Privacy Policy

Welcome to FossaPay’s Privacy Policy. FossaPay and/or Fossa Technologies Limited (“FossaPay”, “we”, “us” or “our”) values and respects your privacy and is committed to protecting your personal data and handling it responsibly, lawfully, and securely. FossaPay is engaged in the business of providing wallet creation and management, peer-to-peer transfers, merchant payments, payment orchestration, e-payment systems, payment processing, API access for business clients, financial technology solutions, networking, and other related digital payment services. This Privacy Policy explains how we collect, process, use, store, transfer, protect, and disclose your personal information when you:

• Access or use our website, mobile application, APIs, platform, merchant services, products or services;

• Register for a FossaPay account or wallet;

• Make or receive payments through FossaPay;

• Access FossaPay as a merchant, customer, business client, partner, vendor, or website visitor;

• Contact us for support or interact with our services. By signing up for, accessing, or using FossaPay services, you acknowledge that you have read, understood, and accepted this Privacy Policy. This Privacy Policy is intended to comply with applicable data protection laws, including the Nigeria Data Protection Act (NDPA) 2023, applicable financial regulations, anti-money laundering requirements, payment regulations, and other relevant laws.

Purpose of This Privacy Policy At FossaPay, your privacy is important to us, and we are committed to protecting your Personal Information in accordance with this Privacy Policy and applicable data protection laws. “Personal Information” means any information relating to an identified or identifiable individual, including any information through which your identity may reasonably be established. FossaPay will only collect, use, process, store, and disclose your Personal Information in accordance with this Privacy Policy, applicable laws, regulatory obligations, and the terms governing your relationship or agreements with FossaPay. By registering for, accessing, or using any of FossaPay’s products, services, platforms, content, features, technologies, website, mobile applications, APIs, payment solutions, or related services, you acknowledge and accept the terms of this Privacy Policy. This Privacy Policy explains:

• The type of personal information we collect;

• How we collect your information;

• How we use cookies and tracking technologies;

• How we process and use personal information;

• The legal basis for processing;

• How we share and disclose personal information;

• How we secure personal information;

• International transfers of personal data;

• Data retention practices;

• Your legal rights;

• Additional matters relating to privacy and data protection. This Privacy Policy applies to all users of FossaPay services, including:

Customers

Customers include Individuals using FossaPay for transfers, payments, wallet services, and financial transactions.

Merchants

Merchants include Businesses, vendors, organizations, and institutions using FossaPay payment processing, merchant services, APIs, payment orchestration, and settlement services.

Business Clients

Business Clients include Entities integrating FossaPay APIs or enterprise payment infrastructure.

Website Visitors

Website Visitors Include persons who visit our website and/ or communicate with us. This Privacy Policy explains how FossaPay collects, uses, and processes your personal data when you access or use our website, mobile application, or services, including information provided during account registration or use of our platform. FossaPay’s services are not intended for persons under the age of 18, and we do not knowingly collect personal data from minors. We encourage you to read this Privacy Policy alongside any additional privacy notices or policies we may provide when collecting or processing your personal data, as such notices complement this Policy and help explain how and why your information is used.

STATUS Depending on the circumstances of processing, FossaPay may act as either a:

Data Controller Where we determine the purpose and means of processing personal information, including but not limited to:

• Account creation;

• Wallet management;

• Identity verification (KYC);

• Fraud monitoring;

• Transaction processing;

• Security and compliance;

• Customer support;

• Regulatory reporting.

Data Processor We act as processor where we process personal information solely on behalf of merchants, banks, payment institutions, financial institutions, or business partners under contractual instructions. Where applicable, FossaPay processes personal data in accordance with contractual obligations and regulatory requirements. We have appointed a data protection officer (DPO) who is responsible for overseeing questions in relation to this privacy policy. If you have any questions about this privacy policy, including any requests to exercise, your legal rights, please contact the DPO using the details set out below.

Contact details If you have any questions about this privacy policy or our privacy practices, please contact our DPO via email address: product@fossapay.com

COLLECT We may collect, process, record, store, use, disclose, transfer, or otherwise handle the following categories of personal information:

4.1 Identity Data This may include:

• Full name; (First, last and/ or Maiden)

• Username;

• Date of birth;

• Nationality;

• Gender;

• Photograph or selfie;

• Signature;

• Government-issued identification documents;

• National Identification Number (NIN);

• Bank Verification Number (BVN);

• Passport details;

• Driver’s licence;

• Voter’s card;

• Other legally acceptable identity documentation.

