PapaEgo

Privacy Policy

Papa Ego Privacy Policy Privacy & Data Protection Privacy Policy How we collect, use, protect, and share your personal data ā€” and how to exercise your rights under Nigerian law. Effective Date 1 May 2026 Version 1.0 Legal Basis NDPA 2023 / CBN Regs DPO Contact dpo@papaego.com šŸ›”ļø NDPA 2023 Compliance: Papa Ego Technologies Limited is registered with the Nigeria Data Protection Commission (NDPC) and processes all personal data in accordance with the Nigeria Data Protection Act 2023, the CBN AML/CFT Regulations 2022, and applicable international data protection standards. Contents ā— 1. Data Controller ā— 2. What We Collect ā— 3. Why We Collect It ā— 4. Legal Basis ā— 5. Who We Share With ā— 6. International Transfers ā— 7. How Long We Keep It ā— 8. Your Rights ā— 9. Data Security ā— 10. Cookies & Tracking ā— 11. Children's Privacy ā— 12. Data Breach Response ā— 13. Changes to This Policy ā— 14. Contact & DPO Your Data Rights Access your data Correct inaccuracies Request erasure Data portability Object to processing Withdraw consent Exercise your rights by contacting our Data Protection Officer: dpo@papaego.com Your privacy matters to us. Papa Ego only collects data that is necessary for us to provide our services and meet our legal obligations. We will never sell your personal data to third parties. Section 01 Data Controller Papa Ego Technologies Limited ("Papa Ego", "we", "us", or "our") is the data controller responsible for your personal data. We are incorporated in Nigeria with CAC Registration No. 9463271, having our registered office at No. 474, Ikwere Road, Rumuigbo, Port Harcourt, Ikwerre, Rivers State, Nigeria. We are registered with the Nigeria Data Protection Commission (NDPC) and have appointed a Data Protection Officer (DPO) who can be contacted at dpo@papaego.com. This Privacy Policy applies to all personal data we collect from customers, website visitors, business contacts, and agents in connection with the use of the Papa Ego platform and services. Section 02 What Personal Data We Collect We collect personal data that is necessary for the provision of our cross-border payment services and for compliance with our legal obligations. The categories of data we collect include: Category Examples of Data Collected Source Identity Data Full legal name, date of birth, nationality, NIN, BVN, passport or national ID number, photographs You (registration & KYC) Contact Data Email address, phone number, residential and business address You Business Data CAC registration number, business name, nature of business, Tax Identification Number, shareholding and ownership structure You / CAC registry Transaction Data Payment amounts, currencies, beneficiary details, purpose of payment, supporting trade documentation, transaction history You / platform Financial Data Bank account details, source of funds information, bank statements You Compliance Data Sanctions screening results, risk ratings, EDD records, suspicious activity assessments Internal / screening providers Technical Data IP address, device type, browser information, login timestamps, session activity Platform / cookies Communications Data Emails, chat messages, complaints, and correspondence with our team You We do not collect: sensitive personal data such as health information, biometric data (other than where required for identity verification), or political opinions, except where specifically required by law or expressly consented to by you. Section 03 Why We Collect Your Data We use your personal data only for the following purposes: To Provide Our Services ā— To create and manage your account; ā— To verify your identity and complete KYC/CDD/EDD processes as required by the CBN; ā— To process, confirm, and settle your cross-border payment transactions; ā— To communicate with you about your transactions, account, and service updates; ā— To provide customer support and handle complaints. To Meet Our Legal and Regulatory Obligations ā— To comply with the CBN AML/CFT Regulations 2022 and the Money Laundering (Prevention and Prohibition) Act 2022; ā— To screen you and your transactions against applicable sanctions lists; ā— To file Suspicious Transaction Reports (STRs) with the NFIU where legally required; ā— To respond to requests from regulatory authorities, law enforcement, and courts; ā— To maintain records as required by Nigerian law (minimum 5 years from transaction date). To Protect Our Business and Your Security ā— To detect, prevent, and investigate fraud, financial crime, and unauthorised access; ā— To manage and mitigate operational, legal, and compliance risks; ā— To ensure the security and integrity of our platform. With Your Consent ā— To send you marketing communications about new services, features, or promotions (you can opt out at any time); ā— For any other processing purpose for which we have obtained your specific, informed consent. Section 04 Legal Basis for Processing We process your personal data on the following legal bases as recognised under the Nigeria Data Protection Act 2023: Legal Basis When We Rely on It Contract Performance Processing