Privacy Policy
Privacy & Cookie Policy (“Privacy Policy”)

This Privacy Policy was last updated on 12 May 2026
PLEASE READ THIS PRIVACY POLICY CAREFULLY TO ENSURE THAT YOU UNDERSTAND EACH PROVISION. BY CLICKING “SIGN UP”, OR OTHERWISE ACCEPTING THE TERMS AND CONDITIONS FOR THE USE OF ANY PALMPAY SERVICES, YOU ARE SIGNIFYING THAT YOU HAVE READ AND UNDERSTOOD THE TERMS OF USE, THROUGH THIS PRIVACY POLICY, YOU WILL BE INFORMED ABOUT THE COLLECTION AND USE OF YOUR INFORMATION AS SET OUT BELOW.Disclosure of User Data CollectionYour Phone Number information will be uploaded to https://m.palmpay.app.  PalmPay collects your phone number to complete registration and use it as the account number.
This Privacy Policy is designed to describe
    -    Who we are and how to contact us
    -    Your rights relating to personal data
    -    Marketing communication preferences
    -    What personal data we collect
    -    How we use your personal data and why
    -    Who we share your personal data with
    -    What information is stored and for how long
    -    How we protect your personal data
    -    Changes to this Privacy Policy
Any updates or modifications to this Privacy Policy will be reflected on this page, and you may be notified through our standard communication channels, such as email or in-app notifications, where applicable. If you are opposed to the changes, you may contact our Data Protection Officer for any queries or close your account. Continuous usage of PalmPay services after receipt of notification means you have understood the modifications or changes without reservation.
1 Overview
1.1 Introduction
This Privacy and Cookies Policy are intended to meet our obligations under the Nigerian Data Protection Act (NDPA) 2023, General Application and Implementation Directive (GAID) 2025 and other applicable Data Protection laws and regulations, that sets guidelines for the protection and processing of personal information of individuals within Nigeria or residing outside Nigeria but of Nigerian descent.
1.2 Personal Data  
Personal Data shall have the meaning stipulated by the NDPA and shall include any information relating to an identifiable natural person, which includes Customer Information or information that enables us to identify you personally.
1.3 Who We Are and How to Contact Us
PalmPay is a modern financial platform meeting customers wherever they are. We offer our customers the widest level of choice and financial access including content, software, mobile services, financial products and functionality offered on or through the PalmPay App, the PalmPay Business App or any other platform as may be determined by PalmPay time to time, (together the "Platform") (collectively, the "Services").
If you have any questions or complaint about this Privacy Policy or our practices in relation to your Personal Data, please contact us at: dpo@palmpay-inc.com, and 02018886888.
You may also contact us at 20 Opebi, Ikeja, Lagos.
2.      The Rights of Users
2.1 Your Rights Relating to Your Personal Data
You have the rights under this Privacy and Cookie Policy to:
Be Informed of how we use your personal data: This allows you to be aware of the personal data we hold about you and provides you with clear and concise information about what we do with your personal information.
Request access to your Personal Data: This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
Request correction of the personal data that we hold about you: This enables you to have any incorrect or incomplete information about you corrected.
Request erasure of your Personal Data: This enables you to ask us to delete or remove Personal Data where there is no legal reason for us continuing to process it or you object to us processing it (see below).
Object to Processing your Personal Data: You have the right to object to the processing of your Personal Data where such processing is based on consent, contractual necessity, or legitimate interest. You may also withdraw your consent at any time, where consent was previously relied upon as the lawful basis for processing. However, this right does not apply where the processing is required for compliance with a legal obligation or for the protection of an individual’s vital interests. You also have the right to object at any time to the processing of your Personal Data for direct marketing purposes.
Request the Restriction of Processing your Personal Data: This enables you to ask us to suspend the processing of Personal Data about you, for example if you want us to establish its accuracy or the reason for processing it. Please note that exercising this right may limit or restrict our ability to provide you with certain products or services, as some processing activities are necessary to deliver and maintain our services.
Request the Transfer of your Personal Data: We will provide to you, or a third party you have chosen (where technically possible), your Personal Data in a structured, commonly used, machine-readable format. This right enables you to obtain and reuse your information for your own purposes across different services.
Withdraw consent: This right only exists where we are relying on consent to process your Personal Data. If you withdraw your consent, we may not be able to provide you with access to the certain specific functionalities of our platform. We will advise you if this is the case at the time you withdraw your consent.
