Privacy Policy (Nigeria)

Yellow Card (referred to as "Yellow Card," "we," "us," or "our") is committed to protecting the privacy and confidentiality of the personal data of our users, including individuals and businesses. This Privacy Policy outlines how we collect, use, store, share, and protect your information when you access or use the Yellow Card Site (www.yellowcard.io), our mobile applications, any Yellow Card API (directly or through third-party applications), or any Yellow Card product or service (collectively, "Yellow Card Services") within Nigeria.

This Privacy Policy forms an integral part of the relevant Yellow Card User Agreement that applies to you. Terms defined in the User Agreement apply equally herein unless otherwise indicated.

1. Information about the Data Controller

For users of the Yellow Card Service operated in Nigeria under the domain www.yellowcard.io (the "Service" or "Website"), the data controller – meaning the entity deciding on the purposes and means of processing personal data – is Yellow Card Financial Nigeria Ltd. Their registered office is at No. 59 Oduduwa Crescent Ikeja GRA, Lagos, Nigeria

A "User" is understood to be any natural person using the Service. For B2B clients, while the primary User is a natural person interacting with the Service, we also process data related to the legal entity they represent.

2. Data Protection Officer (DPO) / Contact for Data Protection Matters

We have appointed a contact person for data protection matters. Users may contact our Data Protection Officer regarding the protection of their personal data by e-mail at: [email protected].

3. Purposes and Legal Basis of Personal Data Processing

We process Users' personal data for the following purposes, relying on the lawful bases provided under the Nigeria Data Protection Act (NDPA), 2023:

• Account Setup and Maintenance: To allow you to set up and for us to maintain a Customer Account ("Account") in the Service.
  - Legal Basis: Processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract (NDPA, Section 25(1)(b)(i)). This aligns with the necessity for the conclusion and performance of the agreement for maintaining the Account.
• Provision of Core Services: To enable us to provide you with services via the Service, including Virtual Currency Exchange  and Cryptocurrency Wallet services.
  - Legal Basis: Processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract (NDPA, Section 25(1)(b)(i)). This aligns with the necessity of processing to provide the aforementioned services to the User.
• Customer Identification and AML/CFT Compliance: For the purpose of customer identification in performance of our obligation under relevant Nigerian Anti-Money Laundering and Counter-Financing of Terrorism (AML/CFT) laws and regulations. This also extends to B2B clients, where identification of the business entity and its beneficial owners/authorized persons is required.
  - Legal Basis: Processing is necessary for compliance with a legal obligation to which the Controller is subject (NDPA, Section 25(1)(b)(ii)). This aligns with the necessity of processing for the fulfillment of a legal obligation incumbent on the Controller.
• Service Analytics and IT Security: For keeping statistics on the use of individual functionalities, facilitating Service use, and ensuring IT security. Personal data processed for this purpose includes User activity in the Service, time spent on subpages, search history, location, IP address, device ID, Internet browser data, and operating system.
  - Legal Basis: Processing is necessary for the purposes of the legitimate interests pursued by the Controller, except where such interests are overridden by the fundamental rights and freedoms of the data subject which require protection of personal data (NDPA, Section 25(1)(b)(v)). This aligns with the Controller's legitimate legal interest in processing the User's personal data.
• Marketing of Services: For marketing purposes, processing personal data provided during Account creation/update, and data on User activity recorded via cookies.
  - Legal Basis: For marketing based on consent, processing is based on the data subject's consent (NDPA, Section 25(1)(a)). For legitimate interest-based marketing, processing is necessary for the purposes of the legitimate interests pursued by the Controller, except where such interests are overridden by the fundamental rights and freedoms of the data subject (NDPA, Section 25(1)(b)(v)). This aligns with your consent to receive marketing content and our legitimate interest in direct marketing.
• Claims Management: To determine, assert, and enforce possible claims of the Controller and to defend against possible claims of the User in court and out-of-court proceedings. This may involve personal data provided during Account creation and other data necessary for proving the claim or required by law.
  - Legal Basis: Processing is necessary for the purposes of the legitimate interests pursued by the Controller (NDPA, Section 25(1)(b)(v)). This aligns with the Controller's legitimate legal interest in processing the User's data.

Withdrawal of Consent: If processing is based on your consent (NDPA, Section 25(1)(a)), you have the right to withdraw your consent at any time. This withdrawal does not affect the lawfulness of processing carried out based on consent before its withdrawal. You can withdraw consent by sending a declaration (e.g., via email) to the Controller.

