
Privacy Policy
1. Introduction and Identity of the Data Controller
VestraPay Nigeria Limited ("VestraPay", "we", "us", or "our") is a financial technology company licensed by the Central Bank of Nigeria (CBN), with its registered office in Nigeria. We provide digital payment solutions, electronic funds transfer services, payment processing infrastructure, and related financial services to individuals and businesses (collectively, "Services").
This Privacy Policy explains how VestraPay collects, uses, stores, discloses, and protects personal data in the course of providing our Services. It applies to all persons who interact with us, including customers, prospective customers, merchants, business partners, website visitors, and employees, each to the extent relevant to their relationship with us.
VestraPay is a Data Controller under the Nigeria Data Protection Act 2023 (NDPA) and the Nigeria Data Protection Regulation 2019 (NDPR). This Privacy Policy is issued in compliance with:
- The Nigeria Data Protection Act 2023 (NDPA)
- The Nigeria Data Protection Regulation 2019 (NDPR) and its Implementation Framework
- CBN Consumer Protection Framework 2016 (as amended)
- CBN Regulatory Framework for BVN Operations and Watch List for the Nigerian Banking Industry
- Central Bank of Nigeria (Anti-Money Laundering, Combating the Financing of Terrorism and Countering Proliferation Financing of Weapons of Mass Destruction in Financial Institutions) Regulations 2022
- Any other applicable Nigerian law or regulation governing data protection and financial services
By accessing our platform, website, mobile application, or using any of our Services, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree with this Policy, please discontinue use of our Services.
2. Definitions
For the purposes of this Privacy Policy, the following terms shall have the meanings assigned to them:
| Term | Definition |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person, whether supplied directly by the data subject or obtained otherwise, including but not limited to name, identification number, location data, online identifiers, biometric data, financial data, or other factors specific to the identity of that person. |
| Processing | Any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, restriction, erasure, or destruction. |
| Data Subject | An identified or identifiable natural person whose personal data is processed by VestraPay. |
| Consent | Any freely given, specific, informed, and unambiguous indication by the data subject by which they, through a statement or clear affirmative action, signify agreement to the processing of their personal data. |
| Data Controller | A person who determines the purposes and means of processing personal data. VestraPay is the Data Controller for all personal data processed in connection with its Services. |
| Data Processor | A person who processes personal data on behalf of and under the authority of a Data Controller, other than an employee of the Data Controller. |
| DPO | Data Protection Officer, the person designated by VestraPay to monitor compliance with data protection obligations. |
| NDPA | Nigeria Data Protection Act 2023. |
| NDPR | Nigeria Data Protection Regulation 2019. |
| Sensitive Personal Data | Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning a person's sex life or sexual orientation. |
3. Categories of Personal Data Collected
VestraPay collects personal data that is necessary and proportionate for the lawful provision of our Services. The categories of personal data we collect include the following:
3.1 Identity and Verification Data
- Full legal name and date of birth
- Government-issued identification documents: National Identification Number (NIN), Bank Verification Number (BVN), international passport, driver's licence, or voter's card
- Facial photographs and biometric data (where required for KYC verification)
- Proof of address documents
- Business registration documents (for corporate customers)
- Tax identification numbers (TIN)
3.2 Contact and Communication Data
- Email address and phone number
- Residential or business address
- Communication preferences
- Records of correspondence with VestraPay customer support
3.3 Financial and Transaction Data
- Bank account details and card information (to the extent required for transaction processing)
- Transaction history, amounts, frequencies, counterparties, and merchant details
- Wallet balances and account statements
- Source of funds declarations
- Beneficiary details provided by you for transfer purposes
3.4 Device and Technical Data
- IP address, device identifiers (IMEI, MAC address), device type, and operating system
- Browser type and version
- Login timestamps and session durations
- Geolocation data (where enabled or required for fraud prevention)
- Cookies and similar tracking technologies (see Section 11)
3.5 Usage and Behavioural Data
- Log data reflecting how you interact with our platform, mobile application, or API
- Features accessed, screens viewed, and actions taken within our Services
- Transaction patterns and behavioural analytics used for fraud and AML monitoring
3.6 Compliance and Risk Data
- Politically Exposed Person (PEP) status and sanctions screening results
- Risk classification (as determined under our KYC and CDD frameworks)
- Reports filed with the Nigerian Financial Intelligence Unit (NFIU) as required by law (not disclosed to data subjects where prohibited)
- Due diligence documentation gathered under the Money Laundering (Prevention and Prohibition) Act 2022 (MLPPA 2022)
3.7 Special Categories of Data
VestraPay does not intentionally collect sensitive personal data unless strictly necessary for regulatory compliance (e.g., biometric data collected as part of BVN-based identity verification mandated by the CBN). Where sensitive data is processed, it is done on the basis of legal obligation or with your explicit consent, and subject to enhanced safeguards.
