4.1 Scope and application
This Policy applies to all personal data processed by the Bank — whether on its own premises, on the customer's device, in cloud infrastructure, or by a contracted third-party processor — and to all employees, contractors, vendors, agents, and partners who access such data.
4.2 Key definitions
- Personal data — any information relating to an identified or identifiable natural person.
- Sensitive personal data — data revealing health, biometrics, political views, religious or philosophical beliefs, sexual orientation, trade-union membership, or criminal records.
- Processing — any operation performed on personal data, whether automated or not.
- Data subject — the individual to whom the personal data relates.
- Controller — the entity that determines the purposes and means of processing.
- Processor — the entity that processes personal data on behalf of a controller.
4.3 Principles of processing
The Bank processes personal data in accordance with the following NDPA principles:
- Lawfulness, fairness, and transparency.
- Purpose limitation — collection for specified, explicit, and legitimate purposes.
- Data minimisation — adequate, relevant, and limited to what is necessary.
- Accuracy — kept up to date and corrected without delay.
- Storage limitation — retained no longer than necessary for the stated purpose.
- Integrity and confidentiality — protected by appropriate technical and organisational measures.
- Accountability — demonstrably compliant on request by the NDPC.
4.4 Categories of personal data we process
- Identity data — full name, date of birth, gender, nationality, government-issued ID number (BVN, NIN, passport, driver's licence).
- Contact data — registered address, phone number, email address.
- Financial data — account numbers, transaction history, account balances, credit information.
- Device and technical data — device identifiers, IP address, operating system, app version, location (with consent), authentication logs.
- Biometric data — fingerprint or face template stored on the customer's device, used solely for local authentication. The Bank does not centrally store raw biometric data.
- Behavioural data — service-usage patterns, in-app navigation, marketing preferences.
4.5 Lawful bases for processing
The Bank relies on one or more of the following NDPA lawful bases:
- Performance of a contract with the data subject.
- Compliance with a legal or regulatory obligation (including AML/CFT, CBN reporting, and tax obligations).
- Protection of the vital interests of the data subject or another person.
- Performance of a task carried out in the public interest.
- Legitimate interests of the Bank or a third party, where these are not overridden by the rights of the data subject.
- Consent of the data subject (used only where another basis does not apply, and always informed, specific, freely given, and revocable).
4.6 Rights of the data subject
Subject to the conditions in the NDPA, you have the following rights, exercisable through the Bank's Data Protection Officer:
- Right to be informed about how your data is processed.
- Right of access to your personal data.
- Right to rectification of inaccurate or incomplete data.
- Right to erasure (within the limits of the Bank's legal and regulatory retention obligations).
- Right to restriction of processing.
- Right to data portability.
- Right to object to processing, including for direct marketing.
- Right not to be subject to a decision based solely on automated processing where that decision has legal or similarly significant effect on you.
4.7 Data Protection Officer (DPO)
The Bank shall appoint a Data Protection Officer who is the single accountable owner of the Bank's data-protection programme. The DPO is reachable at the registered office and may be contacted in writing at calistus@valuepaymfb.com marked "For the attention of the DPO" or at the postal address in the Contact Information document.
4.9 Cross-border transfers
Where personal data is transferred outside Nigeria, the Bank ensures one or more of the safeguards required by the NDPA — including adequacy decisions of the NDPC, binding contractual clauses, or the explicit informed consent of the data subject, as applicable.
4.10 Retention
Personal data is retained only for as long as necessary for the purposes for which it was collected, or to meet a legal, regulatory, or contractual obligation. The following indicative retention periods apply:
| Category | Retention period | Basis |
|---|---|---|
| KYC and account records | At least 5 years after account closure | CBN AML/CFT regulations |
| Transaction records | At least 7 years from transaction date | Banking & tax law |
| Customer complaints | At least 6 years from resolution | CBN Consumer Protection Framework |
| Marketing data | Until consent is withdrawn, or 24 months of inactivity | NDPA consent basis |
| Server access and audit logs | 12 months minimum, longer for security investigations | NDPA security principle |
4.11 Security of processing
Personal data is protected through layered technical and organisational measures, including encryption in transit and at rest, hardware security modules for cryptographic key management, role-based access controls with least privilege, multi-factor authentication, segregation of duties, security monitoring through a dedicated Security Operations function, regular penetration testing, and vendor security due diligence.
4.12 Breach notification
In the event of a personal-data breach likely to result in risk to the rights and freedoms of data subjects, the Bank shall notify the Nigeria Data Protection Commission within 72 hours of becoming aware of the breach, and shall notify affected data subjects without undue delay where the breach is likely to result in high risk to those individuals.
4.13 Data Protection Impact Assessments (DPIAs)
The Bank conducts a Data Protection Impact Assessment for any processing activity that is likely to result in a high risk to the rights and freedoms of data subjects — including new products, material changes to existing products, deployment of new processing technologies, and large-scale processing of sensitive data.
4.14 Children and minors
Where the Bank offers any service to a minor, processing of the minor's data is supported by the verifiable consent of a parent or legal guardian, and is limited to what is necessary for that service. Minor accounts are subject to enhanced controls and reduced limits.
4.15 Marketing
The Bank only sends direct marketing where it has a lawful basis to do so, and provides a clear, costless way for the data subject to opt out of further marketing at any time.
4.16 How to make a complaint
You may complain to the Bank's DPO using the contact details above. If you are not satisfied with our response, you may complain to the Nigeria Data Protection Commission. Contact details for the NDPC and other regulators are set out in the Contact Information document.
ValuePay Microfinance Bank Limited has received Approval-in-Principle from the Central Bank of Nigeria (ref. FPR/LAD/CON/MFB/015/047 dated 17 March 2026). The Bank shall not commence banking business until the grant of a final licence.