Data Privacy Policy

Introduction

Smartpay Tech Global Ltd ("Smartpay") is committed to protecting the privacy and security of personal data entrusted to us by customers, partners, and stakeholders.

This Data Privacy Policy outlines how we collect, use, store, share, and protect personal data in compliance with the Nigeria Data Protection Regulation (NDPR), the General Data Protection Regulation (GDPR) (where applicable), and other relevant laws.

Scope

This policy applies to:

• All personal data processed by Smartpay through its payment application and related services (airtime, data, and bill payments).
• All employees, contractors, vendors, and partners who handle customer data on behalf of Smartpay.
• All forms of data (electronic, paper, or cloud-based).

Principles of Data Processing

Smartpay adheres to the following principles:

1. Lawfulness, Fairness & Transparency
2. Purpose Limitation
3. Data Minimization
4. Accuracy
5. Storage Limitation
6. Integrity & Confidentiality
7. Accountability

Categories of Personal Data Collected

Smartpay may collect and process the following categories of personal data:

• Identity Data — name, phone number, email address
• Transaction Data — airtime, data, and bill payment records
• Financial Data — bank account or wallet details
• Device & Technical Data — device IDs, IP addresses, app usage logs
• Customer Support Data — complaints and inquiries

Legal Basis for Processing

Processing of personal data is based on one or more of the following legal bases:

• Consent — explicit agreement from the data subject
• Contract — necessary for service delivery
• Legal Obligation — compliance with financial regulations
• Legitimate Interest — fraud prevention and service improvement

Rights of Data Subjects

As a Smartpay user, you have the following rights regarding your personal data:

• Right of access to your personal data
• Right to rectification of inaccurate data
• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to object to processing
• Right to data portability
• Right to withdraw consent at any time

Data Sharing and Disclosure

Personal data may be shared with the following parties under strict data-sharing agreements:

• Licensed payment partners and telecom operators
• Regulators — CBN, NITDA, and the Financial Intelligence Unit (FIU)
• Third-party service providers engaged under contractual data protection obligations

International Data Transfers

Transfers of personal data outside Nigeria are permitted only to countries that provide an adequate level of data protection, or where appropriate contractual safeguards (such as Standard Contractual Clauses) are in place to ensure equivalent protection.

Data Security

Smartpay implements industry-standard technical and organisational security measures, including:

• Encryption in transit using TLS 1.2/1.3
• Encryption at rest using AES-256
• Role-based access control and multi-factor authentication (MFA)
• Firewalls, intrusion detection/prevention systems (IDS/IPS)
• Ongoing vulnerability management and security audits
• Secure software development practices
• Regular employee security awareness training

Data Retention & Disposal

• Transaction records — retained for 7 years as required by financial regulations
• User account data — retained for as long as the account remains active
• Post-retention — data is securely disposed of or anonymised when no longer needed
• Paper records — securely shredded in accordance with this policy

Breach Notification

In the event of a personal data breach, Smartpay will notify the Nigerian Data Protection Bureau (NDPB) and all affected individuals within 72 hours of becoming aware of the breach, as required by the NDPR.

Roles and Responsibilities

• Management — ensures organisation-wide compliance with this policy
• Data Protection Officer (DPO) — monitors compliance and responds to data subject requests
• Employees & Contractors — must comply with this policy in all data handling activities
• Vendors — bound by contractual data protection obligations

Policy Enforcement

Non-compliance with this policy by employees or contractors may result in disciplinary action, up to and including termination of employment. Non-compliance by vendors or third parties may lead to contract termination and may be reported to relevant regulatory authorities.

Policy Review

This policy is reviewed annually or whenever there are significant changes to applicable laws or regulations. Updates will be communicated to all relevant stakeholders in a timely manner.