Privacy Policy (Nigeria)

All the ways we get to know you better

Yellow Card (referred to as "Yellow Card," "we," "us," or "our") is committed to protecting the privacy and confidentiality of the personal data of our users, including individuals and businesses. This Privacy Policy outlines how we collect, use, store, share, and protect your information when you access or use the Yellow Card Site (www.yellowcard.io), our mobile applications, any Yellow Card API (directly or through third-party applications), or any Yellow Card product or service (collectively, "Yellow Card Services") within Nigeria.

This Privacy Policy forms an integral part of the relevant Yellow Card User Agreement that applies to you. Terms defined in the User Agreement apply equally herein unless otherwise indicated.

1. Information about the Data Controller

For users of the Yellow Card Service operated in Nigeria under the domain www.yellowcard.io (the "Service" or "Website"), the data controller – meaning the entity deciding on the purposes and means of processing personal data – is Yellow Card Financial Nigeria Ltd. Their registered office is at No. 59 Oduduwa Crescent Ikeja GRA, Lagos, Nigeria.

A "User" is understood to be any natural person using the Service. For B2B clients, while the primary User is a natural person interacting with the Service, we also process data related to the legal entity they represent.

2. Data Protection Officer (DPO) / Contact for Data Protection Matters

We have appointed a contact person for data protection matters. Users may contact our Data Protection Officer regarding the protection of their personal data by e-mail at: [email protected].

4. Recipients of Personal Data

Personal data may be disclosed or entrusted by the Controller to the following categories of recipients:

  • Regulatory Authorities: We may disclose personal data to the Nigeria Financial Intelligence Unit (NFIU) and other relevant regulatory bodies as required by Nigerian AML/CFT laws and regulations.
  • Third-Party Service Providers: Entities providing ongoing services to us, such as legal, accounting, IT services, cloud storage, payment processing, marketing, and identity verification services. We ensure that such third-party processors comply with data protection principles and enter into appropriate data processing agreements as required by the NDPA.
  • AI Processing and CRM Service Providers: We may share personal information with third-party service providers who assist us with AI processing, model training, and CRM functionalities to support the purposes outlined in Section 3. These providers are carefully selected and contractually bound to process data only according to our instructions and to implement appropriate security measures.
  • Authorized Public Authorities: In situations where such an obligation clearly results from a demand of an authorized public authority or from applicable provisions of generally applicable law.
  • Yellow Card Group Companies: Personal data may be transferred to the extent necessary to other companies within the Yellow Card group.
  • Other Lawful Disclosures: We may share your information with third-party fraud prevention and identity verification service providers to prevent fraud and confirm validity against public records. These providers may retain and use your information solely for identity verification and fraud prevention services for Yellow Card and to improve their own services. We also engage service providers for marketing purposes (with your consent) and third-party advertising agencies. In the event of a merger, acquisition, or purchase of assets, the acquiring company will have access to your information and will be required to follow this Privacy Policy.

The Controller ensures that entities to whom Users' personal data are entrusted guarantee a high level of data protection and that appropriate contracts for entrusting the processing of the Users' personal data are signed where required.

5. Storage Period of User Data

We retain your personal information for specific periods based on legal obligations and business needs:

  • Account-related Data: Personal data processed for setting up and maintaining your Account is stored for the period of Account maintenance, i.e., until it is deleted by you.
  • Service Provision Data: Personal data processed to provide the services mentioned in Section 3, item 2 of this Privacy Policy, shall be stored for a period of 5 years, counting from the date of termination of the business relationship or from the date of execution of an occasional transaction, in accordance with the CBN AML/CFT Regulation, any other applicable Nigerian AML/CFT regulations and the NDPA's principles of data retention.
  • Cookie Data: Personal data from cookies stored on your terminal device will be stored for a period corresponding to the life cycle of the cookies or until they are deleted from the device by you.
  • Marketing Data: Personal data processed for sending marketing content (including newsletters) will be stored until you withdraw your consent to receive it.
  • Claims-related Data: If the storage of personal data proves necessary to assert or defend a claim to which we are entitled or against us, your personal data may be stored until the relevant court proceeding is finally ended and the decision is enforced.

Yellow Card will not retain your personal information longer than necessary for the fulfillment of the purposes for which it was collected or as required by law.

6. Your Rights as a Data Subject

As a User, you have the following rights regarding the processing of your personal data, as provided under the Nigeria Data Protection Act (NDPA), 2023:

  • Right to Withdraw Consent:
    You have the right to withdraw consent at any time if the processing of your personal data is based on that consent (Section 35). Withdrawal is effective from the moment we receive your declaration. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
  • Right to Demand Access to Data: You have the right to obtain confirmation from us as to whether your personal data is being processed (Section 34). If so, you have the right to:
    - Obtain access to your personal data.
    - Obtain information on the purposes of processing, categories of data processed, recipients, storage period or criteria for determining it, your rights under the NDPA, the right to lodge a complaint with the supervisory authority, the source of data, automated decision-making (including profiling), and safeguards applied in connection with transfers outside Nigeria.
    - Obtain a copy of your personal data.
  • Right to Rectification:
    You have the right to request the rectification or completion of inaccurate or incomplete personal data you have provided (Section 34 (1)(c)).
  • Right to Erasure ("Right to Be Forgotten"):
    You have the right to request the erasure of all or some of the data concerning you (Section 34 (1)(d) and 34(2)). You may request erasure if:
    - Your personal data is no longer necessary for the purposes for which it was collected or processed.
    - We no longer have any other lawful basis to retain your personal data, or your personal data is processed unlawfully.
    - The personal data must be erased to comply with a legal obligation.
    - The personal data was collected in connection with the offering of information society services to a child (if applicable, though we do not target children).

