1. Introduction

This Privacy Policy sets out the basis on which we collect, use, disclose, store, and protect your personal data in connection with your access to and use of the Burger King® Nigeria Mobile Application (the “App”). The App is owned and operated by Allied Food and Confectionary Services Limited (“Allied”, “we”, “us”, or “our”), the duly authorized franchisee of the Burger King® brand within the Federal Republic of Nigeria.

By accessing or using the App, you confirm that you have read, understood, and agreed to be bound by the terms of this Privacy Policy. If you do not agree with the terms of this Privacy Policy, you must refrain from accessing or using the App.

2. Scope

This Privacy Policy applies to all individuals who access or use the Burger King® Nigeria Mobile Application (the “App”), and governs the collection, processing, use, disclosure, storage, and protection of personal data obtained or processed in connection with such access or use. This Policy is issued pursuant to the Nigeria Data Protection Act, 2023, including all regulations, directives, subsidiary legislation, guidelines, and codes of conduct issued thereunder, as well as any amendments, re-enactments, or replacements thereof. It also applies in accordance with any other applicable data protection and privacy laws and regulations in force within the Federal Republic of Nigeria.

3. Legal Definitions

For the purpose of this Policy:

• Personal Data refers to any information that relates to an identified or identifiable individual.

• Processing means any operation performed on Personal Data including but not limited to collection, use, storage, disclosure, transfer, deletion, etc.

• Data Subject means the individual to whom the Personal Data relates.

• Data Controller refers to the person or entity that determines the purposes and means of the processing of Personal Data.

• NDPA refers to the Nigeria Data Protection Act, 2023.

4. Data Controller

The Data Controller responsible for the collection and processing of personal data through the Burger King® Nigeria Mobile Application (the “App”) is:

Allied Food and Confectionary Services Limited
Plot 274 Ajose Adeogun Street,
Victoria Island, Lagos, Nigeria.

If you have a question regarding how your personal data is handled, please contact our Data Protection Officer at:
Email: dpo@burger-king.ng
Phone: +2347074533614

Allied Food and Confectionary Services Limited (“Allied”) operates the App under a franchise agreement with the Burger King® brand. For the purposes of applicable data protection laws, including the Nigeria Data Protection Act (NDPA) and any other relevant regulations, Allied is the legal entity that determines the purposes and means of processing personal data collected via the App. As such, Allied is the designated Data Controller under applicable data protection law.

5. Categories of Personal Data We Collect and Legal Bases for Processing

In the course of your use of the Burger King® Nigeria Mobile Application (the "App"), Allied Food and Confectionary Services Limited ("Allied", "we", or "us") may collect and process the following categories of personal data. The legal bases for such processing are provided in accordance with the Nigeria Data Protection Act, 2023 (“NDPA”) and, other data protection laws in Nigeria.

a. Personal Identification Data

• Full name

• Email address

• Phone number

• Delivery address

• Date of birth (where required for age verification)

Legal bases:

• Performance of a contract (e.g., for account creation and food delivery)

• Legal obligation (e.g., age verification for specific promotions)

• Consent (where explicitly required)

b. Account and Login Data

• Username and password (encrypted)

• App usage preferences and settings

Legal bases:

• Performance of a contract

• Legitimate interest (e.g., to secure your account and provide personalized app experiences)

c. Transactional Data

• Order history and in-app purchases.

• Payment method

• Billing and invoicing information

Legal bases:

• Performance of a contract

• Legal obligation (e.g., for financial reporting)

• Legitimate interest (e.g., to maintain transaction records)

Note: We do not store your full payment card details. All payment transactions are processed securely by third-party providers in accordance with applicable financial regulations and Payment Card Industry Data Security Standard (PCI DSS).

d. Technical and Usage Data

• Device information (e.g., mobile device ID, OS, browser type)

• IP address

• App usage logs

• Geolocation data (if you consent and you may withdraw your consent at any time via app settings)

Legal bases:

• Legitimate interest (e.g., to monitor and improve app functionality and security)

• Consent (for geolocation and tracking features)

e. Marketing and Communication Data

• Your preferences in receiving promotional content

• Responses to surveys, promotions, or customer feedback forms

Legal bases:

• Consent (for direct marketing communications) and you may withdraw your consent at any time via app settings

• Legitimate interest (e.g., to conduct user satisfaction surveys and improve service)

f. Any other information you voluntarily provide via the App or customer support.

