Cashxpress Nigeria Limited Privacy Policy 1. Introduction This Privacy Policy outlines your use of our Website and App CashX and your rights concerning our collection, use, storage, and protection of your personal data when you visit, access, browse, and/or use our Website or App. Your privacy is important to us. Please note that this Privacy Policy does not apply to any products, services, websites, or content offered by third parties that have their own privacy policies. Additionally, it does not apply to job applicants, candidates applying for employment, or employees and non-employee workers whose personal data is subject to different privacy policies. Such individuals will receive specific privacy policies in the context of their employment or working relationship with us. 2. The data we process Personal data means any information about an individual from which that person can be directly or indirectly identified. We do not consider personal data to include information that has been made anonymous such that it does not identify a specific user. In connection with our services, we collect personal and financial information from you while you use our products, services, and websites. We may ask you to provide us with certain personal data directly to contact or identify you, and some automatically for our Website to function effectively. When you use our application, we collect and synchronize certain information with your prior consent. We require your permission to collect data to understand your identity better and correctly assess your creditworthiness. Your information will be securely encrypted and transferred to our server. We will not share the collected data with third parties without your consent, except as otherwise provided herein. Personal data that we collect when a client interacts with our service includes: - Service Users: First and last name, Email address, Phone number, Recorded phone conversations with us - All Visitors: The domain name of the Internet service provider (ISP), Date and time of your visits, The Internet protocol address used to connect your device to the Internet for identification purposes, Web pages visited, duration and frequency of visit Financial information (including, but not limited to, ATM card details, Bank Verification Number (BVN), Banking details etc.) Transactional data (information relating to payment) Other information we collect include: residential address, government-authorised ID number, property value, and other lifestyle information. Collection of Phone Device Information We may gather certain device information, including hardware details (such as the operating system, Android version, IMEI number, IMSI number, MAC address, serial number, Android ID, screen size, and other hardware specifics), and serial number to uniquely identify the device. This helps us ensure that unauthorized devices are not used for fraudulent activities on your behalf. 3. Cookies Cookies are tools used to collect information automatically from you when you visit a Website. Our Website utilises cookies to set user preferences while on our Website and also track page visits and access to content. 4. Lawful bases for processing data We are required to process your data under at least one of these lawful bases: Legitimate interest: Processing your data is necessary for our legitimate interests or the legitimate interests of a third party, provided your rights and interests do not outweigh those interests. Consent: You have given explicit consent for us to process your data for a specific purpose. Contract: If your data processing is necessary for a contract you have with us or because we have asked you to take specific steps before entering into that contract. Legal obligation: If the processing of your data is necessary where there is a statutory obligation on us. Device Permissions for Personal Data Access: Depending on your specific device, we may request permissions to access your device data as described above. By default, these permissions must be granted by you before the relevant information can be accessed. You can revoke these permissions at any time by contacting our support team using the provided contact details. The exact procedure for managing app permissions may vary based on your device and software. 5. Purpose of processing your data and the lawful basis Legitimate interest, contract: - To administer our business. - To help us develop, improve, customise or restructure our services. - To enforce our terms of service and any terms and conditions of any other agreements for our services. - Run a credit check on you to determine your creditworthiness. - Administer your account and relationship with us and communicate with you through telephone calls, mail, email, text (SMS) messages, push notifications, or other electronic means. (We record or keep transcripts of communications to check your instructions to us, analyse, assess, and improve our services, for training and quality purposes and to investigate any complaint you may make or as evidence in any dispute between you and us). - Enhance data security. Legitimate interest: - To take statistical data and analytics for our use internally. - To send you service-related messages. - To analyse site usage and provide, maintain and improve the content and functionality of the Website. - To send marketing or promotional messages to you. Consent: - To send marketing or promotional messages to you. - Access your device. Legitimate interest, legal obligation: - To secure your data and prevent fraud. - Verify your identity as part of our identity authentication process. Contract: - To address your inquiries, process your registration, and complete your transactions. - To notify you of any changes to our service, solving issues via live chat support, phone or email, including any bug fixing. - To enable registered users to log in to our mobile App. - To enable an easy and effective payment system. Legal obligation, contract: - To inform you whenever there are changes to our terms of business or services. Legal obligation: - To fulfill our Know Your Customer (KYC) obligation. - To fulfill legal requirements where needed. 6. Your rights as a data subject The law vests you with certain rights as a data subject. They include the right to: access personal data we hold about you by requesting a copy of the personal data we hold; rectify such information where you believe it to be inaccurate; restrict the processing of your data in certain circumstances; object to the processing of your data where we intend to process such data for marketing purposes; where feasible, receive all personal data you have provided to us — in a structured, commonly used, and machine-readable format, and transmit the information to another data controller; request the erasure of your data (also known as the right to be forgotten); withdraw your consent to the processing of your personal data; and lodge a complaint with a relevant authority, where you have reason to believe that we have violated the term(s) of this Privacy Policy. (You may complain or seek redress from us within 30 (thirty) days from when you first detected the alleged violation.) You may seek to exercise any of the above rights at any time by emailing us at support_dpo@cashx.ng. The supervisory authority is the Nigerian Data Protection Commission (“NDPC”), and you can send your complaint via email to info@ndpc.gov.ng. 7. Who do we share your data with? We may share your data with the following third parties: Third parties&Purpose of data sharing 7.1 Financial institutions - We collaborate with various financial institutions to create and offer our product, and we may only use this information to market our related products unless the customer has consented to other uses. 7.2 Credit Bureau Institutions - We disclose your personal data to obtain your credit score and credit report as well as assess your creditworthiness from one or more Credit Rating Bureaus on your behalf to facilitate responsible lending practices and help you access the best possible financial solutions. 