Cashxpress Nigeria Limited Privacy Notice

Last updated: 20.05.2024

1. Introduction

This Privacy Notice (“Notice”) outlines your use of our Website and App: https://cashx.ng/ (“the Website URL”) and your rights concerning our collection, use, storage, and protection of your personal data when you visit, access, browse, and/or use our Website or App. Your privacy is important to us.

Please note that this Notice does not apply to any products, services, websites, or content offered by third parties that have their own privacy notices. Additionally, it does not apply to job applicants, candidates applying for employment, or employees and non-employee workers whose personal data is subject to different privacy notices. Such individuals will receive specific privacy notices in the context of their employment or working relationship with us.

2. The data we process

Personal data means any information about an individual from which that person can be directly or indirectly identified. We do not consider personal data to include information that has been made anonymous such that it does not identify a specific user.

In connection with our services, we collect personal and financial information from you while you use our products, services, and websites. We may ask you to provide us with certain personal data directly to contact or identify you, and some automatically for our Website to function effectively.

When you use our application, we collect and synchronize certain information with your prior consent. We require your permission to collect data to understand your identity better and correctly assess your creditworthiness. Your information will be securely encrypted and transferred to our server (https://api.cashx.ng/). We will not share the collected data with third parties without your consent, except as otherwise provided herein.

(a) Collection of SMS data

Purpose of the permission: Our app needs access to your SMS data as it is an important component for one of the stages of the credit assessment. As part of our customer assessment, this access will help us identify your bank accounts, analyze your cash flows, and review transaction amounts. This information also allows us to detect, prevent and combat fraud, including attempted money laundering or any other illegal activity that may be related to the services we provide. You are not obliged to provide access to SMS information, you have the choice to approve or decline it. However, if you decline, you may not be able to use all the features of the app. Also, we may not be able to accurately assess your risk profile and creditworthiness.

Type of Data Collection: We exclusively monitor SMS within the Customer’s inbox to discern their various accounts and cash flow patterns. Our data collection and processing encompass telephone data, including SMS logs.

Security of Data:

We use the HTTPS protocol to encrypt and transmit your SMS information to our server (https://api.cashx.ng/). The data we collect is not shared with third parties without your permission.

(b) Collection of Call Data

We request access to your call log to enhance our fraud detection measures and improve customer support. This data helps us verify account ownership by cross-referencing contact details and call history. Additionally, it assists in identifying unusual account activity, such as multiple login attempts or suspicious transactions, ensuring the security of your transactions and account information. We handle this information with the highest standards of confidentiality and encryption for privacy and data security. We don’t require access to your call log but encourage its use for enhanced security and functionality. Declining this permission may limit app features and our ability to monitor account security effectively.

Type of Data Collection: We exclusively monitor call logs to discern various account activities and enhance fraud detection measures. Our data collection and processing encompass telephone data, including call history logs.

Security of Data: We utilize the HTTPS protocol to encrypt and securely transmit your call log data to our server at https://api.cashx.ng/. Your call log information is treated with the utmost confidentiality and is never shared with third parties unless we have obtained your explicit consent.

(c) Collection of Location Information

  • We collect data about your geographic location to assess customer risk
  • We upload location data to our highly secure CashX server (https://api.cashx.ng/)

Security of Data: You will be notified by your device’s operating system when the Application attempts to collect information about your geographic location. Attention: If you do not allow the Application to collect information about your geographic location, you will not be able to access all the functions of the Application and you will not be able to use them

(d) Collection of Phone Device Information

We may gather certain device information, including hardware details (such as the operating system, Android version, IMEI number, IMSI number, MAC address, serial number, Android ID, screen size, and other hardware specifics), and serial number to uniquely identify the device. This helps us ensure that unauthorized devices are not used for fraudulent activities on your behalf.

The collected data will be securely uploaded to the CashX server (https://api.cashx.ng/) with high-level protection measures in place.

Personal data that we collect when a client interacts with our service includes:

Service UsersAll Visitors
First and last nameThe domain name of the Internet service provider (ISP)
Email addressDate and time of your visits
Phone numberThe Internet protocol address used to connect your device to the Internet for identification purposes
Account passwordWeb pages visited, duration and frequency of visit
Login email addresses and passwords
Recorded phone conversations with us
Financial information (including, but not limited to, ATM card details, Bank Verification Number (BVN), Banking details etc.)
Transactional data (information relating to payment)
Other information we collect include: residential address, government-authorised ID number, property value, and other lifestyle information.