6. How we Collect Personal Data

We collect data:

• When you create an account or update your profile

• When you place orders or make payments

• When you interact with the App (e.g., navigation, usage)

• When you contact customer support or complete surveys

• From third-party service providers (e.g., payment or delivery services)

7. How We Use Your Personal Data

We collect and process your personal data strictly in accordance with applicable laws, including the Nigeria Data Protection Act (NDPA) 2023, and solely for legitimate, specific, and lawful purposes. The purposes for which your personal data may be processed include, but are not limited to, the following:

• Account Registration and Management: To establish, maintain, and administer your user account on the App, including authentication and user preference storage.

• Order Fulfilment and Payment Processing: To facilitate and execute your orders for products and services, process payments through authorized third-party payment providers, and deliver your selected items to your designated location.

• Customer Support Services: To provide responsive and effective customer care, handle complaints, process feedback, and respond to inquiries regarding orders or service experience.

• App Improvement and User Experience Optimization: To analyze usage trends, monitor app performance, diagnose technical issues, and enhance overall user experience through updates and feature development.

• Transactional Communications: To send non-promotional, service-related communications such as order confirmations, delivery status updates, payment receipts, and changes to the Terms of Use or Privacy Policy.

• Direct Marketing and Promotional Outreach (with your prior consent): To send marketing messages, promotional offers, loyalty program updates, and customer satisfaction surveys via email, push notifications, or SMS. You retain the right to withdraw consent at any time.

• Legal and Regulatory Compliance: To comply with applicable laws, regulations, and obligations imposed by government authorities or courts, including recordkeeping, tax obligations, and regulatory reporting.

• Fraud Prevention and Security Enforcement: To detect, investigate, and prevent fraudulent transactions, misuse of the App, unauthorized access, and any activity that may compromise the integrity or security of our systems, users, or network.

All data processing activities are carried out in accordance with the principles of lawfulness, fairness, transparency, purpose limitation, data minimization and accuracy

8. Disclosure of Your Personal Data

We may disclose your personal data to third parties strictly in accordance with applicable data protection laws and only for the purposes outlined in this Privacy Policy. Such disclosures may include:

•   Service Providers and Processors

Third-party vendors who perform functions on our behalf, including but not limited to payment processing, delivery and logistics, cloud hosting, customer support, analytics, and marketing services. These third parties act as data processors and are bound by contractual obligations to process your data only on our instructions and in compliance with applicable data protection laws.

•   Affiliates and Franchise Partners

Where necessary for the fulfilment of services or internal administrative purposes, we may share your data with our affiliates, franchisor, or group companies, subject to appropriate confidentiality and data protection safeguards.

• Regulatory, Governmental, or Law Enforcement Authorities

We may disclose your data if required to do so under applicable law, regulation, legal process, or enforceable governmental request, including to meet national security or law enforcement requirements.

• Professional Advisors

We may share your data with our legal counsel, auditors, tax consultants, or insurers in the context of legitimate business operations, legal claims, risk management, or compliance obligations.

We do not sell, rent, or otherwise disclose your personal data to third parties for their own commercial purposes.

9. International Data Transfers

In the course of providing our services, your personal data may be transferred to, and processed in, jurisdictions outside the Federal Republic of Nigeria. Where such transfers occur, we ensure that they are carried out in compliance with the Nigeria Data Protection Act 2023 and any other applicable data protection laws.

International transfers of your personal data shall only occur under one or more of the following conditions:

• Adequacy Decision: The recipient jurisdiction has been officially designated by the Nigeria Data Protection Commission (NDPC) as providing an adequate level of data protection based on its upholding of principles and safeguards that are substantially similar to the conditions for lawful processing provided under the Nigerian Data Protection Act (NDPA)

• Appropriate Safeguards: The transfer is subject to appropriate safeguards, such as the use of Standard Contractual Clauses, Binding Corporate Rules, or other lawful mechanisms recognized under the NDPA 2023, which provide enforceable rights and effective legal remedies for data subjects.

