2.1 The information we collect about you

2.1.1 Personal Data

2.1.1.1 Identification Data

We collect information that can uniquely identify you or verify your identity. This includes, but is not limited to: your first, middle, and last name; date of birth; gender; nationality; biometric identifiers (where applicable); government-issued identification numbers such as National Identification Number (NIN), Bank Verification Number (BVN), international passport number, driver's licence number, and other similar identifiers; as well as identification documents or photographs used for verification or authentication purposes.

2.1.1.2 Contact Details

We collect information that enables us to contact you or communicate with you regarding our services. This includes your residential or mailing address, email address, phone numbers, and any other similar contact information you provide during account creation, onboarding, service usage, or customer support interactions.

2.1.1.3 Employment-Related Data

We collect information relating to your professional background, role, and suitability where required for recruitment processes, service provision, due diligence, vendor management, or regulatory compliance. This includes your job title or position, employer details, work history, professional qualifications, certifications, references, and other employment-related information relevant to our business relationship or engagement processes.

2.1.2 Financial Information

2.1.3 Sensitive Personal Data

We may process certain categories of sensitive personal data about you where necessary and permitted by applicable law. This may include, without limitation, health information, biometric data used for unique identification (such as fingerprints, facial recognition data, or voice recordings), criminal conviction information, as well as data relating to your racial or ethnic origin, political opinions, religious or philosophical beliefs, or sexual orientation. We only collect or use sensitive personal data when it is essential for delivering our products or services to you, when required for reasons of substantial public interest, to comply with a legal obligation, or where we have obtained your explicit consent.

2.1.4 Access Credentials

When you subscribe to any of our products, particularly our digital products, you may be required to provide a User ID, a password, details from a token response device, password hints, and similar security information used for authentication and account access. You may also be required to use biometric identification to access your account and authenticate transactions. While this information is required to ensure that you carry out transactions securely, appropriate security measures have been implemented to protect this data, including encryption and storage in a secured environment.

2.1.5 Usage Data

2.1.5.1 Geo-Location Information

We may request access to or permission to track location-based information from your mobile device, either continuously or while you are using our mobile application, to provide location-based services. If you wish to change our access or permissions, you may do so in your device's settings.

2.1.6 Mobile Device Access

We may request access or permission to certain features on your mobile device, including your mobile device's camera, calendar, Bluetooth, contacts, storage, and other features. If you wish to change our access or permissions, you may do so in your device's settings.

2.1.7 Mobile Device Data

We may automatically collect device information (such as your mobile device ID, model, and manufacturer), operating system, version information, IP address, and diagnostic data.

2.1.8 Use of Analytics

2.1.9 Tracking and Cookies Data

2.1.10 Information from Social Networks or Online Accounts

This includes information from any social media profiles or any accounts that you share with us.

2.1.11 Information Which You Have Consented to Us Using

Other personal data which we collect includes image recordings — this could include CCTV images of you at our offices, but only for surveillance, monitoring and auditing purposes, to help forestall crime.

We collect and process your personal data through secure systems for the following lawful and legitimate purposes:

3.1 Provision of Financial Technology Services

• To create, verify, and manage customer accounts, agent profiles, and service enrolments.
• To process transactions, payments, transfers, and other financial operations.
• To authenticate users through passwords, PINs, tokens, or biometrics, and to maintain secure access to our platforms.

3.2 Customer Support and Relationship Management

• To communicate with you regarding your accounts, enquiries, requests, complaints, product updates, or service notifications.
• To provide technical support, resolve disputes, and enhance the overall customer experience.

3.3 Security, Fraud Prevention, and Risk Management

• To verify identities, prevent impersonation, and authenticate transactions.
• To detect, investigate, and prevent fraud, money-laundering, financial crime, unauthorized access, or misuse of our services.
• To maintain logs, monitor usage patterns, and ensure the security and integrity of our systems, networks, and digital channels.

3.4 Legal, Regulatory, and Compliance Obligations

• To comply with the Nigeria Data Protection Act (NDPA 2023), CBN regulations, Anti-Money Laundering/Combating the Financing of Terrorism (AML/CFT) requirements, Know-Your-Customer (KYC) rules, tax obligations, and other applicable laws.
• To report to regulatory bodies and fulfil any lawful request by government or oversight agencies.
• To maintain required audit trails and statutory records.

3.5 Employment, Recruitment, and Vendor/Third-Party Management

• To assess job applications, verify credentials, and conduct pre-employment checks.
• To manage staff access rights, monitor system usage, and ensure workplace and information security.
• To conduct due diligence on vendors, partners, and agents, including suitability assessments and ongoing compliance monitoring.

3.6 Service Improvement and Business Operations

• To analyse service performance and improve our products, digital platforms, and internal processes.
• To conduct data analytics, quality assurance, customer experience studies, and performance monitoring.
• To operate, maintain, and enhance our online services, mobile applications, and customer-facing platforms.

