Privacy Policy

Summary

• We are not data hoarders. We only keep what is required and delete it when no longer necessary.
• We will be lying to you if we say we do not use your data. We do! But it is to provide services to you, to fulfill our legal obligation, respond to your enquiries, and manage our relationship with you.
• You have data protection rights, lots of them actually. You can exercise your rights here: https://forms.gle/JNBNZFKKisvaWVby5

What type of data do we hold about you?

1. If you are a customer:
   • Contact details including;
     1. Email address
     2. Phone number
     3. Address
   • Personal details including;
     1. Name
     2. Date of birth
     3. Identity documents eg. National Identification Number slip, International Passport and Drivers Licence.
     4. Source of funds
     5. Bank account number
   • Biometric information including;
     1. Facial identification/Selfie (at onboarding or verification)
     2. Fingerprint identification for optional security measures.
   • Technical information including;
     1. IP address and geolocation
     2. Device information
     3. Operating system
     4. Web log information
   • Purchase details,
   • Travel rule information including the name and wallet address of your beneficiary/sender, their account number in destination exchange, physical address and such other information required under applicable law or requested by counterparty exchange
   • Information about your business activities with us including your
   • Information about your inquiries and our dealings.
2. If you are a prospective customer:
   1. Contact details, such as email.
   2. Personal details, such as name.
   3. Information about your business activities with us.
   4. Information about your inquiries and our dealings.
3. If you are just visiting our website:
   1. We keep log files generated from our servers, this includes the IP addresses assigned to you.

How do we collect your data?

We collect your data at different points of your interaction with our platform. For visitors on our platform, we collect cookie data in accordance with our Cookie Notice and log IP addresses of website visitors.

For our customers and prospective customers, we collect personal data when you are completing our initial sign-up and onboarding form. In some cases, we may allow you import relevant data from other exchanges to enable you to exercise your right to data portability and reduce sign-up time.

For our customers, we collect business information, purchase details, travel rule information, customer complaints etc. from your frequent interaction on our platform.

What we do with the data

1. Regulatory compliance

   We use your data to comply with applicable regulations. For instance, the law requires us to properly identify our customers. We use the personal data you provide to us to identify you and your transactions on our platform. We may also share your data with relevant law enforcement agencies on request where backed by applicable law.

2. Fraud and Criminal Investigations

   In certain instances, we may need to conduct fraud investigations on certain customers on our platform when we detect suspicious activity. This is to help us determine that your activity is not fraudulent and that you remain in full control of your account.

3. Service Provisioning

   We use your data to provide services to you, respond to your enquiries, customer support, improve our services, and manage our relationship with you. For instance, your login information is personal data to you which only you may use to access our services.

4. Security

   We use your data such as fingerprint, phone number and email address. to verify that the person truly accessing your profile on our platform is truly yourself.

What is our lawful basis for using your data?

We rely on appropriate legal bases determined by our compliance team and documented in accordance with the extant data protection laws. In appropriate circumstances, the following are our lawful bases;

1. Contractual Performance

   When you use our website, mobile application or any of our platforms through which we provide our service, you automatically agree to our Terms of Service. This is our contract with you and we would require your data at different intervals of the provision of our service to you.
   
   For instance, we have to request personal data to complete your orders with us. We also need personal data to identify you and your activity on our platform and resolve any issues you may be encountering with the use of our platform.

2. Regulatory Compliance

   We are required under different laws and financial regulations to collect, process, and store your data when you use our platform to access financial services. Some of these laws include the Money Laundering (Prevention and Prohibition) Act 2022, Securities and Exchanges Commission’s Anti-Money Laundering, Combatting the Financing of Terrorism and Countering Proliferation Financing (“AML/CFT/CPF”) Regulations, 2022.

3. Legitimate Interests

   Processing your data is necessary for our legitimate interests or the legitimate interests of a third party, provided those interests are not outweighed by your rights and interests. These legitimate interests include but is not limited to;

   1. delivering, developing, and improving our website.
   2. enabling us to enhance, customise or modify our services and communication.
   3. determining whether marketing campaigns are effective.
   4. enhancing data security.
   
   

   In each case, these legitimate interests are only valid if they are not outweighed by your rights and interests.

4. Consent

   On rare occasions, where our processing activity is not covered by the lawful bases above, we may rely on your consent to process your data. Where this is the case, we will inform you and seek your consent before such processing activity.
   You have the right to refuse to consent or withdraw your consent at any time by contacting us at nazzadesk@gmail.com. However, we should mention that consent withdrawal will not affect the lawfulness of any processing carried out before you withdraw your consent.

Storage and Transfer of data

1. The personal data we collect is processed in Nigeria and in any data processing facilities operated by the third parties identified below.
2. If we transfer or store your information outside Nigeria in this way, we will take steps to ensure that your privacy rights continue to be protected as outlined in this Privacy Notice.
3. The following services keep us running by storing or processing your data on our behalf:
   1. Payments
   2. Hosting & Email Services
4. The nature of our service and available technology require us to store your data on servers that may not be in Nigeria. In some instances, we may also be required to share your data with third parties including complementary service providers, law enforcement agencies, and other entities.
5. However, we rely on the appropriate data transfer mechanism or any of its relevant exceptions to transfer data outside Nigeria. We would ensure appropriate safeguards are in places before transferring data outside Nigeria.
6. Where your consent is required for such transfer under applicable law, we will request for your consent before we transfer such data.
7. Generally, we do not transfer your data to any third party or engage in any third party request through our website. However, we may share your data with third parties:
   1. If we have to complete an order on your behalf.
   2. If you give your explicit consent.
   3. If there is a legal obligation on us to share such data under existing laws and regulations.
   4. If there is a court judgement, injunction or any other binding legal directive.