• Explicit Consent: You have explicitly consented to the proposed transfer after being informed of any potential risks due to the absence of an adequacy decision or appropriate safeguards.

• Other Permitted Grounds: The transfer is otherwise permitted under applicable law, including where it is necessary for the performance of a contract between you and us, for important reasons of public interest, or for the establishment, exercise, or defence of legal claims.

We take all reasonable steps to ensure that any third party located outside Nigeria who receives your personal data provides an adequate level of protection for such data in accordance with applicable legal requirements.

10. Data Retention

We retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected, including for the purpose of satisfying any legal, regulatory, tax, accounting, or reporting obligations, or as otherwise permitted or required under applicable law.

Where no longer required for the purpose for which it was collected or processed, and there is no continuing legal or legitimate business need to retain it, we will either securely delete, de-identify, or anonymise the personal data in accordance with applicable data protection laws and our internal data retention policies.

The specific retention period may vary depending on the type of data, the context in which it was collected, and the applicable statutory or regulatory requirements.

11. Your Data Protection Rights

In accordance with the Nigeria Data Protection Act 2023, you have the following rights in relation to your personal data:

Right of Access – You have the right to request access to the personal data we hold about you, including the purposes for which it is processed and the categories of data concerned.

Right to Rectification – You have the right to request that we correct any inaccurate or incomplete personal data concerning you.

Right to Erasure – You may request the deletion of your personal data where there is no lawful basis for continued processing.

Right to Restrict or Object to Processing – You have the right to object to or request the restriction of processing of your personal data in certain circumstances, including where processing is based on our legitimate interests.

Right to Data Portability – Where applicable, you may request to receive your personal data in a structured, commonly used and machine-readable format, and to have that data transmitted to another controller.

Right to Withdraw Consent – Where we rely on your consent to process personal data, you may withdraw such consent at any time, without affecting the lawfulness of processing carried out prior to the withdrawal.

Right to Lodge a Complaint – You have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) if you believe that we have violated your data protection rights.

You may exercise any of the above rights by contacting our Data Protection Officer (DPO) at:
dpo@burger-king.ng

12. Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk associated with the processing of your personal data, in accordance with the Nigeria Data Protection Act 2023 and applicable global standards. Such measures include, but are not limited to:

• The encryption of sensitive and transactional data during transmission and storage

• Role-based access controls and multi-factor authentication procedures

• Deployment of secure, industry-compliant hosting and server environments

• Regular monitoring, testing, and assessment of our systems for vulnerabilities and potential threats

Notwithstanding the foregoing, you acknowledge that no system or method of electronic transmission or storage is entirely secure. As such, while we are committed to safeguarding your personal data, we cannot guarantee its absolute security.

You are responsible for maintaining the confidentiality of your account credentials and for promptly notifying us of any unauthorized use of your account or other security breaches.

13. Children's Privacy

This App is intended solely for use by individuals who are eighteen (18) years of age or older. We do not knowingly collect personal data from individuals under the age of 18. If you are under 18, you are not permitted to use the App or provide any personal data through it.

In the event that we become aware that we have inadvertently collected personal data from a person under the age of 18 without appropriate consent or legal basis, we shall take immediate steps to delete such data from our systems.

If you believe that we may have collected personal data from a minor in error, please contact us promptly using the contact details provided in Section 16 of this Policy.

14. Third-Party Services and Links

The App may contain links to, or integrate with, third-party services, including, but not limited to, payment gateways, delivery platforms, customer support tools, and analytics providers. These third parties operate independently and are governed by their own privacy policies and practices.

We do not accept responsibility or liability for the content, privacy practices, or data protection measures of such third parties. We strongly encourage you to review the privacy policies of any third-party services you access through the App prior to submitting any personal data to them.

15. Changes to this Privacy Policy

We reserve the right to amend, update, or revise this Privacy Policy from time to time to reflect changes in legal, regulatory, or operational requirements, or to reflect changes in our data processing activities.

Where such changes are material, we shall notify you by appropriate means, which may include in-app notifications or email (where we have your contact details). Your continued use of the App following the publication or notification of such changes constitutes your acceptance of the revised Privacy Policy.

We encourage you to periodically review this Privacy Policy to remain informed about how we collect, use, and protect your personal data.