2.2 How to Exercise Your Personal Rights
If you wish to exercise any of the rights above, please contact us using the details in the “Who we are” and “How to contact us” sections.
You will not have to pay a fee to access your personal data (or to exercise any right), however, we may charge a reasonable fee where requests are clearly unfounded, repetitive or excessive. If you refuse to pay the fee we may refuse to comply with your request.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We aim to respond to all requests within one month, in line with applicable law. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you within 30 days and keep you updated.
2.3 Grievance Resolution – SNAG Process
In accordance with the General Application and Implementation Directive (GAID), data subjects who believe that their privacy rights have been violated may issue a Standard Notice to Address Grievance (SNAG) directly to PalmPay. This internal process allows us the opportunity to investigate and resolve concerns before they are escalated to the Nigeria Data Protection Commission (NDPC) or pursued through legal action.
Upon receipt of a SNAG, PalmPay will acknowledge and respond within a reasonable timeframe and take appropriate steps to investigate and address the complaint. This process does not limit the data subject’s right to file a formal complaint with the NDPC or seek judicial remedies. If you would like to submit a SNAG, please contact us at: dpo@palmpay-inc.com, and 02018886888.
3 Basis for data processing
In respect of each of the purposes for which we use your Personal Data, the NDPA requires us to ensure that we have a legal basis for that use. The legal basis depends on the Services you use and how you use them. This means we collect and use your Personal Data where we need it to provide the Services to you, including to operate the Services, to comply with a legal or regulatory obligation, to provide customer support and personalized features and to protect the safety and security of the Services.
In processing your personal data, we adhere to the principles of data processing and ensure personal data is:
  1. processed in a fair, lawful and transparent manner;
  2. collected for specified, explicit, and legitimate purposes, and not to be further processed in a way incompatible with these purposes;
  3. adequate, relevant, and limited to the minimum necessary for the purposes for which the personal data was collected or further processed;
  4. retained for not longer than is necessary to achieve the lawful bases for which the personal data was collected or further processed;
  5. accurate, complete, not misleading, and, where necessary, kept up to date having regard to the purposes for which the personal data is collected or is further processed; and processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing, access, loss, destruction, damage, or any form of data breach.
Furthermore, we are committed to ensuring accountability, demonstrating duty of care to you and also upholding data Confidentiality, Integrity and Availability.
We rely on your consent as a legal basis for using your Personal Data where we have expressly sought it for a specific purpose. If we rely on your consent to a use of your Personal Data, you have the right to withdraw your consent at any time (but this will not affect any processing that has already taken place prior to the withdrawal of your consent).
In instances where we need to process your Personal Data either to comply with law, or to perform the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with the functionalities of the Services). In this case, we may have to stop providing you with our Services.
PalmPay may also process, retain, disclose, transfer, or publish personal data relating to inactive or dormant accounts, unclaimed balances, and other financial assets where such processing is required to comply with applicable laws, regulatory directives, or guidelines issued by the Central Bank of Nigeria (CBN) or any other competent authority. Such processing may include customer notification, account verification, fraud prevention, lawful publication, transfer of unclaimed balances, and recovery administration activities.
4 What Personal Data We Collect.
4.1 Customer information
To use the PalmPay Services, you must provide customer information via our registration, account upgrade, profile forms or other forms of KYC information requests.
We may also process and retain information relating to account inactivity, dormancy status, unclaimed balances, beneficiary verification, recovery documentation, and related regulatory compliance requirements where required under applicable law or regulatory directives.
This information may include:
- Full name, e-mail address and phone number, PalmPay PIN, address, proof of address, real time location, occupation, gender, date of birth, historical risk or transaction data, bank account number and information about third parties who transact with you through our platform;
- For some services we may also collect Bank Verification Number (BVN), National Identity Number (NIN), other ID documentation information, photographs, live videos and facial biometric data, (where applicable).
- When you opt to use the face authentication feature, we will use ARKit or similar technology to capture a three-dimensional map of your face and analyze your facial expressions. This data is processed in real time to confirm your identity and to ensure that the selfie being taken is of a live user.
Additional information may be requested to participate in social media functions on our Platform, promotions or surveys and when you contact us to report a problem on our Platform.
If you communicate with our Customer Services team via e-mail, Live Chat or telephone your conversations may be recorded and stored for training, quality assurance and record keeping purposes. We use this information to measure and improve our Service quality.