4. How We Collect Personal Data
VestraPay collects personal data through the following means:
4.1 Directly from You
- During onboarding and account registration
- When you complete KYC/identity verification processes
- Through your use of our payment, transfer, or wallet features
- When you contact our customer support team
- When you respond to surveys, promotions, or feedback requests
4.2 From Third Parties
- Identity verification agencies and credit bureaus (e.g., CRC Credit Bureau, CreditRegistry)
- The Nigeria Inter-Bank Settlement System (NIBSS) for BVN verification
- Correspondent banks and payment scheme operators
- Sanctions and PEP screening databases
- Fraud prevention and AML/CFT service providers
- Regulatory authorities (where permitted by law)
- Business partners or merchants through whom you access VestraPay-powered services
5. Legal Basis for Processing
VestraPay processes personal data on the following lawful bases as provided under the NDPA 2023 and the NDPR 2019:
| Legal Basis | Processing Activities |
|---|---|
| Contractual Necessity | Processing required to open and manage your account, execute transactions, provide customer support, and perform all activities necessary to deliver the Services you have requested from VestraPay. |
| Legal Obligation | Processing required to comply with CBN regulations, the MLPPA 2022, CBN AML/CFT/CPF Regulations 2022, NFIU reporting obligations, tax regulations, court orders, and other applicable laws. This includes mandatory KYC/CDD, transaction monitoring, suspicious activity reporting, and record retention. |
| Consent | Processing for marketing communications, optional data sharing with non-regulatory third parties, and the use of non-essential cookies. You may withdraw consent at any time without affecting the lawfulness of prior processing. |
| Legitimate Interests | Processing for fraud prevention, security threat detection, network and information security, business analytics (in aggregate and anonymised form), and improving the quality of our Services, where such interests are not overridden by your fundamental rights and freedoms. |
| Vital Interests | Processing in exceptional circumstances necessary to protect the life or safety of a data subject or another person. |
| Public Task | Processing in the exercise of official authority or the performance of a task carried out in the public interest, including regulatory and supervisory obligations imposed by the CBN and other competent authorities. |
6. Purposes of Processing
VestraPay processes personal data for the following purposes:
6.1 Service Delivery
- Registering and maintaining your VestraPay account
- Processing payment transactions, fund transfers, and collections
- Issuing receipts, statements, and notifications
- Providing access to and managing your digital wallet
6.2 Identity Verification and KYC
- Verifying your identity as required by the CBN Customer Due Diligence (CDD) Regulations
- Conducting enhanced due diligence (EDD) on higher-risk customers
- Screening against PEP and sanctions lists (UN, OFAC, EU, HMT, and local designations)
6.3 Compliance and Risk Management
- Monitoring transactions for suspicious activity in accordance with the MLPPA 2022
- Filing Suspicious Transaction Reports (STRs) and Currency Transaction Reports (CTRs) with the NFIU
- Maintaining mandatory records in accordance with CBN AML/CFT/CPF Regulations 2022
- Meeting obligations under the CBN Consumer Protection Framework
6.4 Fraud Prevention and Security
- Detecting and preventing unauthorised access, fraudulent transactions, and cyberattacks
- Investigating security incidents
- Administering device and session-level authentication controls
6.5 Customer Support and Communications
- Responding to inquiries, complaints, and dispute resolution requests
- Sending transactional notifications (e.g., payment confirmations, security alerts)
- Communicating service updates, policy changes, and regulatory notices
6.6 Marketing (Consent-Based)
- Sending promotional offers, product updates, and newsletters, where you have provided consent
- Conducting customer satisfaction surveys and market research
- You may opt out of marketing communications at any time by clicking the unsubscribe link in any marketing email or by contacting our DPO.
