SwissPay Africa Ltd | Data Protection Policy

1. Introduction

SwissPay Africa Ltd ("SwissPay", "we", "us", or "our") is committed to protecting the privacy and personal data of everyone who uses our platform, app, or services. This Data Protection Policy explains what data we collect, why we collect it, how we use and protect it, and what rights you have over your information.

SwissPay is a payment platform that processes transactions online when internet is available, and offline when it is not. Because we handle financial transactions and personal information, we take data protection seriously and comply with applicable data protection laws.

This policy applies to all users of the SwissPay app, SwissPay wearables, the SwissPay website (swisspay.africa), and any other SwissPay services.

2. Who We Are

Data Controller: SwissPay Africa Ltd
Email: legalandcompliance@swisspay.africa
Phone: +234 8138858089
Website: www.swisspay.africa

The data controller is the organisation responsible for deciding how and why your personal data is collected and used. If you have any questions about this policy or how your data is handled, contact us at the details above.

Data Protection Officer (DPO): [Insert DPO name and contact email once appointed]

Note: Under the Nigeria Data Protection Act 2023, organisations processing personal data at scale are required to designate a Data Protection Officer. SwissPay should appoint a DPO or engage a licensed Data Protection Compliance Organisation (DPCO) before launch.

3. Regulatory Framework

SwissPay complies with the following data protection laws and frameworks:

Nigeria Data Protection Act 2023 (NDPA) — The primary data protection legislation in Nigeria. It governs how organisations collect, store, process, and transfer personal data of Nigerian residents.
CBN Consumer Protection Framework — The Central Bank of Nigeria's guidelines for the protection of financial consumers, including requirements for data privacy, transparency, and complaint resolution in financial services.
Nigeria Data Protection Regulation 2019 (NDPR) — Where applicable, we also observe the principles established under the NDPR as a complement to the NDPA.
International Users — If you access SwissPay from outside Nigeria — including from countries in the European Economic Area — we apply equivalent standards of data protection consistent with applicable international frameworks, including the General Data Protection Regulation (GDPR) where it applies to you.

4. Data We Collect

We only collect data that is necessary to provide and improve our services. The categories of personal data we may collect include:

Identity and Contact Data

Full name
Phone number
Email address (where provided)
Profile photograph (where uploaded)

Financial and Transaction Data

Transaction amounts and timestamps
Sender and recipient identifiers
Wallet balance and transaction history
Payment narrations

Device and Technical Data

Device type and operating system
NFC and BLE identifiers used during payment
App version and usage logs
IP address and approximate location (for fraud detection purposes)

Onboarding and Verification Data

Identity verification documents (where required for account registration or compliance)
Agent or merchant registration information

Waitlist and Communication Data

Name, phone number, and email address submitted via the waitlist form
User type selected at sign-up (commuter, trader, merchant, etc.)

We do not collect sensitive personal data such as biometric data, health information, or political opinions unless explicitly required by law and with your prior consent.

5. How We Collect Your Data

We collect your data in the following ways:

Directly from you — when you register for an account, fund your wallet, make or receive a payment, submit a waitlist form, or contact us
Automatically — when you use the SwissPay app or wearable, including device identifiers, transaction logs, and usage data
From partners — from banking partners such as VFD Microfinance Bank and Parallex Bank in connection with regulated financial services
From agents — where a SwissPay agent assists with your onboarding or account setup

6. Why We Use Your Data

We use your personal data only for the purposes for which it was collected. Our lawful bases for processing are:

To provide our services (contractual necessity)

Process your payments online and offline
Maintain your wallet and transaction history
Authenticate your identity during transactions
Enable offline transaction reconciliation when connectivity is restored

To comply with legal obligations

Meet Know Your Customer (KYC) requirements under CBN regulations
Report to regulatory bodies as required by Nigerian financial services law
Retain transaction records for the legally required period

To protect legitimate interests

Detect and prevent fraud, money laundering, and unauthorised access
Maintain the security and integrity of the SwissPay platform
Monitor system performance and resolve technical issues

With your consent

Send you launch notifications and product updates (waitlist communications)
Send marketing communications where you have opted in
You may withdraw consent at any time by contacting us or using the unsubscribe link in any communication

7. Offline Data Processing

SwissPay includes an offline payment mode that operates when internet connectivity is unavailable. The following applies specifically to offline data:

Offline transactions are authorised and encrypted locally on your device using NFC and BLE technology
Transaction records are stored securely on the device and reconciled with our central systems automatically when connectivity is restored
No transaction data is ever permanently stored only on a device — all records are synchronised and backed up to SwissPay's secure servers upon reconnection
Offline transaction data is subject to the same encryption standards, retention policies, and user rights as online transaction data

