Customer Privacy Policy

Introduction

Kabocash Technologies Limited ("we", "us", "our", or "Kabocash") is committed to protecting your privacy and personal data in accordance with the Nigeria Data Protection Act 2023 (NDPA 2023).

This Privacy Policy explains how we collect, use, process, store, and protect your personal data when you use our website https://kabocash.com ("Website"), our mobile application ("App"), and any other services we provide (collectively, "Services"). This policy applies to all users, visitors, and customers ("you", "your", or "Data Subject").

By using our Services, you acknowledge that you have read, understood, and agree to the data processing practices described in this Privacy Policy. Where required by law, we will obtain your explicit consent before processing your personal data.

Data Controller Information

Kabocash Technologies Limited is the data controller responsible for your personal data. We are registered in Nigeria with our principal place of business at: Rijiyar Zaki, Rumfar Shehu Quarters. Kano State, Nigeria.

Kabocash Technologies Limited
Email: privacy@kabocash.com

Data Protection Officer

In compliance with the NDPA 2023, we have appointed a Data Protection Officer (DPO) who is responsible for overseeing our data protection strategy and ensuring compliance with applicable data protection laws.

Data Protection Officer Contact:
Email: dpo@kabocash.com

You may contact our DPO for any questions, concerns, or complaints regarding the processing of your personal data or to exercise your data subject rights.

Categories of Personal Data We Collect

In accordance with the NDPA 2023, we collect and process the following categories of personal data:

1. Identity and Contact Information

• Full name (first name, middle name, surname)
• Date of birth
• Gender
• Nationality
• Email address
• Phone number(s)
• Residential address
• Postal address

2. Identification and Verification Documents

• Bank Verification Number (BVN)
• Biometric data (facial recognition, fingerprints) for identity verification
• Photographs and selfies for KYC purposes

3. Financial Information

• Bank account details (account number, bank name, account name)

4. Technical and Usage Data

• IP address and geolocation data
• Device information (device type, operating system, unique device identifiers)
• Browser type and version

5. Communication Data

• Customer support inquiries and correspondence
• Feedback and survey responses
• Marketing preferences and communication history
• Call recordings (where applicable and with your consent)

6. Sensitive Personal Data

In accordance with Section 65 of the NDPA 2023, we may process the following categories of sensitive personal data only with your explicit consent and where necessary for our legitimate business purposes:

• Biometric data (for identity verification and fraud prevention)

How We Collect Your Personal Data

We collect your personal data through the following methods:

Direct Collection

• When you register for a Kabocash account
• When you complete Know Your Customer (KYC) verification
• When you initiate or receive transactions through our Services
• When you contact our customer support team
• When you complete forms, or questionnaires
• When you subscribe to our newsletters or marketing communications
• When you participate in promotions, contests, or events

Automated Collection

• Through cookies and similar tracking technologies on our Website and App
• Through server logs and analytics tools
• Through your device when you use our mobile application
• Through monitoring of your interactions with our Services

Third-Party Sources

• Identity verification service providers
• Credit reference agencies and fraud prevention agencies
• Financial institutions and payment processors
• Publicly available sources and databases
• Social media platforms (where you choose to connect your account)
• Business partners and affiliates

Legal Basis for Processing Personal Data

In compliance with the NDPA 2023, we process your personal data based on the following legal grounds:

1. Consent (Section 26 NDPA 2023)

We process certain categories of your personal data based on your freely given, specific, informed, and unambiguous consent. You have the right to withdraw your consent at any time by contacting our Data Protection Officer.

2. Contractual Necessity (Section 27 NDPA 2023)

Processing is necessary for the performance of our contract with you or to take steps at your request before entering into a contract. Without processing your personal data, we cannot provide our financial services to you.

