Privacy Policy

The data controller for this platform is Kreditspark Limited (RC 6912401), a company incorporated in Nigeria. We operate the Kreditspark Ajo savings platform accessible at kreditspark.com and through our Progressive Web App.

We are registered with the National Information Technology Development Agency (NITDA) as a data controller under the NDPR.

2.1 Registration data

• Full name, email address, password (hashed — never stored in plain text)
• Phone number (E.164 format)
• Date of birth (derived from KYC verification)
• Device fingerprint and IP address at registration

2.2 KYC & identity data

• Bank Verification Number (BVN) — encrypted at rest using AES-256; a one-way HMAC hash is retained permanently for anti-fraud purposes.
• National Identification Number (NIN) / V_NIN — encrypted at rest; used for Tier 2 biometric KYC only.
• Biometric data (facial image) — collected via SmileID's hosted SDK for liveness verification; SmileID retains this under their own privacy policy; we receive only the verification result.
• KYC tier and status, verification dates, SmileID job IDs.

2.3 Financial data

• Wallet balances (available, escrowed, pending)
• Transaction history (contributions, payouts, withdrawals, top-ups, gifts)
• Bank account details (bank name, account number, account name) — for withdrawal processing via Paystack
• Tokenised card data — card tokens are held by Paystack; we store only the last 4 digits and expiry for display purposes
• Virtual account (NUBAN) assigned to you by Paystack

2.4 Usage and behavioural data

• Ajo group memberships, positions, contribution history
• Login events, password changes, device changes
• In-app analytics events (page views, feature usage) — used to improve the product
• IP address and approximate geolocation from IP

2.5 Communications data

• WhatsApp conversation logs (inbound and outbound) — retained for 7 years for compliance
• In-app notification delivery and read status
• Support ticket content

Our database is hosted in Nigeria (or a data centre with Nigerian data residency) and is encrypted at rest. All data in transit is protected by TLS 1.2+.

• BVN & NIN — AES-256 column-level encryption; the encryption key is stored separately in a secrets manager. A one-way HMAC hash is stored for deduplication lookups without decrypting the value.
• Passwords — bcrypt hashed; never stored or logged in plain text.
• Card data — never stored by Kreditspark; tokenised by Paystack under PCI-DSS compliance.
• Biometric data — not stored by Kreditspark; processed by SmileID under their ISO 27001-certified infrastructure.
• Audit logs — append-only with a tamper-evident SHA-256 hash chain; the database user does not have DELETE/UPDATE permission on the audit log table.

Our production database is backed up daily to encrypted object storage with 7-daily / 4-weekly / 12-monthly retention.

We share your data only where necessary to provide the service or comply with the law:

We do not sell your personal data to advertisers or data brokers. We do not share financial or KYC data with other Kreditspark users except as required for the Ajo group service (e.g. displaying your name and KYC tier badge to other group members).

Nigerian CBN regulations require us to retain financial records for a minimum of 7 years from the date of the last transaction. This means:

• Transaction records, wallet ledger entries, and Ajo contribution history are retained for 7 years regardless of account status.
• KYC data and identity verification records are retained for 7 years from the date of KYC completion or last transaction (whichever is later).
• After the 7-year period, personal identifiers (name, phone, email, address) in retained records are replaced with [ANONYMISED] while the financial data is preserved for accounting purposes.
• The one-way HMAC hash of your BVN is retained indefinitely to prevent debt evasion via re-registration.

Account deletion requests

You may request account deletion in the app under Profile → Account → Request Deletion. We will acknowledge your request within 72 hours. If you have no outstanding financial obligations, a 30-day cooling-off window will begin, after which your account will be deactivated and PII will be queued for anonymisation (subject to the 7-year financial retention period above).

Under the Nigeria Data Protection Regulation (NDPR) 2019 and the Nigeria Data Protection Act (NDPA) 2023, you have the following rights:

• Right of Access — request a copy of the personal data we hold about you.
• Right to Rectification — ask us to correct inaccurate data.
• Right to Erasure — ask us to delete your data (subject to retention obligations above).
• Right to Restrict Processing — ask us to limit how we use your data.
• Right to Data Portability — receive your data in a structured, machine-readable format.
• Right to Object — object to processing based on legitimate interest.
• Right to Withdraw Consent — where processing is based on consent (e.g. marketing emails), you may withdraw at any time without affecting prior processing.

To exercise any of these rights, email privacy@kreditspark.com with your full name and the nature of your request. We will respond within 30 days.

If you are unsatisfied with our response, you have the right to lodge a complaint with the Nigeria Data Protection Bureau (NDPB) at nitda.gov.ng/ndpb.

Kreditspark is not directed at persons under the age of 18. We do not knowingly collect personal data from children. Our KYC process automatically blocks users whose date of birth (as verified by SmileID) indicates they are under 18.

If you believe a child has registered on our platform, please contact privacy@kreditspark.com immediately so we can delete their data.

We use cookies and browser storage for:

• Session cookie — required for authentication; deleted when you close the browser or sign out.
• CSRF token — security cookie required by all POST requests; lasts for the session.
• Service worker cache — PWA shell assets cached for offline use; no personal data stored.

We do not use advertising trackers, third-party analytics pixels, or social media cookies. A cookie consent banner is shown on first visit; functional cookies required for the platform to work are exempt from consent under the NDPR.

In the event of a data breach that poses a risk to your rights or interests, we will:

• Notify the Nigeria Data Protection Bureau (NDPB) within 72 hours of becoming aware of the breach.
• Notify affected users without undue delay via email and in-app notification, describing: what data was affected, the likely consequences, and the measures we are taking.
• Maintain an internal breach register recording all incidents, our response, and lessons learned.

Kreditspark has designated a Data Protection Officer (DPO) as required under the NDPR. You may contact the DPO for privacy-related queries:

Data Protection Officer
Kreditspark Limited
Lagos, Nigeria
dpo@kreditspark.com

We may update this Privacy Policy to reflect changes in our data practices or legal obligations. Material changes will be communicated via in-app notification and WhatsApp at least 30 days before they take effect.

The current version is always available at kreditspark.com/privacy.