necessary to provide our Services to you and to fulfil our obligations under our Terms of Service. Legal Obligation Processing required to comply with Nigerian law, CBN regulations, AML/CFT requirements, tax obligations, and court or regulatory orders. Legitimate Interests Processing necessary for our legitimate business interests, such as fraud prevention, platform security, and improving our services ā€” where these interests are not overridden by your rights. Consent Marketing communications and any processing that is not otherwise covered by the above bases. You may withdraw consent at any time without affecting the lawfulness of prior processing. Section 05 Who We Share Your Data With We do not sell your personal data. We may share your data with the following categories of third parties, strictly on a need-to-know basis and subject to appropriate data protection safeguards: Regulatory Authorities and Law Enforcement We are legally required to share information with the Nigerian Financial Intelligence Unit (NFIU), the Central Bank of Nigeria (CBN), the Economic and Financial Crimes Commission (EFCC), and other regulatory authorities and law enforcement agencies where required by law. We may not be able to inform you when such disclosures are made. Correspondent Banks and Payment Partners We share transaction and identity data with our correspondent banking partners and payment processing partners as necessary to execute your transactions. All such partners are bound by AML/CFT compliance obligations and data protection agreements. Sanctions Screening Providers We use third-party sanctions screening services to check your name and transaction details against applicable sanctions lists. These providers receive only the minimum data necessary for screening purposes. Technology and Service Providers We share data with technology vendors, cloud hosting providers, and professional services firms (legal, audit, compliance) who support our operations. All such vendors are bound by data processing agreements and are prohibited from using your data for any purpose other than providing services to Papa Ego. Business Transfers In the event of a merger, acquisition, or sale of all or part of our business, your data may be transferred to the successor entity, subject to the same data protection standards. Papa Ego does not share your personal data with third parties for marketing or advertising purposes. Section 06 International Data Transfers Given Papa Ego's cross-border payment operations involving China, the United States, Mexico, and other countries, your personal data may need to be transferred to and processed in countries outside Nigeria. When we transfer your data internationally, we take the following safeguards: ā— We transfer data only to countries that provide an adequate level of data protection as recognised by the NDPC, or where we have implemented appropriate safeguards; ā— We use standard contractual clauses or data processing agreements with all international recipients; ā— Where required by law (such as for AML/CFT reporting), we transfer data to foreign regulators and law enforcement pursuant to legal obligations; ā— We conduct transfer impact assessments where required for transfers to higher-risk jurisdictions. Cross-Border Payment Processing: When you make a payment to an overseas supplier, certain transaction data (amount, beneficiary details, payment purpose) must be shared with correspondent banks in the payment corridor (e.g., Mexico, US, China) as a necessary part of processing your transaction. Section 07 How Long We Keep Your Data We retain your personal data only for as long as necessary for the purposes for which it was collected, and as required by applicable law: Data Type Retention Period Legal Basis KYC and identity documents Minimum 5 years from account closure; 7 years recommended CBN AML/CFT Regulations; MLPPA 2022 Transaction records Minimum 5 years from transaction date; 7 years recommended CBN Regulations; legal obligation Compliance records (STRs, screening) 7 years from creation NFIU requirements Customer communications 5 years from last contact Legitimate interests / legal obligation Technical logs 12 months from creation Security / legitimate interests Marketing consent records Until consent withdrawn + 3 years Consent When data is no longer required, it will be securely deleted or anonymised in accordance with our Data Retention Policy. Section 08 Your Data Rights Under the Nigeria Data Protection Act 2023, you have the following rights with respect to your personal data: Right to Access You have the right to request a copy of the personal data we hold about you and information about how we process it. Right to Rectification You have the right to request correction of any inaccurate or incomplete personal data we hold about you. Right to Erasure You may request deletion of your personal data where we no longer have a lawful basis to process it, subject to our legal retention obligations. Right to Portability You have the right to receive your personal data in a structured, machine-readable format and to have it