RatedBy is social-commerce trust infrastructure. We process personal data and business information to help buyers check vendors, help vendors verify and correct their records, receive complaints, prevent abuse, and protect the integrity of the Trust Index.
Data controller
RatedBy is the data controller for the public website, buyer lookup, vendor claim, complaint, verification, payment-plan, and API services unless a separate written contract says otherwise. Privacy requests should be sent to privacy@getratedby.com.
Information we collect
We may collect lookup inputs, account and authentication details, buyer or vendor preferences, device and rate-limit identifiers, vendor profile and branch information, complaint submissions, evidence files or links, correction requests, claim and review records, payment-plan metadata, support messages, source evidence, and operational logs needed to run and secure the service.
Verification data
Where a vendor starts verification or a review requires it, we may process verification data through approved providers such as Mono Lookup. This can include BVN/NIN checks, CAC/business registration lookup, bank account name validation, TIN/address checks, and compliance screening where available and lawful. Raw verification responses are kept for 30 days, then hard deleted; extracted verification status is kept only for the approved retention period.
How we use information
We use information to return lookup results, assess and explain trust signals, receive and review complaints, process vendor claims and corrections, verify business identity, prevent fraud and platform abuse, run paid plans, support customers, maintain security, comply with legal duties, and defend RatedBy or users in disputes.
Legal bases
Under the Nigeria Data Protection Act, 2023 and similar laws where they apply, our legal bases may include contract performance, consent where required, legitimate interests in trust and safety, legal obligation, dispute handling, and fraud prevention. You may withdraw consent where consent is the basis, but this will not affect processing already carried out lawfully.
Device data and cookies
We may use cookies, local storage, and device identifiers for functional settings, rate limits, fraud prevention, recent searches, language, region, buyer/vendor mode, and explanation-depth preferences. Non-essential tracking should not be introduced without a clear consent path. See our cookie policy for the full inventory.
Trust Index and automated outputs
Trust Index outputs are evidence-based decision support, not a legal finding or guarantee. Where an output materially affects a vendor profile or paid API response, we keep audit trails and correction paths so a vendor can request human review, dispute evidence, and correct inaccurate records.
What we do not do
We do not sell personal data. We do not publish raw complaint narratives, filer identity, private evidence, raw verification responses, service-role credentials, or backend-only scoring details on public profile pages. Verification data is not sold, publicly exposed, or used to provide financial services.
Sharing
We share data only when required to operate RatedBy. This can include infrastructure, database, email, payment, analytics, verification, and support providers; legal or regulatory requests; dispute review; abuse prevention; approved B2B API customers receiving permitted fields; or a business transfer with equivalent privacy commitments.
International processing
RatedBy may use infrastructure and providers outside your country. Where data moves across borders, we expect equivalent security, access-control, and confidentiality commitments from our processors.
Retention
Retention follows the canonical data-retention matrix. Buyer lookup history is kept for 12 months, complaint and evidence records may be kept for 7 years, payment records may be kept for 7 years, notification logs for 30 days, B2B API logs for 90 days, and raw crawl or API artifacts for 30 days unless a legal hold applies.
Security
We use access controls, environment separation, backend-only service credentials, logging limits, and row-level security to reduce misuse. No internet service can guarantee perfect security, so we also monitor abuse and restrict access where needed.
Your rights
You can ask to access, correct, delete, restrict, object to, or export eligible personal data. You may also object to direct marketing, withdraw consent where consent applies, and lodge a complaint with a data protection authority. Some fraud, dispute, legal, accounting, or security records may be retained where law or platform integrity requires it. See our data protection page for how to exercise these rights.
Children
RatedBy is not intended for children. If we learn that a child has submitted personal data without appropriate authority, we will take reasonable steps to remove or restrict it.
Changes
We may update this policy as the product, legal requirements, or operating markets change. Material changes will be reflected on this page with a new effective date.
Contact
For privacy requests, contact privacy@getratedby.com.
Related
Other legal documents that work alongside this policy.