6.7 Product Development and Analytics
- Analysing usage patterns to improve our Services, features, and user experience
- Conducting internal risk modelling and business analytics (primarily in aggregated or anonymised form)
7. Disclosure and Sharing of Personal Data
VestraPay does not sell, rent, or trade your personal data. We share personal data only as described below and only to the extent strictly necessary:
7.1 Regulatory and Law Enforcement Authorities
We are required by law to disclose personal data to regulatory, supervisory, and law enforcement authorities, including:
- The Central Bank of Nigeria (CBN)
- The Nigerian Financial Intelligence Unit (NFIU)
- The Nigeria Data Protection Commission (NDPC)
- The Economic and Financial Crimes Commission (EFCC)
- The Independent Corrupt Practices and Other Related Offences Commission (ICPC)
- Courts of competent jurisdiction and other government bodies, pursuant to valid legal process
7.2 Financial Infrastructure and Payment Partners
- NIBSS and other payment switching companies necessary for transaction routing and settlement
- Correspondent and settlement banks
- Card scheme operators (where applicable)
7.3 Service Providers and Data Processors
We engage third-party service providers who process personal data strictly on our behalf and under binding data processing agreements, including:
- Identity verification and KYC technology providers
- Cloud infrastructure and hosting providers
- IT security and fraud detection vendors
- Customer support platform providers
- SMS and email notification services
- Legal, audit, and professional advisers (subject to professional confidentiality obligations)
7.4 Business Transfers
In the event of a merger, acquisition, restructuring, or sale of all or substantially all of VestraPay's assets, personal data may be transferred as part of that transaction. Where required by law, we will notify affected data subjects before such a transfer occurs.
7.5 With Your Consent
With your explicit consent, we may share your personal data with third parties for purposes not covered by this Policy, including with merchants or financial institutions you specifically authorise to access your account data.
8. Cross-Border Transfers of Personal Data
Where VestraPay transfers personal data outside Nigeria, we ensure that such transfers comply with Part VII of the NDPA 2023 and that adequate protection is afforded to the data. We implement one or more of the following safeguards:
- Transfers to countries that have been designated by the NDPC as providing adequate protection for personal data
- Execution of Standard Contractual Clauses (SCCs) or equivalent contractual arrangements approved by the NDPC
- Binding corporate rules where transfers occur within a corporate group
- Specific derogations permitted under the NDPA (e.g., transfers necessary for the performance of a contract, or for the establishment, exercise, or defence of legal claims)
You may request information about our cross-border transfer safeguards by contacting our DPO.
9. Data Retention
VestraPay retains personal data for as long as is necessary to fulfil the purposes for which it was collected, to comply with our legal obligations, resolve disputes, and enforce our agreements. The following minimum retention periods apply:
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| KYC and identity documents | 5 years after end of business relationship | MLPPA 2022, s.26; CBN AML/CFT Regulations 2022 |
| Transaction records | 5 years after transaction date | MLPPA 2022; CBN Regulations |
| AML/CFT reports and STRs | Minimum 5 years | MLPPA 2022; NFIU Guidelines |
| Customer communications and complaints records | 3 years after resolution | CBN Consumer Protection Framework |
| Marketing and consent records | Until consent is withdrawn or 2 years of inactivity | NDPA 2023; NDPR 2019 |
Upon expiry of applicable retention periods, personal data will be securely erased, anonymised, or pseudonymised in accordance with our Data Retention and Disposal Policy. Extended retention may apply where data is subject to active legal proceedings, regulatory inquiry, or audit.
10. Your Rights as a Data Subject
Subject to applicable law, you have the following rights in respect of your personal data held by VestraPay:
| Right | Description |
|---|---|
| Right of Access (s.34 NDPA) | You have the right to request confirmation of whether VestraPay processes your personal data and, if so, to obtain a copy of that data and information about how it is processed. |
| Right to Rectification (s.35 NDPA) | You have the right to request the correction of inaccurate or incomplete personal data held about you. |
| Right to Erasure (s.36 NDPA) | You have the right to request the deletion of your personal data where: it is no longer necessary for the purposes for which it was collected; you withdraw consent (where consent was the legal basis); or processing is unlawful. This right is subject to applicable retention obligations under financial services and AML law. |
| Right to Restrict Processing (s.37 NDPA) | You have the right to request that we limit the processing of your personal data in specified circumstances, such as while a rectification request is being considered. |
| Right to Data Portability (s.38 NDPA) | Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format, and to transmit that data to another controller. |
| Right Not to Be Subject to Automated Decisions (s.40 NDPA) | You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects concerning you, except where permitted by law. |
| Right to Withdraw Consent | Where processing is based on consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal. |
| Right to Lodge a Complaint | You have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) at: ndpc.gov.ng, or to seek judicial remedy in a court of competent jurisdiction. |
To exercise any of these rights, please submit a written request to our DPO at sarah@vestrapay.com. We will respond within 30 days of receiving your request, as required under the NDPA 2023. We may need to verify your identity before processing your request.
Please note that certain rights may be limited where their exercise would interfere with our obligations under applicable law, including AML/CFT and financial services regulations.
