
Privacy Policy

How we collect, use, and protect your personal information

Introduction

Welcome to Debby, Nigeria's leading payment and customer loyalty platform. We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how Debby Nigeria Limited ("we," "us," or "our") collects, uses, discloses, and safeguards your information when you use our payment processing platform, POS terminals, customer wallet services, and related products.

This policy applies to both merchants (businesses using our services) and customers (end-users who use Debby wallets and cards). Please read this policy carefully to understand our practices regarding your data.

By using Debby services, you consent to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our services.

Last updated: January 2025

Information We Collect from Merchants

When you register and use Debby as a merchant (business), we collect and process the following information:

Business Profile Information

  • Business name, trading name, and description
  • Business type (vendor, business, enterprise, aggregator)
  • Physical address, city, and state
  • Business registration number and incorporation documents
  • Tax identification number
  • Industry/sector information
  • Unique business short code (auto-generated 6-digit identifier)

Contact Information

  • Email address and phone number
  • Website URL
  • Social media profiles (Facebook, Twitter, Instagram)
  • Callback URLs for API integrations

Financial Information

  • Bank account details (account name, number, bank name, bank code)
  • Settlement account information for multiple payment processors
  • Virtual wallet account numbers
  • Settlement frequency preferences (hourly, daily, weekly, monthly)
  • Transaction processing charges and fee configurations

Business Verification (KYC)

  • Director and business owner information
  • Certificate of incorporation
  • Proof of business address
  • KYC reference ID and verification status
  • Business approval documentation

Team Members and Users

  • Full names and phone numbers of business users
  • User roles (owner, admin, user)
  • Device tokens for push notifications (iOS/Android)
  • Device platform, device ID, and metadata
  • Last activity timestamps

POS Terminal Information

  • Terminal ID, serial number, and name
  • Processor type (Spoutpay, FETS, Grupp) and vendor information
  • Virtual account numbers linked to terminals
  • Settlement preferences and charge profiles

API Integration Data

  • API keys and secret keys for authentication
  • Webhook callback URLs and preferences
  • Integration metadata and configurations

Information We Collect from Customers

When you use a Debby wallet or card as a customer (end-user), we collect and process the following information:

Personal Information

  • First name and last name
  • Email address and phone number
  • Gender (optional)
  • Date of birth
  • Residential address
  • Unique customer ID

Identity Verification

  • Bank Verification Number (BVN)
  • Government-issued ID documents (Driver's License, National ID, International Passport)
  • Selfie/photo verification
  • Proof of address documents
  • KYC reference ID and tier level (Tier 1, 2, or 3)

Wallet and Card Information

  • Virtual account number (NUBAN)
  • Wallet ID and balance information
  • Card Primary Account Number (PAN) - securely stored
  • Card name and status (active, blocked, unassigned)
  • Transaction limits and tap-and-pay limits
  • Date card was assigned to you

Security Information

  • PIN (hashed with bcrypt - never stored in plain text)
  • Password (encrypted with AES-256-CBC for PIN login support)
  • Session tokens for authentication
  • Device information for security monitoring

Payment Methods

We create secure "fingerprints" of your payment methods using SHA-256 hashing to identify them without storing full card details:

  • Card BIN (first 6 digits) and last 4 digits
  • Card scheme (Visa, Mastercard, Verve, etc.)
  • Masked account numbers (displayed as ****1234)
  • Bank codes and bank names (for bank transfers)
  • Payment method usage tracking (first used, last used, transaction count)

Transaction Data

  • Transaction amounts, dates, and times
  • Merchant names and locations where you spent
  • Transaction status (successful, pending, failed)
  • Payment channel used (card, bank transfer, Debby wallet)
  • Transaction reference numbers (RRN)
  • Wallet funding and spending history

Communication Preferences

  • Email receipt preferences
  • Wallet funding notification preferences
  • WhatsApp notification opt-in status
  • Marketing communication preferences

How We Use Your Information

For Merchants

We use merchant information to:

  • Process and facilitate payment transactions
  • Manage POS terminals and payment channels
  • Calculate and process settlements to your bank account
  • Verify your business identity and comply with KYC requirements
  • Provide API access for business integrations
  • Send transaction notifications and alerts
  • Generate business analytics and reports
  • Prevent fraud and unauthorized access
  • Provide customer support and technical assistance
  • Improve our services and develop new features
  • Comply with legal and regulatory obligations

For Customers

We use customer information to:

  • Create and manage your Debby wallet and virtual account
  • Issue and manage your Debby spending card
  • Process payments at merchant locations
  • Authorize transactions using your PIN
  • Send transaction receipts and notifications via email or WhatsApp
  • Track your spending history and provide transaction summaries
  • Verify your identity to prevent fraud and comply with regulations
  • Process wallet funding from bank transfers or card withdrawals
  • Enable loyalty programs and cashback rewards
  • Send you important service updates and security alerts
  • Provide customer support and resolve issues
  • Improve our wallet and card services

How We Share Your Information

We share your information only in the following circumstances:

Payment Processors and Financial Institutions

We work with trusted third-party payment processors and financial institutions to facilitate transactions, including:

  • Payment processors for POS transactions, funds transfers, and wallet operations
  • Virtual account service providers for account creation and management
  • Nigerian banks for virtual account infrastructure and fund inflows
  • Banking partners for settlements and transfers to your bank account

KYC and Verification Services

We use third-party KYC and identity verification services to verify customer and business identity documents, Bank Verification Numbers (BVN), and address information in compliance with Nigerian regulations.

Authentication and Infrastructure Services

We use third-party authentication and cloud infrastructure providers to manage user authentication, secure password storage, session management, and application hosting.

