Privacy Policy

Last updated: May 22, 2026

1. Information We Collect

1.1 Information You Provide

• Account Information: Full name, phone number, email address, date of birth, gender, residential address.
• Identity Verification (KYC): National Identification Number (NIN), Bank Verification Number (BVN), government-issued ID documents, passport photographs.
• Financial Information: Bank account details for withdrawals, transaction history, loan applications and repayment records.
• Transfer PIN: A 4-digit PIN you set for authorizing transactions (stored in hashed/encrypted form only).
• Communications: Messages you send through our in-app support chat.

1.2 Information Collected Automatically

• Device Information: Device model, operating system, unique device identifiers, app version.
• Usage Data: Features accessed, transaction patterns, login timestamps, session duration.

1.3 Information Collected with Your Permission

• Phone Contacts: With your explicit consent, we access your contact list solely for credit assessment purposes. Contact data is aggregated (total count and unique numbers) and is never shared with third parties for marketing.

2. How We Use Your Information

• To create and manage your BemPay account and digital wallet.
• To process financial transactions including transfers, bill payments, airtime purchases, and withdrawals.
• To verify your identity as required by Nigerian financial regulations (KYC/AML compliance).
• To assess creditworthiness for loan applications using our internal credit scoring model.
• To create and manage your virtual bank account for receiving funds.
• To send transactional notifications (SMS, in-app) about account activity.
• To detect, prevent, and respond to fraud, security threats, and unauthorized activities.
• To provide customer support and respond to your inquiries.
• To improve our Services and develop new features.
• To comply with legal obligations and regulatory requirements.

3. Third-Party Service Providers

We work with trusted third-party providers to deliver our Services. These providers only access your data as necessary to perform their functions:

• Flutterwave: Payment processing, virtual account creation, bank transfers, and card payments.
• VTPass: Bill payments, airtime, data, electricity, cable TV, and other utility services.
• MultiTexter / Africa's Talking: SMS notifications for OTPs and transaction alerts.
• Railway / Vercel: Cloud infrastructure for hosting our API and web application.
• MongoDB Atlas / PostgreSQL: Secure database storage.

Each provider is contractually obligated to protect your data and use it only for the purposes we specify.

4. Data Security

We implement industry-standard security measures to protect your information:

• All data transmitted between your device and our servers is encrypted using TLS/SSL.
• Sensitive credentials (passwords, PINs, BVN, NIN) are hashed using bcrypt before storage — we never store them in plaintext.
• Authentication tokens are stored in encrypted secure storage on your device.
• Automatic session expiration after 15 minutes of inactivity.
• Transfer PIN required for all financial transactions.
• Duplicate identity detection to prevent fraudulent account creation.

5. Data Retention

We retain your personal data for as long as your account is active and as required by applicable laws and regulations. Financial transaction records are retained for a minimum of 6 years as required by Nigerian financial regulations. If you close your account, we will delete or anonymize your personal data within 90 days, except where retention is required by law.

6. Your Rights

Under the Nigeria Data Protection Regulation (NDPR) and other applicable laws, you have the right to:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Update or correct inaccurate personal data via your Profile settings.
• Deletion: Request deletion of your account and personal data, subject to legal retention requirements.
• Withdrawal of Consent: Withdraw consent for optional data processing (e.g., contacts access) at any time through your device settings.
• Data Portability: Request your transaction history in CSV or PDF format via the Statement Download feature.
• Objection: Object to processing of your data for specific purposes.

7. Children's Privacy

BemPay is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will delete it promptly.

8. Cookies and Tracking

Our web application uses essential cookies for authentication and session management only. We do not use third-party advertising cookies or tracking pixels.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes via in-app notification or SMS. Continued use of our Services after changes constitutes acceptance of the updated policy.

10. Contact Us