11. Cookies and Tracking Technologies
VestraPay uses cookies and similar technologies on our website and mobile application. These technologies help us deliver a secure, functional, and optimised experience.
11.1 Types of Cookies We Use
- Strictly Necessary Cookies: Essential for the operation of our platform, including session management, authentication, and fraud prevention. These cookies cannot be disabled without affecting core functionality.
- Functional Cookies: Enable enhanced features and personalisation, such as remembering your preferences and language settings.
- Analytical and Performance Cookies: Used to understand how users interact with our platform, identify usage patterns, and improve performance. Analytics data is aggregated and anonymised where possible.
- Marketing Cookies: Used, with your consent, to deliver relevant advertisements and measure the effectiveness of marketing campaigns. These are not used without your explicit opt-in.
11.2 Managing Cookies
You can control cookie settings through your browser or device settings. For our mobile application, you may manage tracking preferences through the in-app settings menu. Please note that disabling certain cookies may affect the functionality of our Services.
12. Data Security
VestraPay implements appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, alteration, or disclosure. Our security measures include:
- Encryption of data in transit (TLS/SSL) and at rest
- Role-based access controls limiting data access to authorised personnel on a need-to-know basis
- Multi-factor authentication for access to critical systems
- Regular security assessments, penetration testing, and vulnerability management
- Endpoint protection and network monitoring systems
- Staff training on data protection and information security
- Incident response procedures compliant with NDPA 2023 notification requirements
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, VestraPay will notify the NDPC without undue delay and, where required, will also notify affected data subjects in accordance with the NDPA 2023.
While we take all reasonable steps to protect your personal data, no method of transmission over the internet or electronic storage is completely secure. We encourage you to safeguard your account credentials and to notify us immediately if you suspect any unauthorised access to your account.
13. Children's Privacy
VestraPay's Services are not directed to persons under the age of 18. We do not knowingly collect or process personal data of minors. If we become aware that personal data has been collected from a minor without parental or guardian consent, we will take steps to delete such data promptly. If you believe we may have inadvertently collected data relating to a minor, please contact our DPO immediately.
14. Links to Third-Party Services
Our platform or communications may contain links to third-party websites, applications, or services. This Privacy Policy does not apply to such third-party services, and VestraPay is not responsible for the privacy practices of third parties. We encourage you to review the privacy policies of any third-party services you access.
15. Updates to This Privacy Policy
VestraPay may update this Privacy Policy from time to time to reflect changes in our Services, business practices, or applicable legal requirements. Where we make material changes, we will notify you through the contact details you have provided or via a prominent notice on our platform, with reasonable notice prior to the changes taking effect.
The most recent version of this Privacy Policy will always be available on our website and mobile application. Your continued use of our Services after the effective date of any update constitutes your acceptance of the revised Policy.
16. Contact Us and Data Protection Officer
If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, you may contact VestraPay's Data Protection Officer:
| Contact Details | |
|---|---|
| Role | Data Protection Officer (DPO) |
| Organisation | VestraPay Nigeria Limited |
| sarah@vestrapay.com | |
| Regulatory Body | Nigeria Data Protection Commission (NDPC) |
| NDPC Website | www.ndpc.gov.ng |
We are committed to working with you to resolve any concerns regarding your personal data. If you are not satisfied with our response, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC).
17. Schedule: Key Regulatory References
This Privacy Policy is informed by, and should be read alongside, the following key regulatory instruments:
| Instrument | Relevance |
|---|---|
| Nigeria Data Protection Act 2023 (NDPA) | Primary data protection legislation; governs all processing of personal data in Nigeria. |
| Nigeria Data Protection Regulation 2019 (NDPR) | Supplementary regulatory framework; implementation guidelines remain operative where not superseded by NDPA. |
| Money Laundering (Prevention and Prohibition) Act 2022 (MLPPA) | Mandates KYC, customer due diligence, record retention, and suspicious transaction reporting obligations. |
| CBN AML/CFT/CPF Regulations 2022 | CBN-specific AML/CFT/CPF compliance obligations applicable to financial institutions, including record-keeping and customer identification requirements. |
| CBN Consumer Protection Framework 2016 (as amended) | Governs VestraPay's obligations to treat customers fairly, manage complaints, and protect consumer data. |
| Companies and Allied Matters Act 2020 (CAMA) | Governs corporate obligations, including statutory record-keeping requirements. |
| NFIU goAML Reporting Guidelines | Governs submission of financial intelligence reports to the NFIU. |
| FATF Recommendations | International standards for AML/CFT that inform CBN regulatory requirements. |