Categories of Data Subjects

If we collect or process your data, you are a data subject by definition of law. However, we do not offer our platform or any of our services to persons below 18. If at any point we discover we have provided our service to any person below 18, we will remove the personal data of such person and exit the customer. Tips or complaints related to this provision may be made compliance@mynazza.com

Your rights as a data subject

You have data protection rights. Loads of it actually. The following are your rights:

1. The right to request for access to your Personal Data.
2. The right to erase your Personal Data if it is no longer valid or necessary for the purposes for which it was collected or if it is incomplete. There is no charge for this.
3. The right to rectify or amend inaccurate or incomplete Personal Data.
4. The right to object to processing of your Personal Data if there are compelling legitimate grounds to do so and to the extent permitted by law or regulation.
5. The right to portability of data. You can request we move your personal data in a used and machine-readable format to another Data Controller. We would, where it is technically possible.
6. The right to lodge a complaint with the Court, Nigerian Data Protection Commission (NDPC) , or any other relevant supervisory authority.

Cookies

We do not store cookies or allow third-party requests on our website.

How can you exercise your rights?

To exercise any of your rights as a data subject, you may contact us directly via email or complete our data subject access request form on our privacy portal. We will review and respond to your request within thirty (30) days of receipt. We also respond to subject access requests from third parties provided we are able to validate the request in accordance with our internal privacy policy.

How long do we store your data?

We retain your data for the duration of the pendency of our relationship. However, we will also retain data, subject to relevant provisions of applicable laws. One of such law is the Nigerian Money Laundering Act 2022 which requires us to retain your data for at least five (5) years after the termination of our business relationship.

Upon the termination of our relationship, we would archive and stop actively using any personal data about you within 6 months from the last time of our relationship unless required for compliance purposes, to defend a legal issue or with your consent.

Technical and Organisational Measures

The Data Protection Officer may grant exceptions to certain sections of this policy having regard to factors including applicable law, inherent risk, residual risk, potential recurrence, proportionality, and such other factors prescribed by international standards for situations similar to that under review. The exceptions shall be well documented and the risk shall be explained to senior management and accepted before being granted.

Data Subject Access Requests

We are very particular about preserving your privacy and protecting your data. Therefore, to avoid the loss, theft, misuse and unauthorised access, disclosure, alteration, and destruction of your information, we have put in place a range of technical and organizational measures. We briefly highlight some of these measures below;

1. Technical Measures

   1. Data Encryption

      We use encryption technologies to protect your data during transmission and storage, ensuring that unauthorized parties cannot access or intercept it.

   2. Access Controls

      Our systems incorporate strict access controls, ensuring that only authorized personnel have access to your personal information based on a need to know and need to use.

   3. Regular Security Audits

      We are on course to implement regular security audits and assessments to identify and address potential vulnerabilities in our systems and infrastructure.

   4. Incident Response Plan

      In the event of a data breach or security incident, we have a well-defined incident response plan in place to minimize the impact and notify relevant authorities and individuals promptly.

2. Organisational Measures

   1. Employee Training

      Our employees undergo periodic data protection training to ensure they understand the importance of data protection and are equipped to handle personal information responsibly.

   2. Data Protection Contact (DPC)

      We have appointed a Data Protection Contact who oversees our data protection practices, ensures compliance, and acts as a point of contact for data subjects and supervisory authorities.

   3. Privacy by Design

      We integrate privacy considerations into our product and service development processes from the outset, adhering to the principle of privacy by design.

   4. Data Minimization

      We only collect and process the personal data necessary for the specific purposes outlined in this Privacy Notice, practicing data minimization principles.

Security of data

Security of your data requires joint efforts from yourself and Nazza, Despite our organisational and technical measures, we cannot completely guarantee the security of any information you transmit via our online channels, as the internet is not an entirely secure place. As such, we encourage you to keep your sensitive information such as your login information private.

Additionally, due to the nature of the blockchain, your transaction history may be visible to any person aware of your wallet address or transaction hash. Where you have reasons to believe your wallet address has been compromised, you may contact us for a change of wallet address. However, we can not always guarantee the creation of a new wallet address unless such request is backed by cogent and credible information. The decision to approve a new wallet address shall be solely at the discretion of the compliance officer.

Changes to our privacy notice

We will continually assess our data protection practices to ensure that your rights are guaranteed. To this end, we may amend this Privacy Notice at any time. In the event that changes are made, we will indicate at the top of this Privacy Notice when it was most recently updated or send you a notification that the Notice has been updated.

Please be assured that we will not use any previously collected personal data, to the extent that it is not collected under the new privacy policy, in a manner materially different than represented at the time it was collected.

Get in touch If you have any questions or concerns relating to this privacy notice, please contact us at;

No. 14D, Sheri Hills Cres. Imperial Vista Estate, Life Camp, Abuja compliance@mynazza.com

We will never spam you or sell your information.