3. Legal Obligation (Section 28 NDPA 2023)

We are required to process your personal data to comply with legal and regulatory obligations, including:

• Anti-Money Laundering (AML) and Counter-Terrorism Financing (CTF) laws
• Know Your Customer (KYC) regulations
• Central Bank of Nigeria (CBN) regulations
• Nigerian Financial Intelligence Unit (NFIU) requirements
• Tax laws and reporting obligations
• Court orders and law enforcement requests

4. Legitimate Interests (Section 29 NDPA 2023)

We process your personal data where necessary for our legitimate business interests or those of a third party, provided such interests are not overridden by your fundamental rights and freedoms. Our legitimate interests include:

• Fraud prevention and detection
• Network and information security
• Risk management and assessment
• Business development and improvement of our Services
• Marketing and customer relationship management
• Internal administrative purposes

5. Vital Interests (Section 30 NDPA 2023)

In rare circumstances, we may process your personal data to protect your vital interests or those of another person, such as in medical emergencies.

Purposes of Data Processing

We process your personal data for the following purposes:

Service Provision and Account Management

• Creating, managing, and maintaining your Kabocash account
• Verifying your identity and conducting KYC/AML checks
• Processing your transaction instructions and payment requests
• Providing customer support and responding to your inquiries
• Sending you service-related notifications and updates
• Managing your preferences and settings

Transaction Processing and Financial Services

• Processing domestic and international money transfers
• Facilitating currency exchange transactions
• Authorization, clearing, and settlement of transactions
• Transaction reconciliation and dispute resolution
• Generating transaction receipts and statements

Compliance and Legal Obligations

• Complying with AML/CTF regulations and reporting requirements
• Conducting sanctions screening and watchlist checks
• Responding to regulatory inquiries and audits
• Maintaining records as required by law
• Cooperating with law enforcement and judicial authorities
• Establishing, exercising, and defending legal rights and claims

Security and Fraud Prevention

• Detecting, preventing, and investigating fraud and financial crimes
• Monitoring transactions for suspicious activity
• Protecting against unauthorized access and cyber threats
• Conducting security assessments and risk analysis
• Implementing authentication and access controls

Business Operations and Improvement

• Analyzing usage patterns and customer behavior
• Conducting market research and customer surveys
• Developing and improving our products and services
• Testing new features and functionalities
• Optimizing user experience and interface design
• Performing data analytics and business intelligence

Marketing and Communications

• Sending promotional materials and marketing communications (with your consent)
• Personalizing content and offers based on your preferences
• Conducting targeted advertising campaigns
• Managing loyalty programs and promotional events
• Sending newsletters and product updates

Data Sharing and Disclosure

In accordance with Section 43 of the NDPA 2023, we may share your personal data with the following categories of recipients:

Service Providers and Processors

We engage third-party service providers who process personal data on our behalf under strict contractual obligations, including:

• Payment processors and financial institutions
• Identity verification and KYC service providers
• Cloud hosting and data storage providers
• IT infrastructure and security service providers
• Customer support and communication platforms
• Analytics and marketing service providers
• Professional advisors (lawyers, accountants, auditors)

Financial Institutions and Partners

• Banks and financial institutions for transaction processing
• Payment networks and card schemes
• Mobile money operators and payment gateways
• Currency exchange partners
• Correspondent banks for international transfers

Regulatory and Law Enforcement Authorities

• Central Bank of Nigeria (CBN)
• Nigerian Financial Intelligence Unit (NFIU)
• Economic and Financial Crimes Commission (EFCC)
• Nigeria Data Protection Commission (NDPC)
• Federal Inland Revenue Service (FIRS)
• Law enforcement agencies and courts (pursuant to legal obligations)
• Other regulatory bodies as required by law

Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred to the acquiring entity, subject to the same privacy protections outlined in this policy.

With Your Consent

We may share your personal data with other third parties where you have provided explicit consent for such disclosure.