4.2 Contact Data This may include:

• Residential address;

• Business address;

• Country of residence;

• Telephone number;

• Email address;

4.3 Financial Data This may include:

• Bank account details;

• Wallet information;

• Payment card information;

• Payment instrument details. Where permitted and necessary, FossaPay may securely store payment-related information to facilitate transactions, security, fraud prevention, and service continuity.

4.4 Transaction Data This includes:

• Payment history;

• Transaction references;

• Transfer details;

• Merchant payment records;

• Beneficiary details;

• Refund information;

• Chargeback information;

• Device transaction history;

• Transaction location and timestamps.

4.5 Technical Data This may include:

• IP address;

• Browser type and version;

• Device information;

• Operating system;

• Login information;

• Mobile device identifiers;

• Time zone settings;

• App diagnostics;

• Device security information.

4.6 Usage Data This includes information relating to:

• How you use FossaPay services;

• Features used;

• Login frequency;

• User preferences;

• Browsing patterns.

4.7 Merchant and Business Data For merchants and business clients, we may collect:

• Company name;

• Registration number;

• Tax information;

• Beneficial ownership details;

• Director/shareholder information;

• Business licenses;

• Settlement details;

• API credentials.

4.8 Communications Data This includes:

• Customer support requests;

• Emails;

• Telephone conversations;

• Chat messages;

• Complaints;

• Feedback;

• Survey responses. Calls and communications may be monitored or recorded for security, training, quality assurance, fraud prevention, and compliance purposes. If you fail to provide personal data Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you.

INFORMATION FossaPay may collect personal information through various means, including:

• when you register an account, create a wallet, or use our website, mobile application, APIs, or services;

• through your relationship with us, including information provided when using our products, making transactions, accessing merchant services, participating in surveys, promotions, or interacting with customer support;

• from your account activity, transaction history, transfers, payments, merchant interactions, and the way you use or manage your account;

• when you communicate with FossaPay through forms, emails, phone calls, chat support, letters, or other communication channels. Calls and communications may be monitored or recorded for security, training, quality assurance, fraud prevention, and compliance purposes;

• from third parties such as banks, merchants, payment processors, verification providers, business partners, regulatory agencies, fraud prevention providers, and publicly available sources; and

• from any other lawful sources where you have provided consent or where collection is otherwise permitted by law. How We Use Cookies FossaPay uses cookies and similar technologies to improve your experience, enhance security, and ensure the effective operation of our services. Cookies are small data files placed on your device when you visit our website or use our services. They help us remember your preferences, understand how our platform is used, and improve functionality. We may use cookies to:

• improve website functionality and user experience;

• enable account login and navigation;

• remember preferences and settings;

• monitor website usage and performance;

• improve our marketing and promotions;

• detect suspicious activity and prevent fraud;

• enhance platform security and risk management. FossaPay may use both session cookies (which expire when you close your browser) and persistent cookies (which remain on your device until deleted or expired). You may disable cookies through your browser settings; however, some parts of FossaPay services may not function properly if cookies are disabled. Continued use of our website or services constitutes your acceptance of our use of cookies in accordance with this Privacy Policy.

FossaPay may collect and process your personal information to comply with:

• Know Your Customer (KYC) obligations;

• Anti-Money Laundering (AML) requirements;

• Counter-Terrorism Financing (CTF) obligations;

• Fraud prevention laws;

• Sanctions screening;

• Financial regulations;

• Court orders;

• Government directives. We may verify your identity using third-party verification systems and public databases. Failure to provide required information may result in delayed services, restricted accounts, declined transactions, suspension, or termination of services.

In addition to the purposes stated elsewhere in this Privacy Policy, FossaPay may collect, use, process, and share your personal information for the following purposes:

• To verify your identity and account in compliance with applicable Know Your Customer (KYC), Anti-Money Laundering (AML), fraud prevention, and regulatory requirements;

• To assess applications for FossaPay products and services and manage your account and transactions;

• To maintain and improve our relationship with you, including providing customer support, responding to inquiries, handling complaints, and resolving disputes;

• To notify you about updates, security alerts, new features, promotions, offers, or changes to our products and services;

• To improve our products, services, systems, and customer experience through analytics, research, transaction monitoring, and business intelligence;

• To generate anonymized or aggregated data, reports, and statistics that do not identify you personally;

• To comply with applicable laws, regulations, court orders, sanctions requirements, regulatory obligations, audits, risk management, crime detection, fraud prevention, and law enforcement requests; and

• For any other lawful purpose necessary for the operation, protection, or improvement of FossaPay’s business and services. FossaPay generally processes personal information based on contractual necessity, legal obligations, legitimate business interests, or other lawful grounds rather than consent. However, where required, we will obtain your consent before sending third-party marketing communications via email, SMS, or similar channels. You may withdraw your marketing consent at any time by contacting FossaPay or using the unsubscribe options provided in our communications. We may also anonymise or aggregate data for analytics and operational improvements.

