Privacy Policy
Your privacy matters to us. This policy explains how PayLupe collects, uses, and protects your personal information when you use our platform.
We collect only what we need to provide our services. We never sell your data. We use bank-grade encryption to protect your information. You can request access, correction, or deletion of your data at any time.
Introduction
PayLupe Technologies Limited (“PayLupe”, “we”, “us”, or “our”) is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, store, share, and protect information obtained through our website at paylupe.com, our mobile application, and all related services (collectively, the “Platform”).
By accessing or using our Platform, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with any part of this policy, please discontinue use of our services immediately.
This policy is designed in compliance with the Nigeria Data Protection Regulation (NDPR) 2019, the Nigeria Data Protection Act (NDPA) 2023, and other applicable data protection laws.
Information We Collect
We collect different types of information to provide and improve our services. The information we gather falls into the following categories:
Personal Identification Data
- Full name, email address, and phone number provided during registration
- Profile photograph (if uploaded)
- Date of birth and gender (when provided for identity verification)
- Government-issued identification details for KYC compliance
Financial & Transaction Data
- Wallet balance and transaction history (top-ups, withdrawals, gift card trades, airtime/data purchases, electricity payments)
- Bank account details (bank name, account number, account holder name) for withdrawal processing
- Payment reference numbers and transaction statuses
- Gift card details submitted during trades (card codes, PINs, proof images)
Technical & Usage Data
- Device information: device type, operating system, browser type and version, unique device identifiers
- Log data: IP address, access times, pages viewed, referring URL, and actions taken on the Platform
- App usage analytics: features used, session duration, crash reports
- Location data: approximate location derived from IP address (we do not collect precise GPS location)
Communications Data
- Messages and correspondence exchanged with our support team
- Feedback, reviews, and survey responses
- Email and push notification preferences
How We Use Your Data
We process your personal information for the following purposes:
Service Delivery
- Process wallet top-ups, withdrawals, and transfers
- Facilitate gift card trading and VTU purchases
- Execute airtime, data, and electricity bill payments
- Verify your identity and maintain account security
Security & Compliance
- Detect and prevent fraud, money laundering, and unauthorized transactions
- Verify your identity per KYC/AML regulations
- Protect against security threats and abuse
- Comply with legal obligations and regulatory requirements
Communication
- Send transaction confirmations and receipts
- Deliver important service updates and security alerts
- Respond to your support requests and inquiries
- Send promotional content (only with your consent)
Improvement & Analytics
- Analyze usage patterns to improve our Platform
- Develop new features and services
- Conduct research and analytics for better user experience
- Personalize your experience based on preferences
Legal Basis for Processing
We process your personal data based on the following legal grounds, as required under the Nigeria Data Protection Act (NDPA) 2023 and the Nigeria Data Protection Regulation (NDPR):
- Contractual Necessity: Processing required to perform our agreement with you, including processing transactions, maintaining your wallet, and delivering our core services.
- Consent: Where you have given explicit consent, such as for marketing communications, non-essential cookies, and optional data sharing.
- Legal Obligation: Processing required to comply with applicable laws, including anti-money laundering (AML) regulations, tax obligations, and requests from regulatory authorities.
- Legitimate Interest: Processing necessary for our legitimate business interests, such as fraud prevention, service improvement, and platform security, balanced against your rights and freedoms.
Data Sharing & Disclosure
We do not sell, rent, or trade your personal information. We may share your data only in the following circumstances:
| Recipient | Purpose |
|---|---|
| Payment Processors | Paystack and similar providers to process top-ups, withdrawals, and bank verifications |
| VTU Service Providers | Third-party providers to fulfill airtime, data, and electricity purchases on your behalf |
| Cloud Infrastructure | Secure hosting and storage providers that process data on our behalf under strict agreements |
| Regulatory Authorities | When required by law, court order, or government regulation (e.g., CBN, NITDA, EFCC) |
| Analytics Partners | Aggregated, anonymized data for platform performance analysis and improvement |
All third-party service providers are contractually obligated to protect your data and may only use it for the specific purposes we engage them for.
Data Security
Protecting your data is fundamental to our business. We implement comprehensive security measures including:
Encryption
All data transmitted between your device and our servers is encrypted using TLS 1.2+ (HTTPS). Sensitive data at rest is encrypted using AES-256.
Access Controls
Strict role-based access controls limit who can view your data. All admin actions are logged in audit trails for accountability.
Authentication
Your account is protected by hashed passwords, 4-digit transaction PINs (bcrypt-hashed), and optional biometric authentication.
While we employ industry-standard security practices, no system is completely impervious to threats. We encourage you to protect your account by using a strong password, keeping your transaction PIN confidential, and enabling biometric lock on the mobile app.
Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy, unless a longer retention period is required by law.
- Account Data: Retained for the duration of your account and up to 12 months after account closure or deactivation.
- Transaction Records: Retained for a minimum of 6 years as required by Nigerian financial regulations and anti-money laundering laws.
- Gift Card Trade Data: Proof images and card details are retained for 90 days after trade completion, then permanently deleted.
- Support Communications: Retained for up to 24 months to ensure continuity of service and dispute resolution.
- Usage & Analytics Data: Aggregated and anonymized after 12 months; raw data is deleted.
When data is no longer needed, it is securely deleted or anonymized so that it can no longer be associated with you.
Your Rights
Under the Nigeria Data Protection Act (NDPA) 2023 and applicable data protection laws, you have the following rights regarding your personal information:
Right of Access
Request a copy of the personal data we hold about you, including how it is processed and who it is shared with.
Right to Rectification
Request correction of inaccurate or incomplete personal data. You can update most information directly in your account settings.
Right to Erasure
Request deletion of your personal data, subject to legal retention requirements (e.g., financial records we must keep for regulatory compliance).
Right to Restrict Processing
Request that we limit how we process your data in certain circumstances, such as when you contest the accuracy of data.
Right to Data Portability
Request your personal data in a structured, commonly used, machine-readable format for transfer to another service provider.
Right to Object
Object to the processing of your data for direct marketing purposes or where processing is based on legitimate interests.
Right to Withdraw Consent
Withdraw your consent at any time for processing activities based on consent, without affecting the lawfulness of prior processing.
How to exercise your rights: Send your request to support@paylupe.com with the subject line “Data Privacy Request”. We will respond within 30 days. You may also contact the Nigeria Data Protection Commission (NDPC) if you believe your data protection rights have been violated.
Children's Privacy
PayLupe is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately at support@paylupe.com. We will take steps to delete such information from our systems promptly.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make changes:
- The “Last updated” date at the top of this page will be revised.
- For significant changes, we will notify you via email or an in-app notification before the changes take effect.
- Continued use of the Platform after changes are posted constitutes your acceptance of the revised policy.
We encourage you to review this policy periodically to stay informed about how we protect your information.
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please reach out to us:
PayLupe Data Protection Office
This Privacy Policy constitutes a legally binding agreement between you and PayLupe Technologies Limited. By using our Platform, you signify your acceptance of this policy. This policy should be read together with our Terms of Service.