Privacy Policy

Last updated: July 2026 · Compliant with NDPA 2023 (Nigeria) and equivalent regimes per market.

This Privacy Policy explains what data SureOrder collects, why we collect it, how we store it, who we share it with, and your rights as a data subject. Plain English, no dark patterns.

Who operates SureOrder. SureOrder is a product operated by HAG Ai Services, a Nigerian business registered with the Corporate Affairs Commission (CAC No. 9557647). Throughout this policy, "SureOrder", "we", "us" and "our" refer to HAG Ai Services in its capacity as the operator of the SureOrder platform at sureorder.online.

1. Who we are

SureOrder ('we', 'us', 'our') is an AI commerce operating system that helps merchants run orders from social channels (WhatsApp, Instagram, TikTok, Facebook, X), websites, payment links and offline walk-in customers — through a single merchant screen.

We are reachable at [email protected] for privacy questions, data-access requests or complaints.

2. What data we collect

Merchant data: business name, contact email + phone, sales-channel handles (e.g. WhatsApp Business number, Instagram handle), product catalog, order records, payment events, and dispatch records.

Customer data (collected by the merchant via SureOrder on behalf of the merchant): customer name, phone number, delivery address, order content and order timeline. SureOrder is a data processor for this category; the merchant is the data controller.

Operational data: AI extraction results, message intent classifications, fraud-trust signals (risk band, signal flags), reconciliation exceptions, AI auto-resolution rates.

Technical data: IP address, browser/device user-agent, session cookie (HMAC-signed, no third-party tracking), session timestamps.

3. Why we collect it

To deliver the SureOrder service the merchant signed up for: capturing inbound messages, drafting orders, presenting the merchant's own bank details for payment, tracking payment and dispatch status, and helping the merchant update customers.

To run the AI extraction and fraud-trust scoring that turns messages into orders and flags risk before goods are dispatched.

To produce the merchant's own analytics — sales, customer history, channel performance.

To improve the SureOrder product. We do not sell merchant data, customer data, or any aggregated customer-identifiable data to third parties.

4. How we store and protect it

Data is stored on infrastructure we control. Sessions are stateless HMAC-signed cookies — we hold no centralised session store that can be stolen wholesale.

SureOrder never processes card payments and never holds your money. Customers pay merchants by bank transfer directly into the merchant's own bank account. We store the merchant's own payout bank details — so the storefront can show customers where to pay — and the transfer-proof screenshot a customer uploads; we do not collect or store customer card numbers, bank logins, or any payment credentials.

API keys (cloudflared tunnel credentials, AI provider keys) are held server-side and never sent to the browser.

Sensitive data (customer phone, address) is access-controlled per merchant — one merchant cannot read another merchant's data through the application.

5. How long we keep it

Active merchant data is retained for the lifetime of the merchant's account.

Order and message data is retained for at least 7 years post-creation to support merchant accounting, audit and dispute resolution, in line with typical commercial-records requirements.

Customer data is retained while the merchant relationship is active. On merchant termination, customer data is either returned to the merchant in machine-readable form or deleted, per the merchant's instruction.

Logs (IP, request) are retained for 90 days for security and abuse-investigation purposes.

6. Who we share it with

Infrastructure providers that run the platform for us — cloud hosting, and the transactional email provider we use to send merchant sign-in codes — under data-processing terms, only as needed to operate the service.

AI providers (OpenAI, Anthropic and equivalents) — message text and product-catalog context for order extraction and reply drafting, under each provider's data-processing terms. We do NOT send payment credentials, full customer profiles, or merchant secrets.

Connected platforms you choose to link (Meta for WhatsApp / Facebook / Instagram; Google for YouTube) — see section 12.

We do NOT share your data with payment processors or courier companies, because SureOrder does not process your payments or book your deliveries: customers pay you directly into your own bank account, and you arrange your own dispatch.

Law enforcement, with valid legal process, when we are compelled to.

Nobody else. We do not sell data to advertisers or data brokers.

7. Your rights (NDPA 2023 + equivalent)

Under the Nigerian Data Protection Act 2023 (and equivalent regimes in markets we operate in), you have the right to: access your data, request correction of inaccurate data, request deletion, restrict processing, port your data to another service, and object to processing.

Send any such request to [email protected]. We respond within 14 days. If you are unhappy with our response, you may complain to the Nigeria Data Protection Commission (NDPC) or the equivalent regulator in your jurisdiction.

8. Cookies + browser storage

We use one functional cookie — the session cookie that keeps the merchant signed in. It is HMAC-signed, holds no personal data, and is not used for tracking or advertising.

We do not embed third-party analytics, ad pixels, or social-media tracking on the merchant application surface.

9. Children's data

SureOrder is a B2B merchant tool and is not directed at children. We do not knowingly collect data from anyone under 16. If we discover such data, we delete it.

10. Cross-border transfers

Some of our processors (e.g. AI providers, email infrastructure) operate outside Nigeria / the country you are in. Where we transfer data across borders we rely on each processor's recognised safeguards (Standard Contractual Clauses, NDPC adequacy decisions where they exist, or comparable protections).

11. Changes to this policy

We update this page when our practices change materially. The last-updated date appears at the top. We notify active merchants by email when changes meaningfully affect their data.

12. Connected social & messaging platforms (Meta, Google/YouTube)

When a merchant connects a WhatsApp Business, Facebook Page, or Instagram Professional account, SureOrder receives — through Meta's official APIs and only for that connected account — inbound messages, the sender's platform-scoped identifier (a Facebook/Instagram-scoped user ID, or a WhatsApp phone number), the message text, and the sender's display name where Meta provides it.

When a merchant connects a YouTube channel (via Google sign-in), SureOrder receives — through the YouTube Data API and only for that connected channel — new comments on the channel's videos (comment text, the commenter's public display name and channel ID, and the video commented on), and can post the merchant's replies to those comments. We do not access the merchant's private YouTube data, watch history, or subscriptions. SureOrder's use of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements.

We use connected-platform data solely to turn messages and comments into order drafts for the merchant and to let the merchant reply. We do not post to a merchant's feed, read unrelated content, or access anything beyond the permissions the merchant granted at connection.

Access tokens are encrypted at rest and can be revoked at any time — by the merchant disconnecting the channel in SureOrder, by removing SureOrder from their Facebook/Instagram settings, or from their Google Account's third-party access settings (myaccount.google.com/permissions). SureOrder is a data processor for this platform data; the connecting merchant is the data controller.

13. How to request data deletion

If you contacted a SureOrder merchant via WhatsApp, Facebook Messenger or Instagram and want the personal data we hold about you deleted, email [email protected] stating the platform and the handle or number you messaged from. We remove your personal identifiers (name, phone, platform handle) and redact your message content, and respond within 14 days.

Automated deletion via Meta: if you remove SureOrder through your Facebook or Instagram settings, Meta notifies our Data Deletion Request callback and we anonymise the data held for your account automatically. You receive a confirmation code prefixed 'DEL-'; quote it to [email protected] to check status.

14. Contact

Privacy questions, data-access requests, complaints: [email protected].

Postal correspondence: address available on request via the same email.

© 2026 HAG Ai Services. SureOrder is a product of HAG Ai Services.TermsHome