Legal Basis for Processing Personal Information FossaPay may process your personal information based on legitimate business interests, contractual necessity, or legal obligations. Where processing is based on a legitimate interest, we carefully balance our business needs against your rights and freedoms to ensure your personal information is processed fairly and responsibly. We may also process your information where necessary to perform a contract with you, provide requested services, or take steps prior to entering into a contractual relationship. Additionally, FossaPay may process personal information where required to comply with applicable laws, regulations, legal obligations, or regulatory requirements.

Consent Generally, we do not rely on consent as a legal basis for processing your personal data although we will get your consent before sending third-party direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting us.

Change of purpose We will only use your personal data for the purposes for which we collected it unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us via our support channels. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

FossaPay may use cookies and related technologies to:

• Improve website functionality;

• Remember user preferences;

• Enhance security;

• Prevent fraud;

• Analyse usage patterns;

• Improve user experience. You may refuse cookies through browser settings, though some services may not function properly.

As part of providing and improving FossaPay’s products and services, managing our operations, facilitating transactions, and complying with applicable legal and regulatory obligations, we may disclose your personal information and account-related information to certain third parties where necessary, including but not limited to the following:

Companies

• companies and organizations that act as our agents, affiliates and/or professional advisers;

• companies and organizations that assist us in processing or otherwise fulfilling transactions that you have requested;

Professionals and Persons of Consent

• your advisers (including but not limited to accountants, auditors, lawyers, financial advisers or other professional advisers) where authorized by you;

• any other person notified by you as authorized to give instructions or to use the accounts, facilities, products or services on your behalf.

Banks and Financial Institutions

• To facilitate payments and settlements.

Merchants

• To fulfill transactions or legal obligations.

Regulatory Authorities

• Including financial, governmental, judicial, and law enforcement agencies.

Service Providers

• Including cloud providers, analytics providers, verification vendors, fraud detection partners, IT vendors, and support providers. The aforementioned third parties may in some instances be located outside of your country. We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

FossaPay implements reasonable and industry-standard technical, organisational, and administrative safeguards to protect personal data. FossaPay places great importance on protecting the security and confidentiality of your personal information. We regularly review, update, and implement appropriate technical, administrative, and organizational measures designed to safeguard personal data processed through our platform. All employees, contractors, and authorized personnel of FossaPay are required to handle personal information securely, confidentially, and in accordance with applicable data protection laws and internal policies. Failure to comply with these obligations may result in disciplinary or legal action where applicable. While FossaPay takes reasonable and appropriate measures to protect your personal information, you acknowledge that no website, internet transmission, computer system, or electronic storage method is entirely secure or free from risk. Accordingly, we cannot guarantee absolute security of information transmitted through our services. FossaPay maintains procedures to identify, investigate, and respond to any suspected or actual personal data breach. Where required by applicable laws or regulatory obligations, we will notify affected users and relevant authorities of any data breach within the legally prescribed timeframe.

Because FossaPay may operate with international partners, merchants, vendors, service providers, financial institutions, and technology providers, the personal information we collect from you may be transferred to, stored, or processed outside Nigeria or the jurisdiction in which you reside. The laws governing personal data protection in such countries may differ from those applicable in your country of residence. Where such international transfers occur, FossaPay will take reasonable and appropriate measures to ensure that adequate safeguards are implemented to protect your personal information and maintain a level of security consistent with applicable legal and regulatory requirements. Processing of your personal information may be undertaken by FossaPay personnel or trusted third-party service providers for purposes including, but not limited to, identity verification, payment processing, fraud prevention, regulatory compliance, transaction support, and customer service. By accessing or using FossaPay’s services and submitting your personal information, you acknowledge and consent to the transfer, storage, and processing of your personal data outside your jurisdiction where reasonably necessary for the provision of our services and compliance with legal or operational requirements.