8. How We Share Your Data

We do not sell your personal data. We do not share your data with advertisers. We may share your data only in the following circumstances:

Banking and financial partners — We share necessary transaction data with VFD Microfinance Bank and Parallex Bank to facilitate regulated payment processing and maintain our operating licence arrangements.
Service providers — We engage third-party providers to support our technology infrastructure, data storage, and customer communications. These providers are contractually bound to process your data only on our instructions and in accordance with applicable data protection law.
Regulatory and law enforcement bodies — We may disclose your data to the Central Bank of Nigeria, the Nigeria Data Protection Commission (NDPC), law enforcement, or other authorities where required by law or to prevent fraud and financial crime.
Business transfers — In the event of a merger, acquisition, or sale of SwissPay's business, your data may be transferred to the successor entity. We will notify you in advance of any such transfer.

We will never share your data with third parties for their own marketing purposes.

9. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes set out in this policy, or as required by law.

Data Category	Retention Period
Account and identity data	Duration of account, plus 7 years after closure
Transaction records	7 years (CBN regulatory requirement)
Waitlist sign-up data	Until launch notification is sent, then deleted unless you become a user
Device and technical logs	12 months rolling
Marketing communications data	Until you unsubscribe or withdraw consent

After the applicable retention period, your data is securely deleted or anonymised.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, alteration, or disclosure. These include:

End-to-end encryption for all payment data, online and offline
Secure server infrastructure with access controls and monitoring
Encrypted local storage for offline transaction data on devices
PIN protection and session authentication on the SwissPay app
Regular security reviews and vulnerability assessments

In the event of a data breach that is likely to affect your rights and freedoms, we will notify you and the Nigeria Data Protection Commission within the timeframes required by the NDPA 2023.

11. Your Rights

Under the Nigeria Data Protection Act 2023, you have the following rights regarding your personal data:

Right to access — You may request a copy of the personal data we hold about you.
Right to rectification — You may ask us to correct any inaccurate or incomplete personal data.
Right to erasure — You may request that we delete your personal data where it is no longer necessary for the purposes it was collected, subject to our legal retention obligations.
Right to restrict processing — You may ask us to limit how we use your data in certain circumstances.
Right to data portability — You may request that we provide your data in a structured, commonly used format so you can transfer it to another provider.
Right to object — You may object to our processing of your data where we rely on legitimate interests as our lawful basis.
Right to withdraw consent — Where processing is based on your consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
Right to lodge a complaint — If you believe your data protection rights have been violated, you may lodge a complaint with the Nigeria Data Protection Commission (NDPC) at www.ndpc.gov.ng.

To exercise any of these rights, contact us at legalandcompliance@swisspay.africa. We will respond within 30 days of receiving your request.

12. Cookies and Tracking

The SwissPay website (swisspay.africa) may use cookies and similar technologies to improve your browsing experience and understand how visitors use the site.

Essential cookies — Required for the website to function. Cannot be disabled.
Analytics cookies — Help us understand visitor behaviour so we can improve the site. You may opt out at any time.
Marketing cookies — Used to deliver relevant communications. Only placed with your consent.

You can manage your cookie preferences through your browser settings or our cookie consent tool at any time.

13. Children's Data

SwissPay services are not directed at children under the age of 18. We do not knowingly collect personal data from minors. If you believe a child has provided us with personal data, please contact us at legalandcompliance@swisspay.africa and we will delete it promptly.

14. International Data Transfers

SwissPay primarily stores and processes data within Nigeria. Where data is transferred outside Nigeria — for example, to cloud infrastructure providers with servers in other jurisdictions — we ensure appropriate safeguards are in place in accordance with the NDPA 2023, including data transfer agreements that meet the Commission's requirements.

15. Changes to This Policy

We may update this Data Protection Policy from time to time to reflect changes in our practices, services, or legal obligations. When we make significant changes, we will notify you via the SwissPay app or by email. The "Last Updated" date at the top of this page will always reflect the most recent version. We encourage you to review this policy periodically.

16. Contact Us

If you have any questions, concerns, or requests relating to this Data Protection Policy or how we handle your personal data, please contact us:

SwissPay Africa Ltd
Email: legalandcompliance@swisspay.africa
Phone: +234 8138858089
Website: www.swisspay.africa

For complaints that we have not resolved to your satisfaction, you may contact the Nigeria Data Protection Commission:
Nigeria Data Protection Commission (NDPC)
Website: www.ndpc.gov.ng

This policy was last reviewed in March, 2036. It should be reviewed by a qualified legal professional before publication and updated whenever SwissPay's data practices, regulatory status, or applicable laws change.