Privacy Policy

KetaPay Technologies Limited ("KetaPay", "we", "our", "us") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, share, and protect information about you when you use the KetaPay platform, website, or mobile application (collectively, the "Service").

This Policy is issued in compliance with the Nigeria Data Protection Act 2023 (NDPA), the Nigeria Data Protection Regulation (NDPR) 2019, and all applicable guidelines issued by the Nigeria Data Protection Commission (NDPC). It should be read together with our Terms and Conditions.

KetaPay Technologies Limited is the Data Controller responsible for your personal data. We are registered with the Nigeria Data Protection Commission (NDPC) as required under the NDPA 2023.

Contact details

• Data Protection Officer (DPO): dpo@ketapay.ng
• General privacy enquiries: privacy@ketapay.ng
• Registered address: 14 Adeola Odeku Street, Victoria Island, Lagos, Nigeria.
• NDPC registration number: available on request.

We collect personal data that is necessary to provide the Service, comply with our legal and regulatory obligations, prevent fraud, and improve user experience. The categories of data we collect include:

Identity & contact data

• Full legal name, date of birth, gender.
• Email address, phone number, residential address.
• Bank Verification Number (BVN) — required by CBN regulations.
• National Identification Number (NIN) and government-issued ID documents.
• Selfie/liveness verification images for KYC purposes.
• Business name, CAC registration number, and corporate documents (for business accounts).

Financial & transaction data

• Bank account details, card numbers (tokenised — we never store raw card data).
• Transaction history, escrow amounts, disbursement records.
• Source of funds declarations where required by AML regulations.
• Dispute records and resolution outcomes.

Technical & usage data

• IP address, device type, browser type, and operating system.
• App version, session duration, pages visited, features used.
• Cookies and similar tracking technologies (see Cookie Policy below).
• Error logs and crash reports for debugging purposes.

Communications data

• Messages sent through the KetaPay in-app messaging system.
• Support tickets, emails, and chat logs with our support team.
• Survey responses and feedback you provide voluntarily.

We collect your personal data through the following means:

• Directly from you — when you register, complete KYC verification, initiate a transaction, or contact support.
• Automatically — through cookies, analytics tools, and server logs when you use the Service.
• From third parties — identity verification partners (Sumsub, Youverify), credit bureaus, fraud prevention services, and financial institutions as permitted by law.
• From public sources — regulatory databases, CAC registry, and sanction screening lists.

Under the NDPA 2023, we must have a lawful basis to process your personal data. Depending on the activity, we rely on one or more of the following:

• Contract performance — processing necessary to provide the escrow Service you have requested.
• Legal obligation — processing required by the CBN, NFIU, EFCC, NDPC, or other regulatory authorities (e.g. KYC/AML obligations).
• Legitimate interests — fraud prevention, security monitoring, service improvement, and internal analytics, provided these do not override your rights.
• Consent — for optional data uses such as marketing communications and non-essential cookies. You may withdraw consent at any time.
• Vital interests — where processing is necessary to protect someone's life in an emergency.

We use your personal data only for the purposes for which it was collected, or for compatible purposes. These include:

• Creating and managing your account, and verifying your identity.
• Processing escrow transactions, holding funds, and disbursing payments.
• Complying with KYC, AML/CFT, and other regulatory requirements.
• Detecting, investigating, and preventing fraud, money laundering, and other financial crimes.
• Resolving disputes between Buyers and Sellers.
• Sending transactional notifications (SMS, email, push) about your account and transactions.
• Providing customer support and responding to your enquiries.
• Improving the Service through usage analysis and product research.
• Sending marketing communications where you have opted in.
• Meeting audit, legal, and compliance obligations.

We may share your personal data with the following categories of recipients, strictly on a need-to-know basis:

Regulatory & law enforcement

• Central Bank of Nigeria (CBN) — as required under our payment service licence.
• Nigerian Financial Intelligence Unit (NFIU) — suspicious transaction reports.
• Economic and Financial Crimes Commission (EFCC) — upon lawful request.
• Nigeria Data Protection Commission (NDPC) — for regulatory compliance.
• Courts and tribunals — where required by court order or legal process.

