Legal
Last updated: July 2026. Effective immediately. Applies to all Gopexly users worldwide with specific provisions for Nigerian residents. This policy also serves as Gopexly's Google Play Data Safety disclosure.
Gopexly is committed to being transparent about how it handles your personal data. This Privacy Policy explains what data we collect, why we collect it, how it is stored and processed, who can access it, how long we keep it, and the rights you have over it. Please read it carefully before using the platform.
Gopexly is a social investing platform operated from Lagos, Nigeria. We are the data controller for all personal information collected through the Gopexly website (gopexly.com) and mobile application (com.gopexly.app).
Data Controller: Gopexly
Contact: admin@gopexly.com
Location: Lagos, Nigeria
For all privacy-related enquiries, data access requests, deletion requests, or complaints, contact us at admin@gopexly.com. We will acknowledge your request within 5 business days and respond in full within 30 days.
We collect data across the following categories. For each category we specify whether it is stored persistently in our database or processed ephemerally (meaning it is used only in memory during a request and not retained afterwards).
We collect your full name, email address, username, hashed password (never stored in plain text — bcrypt is used), profile photo (if uploaded), biography, and country. This data is required to create and maintain your account. It is stored persistently in our PostgreSQL database hosted on Railway (United States). Without this data, you cannot use Gopexly.
When you add stocks to your portfolio, we store the stock ticker, number of shares, and purchase price you manually enter. This data is stored persistently so it is available across all your sessions and devices. It is entirely optional — you can use Gopexly without ever adding a stock to your portfolio. We do not connect to, access, or retrieve data from your brokerage account. We do not store any bank account numbers, card numbers, or banking credentials. Payment processing for Pro subscriptions is handled exclusively by Paystack, which operates under its own privacy policy.
Your exact portfolio naira values are private by default and are never displayed to other users. Only percentage allocations and percentage returns are visible when you choose to share portfolio information in a post.
Posts, comments, poll responses, and reactions you create on the social feed are stored persistently so other users can view and interact with them. Creating content is entirely optional. You may delete any post or comment you have created at any time and it will be removed from public view. A deleted post may remain in our database for up to 14 days for moderation and abuse-reporting purposes before permanent deletion.
If you grant push notification permission on your device, we collect and store a Firebase Cloud Messaging (FCM) push notification token. This token is stored persistently in our database and is used solely to deliver notifications to your device. It is not used for advertising or tracking. Collection of this identifier is optional — if you decline notification permission, no token is collected and the app remains fully functional.
We collect usage information including pages visited, features interacted with, and general session behaviour. This data is processed ephemerally — it is used in memory to serve your current request and is not individually linked to your account in our database. We generate only aggregated, anonymised summaries (such as total page views or feature usage counts) that cannot be used to identify you. We do not use third-party analytics platforms that share your individual data with advertisers.
Your IP address and HTTP request metadata (device type, browser, operating system) are processed by our infrastructure provider Vercel when your requests are handled. This data is processed ephemerally — it is not stored in our application database. Vercel may retain server logs for security and operational purposes under its own data retention policy. We use this data only to protect against abuse, enforce rate limits, and maintain platform security.
When you use Gopexly AI, your questions are sent to Groq's inference API for processing. We store a record of your AI usage (not the full content of each conversation) to enforce daily usage limits. We do not store the full text of your AI conversations in our database permanently. We do not use your AI interactions to train external AI models. Use of Gopexly AI is optional.
We use a single HttpOnly, Secure, SameSite session cookie containing a signed JWT token to keep you authenticated. This cookie does not track you across other websites. It expires at the end of your session or when you sign out. We do not use advertising cookies or third-party tracking pixels. There are no advertisements on Gopexly.
We process your personal data under the following legal bases in accordance with the Nigeria Data Protection Act 2023 (NDPA):
Contract performance: We process your account data, portfolio data, and content to deliver the Gopexly service you signed up for. Without this processing, we cannot provide the platform.
