Privacy Policy

Moments Technologies Ltd ("Moments", "we", "us") operates the Moments event platform at momentstonight.com. We are the data controller responsible for your personal data when you use our Platform.

This policy explains what data we collect, why we collect it, who we share it with, and what rights you have. It applies to all users of the Platform, including attendees, organizers, and door staff.

For privacy questions, contact our data protection team at legal@momentstonight.com.

We collect different types of data depending on how you interact with the Platform:

We process your personal data under the following legal bases, in compliance with the Nigeria Data Protection Act 2023 (NDPA) and, where applicable, the EU General Data Protection Regulation (GDPR):

• Contract performance: Processing necessary to deliver the services you signed up for — account management, ticket purchases, payout processing, and event management.
• Legitimate interest: Security monitoring, fraud prevention, platform improvement through anonymized analytics, and enforcing our terms. We balance these interests against your privacy rights.
• Legal obligation: Where we are required to retain or disclose data by law (e.g., financial transaction records, tax reporting, responding to valid legal requests).
• Consent: For optional processing such as marketing communications. You can withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

We use your data to:

• Authenticate you and maintain your session
• Process ticket purchases and deliver QR codes
• Provide organizers with attendee information for their events
• Process payouts to organizers
• Send transactional notifications (order confirmations, event updates, payout status)
• Detect and prevent fraud and unauthorized access
• Improve the Platform through anonymized usage analytics
• Respond to support requests and resolve disputes
• Comply with legal obligations and enforce our terms

We do not sell your personal data to third parties. We do not use your data for targeted advertising or profiling.

• Event organizers: When you buy a ticket, the organizer receives your name and email for guest list and communication purposes. Organizers are independent data controllers for attendee data they receive and must handle it in accordance with applicable law.
• Payment processors: Paystack processes all card transactions and bank payouts. Your payment data is subject to their privacy policy. We do not store card details on our servers.
• Infrastructure providers: We use cloud hosting, email delivery, and monitoring services that process data on our behalf under data processing agreements with appropriate security obligations.
• Legal and regulatory: We may disclose data if required by law, court order, or regulatory request, or to protect the safety, rights, or property of our users or the public.
• Business transfers: In the event of a merger, acquisition, or asset sale, user data may be transferred to the acquiring entity. We will notify affected users before data is transferred and becomes subject to a different privacy policy.

We do not share data with advertisers, data brokers, or social media platforms.

Your data is stored on secure servers with industry-standard protections. We implement:

• Encryption in transit (TLS/HTTPS) and at rest for all stored data
• Access tokens stored in memory only — never in localStorage or cookies accessible to JavaScript
• httpOnly cookies for refresh tokens with automatic rotation
• Rate limiting on all API endpoints
• Role-based access controls for internal systems

No system is perfectly secure. While we take reasonable measures to protect your data, we cannot guarantee absolute security against every possible threat.

We retain your data only as long as necessary for the purposes described in this policy:

• Account data: Retained while your account is active and for 30 days after deletion to allow recovery.
• Financial records: Transaction records are retained for a minimum of 6 years as required by applicable financial regulations and tax law.
• Scan and verification logs: Retained for 12 months for fraud prevention and dispute resolution, then anonymized or deleted.
• Security logs: IP addresses and access logs are retained for up to 90 days for security monitoring, then purged.

When data is no longer needed, we securely delete or anonymize it so it can no longer be associated with you.

Depending on your jurisdiction, you may have some or all of the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you
• Correction: Request that we correct inaccurate or incomplete data
• Deletion: Request that we delete your account and associated data, subject to legal retention requirements
• Portability: Request your data in a structured, commonly used, machine-readable format (JSON or CSV)
• Restriction: Request that we limit processing of your data in certain circumstances
• Objection: Object to processing based on legitimate interest
• Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior processing
• Complaint: Lodge a complaint with a supervisory authority (see Section 14)

To exercise any of these rights, contact us at legal@momentstonight.com. We will respond within 30 days. We may ask for verification of your identity before processing your request.

We use minimal cookies and local storage:

• Session cookie: httpOnly cookie for authentication refresh. Essential for the Platform to function. Cannot be disabled while using the Platform.
• Theme preference: localStorage to remember your light/dark mode choice. No personal data is stored.
• IndexedDB (scanner only): Used by the door scanner for offline guest list caching. Data is event-scoped and cleared after the event ends.

We do not use tracking cookies, third-party analytics cookies, advertising pixels, or social media widgets. Because we only use strictly necessary cookies, no cookie consent banner is required — but you can clear browser storage at any time.

In the event of a personal data breach that is likely to result in a risk to your rights, we will:

• Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where required by law
• Notify affected users without undue delay where the breach is likely to result in a high risk to their rights, via email and platform notification
• Document the breach, its effects, and the remedial actions taken

We maintain an incident response plan and conduct regular security reviews to minimize the likelihood and impact of breaches.

Moments is not directed at or intended for use by anyone under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a person under 18, we will delete it promptly and terminate the associated account.

If you believe a minor has provided us with personal data, please contact us immediately at legal@momentstonight.com.

Your data may be processed in countries other than where you reside, including countries that may not have data protection laws equivalent to those in your jurisdiction.

Where we transfer data internationally, we ensure appropriate safeguards are in place, including standard contractual clauses, data processing agreements, and verification that receiving parties maintain adequate security measures. You may contact us to obtain details of the specific safeguards applied to any transfer.

When an organizer receives attendee data (names, emails) through ticket sales, the organizer becomes an independent data controller for that data. Organizers are responsible for:

• Using attendee data only for purposes related to their event
• Complying with applicable data protection laws in their jurisdiction
• Responding to data access and deletion requests from their attendees
• Not sharing attendee data with third parties for marketing purposes without the attendee's explicit consent

Moments is not responsible for how organizers handle attendee data after it has been provided to them through the Platform.

If you are unsatisfied with how we handle your data or a privacy complaint, you have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction:

• Nigeria: Nigeria Data Protection Commission (NDPC) — ndpc.gov.ng
• European Union / EEA: Your local Data Protection Authority under the GDPR
• United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk

We encourage you to contact us first at legal@momentstonight.com so we can try to resolve your concern directly.

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email or platform notification at least 14 days before the changes take effect. The "Last updated" date at the top reflects the most recent revision.

Questions about this policy or your data? Contact our privacy team at legal@momentstonight.com or visit our contact page.