We retain personal data: FossaPay will retain your personal information for the duration of your relationship with us and thereafter for such period as may be reasonably necessary to fulfil legitimate business purposes, protect the interests of FossaPay and its users, comply with internal policies, and satisfy applicable legal, regulatory, tax, accounting, anti- money laundering, or compliance obligations. In certain circumstances, we may retain your personal information for a longer period where necessary, including in connection with complaints, dispute resolution, fraud prevention, investigations, regulatory inquiries, enforcement actions, or where we reasonably believe there is a possibility of litigation or legal claims arising from our relationship with you. In determining the appropriate retention period for personal information, FossaPay considers several factors, including the nature, volume, and sensitivity of the information, the potential risk of harm arising from unauthorized use or disclosure, the purposes for which the information is processed, whether those purposes can be achieved through alternative means, and applicable legal or operational requirements. Where retention of identifiable personal information is no longer necessary, FossaPay may anonymize or aggregate such data so that it can no longer be linked to an individual. Such anonymized data may be used for research, analytics, service improvement, security monitoring, statistical purposes, or business insights without further notice to you.

Subject to applicable data protection laws, you may have certain rights regarding the personal information FossaPay collects and processes about you. These rights may include the following:

Right of Access: You have the right to request access to the personal information we hold about you and obtain a copy of such information in order to verify that it is being processed lawfully.

Right to Correction (Rectification): You may request correction, update, or completion of any inaccurate, incomplete, or outdated personal information held by FossaPay. We may require verification of any new information you provide before making corrections.

Right to Erasure (Right to be Forgotten): You may request the deletion or removal of your personal information where there is no lawful or legitimate basis for continued processing. This includes situations where you have successfully exercised your right to object to processing, where your information has been processed unlawfully, or where deletion is required to comply with applicable law. However, FossaPay may be unable to comply with certain deletion requests where retention is required for legal, regulatory, fraud prevention, dispute resolution, contractual, or compliance purposes. Where applicable, we will notify you of the basis for such retention.

Right to Object to Processing You may object to the processing of your personal information where FossaPay relies on a legitimate business interest (or that of a third party), and you believe such processing impacts your fundamental rights and freedoms. You also have the right to object to the use of your personal information for direct marketing purposes. In some circumstances, FossaPay may continue processing where compelling legitimate grounds exist that override your rights or where processing is required for legal purposes.

Right to Data Portability Where technically feasible and legally applicable, you may request that your personal information be transferred to you or to a third party designated by you in a structured, commonly used, and machine-readable format. This right generally applies to information processed by automated means where processing is based on your consent or necessary for the performance of a contract.

Right to Withdraw Consent Where FossaPay relies on your consent as the legal basis for processing, you may withdraw such consent at any time. Withdrawal of consent will not affect the lawfulness of processing conducted prior to such withdrawal. Exercising Your Rights If you wish to exercise any of the rights described above, please contact FossaPay through our designated support or data protection channels. We may request additional information to verify your identity before processing your request.

Fees and Response to Requests You will generally not be required to pay any fee to access your personal information or exercise your rights. However, FossaPay reserves the right to charge a reasonable administrative fee, or decline a request, where such request is manifestly unfounded, repetitive, excessive, or otherwise abusive in nature.

Verification and Response Time To protect your personal information and verify your identity, FossaPay may request specific information before granting access to your personal data or processing any request relating to your privacy rights. We may also request additional details where necessary to help us process and respond to your request efficiently. FossaPay aims to acknowledge legitimate requests within 24 hours and resolve most requests within three (3) to five (5) business days. However, where requests are complex or multiple requests have been submitted, response times may be extended. In such cases, we will notify you and keep you informed of the progress.

Acceptance of this Privacy Policy By accessing or using FossaPay’s services, you acknowledge that you have read, understood, and accepted the terms of this Privacy Policy. Where required by law or for specific processing activities not covered by this Policy, FossaPay will obtain your consent before collecting, using, or disclosing your personal information. FossaPay may also provide additional notices or disclosures relating to specific products, services, or data processing activities. Such notices are intended to supplement or clarify this Privacy Policy. If you do not agree with any part of this Privacy Policy, you should discontinue the use of FossaPay’s services.

Incomplete Personal Information Where the provision of personal information is mandatory for account registration, verification, or access to FossaPay services, failure to provide the required information may prevent us from processing your request or providing certain products or services.

FossaPay services are strictly for individuals aged 18 years and above.We do not knowingly collect personal information from minors.

We may update this Privacy Policy periodically. Material updates may be communicated through our website, email, app notifications, or other reasonable means. Continued use of FossaPay services after updates constitutes acceptance of the revised Privacy Policy.

For questions regarding this Privacy Policy, data protection concerns, or requests relating to your personal information, please contact:

FossaPay / Fossa Technologies Limited

Support Email: product@fossapay.com

Website: https://fossapay.com

If you believe your data protection rights have been violated, you may also lodge a complaint with the appropriate data protection or regulatory authority.