Consent: We process push notification tokens, optional profile data, and AI usage based on your consent. You may withdraw consent at any time without affecting your access to the core platform.
Legitimate interests: We process aggregated usage analytics, security logs, and abuse-prevention data based on our legitimate interest in operating a secure, functional platform. We have assessed that this processing does not override your rights.
Legal obligation: We may process and retain certain data where required by Nigerian law, court orders, or regulatory requirements from the Securities and Exchange Commission (SEC), the Nigeria Data Protection Commission (NDPC), or other competent authorities.
We use your personal data for the following specific purposes:
— Create and maintain your Gopexly account and authenticate your sessions.
— Display your portfolio performance and update it in real time as NGX prices change.
— Operate the social feed and display your posts, comments, and reactions to other users.
— Power the Gopexly AI assistant and enforce daily usage limits.
— Send you push notifications, security alerts, and in-app messages (with your permission).
— Process Pro subscription payments through Paystack and verify transaction status.
— Enforce our Terms and Conditions, detect abuse, and prevent fraud.
— Comply with legal obligations under Nigerian law and other applicable regulations.
— Generate anonymised, aggregated statistics to understand how the platform is used and improve it.
— Respond to your support requests, data access requests, and complaints.
We do not use your personal data for behavioural advertising, advertising profiling, or to sell to third parties under any circumstances.
We do not sell your personal data. We share data only as described below:
We work with the following providers who process data on our behalf under contractual data processing obligations. They are not permitted to use your data for their own purposes:
Vercel (United States): Hosts our web application and mobile app backend. Processes HTTP requests including IP addresses ephemerally.
Railway (United States): Hosts our PostgreSQL database where your account, portfolio, and content data is stored persistently.
Groq (United States): Processes your Gopexly AI queries in real time. Groq does not store your queries beyond the immediate inference request.
Paystack (Nigeria / Ireland): Processes subscription payments. Paystack handles all payment card data under its own PCI-DSS compliant privacy policy. We never receive or store your card details.
Firebase / Google (United States): Delivers push notifications to Android devices via Firebase Cloud Messaging. Your push notification token is shared with Firebase solely for this purpose.
Google Fonts (United States): Serves web fonts. May collect your IP address as part of font delivery.
Your public profile (username, display name, profile photo, biography), posts, comments, poll responses, and portfolio percentage performance (not naira values) are visible to other registered Gopexly users. You control what you choose to post and share. Content you do not explicitly post or share publicly remains private.
We may disclose your personal data to Nigerian law enforcement agencies, the NDPC, the SEC, or courts of competent jurisdiction where we are legally required to do so, or where necessary to protect the safety and rights of our users or the public. We will notify you of such disclosure where we are legally permitted to do so.
In the event of a merger, acquisition, restructuring, or sale of all or part of Gopexly's business, your personal data may be transferred to the successor entity. Any successor will be bound by this Privacy Policy and will be required to honour all commitments made herein. We will notify registered users of any such transfer before it takes effect.
Account data: Retained for as long as your account is active. Deleted within 30 days of account deletion, except where legal retention is required.
Portfolio data: Retained for as long as your account is active. Deleted with your account.
Posts and comments: Retained until you delete them. Deleted posts are fully removed within 14 days. Some metadata may be retained for up to 90 days for moderation purposes.
Push notification tokens: Retained until you revoke notification permission or delete your account.
Payment records: Retained for 7 years in compliance with Nigerian tax and financial record-keeping requirements.
Security and abuse logs: Retained for up to 12 months for fraud detection and platform security purposes.
Anonymised analytics: Retained indefinitely as they cannot be used to identify you.
Under the Nigeria Data Protection Act 2023 (NDPA) and other applicable law, you have the following rights over your personal data. To exercise any of these rights, email admin@gopexly.com. We will respond within 30 days. We will not charge you a fee for exercising your rights unless your request is manifestly unfounded or excessive.
