Legal
International transfers
Effective 29 April 2026 · Version 1.0
5.1 Why your data may leave Nigeria
The Site, like any modern web application, relies on infrastructure operated in multiple jurisdictions. Your personal data may be processed outside Nigeria for the following purposes:
- Hosting the Site on a global content delivery network (Vercel Inc., USA);
- Routing traffic and providing security services through Cloudflare, Inc. (USA, with PoPs worldwide);
- Processing donations through NowPayments OÜ (Estonia, EU) and the on-chain network confirmations that follow;
- Sending receipts via an email-delivery provider (Resend or Postmark, USA);
- Storing analytics with privacy-friendly providers (Vercel Analytics, USA; Plausible Analytics, EU).
We minimise cross-border transfers where reasonably possible, and apply contractual and technical safeguards in every case.
5.2 Lawful basis under the NDPA
Section 41 of the Nigeria Data Protection Act 2023 permits cross-border transfers where:
- (a) the destination jurisdiction provides an adequate level of protection, as determined by the Nigeria Data Protection Commission;
- (b) the transfer is necessary for the performance of a contract with the data subject;
- (c) the transfer is necessary on important grounds of public interest;
- (d) the data subject has given express, informed consent to the transfer, having been warned of the risks;
- (e) the transfer is to a recipient that has bound itself by appropriate safeguards, such as binding corporate rules or standard contractual clauses;
- (f) the transfer is necessary for the establishment, exercise, or defence of legal claims.
We rely on (b), (e), and (f) for the routine operation of the Site.
5.3 Lawful basis under the GDPR
Where you are in the EEA, the United Kingdom, or Switzerland, we rely on the derogations in Article 49 GDPR for occasional transfers, and on the European Commission's Standard Contractual Clauses (SCCs)(Decision 2021/914) for systematic transfers to processors outside the EEA. The SCCs are supplemented, where necessary, by transfer impact assessments performed in accordance with the European Data Protection Board's “Schrems II” guidance.
5.4 Recipients and locations
| Recipient | Function | Primary location | Safeguard |
|---|---|---|---|
| Vercel Inc. | Hosting & edge delivery | USA (with global edge) | SCCs + DPA |
| Cloudflare, Inc. | DNS, WAF, DDoS protection | USA (with global edge) | SCCs + DPA |
| NowPayments OÜ | Crypto payment processor | Estonia (EU) | EU adequacy / GDPR |
| Upstash, Inc. | Rate-limit & cache (Redis) | USA (multi-region) | SCCs + DPA |
| Resend / Postmark | Receipt email delivery | USA | SCCs + DPA |
| Plausible Insights OÜ | Privacy-friendly analytics | Estonia (EU) | EU adequacy |
5.5 The special case of public blockchains
When you make a contribution by sending cryptocurrency to a wallet address controlled by the Campaign or its processor, the transaction is recorded on a public, immutable, and globally-replicated ledger. By the nature of public blockchains, we have no way to limit the geographic scope of that replication. Where you choose to use a public blockchain, you accept that the transaction record will be visible to any party in the world that operates a node on that blockchain.
The transaction record on the blockchain is a hash, an amount, and the sender and receiver addresses. It does not, in itself, contain your name, email, or any other information you provide on the Site. However, it is technically possible for a third party to attempt to link a wallet address to a person - for example, through chain-analytics tools. We have no control over such attempts.
5.6 Changes
Where we add a new processor that materially changes the geographic scope of cross-border transfers, we will update this Section and post a notice on the Site at least fourteen (14) days before the change takes effect. For broader changes to the categories of personal data we collect, see Section 1.