Cross-Border Data Transfers

In accordance with Sections 44-48 of the NDPA 2023, we may transfer your personal data outside Nigeria to countries that may not provide the same level of data protection as Nigeria. Such transfers are necessary for:

• Processing international money transfers and cross-border payments
• Utilizing cloud services and data storage infrastructure
• Engaging international service providers and partners
• Complying with international regulatory requirements

When transferring your personal data internationally, we ensure adequate safeguards are in place, including:

• Transferring data only to countries with adequate data protection laws as determined by the Nigeria Data Protection Commission
• Implementing Standard Contractual Clauses approved by the NDPC
• Ensuring recipients are certified under recognized data protection frameworks
• Obtaining your explicit consent where required
• Implementing appropriate technical and organizational security measures

You have the right to obtain information about the safeguards we have implemented for international data transfers by contacting our Data Protection Officer.

Data Security Measures

In compliance with Section 40 of the NDPA 2023, we implement appropriate technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, destruction, or loss. Our security measures include:

Technical Security Measures

• End-to-end encryption for data transmission using industry-standard SSL/TLS protocols
• Encryption of sensitive data at rest using AES-256 or equivalent standards
• Multi-factor authentication (MFA) for account access
• Secure password policies and hashing algorithms
• Regular security patches and software updates
• Intrusion detection and prevention systems
• Firewalls and network segmentation
• Regular vulnerability assessments and penetration testing
• Secure API integrations with third-party services
• Data loss prevention (DLP) technologies

Organizational Security Measures

• Access controls based on the principle of least privilege
• Role-based access management for employees and contractors
• Background checks for employees with access to personal data
• Mandatory data protection and security training for all staff
• Confidentiality agreements and non-disclosure obligations
• Incident response and business continuity plans
• Regular security audits and compliance assessments
• Physical security controls for data centers and offices
• Secure disposal procedures for data and equipment

Your Security Responsibilities

While we implement robust security measures, you also have a responsibility to protect your personal data:

• Keep your account credentials confidential and do not share them with anyone
• Use strong, unique passwords and change them regularly
• Enable multi-factor authentication on your account
• Log out of your account after each session, especially on shared devices
• Be vigilant against phishing attempts and suspicious communications
• Report any unauthorized access or security concerns immediately
• Keep your device and software updated with the latest security patches

Please note that while we strive to protect your personal data, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security but commit to taking all reasonable steps to safeguard your information.

Data Retention and Deletion

In accordance with Section 41 of the NDPA 2023, we retain your personal data only for as long as necessary to fulfill the purposes for which it was collected and to comply with legal, regulatory, accounting, and reporting requirements.

Retention Periods

• Active Account Data: Retained for the duration of your active account relationship with us
• Transaction Records: Retained for a minimum of 7 years from the date of transaction, as required by Nigerian financial regulations and tax laws
• KYC/AML Documentation: Retained for a minimum of 7 years after account closure, as required by CBN and NFIU regulations
• Communication Records: Retained for 3-7 years depending on the nature of the communication
• Marketing Data: Retained until you withdraw consent or for a maximum of 3 years of inactivity
• Technical and Usage Data: Retained for 12-24 months for analytics and service improvement purposes
• Legal and Compliance Records: Retained for the duration required by applicable laws or until the resolution of any legal proceedings

Data Deletion

Upon expiry of the applicable retention period, we will securely delete or anonymize your personal data using industry-standard methods, including:

• Secure deletion from active databases and backup systems
• Anonymization or pseudonymization where data must be retained for statistical purposes
• Physical destruction of hardware containing personal data
• Ensuring third-party processors also delete your data in accordance with our instructions

Please note that we may retain certain personal data beyond the standard retention periods where required by law, for the establishment, exercise, or defense of legal claims, or where you have exercised your right to object to processing and we need to verify whether we have overriding legitimate grounds.

Your Data Subject Rights

Under the NDPA 2023, you have the following rights regarding your personal data. You may exercise these rights by contacting our Data Protection Officer:

1. Right to Access (Section 31 NDPA 2023)

You have the right to request confirmation of whether we process your personal data and to obtain access to such data. You may request:

• A copy of your personal data in our possession
• Information about the purposes of processing
• The categories of personal data being processed
• The recipients or categories of recipients of your data
• The retention period or criteria for determining the retention period
• Information about the source of your data (if not collected directly from you)

We will provide the first copy of your data free of charge. Additional copies may be subject to a reasonable administrative fee.