4.2 Device information
The following information may be collected from you automatically when you use the Platform, but it is not limited to:
- Your contacts’ information such as their name and mobile number. We collect this information upon your grant of consent and when you sync the address book on your device with the Platform and we use this information where the provision of our services requires such access, for example airtime top-up and transfers. 
- Details of your handset/device, unique device identifiers (IMEI or serial number), information about the SIM card, mobile network, operating system and browser settings. We use this information to protect our customers from service-related crime, enhance the services we offer and to help us understand how people use the Service.
4.3 Location information
Certain PalmPay features may require location information from your device’s GPS. With your consent this information will be collected for these services. You will be required to grant consent. Turning off location services may render some services unavailable.
4.4 Analytics
We may use in-app analytics technologies, like Google Analytics, to help improve and simplify the overall app, design and service. These tools track aggregated information about in app usage, provide performance measurements and allow better reporting on application failures.
We record when you install or uninstall Platform to help us track who is using the Service.
4.5 Tracking and Cookies
A cookie is a string of information that a website stores on a visitor's computer, and that the visitor's browser provides to the website each time the visitor returns.
PalmPay uses cookies to help identify and track visitors, understand their usage of the PalmPay website, and their website access preferences. PalmPay visitors who do not wish to have cookies placed on their computers should set their browsers to refuse cookies before using the websites or decline the option of using cookies when they visit for the first time. Our services may not function properly without the aid of cookies.
We have provided the following table to further outline the Personal Data that we may collect:
Category of Personal Data collected    
What this means
 
Lawful Basis
Identity Data
First name, surname, maiden name, username or similar identifier, marital status, title, date of birth, gender, selfie picture, live photographs or videos, facial ID,  identification document number, copies of ID documents, "biometric data {used for facial recognition when securely signing into the app)" or other forms of identification.
Legal Obligations to enable us conduct customer due diligence (KYC/AML provisions)Contractual necessity: To fulfil obligations and perform contracts;
Legitimate interest: to maintain platform integrity, improve services, etc.
Contact Data
Your home address, work address, billing address, email address and telephone numbers.
Legal Obligations to enable us conduct customer due diligence.    
Online Presence Data
Links to your public account pages at social media websites, links to personal websites, and other online materials related to you.
Consent: To ensure that our services suit the purpose of data subjects and to measure our performance.
Financial Data
Your bank account and payment card details, statements about your wealth and financial situation.
Contractual necessity: To fulfil obligations and perform contracts;
Legal obligations  for regulatory and AML/CFT compliance
Transaction Data
Any details about payments to and from you and other details of subscriptions and services you have purchased from us. Data in respect of your transactions with third parties (including your credit history).
Contractual necessity: To provide and manage services;
Legal obligation: To comply with financial and regulatory requirements.
Content Data
Any content you post to the Services not already included in another category, including without limitation, your profiles, questions, preference settings, answers, messages, comments, and other contributions on the Services, and metadata about them (such as when you posted them) (“Content").
Consent: for content shared voluntarily by users; Legitimate interest: to maintain platform integrity, improve services, and monitor compliance with Terms of Use.
Marketing and Communications Data
Your preferences in receiving marketing from us and our third parties and your communication preferences. If you correspond with us by email or messaging through the Services, we may retain the content of such messages and our responses.
Consent: for direct marketing; 
Legitimate interest: to improve user engagement;Legal obligation: according to regulatory standards on data retention period or where communications relate to fraud prevention or regulatory notices.
Behavioural Data
Inferred or assumed information relating to your transaction pattern, behaviour and interests, based on your online activity. This is most often collated and grouped into "segments".
Consent:  for analytics and personalization;
Legitimate interest:  for fraud detection, risk management, and improving services.
Technical Data
Security credentials (username and PIN/password) Internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and Platform and other technology on the devices you use to access this application or Platform or use our services.
Legitimate interest: to secure systems, detect/prevent fraud, and improve services;
Legal obligation: for security and regulatory compliance.
Device Data
The contact application on your device and your contacts’ information such as their name, mobile number, or email address contained therein.
Details of your handset/device, unique device identifiers (IMEI or serial number), information about the SIM card, mobile network, operating system and browser settings.
Consent:  for syncing contacts or enabling optional features (e.g., airtime top-up);
 
Legitimate interest:  to ensure device compatibility and security of services.