Right of access: You may request a copy of all personal data we hold about you. We will provide this in a structured, readable format.
Right of correction: You may update your name, username, profile photo, biography, and email at any time through your account settings. For corrections we cannot action directly, contact us.
Right of deletion: You may delete your account and all associated personal data at any time through Settings → Delete Account. We will complete deletion within 30 days, except for data we are legally required to retain.
Right of portability: You may request an export of your portfolio data in CSV format. Contact us at admin@gopexly.com to request your full data export.
Right to object: You may object to processing based on our legitimate interests. We will stop that processing unless we can demonstrate compelling legitimate grounds that override your rights.
Right to restrict processing: You may request that we restrict processing of your data while a dispute is being resolved.
Right to withdraw consent: Where processing is based on your consent (push notifications, optional profile fields), you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
Right to complain: You have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng if you believe we have violated your data protection rights.
In compliance with Google Play's Data Safety requirements, this section provides a plain-language summary of our data practices as disclosed in the Google Play Store listing.
No data collected by Gopexly is sold to third parties. No data is used for advertising or marketing profiling. Data shared with service providers (section 5.1) is solely for the purpose of delivering the Gopexly service.
We implement the following technical and organisational security measures to protect your personal data:
— All passwords are hashed using bcrypt with a salt factor of 10 or higher. Plain-text passwords are never stored.
— All data in transit between your device and our servers is encrypted using TLS 1.2 or higher.
— Session cookies are HttpOnly (inaccessible to JavaScript), Secure (HTTPS only), and SameSite:Strict (cannot be sent by other websites).
— All database queries use parameterised statements, preventing SQL injection attacks.
— Rate limiting is enforced on all authentication endpoints to prevent brute-force attacks.
— HTTP security headers are enforced including Content Security Policy, Strict-Transport-Security (HSTS), and X-Frame-Options.
— Access to production databases is restricted to authorised personnel only and protected by credential management.
— Push notification tokens are stored encrypted and used only for their stated purpose.
Despite these measures, no system connected to the internet is completely secure. You are responsible for maintaining the confidentiality of your password. Use a strong, unique password and enable any additional security features we make available.
Gopexly is operated from Nigeria but uses infrastructure providers based in the United States (Vercel, Railway, Groq, Firebase). By using Gopexly, you acknowledge that your data will be transferred to and processed in the United States. We ensure that all such transfers are governed by contractual data protection obligations with our service providers that require them to protect your data to a standard equivalent to or exceeding Nigerian data protection requirements.
Gopexly is not intended for users under the age of 18. We do not knowingly collect personal data from minors. If you are a parent or guardian and believe your child has registered on Gopexly, contact us immediately at admin@gopexly.com. We will delete the account and all associated data within 48 hours of receiving a verified request.
Gopexly processes personal data in compliance with the Nigeria Data Protection Act 2023 (NDPA) and the Nigeria Data Protection Regulation 2019 (NDPR). We do not process personal data in a manner that is unlawful, unfair, or that violates the dignity of natural persons.
Nigerian residents have all the rights set out in section 7 above. If you believe Gopexly has violated your rights under the NDPA or NDPR, you may lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng. You also have the right to seek civil redress in a Nigerian court of competent jurisdiction.
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the services we offer. We will notify registered users of material changes via in-app notification and email at least 14 days before the change takes effect. The current version of this policy is always available at gopexly.com/privacy. The date at the top of this page indicates when it was last updated. Continued use of Gopexly after a policy update constitutes acceptance of the revised policy.
For all privacy-related matters including data access requests, deletion requests, corrections, objections, or complaints:
Email: admin@gopexly.com
Response time: Within 30 days of receipt
Platform: gopexly.com/privacy
Location: Gopexly, Lagos, Nigeria
© 2026 Gopexly · Nigeria's Social Investing Platform