Even with an erasure request, we may continue processing data if necessary for establishing, asserting, or defending claims, or to comply with a legal obligation.

  • Right to Restrict Processing:
    You have the right to request us to restrict the processing of your personal data (i.e., limit activities beyond storage) (Section 34 (1)(e)) in specific cases:
    - You question the correctness of your data, for a period allowing verification.
    - Your data is no longer needed for its original purposes but is necessary for establishing, asserting, or defending claims.
    - You have restricted the use of your data, during the time needed to establish, exercise or defend legal claims.
  • Right to Data Portability:
    Where your personal data is processed based on consent or for entering into a contract, you have the right to receive the data you provided in a structured, commonly used, readable format, and to transfer this personal data to another controller without hindrance, provided it is technically possible (Section 38).
  • Right to Object to Processing:
    You have the right to object at any time to the processing of your personal data where the processing is based on our legitimate legal interest (Section 36). If your objection is justified and we have no other legitimate basis for processing or for claims, we will delete the data you objected to. Where you object to the processing of your personal information for purposes of direct marketing, including profiling to the extent that it is related to such direct marketing activities, your personal data shall no longer be processed for such purposes.

Response Times: If you submit a request concerning the above rights, the request shall be met or refused immediately, but no later than within one month of its receipt. However, if, due to the complexity of the request or the number of requests, we are unable to comply within one month, it will be complied with within a further two months after informing you of the need to extend this period.

  • Right Not to Be Subject to Automated Decision-Making: You have the right not to be subject to a decision which is based solely on automated processing of your personal information intended to provide a profile of you, and which produces legal effects concerning you or significantly affects you (Section 37). However, where the processing is necessary for the performance of a contract, legal obligation or further to your consent, this right does not apply.
  • Right to Lodge a Complaint with a Supervisory Authority: If you consider that your data protection rights have been violated, you have the right to lodge a complaint with the National Data Protection Commission (NDPC) in Nigeria.

7. Voluntariness of Providing Personal Data

Providing personal data is always voluntary. However, it is necessary in order to contact us through the contact form, to conclude and perform the contract between you and us, and to serve you as our customer. If you do not provide the necessary data, it will not be possible to contact us for contractual purposes or to receive services.

8. Automated Decision-Making and Profiling

Your personal data concerning preferences, behavior, and choice of marketing content may be used as the basis for making automated decisions in order to determine the sales opportunities of the Service. Pursuant to NDPA principles, if such automated decision-making significantly affects you, you have the right to object to the processing of your data for this purpose.

9. Data Collected Automatically Upon Entering the Website (Cookie Files)

We inform you that while using the Website, short pieces of text information called "cookies" are stored in your end device. Cookie files contain IT data such as: your IP address, name of the website they come from, time of their storage on your end device, recording of parameters and statistics, and a unique number. Cookies are sent to the Service server through a web browser installed in your end device.

Cookies are used on the Website to:

  • Maintain technical correctness and continuity of the session between the Service server and your device.
  • Optimize use of the Website by you and adjust its display on your end device.
  • Ensure safety of use of the Service.
  • Gather statistics on visits to websites of the Service, supporting improvement of their structure and content.
  • Display on your terminal equipment advertising content optimally adapted to your preferences.

The Service uses two types of "cookies": "session" and "permanent".

  • "Session" cookies are files subject to automatic removal from your device after logging out, leaving the websites, or switching off the web browser.
  • "Permanent" cookies are stored in your terminal equipment for the time specified in the parameters of the "cookies" files or until their removal by you. "Permanent" cookies are installed in your terminal equipment only with your consent.

Cookie Management:

  • Internet browsers by default accept the installation of "cookies".
  • You may at any time change the settings concerning "cookies" in your Internet browser so that the browser automatically blocks the use of "cookies" or informs you of their placement in your terminal equipment each time.
  • Detailed information on the possibility and methods of using cookies is available in the settings of your Internet browser.
  • Restricting the use of cookies by you may adversely affect the correctness and continuity of the provision of Services on the Website.
  • Cookies installed in your end device may be used by advertisers or business partners cooperating with the Controller.
  • Cookies may be considered personal data only in connection with other data identifying identity, provided to the Controller by the User while using the Service.
  • Only the Controller has access to cookies processed by the Website's server.
  • If you do not agree to save and receive information in cookies, you can change the rules regarding cookies by means of the settings of your Internet browser.

10. Changes to the Privacy Policy

If it is necessary to update the information contained in this Privacy Policy or if it is necessary to ensure its compliance with the applicable laws or technological conditions of the functioning of the Website, this Privacy Policy may be amended. Users will be informed of any changes to the Privacy Policy through a notice displayed on the Website.

11. Contact Us

Contact with the Controller is possible via e-mail at the address: [email protected] or through our Support Page with any questions or concerns regarding this Privacy Policy.