Privacy Policy
Last updated: April 2026
This policy explains, in plain language, what personal information Folda collects when you use our document management service, why we collect it, how we protect it, and the choices and rights you have.
1. Who we are
Folda ("Folda", "we", "us", "our") is operated by Folda Technologies. We provide a secure platform for individuals and small businesses to store, organise, scan, share, and renew their important documents. Our website is myfolda.com. For privacy questions, contact privacy@myfolda.com.
Folda is the data controller for the personal information we process about you in connection with your account and use of the service. Where we process information on your behalf (for example, the contents of documents you upload), we act as your data processor.
2. Scope
This policy applies to your use of the Folda website, web application, mobile-optimised experience, installable PWA, browser push notifications, transactional emails, and any related services (collectively, the "Service"). It does not apply to third-party sites we link to.
3. Information we collect
3.1 Information you give us
- Account information: name, email address, password (hashed), profile photo, and any identifiers from social sign-in (Google, Apple) or passkey enrollment.
- Identity Vault data: structured personal details you choose to save (such as date of birth, NIN, BVN, address, next of kin) used to auto-fill service request forms.
- Documents you upload: files of any supported type (PDFs, images, scans), along with the filename, category, tags, folder, expiry date, and any notes you add.
- KYC packs: the slot configuration, accepted document tags, and the documents you assign to each slot.
- Folda Secure vault items: end-to-end encrypted ciphertext only (we cannot read the plaintext). See section 5.
- Service requests: the form fields you submit when requesting a document service (passport, CAC, driver's license, etc.).
- Feature requests, support messages, and contact form submissions.
- Payment details: handled by our payment processor (Paystack). We store only the subscription reference, plan, status, and billing period — never your card number.
3.2 Information collected automatically
- Authentication metadata: session tokens, IP address, device/user-agent, sign-in events, and passkey usage timestamps for security auditing.
- Usage data: pages visited, features used, error logs, and performance metrics. We use this to improve the product and we do not run third-party advertising trackers.
- Push notification subscription: the browser endpoint and keys you generate when you opt in to push notifications.
- Cookies / local storage: required cookies for authentication and session, and local storage for preferences (theme, dismissed banners, demo mode flag).
3.3 Information from third parties
- Sign-in providers (Google, Apple) share your name, email, and a unique identifier when you choose to log in with them.
- OCR / scanning provider: when you scan a document, we send the image to our scan service to extract document type, expiry date, and structured fields. The provider acts as our processor and does not retain the file after processing.
4. How we use your information
- To create and operate your account, including authentication and passkey support.
- To store, organise, preview, and serve back the documents you upload.
- To run the document scanner and auto-fill metadata such as expiry dates.
- To compute KYC pack readiness scores and notify you when a document is missing or expiring.
- To deliver requested document services (passport, CAC, etc.) and update you on their status.
- To send transactional emails (sign-up confirmation, password reset, expiry reminders, service updates, payment receipts).
- To send browser push notifications that you have explicitly opted in to.
- To process subscription payments and manage billing through Paystack.
- To prevent fraud, abuse, and unauthorised access, and to investigate security incidents.
- To respond to support requests, feature requests, and legal obligations.
- To improve the Service, fix bugs, and develop new features.
We do not sell your personal information and we do not share it with advertisers.
5. Folda Secure (zero-knowledge encryption)
Folda Secure is an opt-in encrypted vault for your most sensitive items (PINs, passwords, BVN, account numbers, recovery phrases, sensitive scans). It is engineered so that only you can read its contents.
- When you create your vault PIN, an encryption key is derived on your device using PBKDF2 with a user-specific salt.
- Every item is encrypted in your browser with AES-GCM before being sent to our servers. We receive only ciphertext, an initialisation vector, and the salt.
- We never see, store, or transmit your PIN or your decryption key. Folda staff, administrators, and infrastructure providers cannot decrypt your vault.
- For convenience, your unlocked vault session is held briefly in memory on your device and is wiped on tab close, sign-out, or after a short inactivity timeout.
- If you forget your PIN, your vault items cannot be recovered by us. Keep it safe.
6. Sharing of documents
Documents stored in your standard Folda library are private by default. They are only shared when you create a share link. Each share link supports:
- An optional expiry date.