2. Right to Rectification (Section 32 NDPA 2023)

You have the right to request correction of inaccurate, incomplete, or outdated personal data. We will make reasonable efforts to verify the accuracy of new information before updating our records.

3. Right to Erasure/Right to be Forgotten (Section 33 NDPA 2023)

You have the right to request deletion of your personal data in the following circumstances:

• The personal data is no longer necessary for the purposes for which it was collected
• You withdraw consent on which processing is based and there is no other legal ground for processing
• You object to processing and there are no overriding legitimate grounds
• The personal data has been unlawfully processed
• The personal data must be erased to comply with a legal obligation

Please note that this right is not absolute. We may be unable to delete your data if retention is necessary for:

• Compliance with legal or regulatory obligations (e.g., AML/KYC requirements)
• The establishment, exercise, or defense of legal claims
• Archiving purposes in the public interest

4. Right to Restriction of Processing (Section 34 NDPA 2023)

You have the right to request restriction of processing of your personal data in the following situations:

• You contest the accuracy of the personal data (restriction applies during verification)
• The processing is unlawful but you prefer restriction instead of erasure
• We no longer need the data but you require it for legal claims
• You have objected to processing pending verification of our legitimate grounds

5. Right to Data Portability (Section 35 NDPA 2023)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller where:

• Processing is based on your consent or on a contract
• Processing is carried out by automated means

We will provide your data in CSV, JSON, or PDF format, as appropriate.

6. Right to Object (Section 36 NDPA 2023)

You have the right to object to processing of your personal data where:

• Processing is based on legitimate interests or public interest
• Processing is for direct marketing purposes (including profiling)
• Processing is for scientific, historical research, or statistical purposes

Upon receiving an objection, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.

7. Right to Withdraw Consent (Section 37 NDPA 2023)

Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing conducted prior to withdrawal.

8. Right to Lodge a Complaint (Section 38 NDPA 2023)

You have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) if you believe your data protection rights have been violated:

Nigeria Data Protection Commission
Website: https://ndpc.gov.ng
Email: info@ndpc.gov.ng

Exercising Your Rights

To exercise any of your data subject rights, please contact our Data Protection Officer at dpo@kabocash.co. We will respond to your request within 30 days as required by the NDPA 2023. In complex cases, we may extend this period by an additional 30 days and will inform you of the extension and reasons.

To protect your privacy and security, we will verify your identity before processing your request. You may be required to provide additional information or documentation to confirm your identity.

Data Breach Notification

In accordance with Section 42 of the NDPA 2023, in the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify the Nigeria Data Protection Commission within 72 hours of becoming aware of the breach
• Notify affected data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms
• Provide clear and plain language information about the nature of the breach, the likely consequences, and the measures taken or proposed to address the breach
• Provide contact details of our Data Protection Officer for further information
• Recommend measures you can take to mitigate potential adverse effects

We maintain a comprehensive incident response plan and conduct regular security assessments to minimize the risk of data breaches.

Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience, analyze usage patterns, and deliver personalized content. Cookies are small text files stored on your device when you visit our Website or use our App.

Types of Cookies We Use

• Essential Cookies: Necessary for the operation of our Services, including authentication and security
• Performance Cookies: Collect information about how you use our Services to help us improve functionality
• Functional Cookies: Remember your preferences and settings to provide enhanced features
• Analytics Cookies: Help us understand user behavior and measure the effectiveness of our Services
• Marketing Cookies: Used to deliver relevant advertisements and track campaign performance (with your consent)

Managing Cookies

You can control and manage cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of our Services. Most browsers allow you to:

• View and delete cookies
• Block third-party cookies
• Block cookies from specific websites
• Block all cookies
• Delete all cookies when you close your browser

For more information about cookies and how to manage them, visit www.allaboutcookies.org.

