Data Protection Policy

Last Updated: December 2024

1. Introduction

Soephay is committed to protecting your personal data in accordance with applicable data protection laws, including the Nigeria Data Protection Regulation (NDPR) and General Data Protection Regulation (GDPR). This Data Protection Policy explains how we protect and handle your personal information.

2. Data Controller

Soephay is the data controller responsible for your personal data. We determine the purposes and means of processing your personal information.

3. Legal Basis for Processing

We process your personal data based on the following legal grounds:

  • Contractual Necessity: To provide our services and fulfill our contractual obligations
  • Legal Obligation: To comply with financial regulations, anti-money laundering laws, and KYC requirements
  • Legitimate Interests: To prevent fraud, ensure security, and improve our services
  • Consent: When you explicitly consent to specific data processing activities

4. Data Protection Principles

We adhere to the following principles:

  • Lawfulness, Fairness, and Transparency: We process data lawfully, fairly, and transparently
  • Purpose Limitation: We collect data only for specified, explicit, and legitimate purposes
  • Data Minimization: We collect only data that is necessary for our purposes
  • Accuracy: We keep your data accurate and up-to-date
  • Storage Limitation: We retain data only for as long as necessary
  • Integrity and Confidentiality: We protect data against unauthorized access and loss
  • Accountability: We are responsible for demonstrating compliance with data protection principles

5. Data Security Measures

5.1 Technical Safeguards

  • Encryption: AES-256-GCM encryption for data at rest and TLS 1.3 for data in transit
  • Field-Level Encryption: Sensitive fields (BVN, NIN, passwords) are encrypted individually
  • Access Controls: Role-based access control and multi-factor authentication
  • Network Security: Firewalls, intrusion detection, and DDoS protection
  • Secure Coding: Regular security audits and vulnerability assessments

5.2 Organizational Safeguards

  • Employee training on data protection
  • Strict confidentiality agreements
  • Regular security audits and compliance reviews
  • Incident response procedures
  • Data breach notification protocols

6. Your Data Protection Rights

Under data protection laws, you have the following rights:

  • Right to Access: Request a copy of your personal data
  • Right to Rectification: Request correction of inaccurate data
  • Right to Erasure: Request deletion of your data (subject to legal requirements)
  • Right to Restrict Processing: Request limitation of data processing
  • Right to Data Portability: Receive your data in a structured, machine-readable format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent for data processing at any time
  • Right to Lodge a Complaint: File a complaint with the data protection authority

7. Data Sharing and Third Parties

7.1 Service Providers

We share data with trusted service providers who assist in:

  • Payment processing (Flutterwave, Paystack)
  • Bill payments (VTpass)
  • SMS and email delivery (Termii, Twilio, AWS SES)
  • Cloud hosting and infrastructure
  • KYC verification (YouVerify)

All service providers are contractually obligated to protect your data and comply with data protection laws.

7.2 Legal Requirements

We may disclose data when required by:

  • Court orders or legal processes
  • Regulatory authorities (CBN, NDIC, etc.)
  • Law enforcement agencies
  • Anti-money laundering and fraud prevention requirements

8. International Data Transfers

Your data may be transferred to and processed in countries outside Nigeria. We ensure appropriate safeguards are in place, including:

  • Standard contractual clauses
  • Adequacy decisions by data protection authorities
  • Binding corporate rules

9. Data Retention

We retain your personal data for:

  • Account Data: For the duration of your account plus 7 years (regulatory requirement)
  • Transaction Records: Minimum 7 years (financial regulations)
  • KYC Documents: 7 years after account closure
  • Marketing Data: Until you opt-out or withdraw consent

After retention periods expire, we securely delete or anonymize your data.

10. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant data protection authority within 72 hours
  • Notify affected users without undue delay
  • Provide details of the breach and mitigation measures
  • Offer support and guidance

11. Children's Data

Our services are not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete it immediately.

12. Automated Decision-Making

We may use automated systems for:

  • Fraud detection and prevention
  • Risk assessment
  • Transaction monitoring

You have the right to request human review of automated decisions that significantly affect you.

13. Updates to This Policy

We may update this Data Protection Policy to reflect changes in our practices or legal requirements. We will notify you of material changes through our website, email, or app notifications.

14. Contact Us

For data protection inquiries or to exercise your rights, please contact us:

  • Data Protection Officer: dpo@soephay.com
  • Email: privacy@soephay.com
  • Phone: +2348074382484
  • Address: Soephay Data Protection Office, Nigeria

15. Regulatory Authority

If you are not satisfied with how we handle your data protection concerns, you have the right to lodge a complaint with:

  • Nigeria Data Protection Commission (NDPC)
  • Your local data protection authority
← Back to Home