- An optional watermark.
- A view counter so you can see how often it has been opened.
- Instant revocation from your dashboard.
Anyone with an active share link can view the linked documents. Treat the link like a password.
7. How we share information with third parties
We share personal information only with the following categories of recipients:
- Infrastructure providers who host our application, database, file storage, and backups. They process data on our instructions and are bound by confidentiality and security obligations.
- Email delivery provider for transactional emails (account, security, service updates).
- Push notification providers (the browser vendors you have chosen, e.g. Apple, Google, Mozilla) when you opt in to push notifications.
- Payment processor: Paystack handles all card data and subscriptions. Their privacy policy applies to the payment step.
- OCR / scan provider for document scanning, used only to return extracted fields.
- Document service partners (e.g. agents who help process passport renewals, CAC registrations) — only when you explicitly submit a service request and only the documents and form fields needed to fulfil that request.
- Recipients of your share links — anyone you choose to share a document with.
- Legal authorities when required by law, valid legal process, or to protect rights, property, or safety. We will challenge overbroad requests.
- Acquirers in the event of a merger, acquisition, or sale of assets, subject to this policy.
8. International transfers
Folda is built on cloud infrastructure that may store and process data in regions outside your country of residence. Where we transfer personal information internationally, we rely on appropriate safeguards such as standard contractual clauses with our processors.
9. Security
- All traffic is encrypted in transit using TLS.
- Files and database fields are encrypted at rest by our storage providers.
- Folda Secure items are additionally end-to-end encrypted on your device.
- Authentication supports passkeys (WebAuthn), social sign-in, and password.
- Row-level security policies in our database ensure each user can only access their own records.
- Administrative access to production data is restricted, logged, and limited to investigations or user-requested support.
No method of transmission or storage is 100% secure. If we ever experience a breach affecting your data, we will notify you and the relevant authorities as required by law.
10. Data retention
- Active accounts: we retain your data for as long as your account is open.
- Deleted documents: removed from our active storage immediately and from backups within 30 days.
- Deleted accounts: personal data and uploaded files are deleted within 30 days, except where we are legally required to retain certain billing and tax records.
- Email logs: we keep a record of transactional emails sent (recipient, template, status) for up to 12 months for deliverability diagnostics.
- Suppression list: if you unsubscribe or an email bounces permanently, we retain your address on a suppression list to prevent further sends.
11. Your rights and choices
- Access: request a copy of the personal information we hold about you.
- Correction: update your profile, identity vault, and document metadata at any time from Settings.
- Deletion: delete individual documents, your Folda Secure vault, or your entire account from Settings.
- Portability: download your documents at any time; request a structured export by email.
- Objection / restriction: ask us to limit or stop certain processing.
- Withdraw consent: for push notifications, marketing emails, or social sign-in.
- Complain: to your local data protection authority (e.g. NDPC in Nigeria, ICO in the UK, your state DPA in the EU).
To exercise any of these rights, email privacy@myfolda.com. We respond within 30 days.
12. Email and notification preferences
Transactional emails (security alerts, document expiry, service request updates, billing receipts) are essential to the Service and cannot be turned off without closing your account. You can unsubscribe from all other emails using the link in the footer of any message or from the unsubscribe page. Push notifications can be revoked from your browser settings or your Folda settings page.
13. Children
Folda is not directed at children under 16 and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it.
14. Cookies and similar technologies
We use the following limited categories:
- Strictly necessary cookies for authentication, session, and CSRF protection.
- Functional local storage to remember UI preferences (theme, dismissed banners, demo flag).
- Service Worker cache to enable the installable PWA experience and offline-friendly assets.
We do not use third-party advertising or cross-site tracking cookies.
15. Demo mode
If you sign in to the public demo account, all data you create is shared with other demo users and is periodically wiped. Do not upload real personal documents to the demo.
16. Changes to this policy
We may update this Privacy Policy from time to time. If changes are material, we will notify you by email and post a banner in the app at least 14 days before they take effect. The "Last updated" date at the top reflects the latest version.
17. Contact us
Folda Technologies
Email: privacy@myfolda.com
Support: support@myfolda.com
WhatsApp: +234 816 018 6646