3. Cookies

Cookies are tools used to collect information automatically from you when you visit a Website. Our website utilises cookies to set user preferences while on our Website and also track page visits and access to content.

4. Lawful bases for processing data

We are required to process your data under at least one of these lawful bases:

  1. Legitimate interest: Processing your data is necessary for our legitimate interests or the legitimate interests of a third party, provided your rights and interests do not outweigh those interests.
  2. Consent: You have given explicit consent for us to process your data for a specific purpose.
  3. Contract: If your data processing is necessary for a contract you have with us or because we have asked you to take specific steps before entering into that contract.
  4. Legal obligation: If the processing of your data is necessary where there is a statutory obligation on us.
  5. Device Permissions for Personal Data Access: Depending on your specific device, we may request permissions to access your device data as described above. By default, these permissions must be granted by you before the relevant information can be accessed. You can revoke these permissions at any time through your device settings or by contacting our support team using the provided contact details. The exact procedure for managing app permissions may vary based on your device and software.

5. Purpose of processing your data and the lawful basis

Purpose of ProcessingLawful Bases

To administer our business.

To help us develop, improve, customise or restructure our services.

To enforce our terms of service and any terms and conditions of any other agreements for our services.

Run a credit check on you to determine your creditworthiness.

Administer your account and relationship with us and communicate with you through telephone calls, mail, email, text (SMS) messages, push notifications, or other electronic means. (We record or keep transcripts of communications to check your instructions to us, analyse, assess, and improve our services, for training and quality purposes and to investigate any complaint you may make or as evidence in any dispute between you and us).

Enhance data security.

Legitimate interest, contract

To take statistical data and analytics for our use internally.

To send you service-related messages.

To analyse site usage and provide, maintain and improve the content and functionality of the Site.

To send marketing or promotional messages to you.

Legitimate interest

To send marketing or promotional messages to you.

Access your device.

Consent

To secure your data and prevent fraud.

Verify your identity as part of our identity authentication process.

Legitimate interest, legal obligation.

To address your inquiries, process your registration, and complete your transactions.

To notify you of any changes to our service, solving issues via live chat support, phone or email, including any bug fixing.

To enable registered users to log in to our mobile App.

To enable an easy and effective payment system.

Contract
To inform you whenever there are changes to our terms of business or services.Legal obligation, contract

To fulfill our Know Your Customer (KYC) obligation.

To fulfill legal requirements where needed.

Legal obligation

6. Your rights as a data subject

The law vests you with certain rights as a data subject. They include the right to:

  1. access personal data we hold about you by requesting a copy of the personal data we hold;
  2. rectify such information where you believe it to be inaccurate;
  3. restrict the processing of your data in certain circumstances;
  4. object to the processing of your data where we intend to process such data for marketing purposes;
  5. where feasible, receive all personal data you have provided to us —in a structured, commonly used, and machine-readable format, and transmit the information to another data controller;
  6. request the erasure of your data (also known as the right to be forgotten);
  7. withdraw your consent to the processing of your personal data; and
  8. lodge a complaint with a relevant authority, where you have reason to believe that we have violated the term(s) of this Privacy Notice. (You may complain or seek redress from us within 30 (thirty) days from when you first detected the alleged violation.)

You may seek to exercise any of the above rights at any time by emailing us at [email protected].

The supervisory authority is the Nigerian Data Protection Commission (“NDPC”), and you can send your complaint via email to [email protected].

7. Who do we share your data with?

We may share your data with the following third parties:

Third partiesPurpose of data sharing

Financial institutions

We collaborate with various financial institutions to create and offer our product, and we may only use this information to market our related products unless the customer has consented to other uses.

Credit Bureau Institutions

We disclose your personal data to obtain your credit score and credit report as well as assess your creditworthiness from one or more Credit Rating Bureaus on your behalf to facilitate responsible lending practices and help you access the best possible financial solutions.

Service providers

We may share your information with third-party service providers to enable us to fulfill our contractual obligations towards you or carry out our operations seamlessly. These third-party service providers or sub-processors include Google, Microsoft, Paystack, Flutterwave, Prembly, and trusted recovery agents.

Law enforcement, government officials

We may disclose your data according to a subpoena, or court order when we need to do so to comply with law or credit/debit card rules; or when we believe, in our sole discretion, that the disclosure of personal information is necessary to prevent physical harm or financial loss, to report suspected illegal activity or to investigate violations of our User Agreement.