 
5 How we use your personal data and Why
We use your personal data to provide, maintain, secure, and improve PalmPay products and services, including wallet registration and management, identity verification, electronic fund transfers, merchant and bill payments, cash-in and cash-out services, card services, transaction records, customer support, fraud prevention, and regulatory compliance.
5.1 Payment Processing
To process payments on PalmPay, we need to share some of your personal information with payment participants involved in the transaction, such as merchants, financial institutions, payment processors, settlement partners, and regulated service providers. The personal information shared may include:
 - Contact information (mobile number, or name)
 - Transaction information (masked card details, transaction amount, payment status, transaction reference, and account identifiers necessary to complete the payment)
This personal data will be used to assist us in delivering the service that you signed up for; allow us to understand how services are being used by you; protect you and your account; improve our services and communicate new services and offers to you.
We will not expose your credit/debit card number or bank account number to anyone you have paid or who has paid you through PalmPay, except with your express permission or if we are required to do so to comply with a subpoena or other legal action.
5.2 Identity Verification
We collect and store personal information about you to comply with the relevant financial regulations.
The Identity Data we collect is used for the purpose of authenticating your identity, processing your transactions and preventing fraud. We do not use this data for any other purpose. The information is processed in a manner that is secure and in compliance with applicable laws and regulations concerning Identity Data.
Where we use a third-party service, with your consent, we may share your Personal Data in order to offer the service or improve the experience of that service. When you use such a service for the first time, you will need to review their privacy policy and agree to their terms and conditions, and other related agreements where applicable.
In order to provide the Service to you as well as comply with applicable laws, we may verify, compare and validate the personal information you provide to us with the relevant government authorities. As required by applicable regulations, we may need to verify the accuracy of the Identity Data and Contact Data you provide to us, which may require physical visits to the address you provide as your Contact Data including your work, home, billing or contact address. We may also engage third party service providers to verify the accuracy of this Identity Data, including your Contact Data.
5.3 Dormant Accounts, Unclaimed Balances and Regulatory Compliance
PalmPay may process personal data relating to inactive or dormant accounts and unclaimed balances in order to:
§  
comply with applicable CBN regulations and legal obligations;
§  
identify and contact affected customers or beneficiaries;
§  
verify ownership and entitlement to funds or assets;
§  
prevent fraud, impersonation, unauthorized claims, or financial crime;
§  
facilitate transfer of qualifying balances to the Central Bank of Nigeria or any legally designated trust or recovery account;
§  
facilitate lawful recovery and account reactivation processes;
§  
maintain regulatory records and audit trails.
Such processing may occur before, during, or after the classification of an account as inactive or dormant.
5.4 Marketing Communication Preferences
If you would like us to stop sending marketing messages or modify your email preferences at any time, please follow any of these procedures:
 - Follow the opt-out messages sent in any of the emails
- Go through the notification switch off process in the settings on your application
- Contact us at any time using the contact details in the “Who We Are” and “How to Contact Us” sections of this privacy policy.
Where you opt out of receiving these marketing messages, this will not apply to Personal Data provided to us for processing for legitimate service-related purposes.
5.5 Facial Data Processing
iOS (Apple Devices)
PalmPay utilizes Apple’s TrueDepth API to perform facial verification and authentication for users on iOS devices. The TrueDepth system captures facial data solely to verify identity during account registration, login, and high-risk transactions, thereby enhancing security and user experience. Facial data processed through the TrueDepth API is handled in accordance with Apple’s privacy framework, it is neither stored nor shared with PalmPay or third parties. PalmPay only receives the authentication outcome (success or failure) and does not access or retain any raw facial images or depth data from TrueDepth sensors.
Android Devices
For Android users, PalmPay conducts facial verification and authentication directly through its application to enable secure onboarding, fraud prevention, and regulatory compliance with biometric authentication requirements. Facial data is collected and stored only for as long as the user’s account remains active and as required under applicable financial regulations in Nigeria. PalmPay does not share facial data with any third parties.
a.          Purpose of Storing Face Data
Facial data is collected and processed solely for the following purposes:
-         To verify your identity securely during account registration, login, and high-risk transactions
-         To prevent fraud and unauthorized access to your account
-         To comply with financial regulatory requirements for biometric authentication.
b.         Retention Period for Face Data
-         Facial biometric data is retained only for as long as necessary to fulfil the purpose for which it was collected. Where collected for identity verification, it is held for the duration of the customer relationship and for such period thereafter as required by applicable Nigerian financial regulations and AML/CFT obligations (generally a minimum of five years following account closure). Biometric data will not be retained beyond the period required by law or our legitimate operational need. Examples of such laws include: Money Laundering (Prevention and Prohibition) Act, 2022; Terrorism (Prevention and Prohibition) Act, 2022.