Service providers & processors

• Identity verification providers (Sumsub, Youverify) — for KYC processing.
• Payment processors and financial institutions — to facilitate fund transfers.
• Cloud infrastructure providers — for hosting and data storage (data remains within agreed jurisdictions).
• Analytics and fraud detection tools — to improve security and performance.
• Legal and professional advisors — under strict confidentiality obligations.

Transaction counterparties

When you are involved in an escrow transaction, we share limited information (display name, verification status) with the other party as necessary to complete the transaction. We do not share your full identity documents or financial details with counterparties.

We retain your personal data only for as long as necessary to fulfil the purposes described in this Policy, or as required by applicable law. Key retention periods include:

• Transaction records — minimum 5 years from the date of the transaction, as required by CBN regulations.
• KYC documents — minimum 5 years from the end of the business relationship, per AML/CFT requirements.
• Support communications — 2 years from ticket resolution.
• Dispute records — 7 years for legal limitation purposes.
• Marketing preferences — until you withdraw consent or close your account.
• Audit logs — 7 years as required by applicable financial regulations.

When data is no longer required, we securely delete or anonymise it in accordance with our data destruction policy.

We implement industry-standard technical and organisational measures to protect your personal data from unauthorised access, disclosure, alteration, or destruction:

• Encryption at rest using AES-256 for all sensitive data including KYC documents and financial records.
• Encryption in transit using TLS 1.3 for all data exchanged between your device and our servers.
• Role-based access controls — staff access personal data only on a strict need-to-know basis.
• Multi-factor authentication required for all internal systems.
• Regular penetration testing and vulnerability assessments by independent security firms.
• Incident response plan with defined breach notification procedures.

Under the NDPA 2023 and NDPR, you have the following rights regarding your personal data:

• Right to access — request a copy of the personal data we hold about you.
• Right to rectification — request correction of inaccurate or incomplete data.
• Right to erasure — request deletion of your data where it is no longer necessary, subject to legal retention obligations.
• Right to restrict processing — request that we limit how we use your data in certain circumstances.
• Right to data portability — receive your data in a structured, machine-readable format.
• Right to object — object to processing based on legitimate interests or for direct marketing.
• Right to withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing.
• Right to lodge a complaint — file a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng.

To exercise any of these rights, contact our DPO at dpo@ketapay.ng. We will respond within 30 days as required by the NDPA 2023. We may need to verify your identity before processing your request.

We use cookies and similar tracking technologies on our website and app. Cookies are small text files stored on your device that help us provide and improve the Service.

Types of cookies we use

• Strictly necessary cookies — essential for the Service to function (authentication, session management). Cannot be disabled.
• Functional cookies — remember your preferences (language, region settings).
• Analytics cookies — help us understand how users interact with the Service (e.g. page views, feature usage). We use privacy-respecting analytics tools.
• Security cookies — support fraud detection and protect against unauthorised access.

You can manage your cookie preferences through our Cookie Banner or your browser settings. Disabling non-essential cookies will not affect your ability to use the core Service.

KetaPay primarily processes and stores data within Nigeria. Where we engage service providers who process data outside Nigeria (for example, cloud infrastructure providers), we ensure appropriate safeguards are in place in accordance with the NDPA 2023, including:

• Standard contractual clauses (SCCs) approved by the NDPC.
• Adequacy decisions where the receiving country has been deemed to provide adequate data protection.
• Binding corporate rules where applicable within multinational service provider groups.

You may request details of the safeguards in place for any specific international transfer by contacting dpo@ketapay.ng.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes via email and in-app notification at least 14 days before the changes take effect.

The date at the top of this page indicates when the Policy was last updated. Continued use of the Service after the effective date of an updated Policy constitutes your acceptance of the changes.