4. Recipients of Personal Data

Personal data may be disclosed or entrusted by the Controller to the following categories of recipients:

• Regulatory Authorities: We may disclose personal data to the Nigeria Financial Intelligence Unit (NFIU) and other relevant regulatory bodies as required by Nigerian AML/CFT laws and regulations.
• Third-Party Service Providers: Entities providing ongoing services to us, such as legal, accounting, IT services, cloud storage, payment processing, marketing, and identity verification services. We ensure that such third-party processors comply with data protection principles and enter into appropriate data processing agreements as required by the NDPA.
• AI Processing and CRM Service Providers: We may share personal information with third-party service providers who assist us with AI processing, model training, and CRM functionalities to support the purposes outlined in Section 3. These providers are carefully selected and contractually bound to process data only according to our instructions and to implement appropriate security measures.
• Authorized Public Authorities: In situations where such an obligation clearly results from a demand of an authorized public authority or from applicable provisions of generally applicable law.
• Yellow Card Group Companies: Personal data may be transferred to the extent necessary to other companies within the Yellow Card group.
• Other Lawful Disclosures: We may share your information with third-party fraud prevention and identity verification service providers to prevent fraud and confirm validity against public records. These providers may retain and use your information solely for identity verification and fraud prevention services for Yellow Card and to improve their own services. We also engage service providers for marketing purposes (with your consent) and third-party advertising agencies. In the event of a merger, acquisition, or purchase of assets, the acquiring company will have access to your information and will be required to follow this Privacy Policy.

The Controller ensures that entities to whom Users' personal data are entrusted guarantee a high level of data protection and that appropriate contracts for entrusting the processing of the Users' personal data are signed where required.

5. Storage Period of User Data

We retain your personal information for specific periods based on legal obligations and business needs:

• Account-related Data: Personal data processed for setting up and maintaining your Account is stored for the period of Account maintenance, i.e., until it is deleted by you.
• Service Provision Data: Personal data processed to provide the services mentioned in Section 3, item 2 of this Privacy Policy, shall be stored for a period of 5 years, counting from the date of termination of the business relationship or from the date of execution of an occasional transaction, in accordance with the CBN AML/CFT Regulation, any other applicable Nigerian AML/CFT regulations and the NDPA's principles of data retention.
• Cookie Data: Personal data from cookies stored on your terminal device will be stored for a period corresponding to the life cycle of the cookies or until they are deleted from the device by you.
• Marketing Data: Personal data processed for sending marketing content (including newsletters) will be stored until you withdraw your consent to receive it.
• Claims-related Data: If the storage of personal data proves necessary to assert or defend a claim to which we are entitled or against us, your personal data may be stored until the relevant court proceeding is finally ended and the decision is enforced.

Yellow Card will not retain your personal information longer than necessary for the fulfillment of the purposes for which it was collected or as required by law.

6. Your Rights as a Data Subject

As a User, you have the following rights regarding the processing of your personal data, as provided under the Nigeria Data Protection Act (NDPA), 2023:

• Right to Withdraw Consent:
  You have the right to withdraw consent at any time if the processing of your personal data is based on that consent (Section 35). Withdrawal is effective from the moment we receive your declaration. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
• Right to Demand Access to Data: You have the right to obtain confirmation from us as to whether your personal data is being processed (Section34). If so, you have the right to:
  - Obtain access to your personal data.
  - Obtain information on the purposes of processing, categories of data processed, recipients, storage period or criteria for determining it, your rights under the NDPA, the right to lodge a complaint with the supervisory authority, the source of data, automated decision-making (including profiling), and safeguards applied in connection with transfers outside Nigeria.
  - Obtain a copy of your personal data.
• Right to Rectification:
  You have the right to request the rectification or completion of inaccurate or incomplete personal data you have provided (Section 34 (1)(c)).
• Right to Erasure ("Right to Be Forgotten"):
  You have the right to request the erasure of all or some of the data concerning you (Section 34 (1)(d) and 34(2)). You may request erasure if:
  - Your personal data is no longer necessary for the purposes for which it was collected or processed.
  - We no longer have any other lawful basis to retain your personal data, or your personal data is processed unlawfully.
  - The personal data must be erased to comply with a legal obligation.
  - The personal data was collected in connection with the offering of information society services to a child (if applicable, though we do not target children).

Even with an erasure request, we may continue processing data if necessary for establishing, asserting, or defending claims, or to comply with a legal obligation.