Legal and Regulatory Authorities

We may disclose your information if we believe it is reasonably necessary to comply with a law, regulation, order, subpoena, or audit, or to protect any person’s safety, or to address fraud, security, or technical issues.

Note that if you wish to prevent your device’s operating system from sharing your Personal Data with CashXpress or with the third parties mentioned for profiling purposes, you can do so by setting up your device appropriately. This involves changing the privacy settings on your device to disable or restrict any advertising tracking features. For more information on how to do this, please see the following links:

iOS Devices: https://support.apple.com/en-us/HT202074;

Android Devices: https://support.google.com/ads/answer/2662922?hl=en.

8. How long do we keep your data

The personal data we process will be stored for as long as necessary to fulfill the purposes described in this Notice. However, we will also retain data subject to relevant provisions of applicable laws, resolve disputes, prevent fraud and abuse, and enforce our legal agreements and policies. In addition, we delete your data for targeted marketing purposes once you unsubscribe from our marketing communications or withdraw consent by clicking the “unsubscribe button” or sending an email to [email protected].

Please note that your data may be retained for a longer period, notwithstanding your request to delete it, where there is a legal requirement to do so. However, we utilize this information to enhance and customize our service. It may be uploaded to our servers or stored on your device. If you nominate someone as your guarantor, you confirm that you have their approval to process their data (name and contact details) for this loan facility.

9. How your data is stored

We value the security and integrity of your personal data. To ensure this, we have implemented comprehensive measures spanning physical, technical, and administrative domains. These measures are designed to mitigate potential risks, such as data loss, misuse, unauthorised access, disclosure, and alteration.

Our protective strategies include:

  • Utilising firewalls and encrypting data to shield it from external threats.
  • Implementing physical access controls to safeguard our infrastructure and assets.
  • Establishing stringent information access authorisation controls to ensure only designated personnel can access sensitive data.

Where there is an actual or suspected data breach that poses a high risk to your rights and freedoms, we will notify you without undue delay and use our best effort to remedy the violation within one (1) month from the date we notify you.

10. Automated decision-making

We use an automated decision-making system to make automated decisions based on personal information we have about you. This helps us ensure our decisions are quick and fair based on what we know. We use automated processing to predict the probability that you may be eligible for a product/service or determine the best order or manner to display products to you.

11. International transfer of data

In the course of our operations, we may transfer personal data outside our country of operation. We ensure any cross-border data transfers adhere to all necessary data protection regulations. This means that before transferring personal data, we either confirm that the recipient country has robust data protection laws or, if not, employ specific contractual terms and other appropriate safeguards to protect the data. In cases where the destination country might not meet stringent data protection standards, we will leverage the relevant data transfer mechanism, seek authorisation from the regulator, or obtain your consent before proceeding and inform you of any risks. Should you wish to learn more about how we ensure data protection during these transfers, details will be provided upon request.

12. Security of your data

We prioritise the security of your personal data by employing advanced technical, physical, and administrative safeguards, including encryption, controlled access, and regular security training for our staff. Our proactive measures are designed to prevent unauthorised access, loss, or misuse of your information. In the rare event of a data breach, we have procedures in place to swiftly respond, mitigate potential harm, and notify affected data subjects as required by law. We continuously adapt our security practices to address evolving challenges and threats.

13. Marketing and communications

We use your personal data to offer tailored marketing content, send promotional communications, and occasionally request feedback through surveys. We respect your communication preferences and provide easy options for you to opt out or adjust settings. We are committed to transparency, never sharing your data with third parties for their marketing without your explicit consent. Any significant changes to our marketing practices will be communicated to you promptly.

We only send marketing communications to you with your consent. You may choose to opt out of our marketing emails by clicking on the ‘unsubscribe’ button at the bottom of the page or sending an email to [email protected]. Similarly, instructions for opting out will be provided via SMS or push notifications.

14. Complaints

If you have any inquiries or complaints, please contact us at [email protected]. Our DPO will examine your concerns and update you on the resolution process.

We inform you that you may complain to the regulatory authority (NDPC) at [email protected] if your complaints are not satisfactorily addressed.

15. Changes to this notice

Our Privacy Notice may evolve over time to reflect changes in our practices, technologies, legal requirements, or other factors. Any significant modifications will be prominently communicated on our website or directly to you. We encourage you to regularly review our Privacy Notice to stay informed. The date of the last update can always be found at the top of this notice.

16. Contact Us

If you have any questions relating to this Notice, your rights under this Notice, or are not satisfied with how we manage your personal data, kindly reach out to us at [email protected].