3.7 Marketing, Communications, and Personalisation

• To send relevant product or service information, promotions, or updates based on your preferences, where you have consented or where permitted by law.
• To analyse marketing interactions to improve the relevance of the content we share.

3.8 Protection of Individuals, Assets, and Embedly's Interests

• To safeguard the vital interests of customers, employees, or the public, including during emergencies.
• To protect Embedly's facilities, assets, staff, and customers through monitoring systems.
• To protect Embedly's rights, integrity, reputation, and financial stability.

3.9 Other Legitimate and Lawful Purposes

Any additional purpose that is compatible with the original reason for collection, permitted under applicable laws, and consistent with this Privacy Notice.

We process personal data based on one or more of the following lawful bases as provided under the Nigeria Data Protection Act (NDPA) 2023:

4.1 Consent

Where required by law, we obtain your consent before processing your personal data. This applies to situations such as certain marketing communications, optional service features, and specific uses of sensitive personal data where explicit consent is required. You may withdraw your consent at any time, subject to legal or contractual restrictions.

4.2 Performance of a Contract or Pre-Contractual Processes

4.3 Compliance with Legal and Regulatory Obligations

As a regulated entity, we process personal data to comply with obligations under applicable laws, regulations, and supervisory requirements. These include KYC, AML/CFT requirements, tax obligations, regulatory reporting, identity verification mandates, and obligations from the CBN or other competent authorities.

4.4 Protection of Vital Interests

We may process personal data where necessary to protect your vital interests or those of another individual — for example, in emergency situations, fraud prevention scenarios, or matters involving personal or public safety.

4.5 Legitimate Interests

4.6 Public Interest or Exercise of Official Authority

In certain circumstances, we process personal data in the public interest or in the exercise of official authority, particularly where required for regulatory oversight, financial system stability, anti-fraud initiatives, or national security-related obligations placed on financial institutions.

To the extent permissible under applicable law, we may use your information for the following legitimate actions:

• Determine your eligibility for our products and services.
• Verify your identity when you access your account information.
• Administer your accounts or other products and services that we or our partners/affiliates may provide to you.
• Respond to your requests and communicate with you.
• Understand your financial needs.
• Prevention of crime, fraud, money laundering or terrorism financing activities.
• Managing our risks.
• Reviewing credit or loan eligibility.
• Marketing the products and services of Embedly, related entities and affiliates. You can change your mind on how you wish to receive marketing messages from us or opt out of receiving such messages at any time.
• Process transactions, design products and profile customers.
• Notify you about changes to our Services.
• Provide customer care and support, including troubleshooting, data analysis, testing, security, fraud-detection, and account management.
• Process your information for audit, statistical or research purposes to understand trends and curate products suitable to our customers' needs.
• Monitor our conversations with you when we speak on the telephone for quality assurance, verification, and fraud prevention purposes.
• Recover any debts that you may owe Embedly.
• Carry out analysis to evaluate and improve our business.
• Monitor the usage of our Services.
• Detect, prevent and address technical issues.
• Prevent fraud and enhance security of your account or our service platform.
• Comply with and enforce applicable legal and regulatory requirements, relevant industry standards, contractual obligations and our policies.
• Provide you with tailored content and marketing messages.
• For other purposes required by law or regulation.

We may share or disclose your personal data only as permitted by law, for legitimate business purposes, or where necessary to provide our services. All third parties we share data with are required to comply with appropriate confidentiality, data protection, and security obligations.

6.1 Internal Sharing

We may share your data within Embedly, including its subsidiaries, to enable service delivery, compliance activities, risk management, and operational support.

6.2 Government Ministries, Departments, Agencies & Regulators

We may disclose your personal data to government authorities, supervisory bodies, and regulators where required for compliance with NDPA 2023 and other laws, reporting obligations, investigations, audits, or lawful requests, and matters involving national security, public interest, or law enforcement.

6.3 Authorized Service Providers and Data Processors

We share data with carefully selected third parties who process information on our behalf. These include technology and cloud service providers, card processors, switching companies, payment partners, customer support providers, and outsourced operational partners. These parties are strictly required to protect your data in line with contractual and legal requirements.

6.4 Professional Advisers and External Auditors

We may disclose data to external auditors, legal advisers, tax consultants, and other professionals who assist us in meeting legal, regulatory, and governance obligations.

6.5 Financial Partners

Where necessary for financial transactions or credit-related activities, your data may be shared with credit bureaus, credit reference agencies, correspondent banks, guarantors, and partners involved in processing transactions.

6.6 Third-Party Partners

We may share personal data with approved partners who provide contractual, statutory, or employment-related services such as insurance providers, benefits administrators, or due-diligence partners. We do not share data with third parties for their own marketing purposes.

6.7 Law Enforcement, Courts and Public Authorities

We may disclose your information to law enforcement agencies, courts, or public authorities where required by law or where such disclosure is necessary to protect rights, prevent fraud, or investigate wrongdoing.

