Our Commitment to Your Privacy, Security & Responsible Data Use

At SparkPay, safeguarding your personal information is not just a legal requirement — it’s a core part of our mission to earn and keep your trust. This Privacy & Use of Data Policy explains how we collect, process, store, and share your data in line with NDPR, GDPR‑equivalent frameworks, and applicable financial regulations. It also outlines your rights, the safeguards we put in place, and how you can control your information at any time.

SparkPay Privacy & Use of Data Policy

Effective Date: 06/06/2025Last Updated: 12/08/2025

SparkPay (“we,” “our,” “us”) is committed to safeguarding the privacy and confidentiality of your personal and financial data. This Privacy & Use of Data Policy explains in detail how we collect, process, store, protect, and share your information when you use our mobile applications, web portals, APIs, or any other services provided by SparkPay.

Our practices comply with the Nigeria Data Protection Regulation (NDPR), the General Data Protection Regulation (GDPR) where applicable, the Central Bank of Nigeria (CBN) Guidelines, and other relevant laws. By using SparkPay services, you consent to this Policy. If you disagree with its terms, you should discontinue use of our services.

1. Introduction

This Policy outlines what data we collect, how we use it, our legal bases for processing, how long we retain it, and the rights and choices available to you.

2. Information We Collect

We collect the following categories of information:

2.1 Identification Data

  • Full name, date of birth, gender.
  • Bank Verification Number (BVN).
  • Government‑issued ID (passport, national ID, driver’s license).
  • Biometric data (facial recognition, fingerprint for verification).

2.2 Contact Information

  • Email address, phone number, physical address.

2.3 Financial Data

  • Wallet balances and transaction history.
  • Linked bank accounts and card details.
  • Virtual card numbers, expiry, and CVV (tokenized/secured).

2.4 Technical & Device Data

  • IP address, device model, operating system version.
  • Device identifiers (e.g., IMEI, MAC address).
  • App usage statistics, performance metrics, and crash reports.

2.5 Communication Data

  • In‑app chat messages, email correspondence, and call recordings (where applicable).
  • Dispute resolution records and support attachments.

2.6 Compliance & Risk Data

  • Sanctions and Politically Exposed Person (PEP) screening results.
  • AML/CFT risk scoring and ongoing monitoring outputs.
  • Fraud flags and transaction monitoring alerts.

2.7 Optional Data

  • Marketing preferences, surveys, and feedback responses.

3. How We Collect Information

  • Directly from you during account creation, KYC verification, and service use.
  • Automatically via our apps, website, and APIs (cookies/SDKs, analytics, device fingerprinting).
  • Through third‑party providers (KYC services, payment processors, gift card issuers).
  • From legal/regulatory databases and compliance partners.

4. Purpose of Data Use

4.1 Service Delivery

  • Wallet management, payment processing, virtual card issuance, gift card transactions, and bill payments.
  • Crypto buy/sell where available and permitted by law.

4.2 Compliance Obligations

  • KYC/AML/CFT checks and ongoing sanctions screening.
  • Regulatory reporting (e.g., CTR/STR) to relevant authorities.

4.3 Security & Fraud Prevention

  • Suspicious activity detection, account takeover prevention, device intelligence.
  • AI‑based risk scoring and transaction monitoring.

4.4 Service Improvement & Analytics

  • Performance monitoring, bug resolution, and product analytics to enhance UX.

4.5 Communication

  • Transaction alerts, service announcements, and status updates.
  • Marketing messages where you have given consent (opt‑in/opt‑out supported).

5. Legal Basis for Processing

  • Contractual necessity to deliver requested services.
  • Compliance with legal obligations (CBN, NDPR, FATF‑aligned standards).
  • Legitimate interests (security, fraud prevention, service reliability and improvements).
  • Consent for optional marketing and certain analytics/cookies.

6. Data Storage & Security Measures

6.1 Encryption

  • TLS 1.3 for data in transit.
  • AES‑256 for data at rest.
  • HSM‑based key management for sensitive credentials.

6.2 Access Control

  • Role‑based access, least‑privilege, and multi‑factor authentication.

6.3 Monitoring & Auditing

  • Real‑time system health checks and immutable audit logs.

6.4 Redundancy & Backups

  • Geo‑redundant storage and daily encrypted backups.

7. Data Sharing & Third Parties

We do not sell your data. We share it only where necessary, with:

  • Banking partners for payments and withdrawals.
  • KYC providers (e.g., Dojah, Smile Identity) for verification.
  • Crypto and gift card service providers for fulfillment.
  • Regulatory bodies as required by applicable law.
  • Technology partners (hosting, analytics, communications) under strict DPAs.

All third parties are bound by data protection agreements and security obligations.

8. International Data Transfers

Where data is transferred outside Nigeria, we use appropriate safeguards (e.g., Standard Contractual Clauses) and secure transfer mechanisms in line with NDPR and GDPR requirements.

9. Data Retention

  • KYC data: minimum 5 years after account closure.
  • Transaction data: at least 7 years for regulatory/audit purposes.
  • Support communications: 2 years.
  • Marketing consent records: retained until consent is withdrawn.

10. Your Rights

  • Access, rectification, and deletion (subject to legal retention duties).
  • Restriction or objection to certain processing.
  • Withdraw consent for non‑essential processing.
  • Data portability to another service provider.

Requests can be made via email to privacy@sparkpay.ng. We respond within 30 days in line with NDPR requirements.

11. Automated Decision‑Making

Certain services (e.g., fraud detection, transaction risk scoring) may involve automated processing. You may request human review of such decisions where required by law.

12. Cookies & Tracking Technologies

We use cookies/SDKs for:

  • Session management and authentication.
  • Performance optimization and analytics.
  • Security and fraud prevention.

You can manage preferences via your device or browser settings.

13. Incident Response & Breach Notification

  • Notify affected users within required timelines (e.g., 72 hours under GDPR) or as mandated by NDPR.
  • Inform relevant regulatory authorities as applicable.
  • Take immediate steps to mitigate harm and prevent recurrence.

14. Children’s Privacy

Our services are intended for users aged 18 and above. We do not knowingly collect data from minors without lawful consent.

15. Changes to This Policy

We may update this Policy to reflect changes in technology, regulation, or our services. Material changes will be communicated via in‑app notices or email. The “Last Updated” date will be revised accordingly.

16. Contact Us

Email: privacy@sparkpay.ng
Address: KM 20, Lekki Epe Expressway, Lagos, NG

General support: support@sparkpay.africa
Bitbloom Technologies Limited, Lagos, Nigeria.

Last updated: December 18, 2025