Privacy Policy

The data controller for all personal data processed through the Knovia platform is Bookbloom LLC, a limited liability company registered in the United States of America. Knovia is a consumer brand operated by Bookbloom LLC.

For any privacy-related enquiry, to exercise your rights, or to contact our data protection team, write to: privacy@knovia.co. Our postal address is available on request.

When you create a buyer account and use the platform, we collect:

• Account data: Your name, email address, and the date your account was created.
• Purchase data: Materials purchased, purchase timestamps, amounts paid, and payment references. We do not store full card numbers — payment processing is handled by Fincra and Stripe (see Section 6).
• Session and access logs: Pages accessed within each purchased material, timestamps of access, session start and end times, and whether a session was online or offline. These logs are maintained for the lifetime of the purchase relationship and are used to determine refund eligibility and to resolve payment disputes.
• Device data: A device fingerprint derived from your browser user agent, screen resolution, and timezone. This is used to enforce the two-device limit per account. We do not use device fingerprints for advertising or tracking purposes.
• IP address: Recorded per session for security and fraud prevention purposes.
• Review content: If you submit a rating or review, the content of that review is stored and displayed publicly on the listing.
• Offline cache activity: Page access events that occur while offline are timestamped locally and synced to our servers when connectivity is restored. The timing and content of offline access is recorded in the same session log as online access.

Lecturers provide all data listed under Section 2, plus additional data required for identity verification and payout processing:

• Legal name: Stored privately. Used for all transactional correspondence, payout notifications, verification notices, receipts, and internal audit logging. Never shown publicly on any platform surface.
• Display name (pen name): Stored and used for all public-facing platform surfaces, including material listings and your public profile.
• Date of birth and nationality: Collected as part of Layer 1 identity verification.
• Residential address and phone number: Collected for verification and payout compliance purposes.
• Government ID type and number: Stored encrypted. Used for Layer 1 verification compliance only. Never displayed in any UI after submission.
• Hold-up photo (Layer 1): A photo of you holding your government ID, submitted during Layer 1 verification. Analysed by Anthropic Claude Vision API for identity verification. The image is deleted after the verification outcome is final (approved or rejected).
• Institutional email address (Layer 2, Path A): Used to send a single verification confirmation link only. Never used for any platform communication after verification. Stored in the verification record.
• Employment documents (Layer 2, Path B): Documents submitted to verify employment at an academic institution. Stored securely and retained as part of your verification record.
• Bank account details: Account name, bank name, and account number. Stored encrypted. Displayed in the UI masked to the last four digits only.
• Locked field change history: A permanent audit log of any changes to your legal name, date of birth, or primary email address, retained indefinitely even after account deletion.

We explicitly do not collect or store the following:

• Bank Verification Number (BVN): We do not collect or process BVNs.
• Full card numbers: Card payment details are processed entirely by Fincra and Stripe. We receive only transaction confirmations and references — never raw card data.
• Advertising or behavioural data: We do not build advertising profiles, track you across other websites, or share your data with advertising networks.
• Institutional email for communications: A lecturer's institutional email, if provided for Layer 2A verification, is never used for platform communications of any kind after the verification link is sent.

We process personal data only where a valid legal basis exists. The primary bases we rely on are:

We use the following third-party service providers to operate the platform. Each processor receives only the minimum data necessary for their function and is bound by appropriate data processing agreements.

We apply additional protections to sensitive categories of data:

• Government ID numbers and bank account details are encrypted at rest using industry-standard encryption. They are accessible only to systems that require them for their specific operational purpose.
• Bank account numbers are masked in all platform UIs — only the last four digits are displayed.
• Hold-up photos submitted during Layer 1 verification are transmitted securely to Anthropic's API for analysis and are permanently deleted from all systems once the verification outcome is final. They are not stored in our primary database.
• All personal data is transmitted over HTTPS. Data at rest in our database (Supabase, US-hosted) is encrypted using AES-256.
• Access to personal data is restricted to platform systems and personnel with a documented operational need. All access is logged.

Under the Nigeria Data Protection Act 2023 (NDPA) and applicable US law, you have the following rights in relation to your personal data:

• Right of access: You may request a copy of the personal data we hold about you.
• Right to rectification: You may request correction of inaccurate data. Note that certain identity fields (legal name, date of birth, primary email) are locked after verification and can only be changed through our support process with legal documentation.
• Right to erasure: You may request deletion of your account and personal data. Note that certain data is subject to mandatory retention periods (see Section 9) and cannot be deleted regardless of this request.
• Right to restrict processing: You may request that we pause processing of your data in certain circumstances.
• Right to data portability: You may request your personal data in a structured, machine-readable format.
• Right to object: You may object to processing based on legitimate interest.

To exercise any of these rights, email privacy@knovia.co with your full name, the email address associated with your account, and a clear description of your request. We will respond within 14 days. Identity verification may be required before we can process your request. There is no fee for reasonable requests.

We retain personal data for only as long as necessary for its original purpose or as required by law:

Knovia uses only the minimum cookies necessary to operate the platform. We do not use advertising cookies, third-party tracking cookies, or behavioural profiling cookies.

We use three cookies:

For full details on how to manage or block cookies, see our Cookie Policy. Note that blocking the session cookie will prevent you from logging in.

Knovia's infrastructure is hosted primarily in the United States. By using the platform, your data is processed in the US. We use the following US-based processors: Supabase, Vercel, Anthropic, and Resend.

For users in Nigeria, your rights under the Nigeria Data Protection Act 2023 (NDPA 2023) are preserved regardless of where your data is processed. Where required by applicable law, we apply appropriate safeguards — including Standard Contractual Clauses (SCCs) — for international transfers.

We do not transfer personal data to countries that do not provide an adequate level of data protection without appropriate safeguards in place.

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

• Notify the Nigeria Data Protection Bureau (NDPB) within 72 hours of becoming aware of the breach, as required by the NDPA 2023.
• Notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

Breach notifications to users will include: a description of the nature of the breach, the categories of data affected, the likely consequences, and the steps we are taking to address it.

Knovia is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If we become aware that a child under 13 has created an account, we will immediately delete their account and all associated data.

Users aged 13–17 may use the platform only with the consent of a parent or guardian, which is confirmed at account creation. If you believe a minor under 13 has created an account without parental consent, please contact us at privacy@knovia.co.

Knovia will not disclose any user data — including whether a specific individual holds an account on the platform — to academic institutions, employers, or any third party in response to informal requests.

User data is disclosed only where required by a court order or binding legal process under applicable law. This applies regardless of whether the requesting institution employs a registered lecturer on the platform.

This commitment is made under the Nigeria Data Protection Act 2023, which governs user data rights on this platform. Lecturers who are concerned about the relationship between their use of the platform and their institutional obligations should review the platform's Terms of Service and ensure that their listing activity does not violate any employment contract or institutional policy. The platform accepts no liability for institutional consequences arising from a lecturer's decision to sell on the platform.

We may update this Privacy Policy from time to time. For material changes — those that affect how we use your data or your rights — we will provide at least 14 days' notice via email to your registered address and via an in-platform notification before the changes take effect.

For minor changes (corrections, clarifications, or changes that do not affect your rights), we may update this page without prior notice, updating the "Last updated" date above.

Continued use of the platform after the effective date of a material change constitutes acceptance of the updated policy.

For all privacy-related queries, rights requests, and data protection concerns:

privacy@knovia.co

For general legal matters: legal@knovia.co