6.8 Protection of Vital Interests and Safety

Data may be shared with emergency services or relevant authorities when necessary to protect your life, safety, or the vital interests of others.

6.9 Mergers, Acquisitions or Corporate Restructuring

If Embedly undergoes a merger, acquisition, reorganisation, or asset transfer, your personal data may be shared with relevant parties, provided appropriate safeguards are in place.

6.10 Cross-Border Transfers

Where data must be transferred outside Nigeria — for example, for cloud hosting, payment processing, or technology support — we ensure that such transfers comply with NDPC requirements, including adequacy decisions, legally binding agreements, contractual safeguards, and other lawful mechanisms. We take all steps reasonably necessary to ensure your data remains secure and protected.

6.11 Your Consent

Where required by law, or where no other lawful basis applies, we will seek your consent before sharing your personal data. You may withdraw your consent at any time, subject to contractual or legal limitations.

We have implemented appropriate organisational and technical measures to keep your Personal Information/Data confidential and secure. This includes the use of encryption, access controls and other forms of security to ensure that your data is protected. We require all parties including our staff and third-parties processing data on our behalf to comply with relevant policies and guidelines.

Where you have a password which grants you access to specific areas on our site or to any of our services, you are responsible for keeping this password confidential. We request that you do not share your password or other authentication details with anyone.

Although we have taken measures to secure and keep your information confidential, please be aware that no method of transmission over the Internet, or method of electronic storage can guarantee 100% security at all times. While we strive to use reasonable means to protect your Personal Data, we cannot guarantee its absolute security.

We retain your Information for as long as the purpose for which the information was collected continues. The information is then securely destroyed unless its retention is required to satisfy legal, regulatory, internal compliance or accounting requirements or to protect Embedly's interests.

Please note that regulations may require Embedly to retain your personal data for a period longer than specified even after the end of your relationship with us.

You are responsible for making sure the information provided to Embedly is accurate and should inform us of any changes as they occur, so that we can update your information accordingly.

Any changes will affect only future uses of your Personal Information. Subject to applicable law, which might from time to time oblige us to store your Personal Information for a certain period, we will respect your wishes to correct inaccurate information. Otherwise, we will hold your Personal Information for as long as we believe it will help us achieve our objectives as detailed in this Privacy Policy.

You have certain rights in relation to the personal data we collect as provided by the Nigeria Data Protection Act (NDPA 2023). These rights include:

• A right to confirmation and access — to know whether we process your personal data and to request access to that information.
• A right to rectification or update — to correct or update any inaccurate or incomplete personal data in our possession.
• A right to erasure ("right to be forgotten") — to request the deletion of your personal data where it is no longer necessary or has no lawful basis for retention.
• A right to restrict processing — to request that we temporarily suspend the processing of your personal data while a request or objection is being resolved.
• A right to object to processing — to object to certain types of processing, including direct marketing.
• A right to data portability — to request that your personal data be provided to you in a commonly used electronic format or transferred to another party where technically feasible.
• A right to withdraw consent — to withdraw your consent to processing. This will not affect the legality of processing carried out before the withdrawal.
• A right to be informed of data sources — to know the origin of your data where it was not provided directly by you.
• A right against automated decision-making — to be informed of, and object to, decisions made solely by automated means that significantly affect you.
• A right to lodge a complaint — to make an official complaint to the Nigeria Data Protection Commission (NDPC) if you believe your data protection rights have been violated.

These rights are subject to certain limitations as provided under the Nigeria Data Protection Act 2023.

We operate and communicate through our designated pages and accounts on some social media platforms to communicate and engage with our customers. We monitor and record comments and posts made about us on these channels so that we can improve our Services. The general public can access and read any information posted on these sites. Please note that any content you post to such social media platforms is subject to the applicable social media platform's terms of use and privacy policies.

Our Services may allow you to connect and share your actions, comments, content, and information publicly or with friends. We are not responsible for maintaining the confidentiality of any information you share publicly or with friends. We also do not control the privacy practices of third parties. Please contact those sites and services directly if you want to learn about their privacy practices.

This Privacy Policy is effective as of the date stated above and will remain in effect except with respect to any changes in its provisions in the future, which will be in effect immediately after being posted on our website.

Based on the changing nature of privacy laws, user needs and our business, we may modify this Privacy Policy from time to time. Any change to our privacy policy will be communicated on our website, via email or by placing a notice on our Platform and this will be effective as soon as published. Your continued use of the Services after we post any modifications constitutes your acknowledgment of the modifications and your consent to abide and be bound by the modified Privacy Policy.

If you have any questions, comments or requests in relation to this Privacy Policy or objections, complaints or requirements in relation to the use of your personal data, please contact us by sending an email to EmbedlyCs@sterling.ng or write a letter addressed as follows:

Embedly
9th Floor, Sterling Towers
20 Marina, Lagos.