• Right to Restrict Processing:
  You have the right to request us to restrict the processing of your personal data (i.e., limit activities beyond storage) (Section 34 (1)(e)in specific cases:
  - You question the correctness of your data, for a period allowing verification..
  - Your data is no longer needed for its original purposes but is necessary for establishing, asserting, or defending claims.
  - You have restricted the use of your data, during the time needed to establishment, exercise or defend legal claims
• Right to Data Portability:
  Where your personal data is processed based on consent or for entering into a contract, you have the right to receive the data you provided in a structured, commonly used, readable format, and to transfer this personal data to another controller without hindrance, provided it is technically possible (Section 38).
• Right to Object to Processing:
  You have the right to object at any time to the processing of your personal data where the processing is based on our legitimate legal interest (Section 36). If your objection is justified and we have no other legitimate basis for processing or for claims, we will delete the data you objected to. Where you object to the processing of your personal information for purposes of direct marketing, including profiling to the extent that it is related to such direct marketing activities, your personal data shall no longer be processed for such purposes.
  

Response Times: If you submit a request concerning the above rights, the request shall be met or refused immediately, but no later than within one month of its receipt48. However, if, due to the complexity of the request or the number of requests, we are unable to comply within one month, it will be complied with within a further two months after informing you of the need to extend this period49.

• Right Not to Be Subject to Automated Decision-Making: You have the right not to be subject to a decision which is based solely on automated processing of your personal information intended to provide a profile of you, and which produces legal effects concerning you or significantly affects you (Section 37) However, where the processing is necessary for the performance of a contract, legal obligation or further to your consent, this right does not apply.
• Right to Lodge a Complaint with a Supervisory Authority: If you consider that your data protection rights have been violated, you have the right to lodge a complaint with the National Data Protection Commission (NDPC) in Nigeria.

7. Voluntariness of Providing Personal Data

Providing personal data by you is always voluntary. However, it is necessary to contact us through the contact form, and to conclude and perform the contract between you and us, and to serve you as our customer. If you do not provide the necessary data, it will not be possible to contact us for contractual purposes or to receive services.

8. Automated Decision-Making and Profiling

Your personal data concerning preferences, behavior, and choice of marketing content may be used as the basis for making automated decisions in order to determine the sales opportunities of the Service. Pursuant to NDPA principles, if such automated decision-making significantly affects you, you have the right to object to the processing of your data for this purpose.

9. Data Collected Automatically Upon Entering the Website (Cookie Files)

We inform you that while using the Website, short text information called "cookies" are stored in your end device. Cookie files contain IT data such as: your IP address, name of the website they come from, time of their storage on your end device, recording of parameters and statistics, and a unique number. Cookies are sent to the Service server through a web browser installed in your end device.

Cookies are used on the Website to:

• Maintain technical correctness and continuity of the session between the Service server and your device.
• Optimize use of the Website by you and adjust its display on your end device.
• Ensure safety of use of the Service.
• Gather statistics on visits to websites of the Service, supporting improvement of their structure and content.
• Display on your terminal equipment advertising content optimally adapted to your preferences.

The Service uses two types of "cookies": "session" and "permanent".

• "Session" cookies are files subject to automatic removal from your device after logging out, leaving the websites, or switching off the web browser.
• "Permanent" cookies are stored in your terminal equipment for the time specified in the parameters of files "cookies" or until their removal by you. "Permanent" "cookies" are installed in your terminal equipment only with your consent.

Cookie Management:

• Internet browsers by default accept the installation of "cookies".
• You may at any time change the settings concerning "cookies" in your Internet browser so that the browser automatically blocks the use of "cookies" or informs you of their placement in your terminal equipment each time.
• Detailed information on the possibility and methods of using cookies is available in the settings of your Internet browser.
• Restricting the use of cookies by you may adversely affect the correctness and continuity of the provision of Services on the Website.
• Cookies installed in your end device may be used by advertisers or business partners cooperating with the Controller.
• Cookies may be considered personal data only in connection with other data identifying identity, provided to the Controller by the User while using the Service.
• Only the Controller has access to cookies processed by the Website's server.
• If you do not agree to save and receive information in cookies, you can change the rules regarding cookies by means of the settings of your Internet browser.

10. Changes to the Privacy Policy

If it is necessary to update the information contained in this Privacy Policy or if it is necessary to ensure its compliance with the applicable laws or technological conditions of the functioning of the Website, this Privacy Policy may be amended. Users will be informed of any changes to the Privacy Policy through a notice displayed on the Website.

11. Contact Us

Contact with the Controller is possible via e-mail at the address: [email protected] or through our Support Page with any questions or concerns regarding this Privacy Policy.