-         Temporary facial data captured during authentication sessions is deleted immediately after verification, unless retained for fraud investigation (up to 90 days).
c.          Third Parties with Whom Face Data is Shared
Facial data is processed on our behalf by our identity verification service providers, Blusalt and Prembly, acting as a data processor under contract with PalmPay. Such third parties’ processes facial biometric data solely to perform identity verification as instructed by PalmPay and does not use it for any independent purpose. Beyond this processor relationship, facial data is not shared with any other third party. Please refer to Section 5.7 for further details of third parties’ role.
5.6 Automated Decision-Making and Profiling
Automated decision-making refers to decisions made through automated processing of personal data without direct human involvement. PalmPay does not generally make solely automated decisions that produce significant legal effects on you. However, we may use automated systems to make preliminary assessments or suggestions - for example, fraud risk scoring, transaction monitoring, and identity verification outcomes - to protect you and the integrity of our platform. These automated assessments are reviewed by our staff before any consequential decision is made.
Where automated decision-making is used for fraud detection, we may use your personal data to assess whether an account or transaction is potentially associated with fraud, money laundering, or terrorist financing. If we determine a risk of fraud or unauthorized activity, we may suspend activity on the account, block a transaction, or restrict access to services. You have the right to request human review of any automated decision that significantly affects you by contacting us at dpo@palmpay-inc.com.
5.7 Third-Party Identity Verification Processor
To perform identity verification and KYC/AML compliance checks, PalmPay may engage third-party identity verification service providers, including Blusalt and Prembly. When you submit identity documents, biometric data, or other verification information through the PalmPay platform, that information may be processed by such third -party providers on our behalf as a data processor, acting on PalmPay’s instructions. Such third-party providers carries out document checks, biometric facial comparisons, liveness detection, sanctions screening, and related verification procedures.
For example, the personal data processed by Blusalt and Prembly on our behalf includes: general personal data (full name, date of birth, nationality); identity document data (document type, number, expiry date, MRZ); facial image data (selfie images, facial features derived from biometric processing); and technical data (IP address). Blusalt and Prembly acts solely on PalmPay’s instructions and is contractually bound to process your data securely and in accordance with applicable data protection law. Blusalt and Prembly does not make final onboarding or access decisions - those decisions remain with PalmPay. For further information, please refer to Blusalt and Prembly’s privacy policy at https://blusalt.net/privacy-policy https://prembly.com/privacy
6 Who We Share Your Personal Data With
We may share your personal data with third parties as described in the table below. We consider this information to be a vital part of our relationship with you.
Recipients
Why we share it
Our Affiliates
Our affiliates may access your Personal Data to help us develop, maintain and provide our Services and help manage our customer relationships (including providing customer support, customer liaison, fund advisory services, etc). We are contractually bound by agreements ensuring the safety, security and lawful processing of any personal data shared amongst our affiliate entities.
Service Providers
Our service providers provide us support for our Services, including, for example, Platform and application development, hosting, maintenance, backup, storage, virtual infrastructure, payment processing, auto-deduct services, analysis, identity verification, background and compliance reviews, fund administration, banking services, and other services for us, which may require them to access or use Personal Data about you. Each service provider is required to execute relevant data processing and service level agreements with PalmPay prior to any processing of personal data on our behalf, in accordance with the NDPA and GAID.
Third Party Providers
1.         As part of the Services, we may provide links to other websites not operated or controlled by PalmPay. We may share your personal data to Third Party Providers who provide services of savings, loans, insurance, investments, and other third- party services on the Platform. Such third -party providers include Blooms Microfinance Bank Limited, Flexi Microfinance Bank Limited and other partners.
Specifically regarding lending services:
When you apply for or use loan products through our Platform, we will share necessary personal information with our lending partners to process your application, determine your eligibility, administer your loan, and service your account. This information may include your identity data, contact details, financial information, transaction history, and creditworthiness data.
2.         We are not responsible for the content, accuracy or opinions expressed in such third -party websites, and such websites are not investigated, monitored or checked for accuracy or completeness by us. Please note that when you use a link to go from Services to another website, our Privacy Policy is no longer in effect. We advise you read the third -party privacy policies for information regarding their data processing activities.