Communication Services

  • Email service providers for sending OTPs, receipts, and notifications
  • SMS and messaging services for OTP delivery and transaction alerts
  • Push notification services for mobile app notifications

Business Partners

  • For Customers: Your transaction information is shared with the merchant where you make purchases
  • For Merchants: Your customer data is only accessible to your authorized business users

Legal and Regulatory Authorities

We may disclose your information to government authorities, regulators, or law enforcement when required by law, to comply with legal processes, to protect our rights and property, or to investigate fraud and security issues.

Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you of any such change and provide choices regarding your data.

How We Protect Your Data

We implement industry-standard security measures to protect your information from unauthorized access, alteration, disclosure, or destruction.

Encryption

  • Passwords: Hashed using bcrypt (industry-standard algorithm)
  • PINs: Hashed with bcrypt using 10 salt rounds - never stored in plain text
  • Stored Passwords (PIN Login): Encrypted with AES-256-CBC with unique initialization vectors
  • Payment Methods: Fingerprinted using SHA-256 hashing to protect card data
  • Data Transmission: All external API calls use HTTPS/TLS encryption

Access Controls

  • Role-based access control (RBAC) for different user types
  • Multi-factor authentication support
  • Token-based authentication with expiration and refresh mechanisms
  • API key and secret key authentication for business integrations
  • Session management and automatic logout after inactivity

Database Security

  • PostgreSQL database with parameterized queries to prevent SQL injection
  • Sensitive data masking for display purposes (e.g., ****1234)
  • Regular database backups and disaster recovery procedures
  • Soft deletes for data retention and recovery

Monitoring and Auditing

  • Transaction audit trails with full request/response logging
  • User activity monitoring (last sign-in, device tracking)
  • Automated fraud detection and prevention systems
  • Regular security assessments and penetration testing

Network Security

  • HTTPS/TLS for all external communications
  • Webhook signature validation for callbacks
  • API rate limiting and usage tracking
  • Environment variables for sensitive credentials

While we implement strong security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to using commercially reasonable means to protect your information.

Data Retention

We retain your information for as long as necessary to fulfill the purposes outlined in this Privacy Policy:

Merchant Data

  • Business profile and KYC data: Retained while your account is active and for 7 years after closure
  • Transaction records: Retained permanently for accounting, tax, and regulatory compliance
  • Settlement history: Retained for 7 years minimum
  • API logs: Retained for 90 days for debugging and support purposes

Customer Data

  • Customer profiles: Retained while your wallet/card is active
  • Transaction history: Retained for 7 years minimum for compliance
  • BVN and KYC documents: Retained as required by Nigerian regulations (minimum 7 years)
  • OTPs: Automatically deleted after 60 seconds or upon use
  • Deleted accounts: Data soft-deleted with option for permanent deletion upon request

When we no longer need your information, we will securely delete or anonymize it in accordance with our data retention policies and applicable laws.

Your Privacy Rights

Under Nigerian data protection laws (NDPR) and international standards, you have the following rights:

Access and Portability

  • Request a copy of your personal information
  • Export your transaction history in CSV format
  • Access your wallet and card information through our mobile app

Correction and Updates

  • Update your profile information through the app or dashboard
  • Correct inaccurate information by contacting support
  • Update your communication preferences

Deletion and Restriction

  • Request deletion of your account and personal data (subject to legal retention requirements)
  • Deactivate your wallet or card
  • Opt out of marketing communications
  • Restrict certain data processing activities

Objection and Consent

  • Object to processing of your data for specific purposes
  • Withdraw consent for marketing communications
  • Opt out of email or WhatsApp notifications (except essential service messages)

To exercise any of these rights, please contact us at privacy@debby.africa or through the contact information below. We will respond to your request within 30 days.

Please note that some requests may be subject to legal or regulatory requirements, such as retention of transaction records for tax and compliance purposes.

Cookies and Tracking

We use cookies and similar tracking technologies on our website and mobile apps to enhance your experience and gather analytics.

Types of Cookies We Use

  • Essential Cookies: Required for authentication, session management, and security
  • Functional Cookies: Remember your preferences and settings
  • Analytics Cookies: Help us understand how you use our services (Google Analytics, PostHog)
  • Device Tokens: For push notifications (Firebase Cloud Messaging)

Device Information We Collect

  • Device type and model
  • Operating system and version
  • IP address
  • Browser type
  • Device ID for fraud prevention
  • Last active timestamp

You can control cookies through your browser settings. However, disabling certain cookies may affect your ability to use some features of our services.

International Data Transfers

Debby is based in Nigeria, and your information is primarily stored on servers located in Nigeria. However, some of our third-party service providers may process data outside Nigeria, including:

  • Authentication service providers that may store data in the United States or Europe
  • Cloud infrastructure providers that may use international data centers
  • Email and communication service providers that may route messages through international servers

When we transfer data internationally, we ensure appropriate safeguards are in place, including data processing agreements, encryption, and compliance with applicable data protection laws.

Children's Privacy

Our services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at privacy@debby.africa so we can take appropriate action to remove the information.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. We will notify you of any material changes by:

  • Posting the updated policy on this page with a new "Last updated" date
  • Sending an email notification to your registered email address
  • Displaying a notification in our mobile app or merchant dashboard

Your continued use of Debby services after the changes take effect constitutes your acceptance of the revised Privacy Policy. We encourage you to review this policy periodically to stay informed about how we protect your information.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Data Protection Officer

Debby Nigeria Limited

Address

Lagos, Nigeria

We are committed to resolving any privacy concerns you may have. We will investigate and attempt to resolve complaints and disputes in accordance with this Privacy Policy and applicable data protection laws.
