Data Protection and Privacy Policy

Your privacy matters. Learn how PeerPay Network collects, uses, and protects your personal data—because trust is the foundation of every financial decision.

Last updated: 04/16/2025

1. Introduction

This Data Protection & Privacy Policy (“Policy”) explains how PeerPay Digital Assets Limited (“PeerPay”, “we”, “our”, or “us”) collects, uses, stores, discloses, and protects personal data obtained through our platform and services. PeerPay Network operates under the Nigeria Data Protection Act 2023 (NDPA), and is subject to regulation by the Nigeria Data Protection Commission (NDPC) and Central Bank of Nigeria (CBN).

By using PeerPay Network’s services or accessing our systems, you consent to the practices described in this Policy.

2. Legal Basis for Data Processing

We collect and process personal data based on one or more of the following legal grounds:

  • Consent from the data subject
  • Necessity for contract performance
  • Compliance with a legal obligation (e.g. CBN, NDPC directives)
  • Legitimate interest (e.g. fraud prevention, network security)

3. Categories of Data We Collect

Depending on the service or transaction, we may collect:

A. Personal Data

  • Name, address, date of birth
  • BVN (Bank Verification Number)
  • NIN (National Identity Number)
  • Mobile number and email
  • Signature and consent data (e.g., E-Mandate)

B. Financial & Transactional Data

  • Account numbers, bank identifiers
  • Payment history and loan data
  • Settlement status, debit mandate status
  • Ledger entries from the AFCS

C. Technical Data

  • IP address, device identifiers
  • Access logs and timestamps
  • API client credentials and usage

D. Institutional Data

  • Contact persons and directors’ KYC
  • Integration metadata

4. Purpose of Processing

We use your data for the following purposes:

  • Onboarding and identity verification (KYC/AML)
  • Creation and enforcement of financial commitments
  • Settlement processing and reconciliation
  • Compliance with legal and regulatory obligations
  • Risk monitoring, fraud prevention, and auditing
  • Communication and support
  • System improvement and analytics

5. Data Storage and Security

PeerPay implements industry-standard technical and organisational security measures, including:

  • AES-256 encryption at rest, TLS 1.3 in transit
  • Biometric-secured access to data centers
  • Role-based access control and key vaults (e.g. AWS KMS)
  • Zero-trust architecture with multi-factor authentication
  • Quarterly internal penetration testing and ISO/IEC 27001-aligned policies
  • Annual external penetration testing and ISO/IEC 27001-aligned policies

6. Data Sharing and Disclosure

We do not sell or rent personal data. We may disclose data to:

  • Regulatory bodies (CBN, NDPC) on lawful request
  • Participating banks, PSPs, and licensed institutions involved in a commitment
  • Third-party processors under strict contracts
  • Law enforcement agencies upon legal warrant or order

All data sharing complies with NDPA standards, including Data Processing Agreements (DPAs) and Standard Contractual Clauses (SCCs) for any foreign data transfer.

7. Data Subject Rights

Under the NDPA, you have the following rights:

  • Right to Access: Request a copy of your data.
  • Right to Rectification: Correct inaccuracies in your data.
  • Right to Erasure: Request deletion (subject to legal retention).
  • Right to Object: Object to specific types of processing.
  • Right to Portability: Receive data in a machine-readable format.
  • Right to Lodge a Complaint: File with NDPC or PeerPay’s Data Protection Officer.

Requests may be sent to security@peerpaynetwork.com and will be processed within 30 days as mandated by the NDPA.

8. Data Retention

  • Personal data is retained for a minimum of 7 years in compliance with CBN and NDPC regulations.
  • Biometric and financial data are retained only as long as necessary to fulfill lawful obligations or resolve disputes.

9. Cross-Border Data Transfers

Data may be processed outside Nigeria only if:

  • The destination country offers adequate data protection, or
  • The data subject provides explicit consent, or
  • NDPC-approved safeguards, such as SCCs, are in place

10. Breach Notification

In the event of a data breach affecting personal data:

  • PeerPay will notify affected users and NDPC within 72 hours.
  • Remedial measures will be communicated along with mitigation options.

11. Children’s Privacy

PeerPay does not knowingly collect data from persons under 18. Any such data will be promptly deleted upon discovery.

12. Policy Updates

This Policy may be updated to reflect changes in law or PeerPay operations. Changes take effect upon publication, with users notified via email or platform banners when material changes occur.