3.         Your browsing and interaction on any other website, including those that have a link on our Platform, is subject to the third party’s own rules and policies. Such third parties may use their own cookies or other methods to collect information about you.
Professional Advisers
Our lawyers, accountants, bankers, auditors and insurers may need to review your personal data to provide consultancy, compliance, banking, legal, insurance, accounting and similar services.
Legal and Taxing Authorities, Regulators and Participants in Judicial Proceedings
PalmPay may disclose your Personal Data if we believe it is reasonably necessary to comply with a law, regulation, order, subpoena, rule of a self-regulatory organization audit requirement or regulatory directive (including directives relating to dormant accounts, unclaimed balances, and other financial assets issued by the Central Bank of Nigeria or other competent authorities), or to protect the safety of any person, to address fraud, security or technical issues, facilitate lawful verification, recovery or transfer processes relating to dormant accounts or unclaimed balances or to protect our legal rights, interests and the interests of others, such as, for example, in connection with the acquisition, merger or sale of securities or a business (e.g. due diligence).
Advertisers
1.         Advertisers on the Platform may be provided with access to your Personal Data solely for the purpose of delivering targeted opportunities and offers relevant to your background and preferences. Such access shall only occur where you have given your prior, freely given, specific, and informed consent through the Platform’s consent mechanisms. Where consent has not been obtained or has been withdrawn, only aggregated or fully anonymized data that cannot directly or indirectly identify you shall be made available to advertisers. You may withdraw your consent to targeted advertising at any time through the notification settings in the PalmPay app.
2.         We may also allow third-parties, including ad servers or ad networks, to serve you advertisements on the Platform as well as on other platforms outside the Platform and such third parties may be provided with access to your Personal Data to provide advertising tailored to your interests. This is provided to third parties under strict confidentiality and data security obligations.
Researchers
We may also share non personal data (such as anonymous usage data, data referring/exit pages and URLs, Platform types, number clicks, etc.) with interested third parties to help them understand the usage patterns for certain Services or conduct independent research based on such anonymous usage data. This is provided to third parties under confidentiality obligations such as, for example, academics or contractors for research purposes.
API Users
A limited number of partners have API access to portions of the Platform. Examples of the most common API uses are OAuth and AML/accreditation verification of potential investors.
Third Party SDK
Our App connects to the software development kit (SDK) of some of our third-party service providers and in such instances, your Personal Data may be collected or accessible by these service providers. SDK used by us includes limitation, Bugly, Appsflyer and Google. In addition, PalmPay engages Blusalt and Prembly as a third-party identity verification service provider. Blusalt and Prembly processes identity documents, biometric data, and other verification information on PalmPay’s behalf as a data processor. Please refer to Section 5.7 for further details.
We ensure that these service providers take extensive security measures with high level encryption in order to protect your Personal Information against loss, misuse or alteration.
Employees
In addition, PalmPay advisers, senior employees and lead investors may have access to your Personal Data to help them evaluate, invite and communicate with you as a User. If you are a User, they may have access to your Personal Data to assist them in discovering, evaluating and tracking communications.
Business Transfer
As we develop our business, we may buy or sell businesses or assets. In the event of a corporate sale, merger, reorganization, dissolution or similar event, we may also transfer your Personal Data as part of the transferred assets. As part of the PalmPay group, the successor company may have access to the information maintained by PalmPay, including customer Account Information, and such successor company would continue to process data in line with the provisions of this Privacy Policy unless and until it is amended.
Other Users
The Personal Data you choose to add to your profile, such as your customer name and account number, may be visible to other Users or any other person for the purpose of transaction processing or Service promotions and activities which you participate in. Please be aware that while some of your activities as a User may not be directly visible to others, certain information or behaviors might still be inferred by other Users on the PalmPay App.
 
If you request that we remove your Personal Data as described in Your Rights Relating to Your Personal Data, we will convey that request to any third-party with whom we have shared your data. We are not, however, responsible for revising or removing your Personal Data obtained by any third party who has previously been provided with your information by us in accordance with this policy or any third party to whom you have provided such information (whether by sharing your login and password, or otherwise).