Automated Decision-Making and Profiling

In accordance with Section 39 of the NDPA 2023, we may use automated decision-making processes, including profiling, for the following purposes:

• Fraud detection and prevention
• Risk assessment and credit scoring
• Transaction monitoring for AML/CTF compliance
• Personalization of services and recommendations
• Customer segmentation for marketing purposes

You have the right to:

• Obtain human intervention in automated decision-making processes
• Express your point of view regarding automated decisions
• Contest decisions made solely by automated means
• Request an explanation of the logic involved in automated decision-making

If you wish to exercise these rights, please contact our Data Protection Officer.

Children's Privacy

In accordance with Section 66 of the NDPA 2023, our Services are not intended for individuals under the age of 18 years. We do not knowingly collect, process, or solicit personal data from children under 18.

If you are under 18, please do not use our Services or provide any personal data to us. If you are a parent or guardian and believe that your child has provided us with personal data without your consent, please contact our Data Protection Officer immediately at dpo@kabocash.com. We will take prompt steps to delete such information from our systems.

In exceptional circumstances where we may need to process a child's data (e.g., for a minor's account with parental consent), we will:

• Obtain verifiable parental or guardian consent
• Implement enhanced privacy protections
• Limit data collection to what is strictly necessary
• Provide clear information to parents/guardians about data processing

Third-Party Links and Services

Our Website and App may contain links to third-party websites, applications, or services that are not operated or controlled by us. This Privacy Policy does not apply to such third-party services.

We are not responsible for the privacy practices of third parties. We encourage you to review the privacy policies of any third-party services before providing your personal data. Your interactions with third-party services are governed by their respective privacy policies and terms of service.

Marketing Communications

With your consent, we may send you marketing communications about our products, services, promotions, and events. You have the right to opt out of receiving marketing communications at any time by:

• Clicking the "unsubscribe" link in any marketing email
• Updating your communication preferences in your account settings
• Contacting our Data Protection Officer at dpo@kabocash.com
• Sending an email to dpo@kabocash.com

Please note that even if you opt out of marketing communications, we will still send you transactional and service-related messages that are necessary for the provision of our Services (e.g., transaction confirmations, account notifications, security alerts).

Data Protection Impact Assessments

In accordance with Section 49 of the NDPA 2023, we conduct Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in high risks to your rights and freedoms. This includes:

• Large-scale processing of sensitive personal data
• Systematic monitoring of publicly accessible areas
• Automated decision-making with legal or significant effects
• Processing of biometric or genetic data
• New technologies or innovative processing methods

Our DPIAs assess the necessity and proportionality of processing operations, evaluate risks to data subjects, and identify measures to mitigate those risks.

Updates, Modifications & Amendments

We may update, modify, or amend this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or business operations. When we make material changes to this Privacy Policy, we will:

• Update the "Last Updated" date at the bottom of this policy
• Notify you via email or through a prominent notice on our Website or App
• Where required by law, obtain your consent for material changes
• Provide a reasonable notice period before the changes take effect

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal data. Your continued use of our Services after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

If you do not agree with any changes to this Privacy Policy, you must discontinue use of our Services and may request deletion of your account by contacting our Data Protection Officer.

Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:

Data Protection Officer
Kabocash Technologies Limited
Email: dpo@kabocash.com

Nigeria Data Protection Commission
For complaints or concerns about our data protection practices, you may also contact the NDPC:
Website: https://ndpc.gov.ng
Email: info@ndpc.gov.ng

Governing Law and Jurisdiction

This Privacy Policy is governed by and construed in accordance with the laws of the Federal Republic of Nigeria, including the Nigeria Data Protection Act 2023 and the Nigeria Data Protection Regulation 2019.

Any disputes arising from or relating to this Privacy Policy or our data processing practices shall be subject to the exclusive jurisdiction of the courts of Nigeria.

Last Updated: February 12, 2026

Effective Date: February 12, 2026

This Privacy Policy is compliant with the Nigeria Data Protection Act 2023 (NDPA 2023).