transferred to another data controller. Right to Object You may object to processing based on legitimate interests, including for direct marketing purposes. We will stop processing unless we can demonstrate compelling legitimate grounds. Right to Withdraw Consent Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of prior processing. How to Exercise Your Rights To exercise any of the above rights, please submit a written request to our Data Protection Officer at dpo@papaego.com. We will acknowledge your request within 24 hours and respond within 30 days as required by the NDPA. We may need to verify your identity before processing your request. Limitations on Rights Please note that certain rights are subject to limitations where processing is necessary for compliance with our legal obligations (including AML/CFT laws), for the prevention of fraud, or for the establishment, exercise, or defence of legal claims. In such cases, we will explain the applicable limitation when responding to your request. Right to Complain If you are not satisfied with our response to your data rights request, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) at www.ndpc.gov.ng. Section 09 Data Security We take the security of your personal data seriously and implement robust technical and organisational measures to protect it against unauthorised access, loss, alteration, or disclosure. Our security measures include: Technical Measures ā— Encryption of all customer data in transit (TLS 1.2+) and at rest (AES-256 or equivalent); ā— Multi-factor authentication (MFA) for all system access; ā— Role-based access controls ā€” staff can only access data necessary for their role; ā— Regular penetration testing and vulnerability assessments; ā— Security patch management and continuous monitoring; ā— Secure data centres with physical access controls. Organisational Measures ā— Mandatory data protection training for all staff; ā— Data protection impact assessments (DPIAs) for high-risk processing activities; ā— Data processing agreements with all third-party vendors; ā— Incident response procedures for data breaches; ā— Annual external cybersecurity audits and ISO 27001 alignment. No system is 100% secure. While we take all reasonable steps to protect your data, we cannot guarantee absolute security. If you suspect unauthorised access to your account, please contact us immediately at security@papaego.com. Section 10 Cookies & Tracking Technologies Our website and platform use cookies and similar tracking technologies to enhance your experience and to support our security and analytics functions. Cookie Type Purpose Can Be Disabled? Strictly Necessary Essential for the platform to function ā€” session management, security, authentication No ā€” required Analytics Help us understand how users interact with our platform so we can improve it Yes Preference Remember your settings and preferences (language, display settings) Yes Marketing Track visits across websites to deliver relevant advertisements (only with consent) Yes You can manage your cookie preferences through our cookie settings panel, accessible from the footer of our website. Please note that disabling certain cookies may affect the functionality of the platform. Section 11 Children's Privacy Papa Ego's services are designed exclusively for businesses and are not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a person under 18, please contact us immediately at dpo@papaego.com and we will promptly delete such data. Section 12 Data Breach Response In the event of a data breach that poses a risk to your rights and freedoms, Papa Ego will: 1. Notify the Nigeria Data Protection Commission (NDPC) within 72 hours of becoming aware of the breach, as required by the NDPA 2023; 2. Notify affected individuals without undue delay where the breach poses a high risk to their rights; 3. Document all breaches, including those that are not reportable, in our internal breach register; 4. Take immediate steps to contain the breach, investigate its cause, and implement remedial measures. If you believe your personal data has been compromised, please report it immediately to security@papaego.com. Section 13 Changes to This Privacy Policy We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. We will notify you of material changes by email and by posting the updated policy on our website, with at least 14 days' notice before the changes take effect. The effective date at the top of this policy indicates when it was last updated. Your continued use of our services after the effective date of any changes constitutes acceptance of the updated policy. Section 14 Contact Us & Data Protection Officer For all data protection enquiries, to exercise your rights, or to raise a concern about how we handle your personal data, please contact our Data Protection Officer: Data Protection Officer ā€” Papa Ego Technologies Limited DPO Email: dpo@papaego.com General: privacy@papaego.com Security: security@papaego.com Address: No. 474, Ikwere Road, Rumuigbo, Port Harcourt, Ikwerre, Rivers State, Nigeria NDPC: Nigeria Data Protection Commission ā€” www.ndpc.gov.ng