6.2 Publication of Dormant Accounts and Unclaimed Balances
Where required by applicable law or regulatory directives, PalmPay may publish limited information relating to dormant accounts or unclaimed balances for customer notification, tracing, recovery administration, or regulatory compliance purposes. PalmPay shall implement reasonable safeguards to minimize privacy risks, including limiting publication to the minimum data necessary, masking account identifiers where appropriate, restricting publication of sensitive personal data, and limiting publication duration in accordance with applicable legal and operational requirements.
7 Storage and security of personal data
7.1 Where your personal information is stored
PalmPay is entirely committed to protecting the information we collect from you. We maintain appropriate administrative, technical and physical safeguards (i.e. firewalls, data encryption, competent security guards, etc). These processes are in place to prevent accidental, unlawful or unauthorized destruction, loss, alteration, access, disclosure or use of your information. We are also certified by the International Organization for Standardization (ISO) on information security management (ISO/IEC 27001:2022) and Payment Card Industry Data Security Standard (PCI-DSS) .
To achieve the purpose stated in this Privacy Policy, PalmPay may transfer your personal data to a country which is deemed to have adequate data protection laws. Where PalmPay transfers your personal data to countries outside of Nigeria, such transfer shall be carried out in compliance with the NDPA and GAID, using appropriate safeguards which may include standard contractual clauses, intra-group agreements, or transfers to countries recognized as providing an adequate level of protection. Where transfers are made to countries not recognized as adequate, PalmPay shall implement appropriate safeguards to ensure that personal data receives a level of protection equivalent to that afforded under the NDPA. By continuing to use the PalmPay Digital Platform and related services you acknowledge that such transfers may occur. For further information regarding our cross-border transfer mechanisms, please contact our Data Protection Officer at dpo@palmpay-inc.com
7.2 How long we store your Personal Data
Our obligations primarily determine our retention period under applicable legislation to retain data for a specific time. Destruction will only be possible after the lapse of this period.
We will retain your information for as long as your account is active, or it is reasonably needed for the purposes set out in the “How We Use Your Personal Data and Why” section of this Policy, unless you request that we remove your Personal Data as described in the “Your Rights Relating to Personal Data” section. We will only retain your Personal Data for so long as we reasonably need to use it for these purposes unless a longer retention period is required by law (for example for regulatory purposes). This may include keeping your Personal Data after you have deactivated your account for the period of time needed for us to pursue legitimate business interests, conduct audits, comply with (and demonstrate compliance with) legal obligations, resolve disputes and enforce our agreements. All personal data is stored in accordance with our internal Data Retention Schedule.
PalmPay is required to retain the details of transactions (including personal data) or payments you make via PalmPay after the transaction is completed and for a minimum period of 5 years, per AML legislation and other requirements applicable to our business. We will store these transactions for the required period stipulated under the financial data protection regulations of your jurisdiction.
7.3 Your Use of the Platform
You are responsible for protection of your password or PIN in its entirety as communicated in our Terms and Conditions. You must not share your PalmPay password or PIN with anyone.
We will never request for your PIN or password via email or SMS or any other means. In the event you receive such communication, please disregard and contact us on: dpo@palmpay-inc.com and 02018886888.
In the event you share your password with a third party, you will be solely responsible for any consequence and loss arising thereof. If you believe your password or PIN has been compromised, please change it immediately and contact us.
7.4 Personal Data Breaches
We have a duty to report personal data breaches to the Nigerian Data Protection Commission within 72 hours of knowledge of such breach.
We shall notify you of any breach to your personal data where such breach will likely result in high risks to your freedoms and rights.
8 Your Responsibilities
You are responsible for ensuring that the information you provide to PalmPay is accurate, complete, and kept up to date. You must inform us as soon as possible if any of your personal data changes, including your contact details or identity information, so that we can maintain accurate records.
If you provide us with personal data about another person (for example, a beneficiary or business partner), you must direct that person to this Privacy Policy and ensure they understand and agree to how their information will be used by PalmPay as set out herein.
PalmPay’s services are not designed for or directed at minors (persons under the age of 18). We do not knowingly collect personal data from minors without verifiable parental or guardian consent. If we become aware that personal data of a minor has been submitted to us without such consent, we will take steps to delete that information promptly. If you believe a minor has provided us with personal data without appropriate consent, please contact us at dpo@palmpay-inc.com.
9 Changes to this Privacy Policy
PalmPay may change its Privacy Policy from time to time, and at PalmPay’s sole discretion. If we materially change how we use or share personal data previously collected from you through our Services, we will notify you or obtain consent regarding such changes as may be required by law.