7.3 Service providers - We may share your information with third-party service providers to enable us to fulfill our contractual obligations towards you or carry out our operations seamlessly. These third-party service providers or sub-processors include Google, Microsoft, Paystack, Flutterwave, Prembly, and trusted recovery agents. 7.4 Law enforcement, government officials - We may disclose your data according to a subpoena, or court order when we need to do so to comply with law or credit/debit card rules; or when we believe, in our sole discretion, that the disclosure of personal information is necessary to prevent physical harm or financial loss, to report suspected illegal activity or to investigate violations of our User Agreement. 7.5 Legal and Regulatory Authorities - We may disclose your information if we believe it is reasonably necessary to comply with a law, regulation, order, subpoena, or audit, or to protect any person’s safety, or to address fraud, security, or technical issues. Note that if you wish to prevent your device’s operating system from sharing your Personal Data with CashX or with the third parties mentioned for profiling purposes, you can do so by setting up your device appropriately. This involves changing the privacy settings on your device to disable or restrict any advertising tracking features. For more information on how to do this, please see the following links: iOS Devices: https://support.apple.com/en-us/HT202074; Android Devices: https://support.google.com/ads/answer/2662922?hl=en. 8. How long do we keep your data The personal data we process will be stored for as long as necessary to fulfill the purposes described in this Privacy Policy. However, we will also retain data subject to relevant provisions of applicable laws, resolve disputes, prevent fraud and abuse, and enforce our legal agreements and policies. In addition, we delete your data for targeted marketing purposes once you unsubscribe from our marketing communications or withdraw consent by clicking the “unsubscribe button” or sending an email to support_dpo@cashx.ng. Please note that your data may be retained for a longer period, notwithstanding your request to delete it, where there is a legal requirement to do so. However, we utilize this information to enhance and customize our service. It may be uploaded to our servers or stored on your device. If you nominate someone as your guarantor, you confirm that you have their approval to process their data (name and contact details) for this loan facility. 9. How your data is stored We value the security and integrity of your personal data. To ensure this, we have implemented comprehensive measures spanning physical, technical, and administrative domains. These measures are designed to mitigate potential risks, such as data loss, misuse, unauthorised access, disclosure, and alteration. Our protective strategies include: Utilising firewalls and encrypting data to shield it from external threats. Implementing physical access controls to safeguard our infrastructure and assets. Establishing stringent information access authorisation controls to ensure only designated personnel can access sensitive data. Where there is an actual or suspected data breach that poses a high risk to your rights and freedoms, we will notify you without undue delay and use our best effort to remedy the violation within one (1) month from the date we notify you. 10. Automated decision-making We use an automated decision-making system to make automated decisions based on personal information we have about you. This helps us ensure our decisions are quick and fair based on what we know. We use automated processing to predict the probability that you may be eligible for a product/service or determine the best order or manner to display products to you. 11. International transfer of data In the course of our operations, we may transfer personal data outside our country of operation. We ensure any cross-border data transfers adhere to all necessary data protection regulations. This means that before transferring personal data, we either confirm that the recipient country has robust data protection laws or, if not, employ specific contractual terms and other appropriate safeguards to protect the data. In cases where the destination country might not meet stringent data protection standards, we will leverage the relevant data transfer mechanism, seek authorisation from the regulator, or obtain your consent before proceeding and inform you of any risks. Should you wish to learn more about how we ensure data protection during these transfers, details will be provided upon request. 12. Security of your data We prioritise the security of your personal data by employing advanced technical, physical, and administrative safeguards, including encryption, controlled access, and regular security training for our staff. Our proactive measures are designed to prevent unauthorised access, loss, or misuse of your information. In the rare event of a data breach, we have procedures in place to swiftly respond, mitigate potential harm, and notify affected data subjects as required by law. We continuously adapt our security practices to address evolving challenges and threats. 13. Marketing and communications We use your personal data to offer tailored marketing content, send promotional communications, and occasionally request feedback through surveys. We respect your communication preferences and provide easy options for you to opt out or adjust settings. We are committed to transparency, never sharing your data with third parties for their marketing without your explicit consent. Any significant changes to our marketing practices will be communicated to you promptly. We only send marketing communications to you with your consent. You may choose to opt out of our marketing emails by clicking on the ‘unsubscribe’ button at the bottom of the page or sending an email to support_dpo@cashx.ng. Similarly, instructions for opting out will be provided via SMS or push notifications. 14. Complaints If you have any inquiries or complaints, please contact us at support_dpo@cashx.ng. Our Data Protection Officer will examine your concerns and update you on the resolution process. We inform you that you may complain to the regulatory authority (NDPC) at info@ndpc.gov.ng if your complaints are not satisfactorily addressed. 15. Changes to this policy Our Privacy Policy may evolve over time to reflect changes in our practices, technologies, legal requirements, or other factors. Any significant modifications will be prominently communicated on our Website or directly to you. We encourage you to regularly review our Privacy Policy to stay informed. The date of the last update can always be found at the top of this policy. 16. Contact Us If you have any questions relating to this, your rights under this Privacy Policy, or are not satisfied with how we manage your personal data, kindly reach out to us at support_dpo@cashx.ng.