised within 30 days, except where the law requires retention for a longer period (tax data, data required for defence in pending legal proceedings).

7. International Data Transfers

Personal data processed by No Bindi may be transferred to or accessible from third countries in the context of using cloud infrastructure services and third-party services integrated into the Platform. No Bindi ensures that such transfers take place with appropriate safeguards, including:

  • Entering into standard contractual clauses or data processing agreements (DPA) with service providers;
  • Selecting providers with internationally recognised security certifications (ISO 27001, SOC 2, etc.);
  • For users in the EU: transfers to countries not recognised as adequate by the European Commission are carried out under the safeguards provided for in Chapter V of the GDPR (Articles 46 et seq.).

Within ECOWAS, data transfers between member states are facilitated by the framework established by Supplementary Act A/SA.1/01/10. For transfers to countries outside ECOWAS, No Bindi verifies whether the destination country offers an adequate level of data protection.

8. Sharing with Third Parties

No Bindi never sells your personal data to third parties for commercial purposes. Data may be shared with the following categories of recipients:

Cloudinary (Image Storage)

All images uploaded to the Platform (listing photos, profile avatars, chat images and Premium payment proofs) are stored in the Cloudinary image storage service. Cloudinary acts as a data processor bound by confidentiality and security agreements, processing data solely for image storage and delivery purposes.

Email Provider (SMTP / Resend)

Transactional emails (email verification code, password reset code, account notifications and service communications) are sent through an email provider (configured SMTP or Resend service). These providers have access only to the destination email address and the content of the sent email, and are bound by confidentiality agreements.

Expo (Push Notifications)

Push notifications to the mobile application are sent through the Expo Push Notification Service by Expo, Inc. For this purpose, the user's device push notification token (an anonymous identifier) is transmitted to the Expo service. Expo does not have access to any other personal data of the user.

Cloud Infrastructure Provider (Server and Database)

Platform data is stored and processed on cloud infrastructure servers (currently Render.com for the server and Neon or equivalent for the PostgreSQL database). These providers act as data processors with restricted data access for hosting purposes, subject to contractual security and confidentiality obligations.

Platform Users

Certain profile information is visible to other users: name, profile photo, indicated location and published listings. Reviews received are public on the reviewed user's profile. Location sharing in chat only occurs when the user explicitly chooses to share it.

Competent Authorities

No Bindi will share data with judicial, law enforcement, tax or regulatory authorities when: (i) legally required by court or regulatory order; (ii) to protect the rights, property or safety of No Bindi, its users or third parties; (iii) for the prevention or investigation of crimes. No Bindi will notify the affected user whenever legally permitted.

Successors in the Event of Corporate Restructuring

In the event of a merger, acquisition, demerger or sale of No Bindi's assets, personal data may be transferred to the successor entity, which will be bound by this Policy. Users will be notified with adequate prior notice.

9. Data Subject Rights

Users have the following rights regarding their personal data, exercisable free of charge, except in cases of manifestly unfounded or excessive requests:

Right of Access

Art. 15 GDPR | ECOWAS | Malabo

Obtain confirmation of the processing of your data and access a copy of the personal data No Bindi processes about you, as well as information on purposes, data categories, recipients and retention periods.

Right to Rectification

Art. 16 GDPR

Request the correction of inaccurate or incomplete data. Most profile data can be corrected directly in the account settings within the application.

Right to Erasure ("Right to be Forgotten")

Art. 17 GDPR | ECOWAS | Malabo

Request the deletion of your data when: it is no longer necessary for the purposes for which it was collected; you have withdrawn consent; you object to processing; the data has been processed unlawfully. Subject to legal exceptions (retention due to legal obligation, defence in legal proceedings).

Right to Restriction of Processing

Art. 18 GDPR

Request the temporary suspension of processing of your data in certain circumstances: contesting the accuracy of the data, unlawfulness of processing, necessity of the data for legal defence.

Right to Data Portability

Art. 20 GDPR | ECOWAS

Receive your data in a structured, commonly used and machine-readable format (e.g. JSON, CSV) and transmit it to another controller, where technically feasible.

Right to Object

Art. 21 GDPR

Object to the processing of your data for direct marketing purposes (with immediate effect) or on the basis of legitimate interests (subject to case-by-case assessment).

Right to Withdraw Consent

Art. 7(3) GDPR | ECOWAS

Withdraw consent given at any time, without affecting the lawfulness of processing carried out before the withdrawal.

Right to Lodge a Complaint

Art. 77 GDPR | Malabo

Lodge a complaint with the competent data protection authority in your country of residence, without prejudice to any other legal remedy.

How to exercise your rights?

Send your request to [email protected] stating the right you wish to exercise and your identification. No Bindi will respond within 30 days (extendable by a further 60 days in complex cases, with notification). Account deletion can be requested directly in the application Settings.

10. Automated Decision-Making

No Bindi uses algorithmic systems for the following purposes:

  • Recommendation personalisation: The algorithm analyses browsing and search history to present relevant listings in the user's feed;
  • Fraud and prohibited content detection: Automated algorithms analyse listings and behaviours to detect potential violations of the Terms of Use, flagging them for human review;
  • Content moderation: Automated systems for detecting inappropriate content in listings.

Pursuant to Article 22 of the GDPR, users have the right not to be subject to decisions based solely on automated processing that produce significant legal effects. Where No Bindi takes decisions affecting the User (account suspension, listing removal), the right to human intervention, expression of point of view and appeal is guaranteed, in accordance with Section 18.2 of the Terms of Use.

11. Data Security

No Bindi implements technical and organisational security measures appropriate to the level of risk, in accordance with the state of the art and international information security standards:

11.1 Technical Measures

  • Encryption of all communications in transit via TLS 1.2/1.3 (HTTPS mandatory);
  • Encryption of data at rest in the database;
  • Password storage as a salted hash (bcrypt);
  • JWT token-based authentication with automatic expiry (60 minutes for access token);
  • Rate limiting on all sensitive endpoints (login, password recovery, registration);
  • HTTP security headers (Helmet) on all API responses;
  • Audit logging of all administrative and authentication actions.

11.2 Organisational Measures

  • Role-based access control (RBAC) with user, moderator and super-admin roles, applying the principle of least privilege;
  • Confidentiality agreements with all staff and sub-processors with access to personal data;
  • Documented security incident response procedures;
  • Periodic reviews of security and privacy policies.

Important note: No security system is completely infallible. No Bindi cannot guarantee the absolute security of data transmitted over the internet. Users share responsibility for the security of their account, in particular by using a strong password and not sharing their access credentials.

12. Data Breaches

In the event of a personal data breach that puts users' rights and freedoms at risk, No Bindi undertakes to:

  • Notify the competent data protection authority within a maximum of 72 hours of becoming aware of the breach, pursuant to Article 33 of the GDPR and the equivalent principles of the Malabo Convention;
  • Notify affected users without undue delay where the breach is likely to result in a high risk to their rights, indicating the nature of the breach, the categories of data affected and the measures taken;
  • Take immediate steps to contain the breach, minimise damage and prevent further occurrences;
  • Document all data breaches, including those that are not notified to the authorities.

13. Minors

No Bindi is intended exclusively for users aged 18 (eighteen) years or older. No Bindi does not intentionally collect personal data from persons under the age of 18.

If No Bindi becomes aware that it has inadvertently collected data from a person under the age of 18, it will immediately and permanently delete that data and close the associated account, without prejudice to any notification to the competent authorities.

Parents or legal guardians who detect improper use of the Platform by minors should immediately contact No Bindi at [email protected].

14. Cookies and Local Storage

The No Bindi Platform uses cookies (on the website) and AsyncStorage (in the mobile application) to store data locally on the user's device. These technologies are used to maintain the active session, save preferences and improve the user experience.

Locally stored data (AsyncStorage: mobile application)

  • Access token and refresh token (authentication) — stored in encrypted form via Keychain (iOS) and EncryptedSharedPreferences (Android), using expo-secure-store;
  • Language and theme preferences (light/dark);
  • Onboarding tutorial status;
  • Listing data cache for performance.

For detailed information on the types of cookies used, their purposes, retention periods and how to manage your preferences, please consult our Cookie Policy.

15. Regional and International Compliance

Guinea-Bissau

This Privacy Policy is drawn up in accordance with the national legislation of the Republic of Guinea-Bissau on personal data protection and electronic commerce currently in force. No Bindi will apply any specific provisions that may be adopted by the National People's Assembly relating to privacy and data protection.

ECOWAS: Supplementary Act A/SA.1/01/10 (2010)

The ECOWAS Supplementary Act on Personal Data Protection establishes principles applicable to data processing in West Africa. No Bindi complies with the principles of: lawfulness and fairness of processing, purpose limitation, proportionality and data minimisation, accuracy, storage limitation, security and respect for data subjects' rights.

African Union: Malabo Convention (2014)

The AU Convention on Cybersecurity and Personal Data Protection requires member states to adopt standards protecting citizens' data. No Bindi aligns its practices with the principles of the Malabo Convention, in particular the principles of consent, transparency, security and data subjects' rights (Articles 8 to 14).

European Union: For Users in the European Diaspora

For users resident in the European Economic Area (EEA), Regulation (EU) 2016/679 (GDPR) applies. European users benefit from all rights provided for in the GDPR, as detailed in Section 9 of this Policy, and have the additional right to lodge a complaint with the supervisory authority of their member state of residence. In Portugal: CNPD (cnpd.pt). In France: CNIL (cnil.fr).

16. Policy Changes

No Bindi may update this Privacy Policy to reflect changes in data processing practices, Platform features or applicable law. In the event of material changes that affect users' rights, No Bindi will notify registered users at least 30 (thirty) days in advance by email or in-app notification. The updated version will be published on this page with the date of the last revision.

Previous versions of this Policy may be requested by contacting [email protected].

17. Contact and Exercise of Rights

To exercise your rights, lodge complaints or obtain clarification about this Policy:

Privacy and Data Protection

[email protected]

Exercise of data subject rights: response within 30 days

General Support

[email protected]

General enquiries: response within 24–48 business hours

Legal Affairs

[email protected]

Formal complaints and legal requests: response within 10 business days

Address

No Bindi — Bissau, Republic of Guinea-Bissau

Without prejudice to the right to lodge a complaint with No Bindi, Users always have the right to lodge a complaint with the competent data protection authority in their jurisdiction of residence.