TapPay

Privacy Policy

Effective date: 14 March 2026
Last updated: 14 March 2026

TapPay (“we”, “our”, “us”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, share, and safeguard your personal data when you use the TapPay mobile application, the send.usetappay.app website, and related services (collectively, the “Service”).

This policy complies with the Nigeria Data Protection Act 2023 (NDPA), the Nigeria Data Protection Regulation 2019 (NDPR), the UK General Data Protection Regulation (UK GDPR), and the EU General Data Protection Regulation (EU GDPR) where applicable.

1. Data We Collect

1.1 Information You Provide

  • Phone number — Used for account creation and OTP verification. Stored in hashed form for recipient discovery.
  • Display name and username — Chosen by you for identification within TapPay.
  • Bank Verification Number (BVN) — Submitted for KYC verification. We never store your raw BVN. We only retain the verification result: whether your identity was confirmed, and whether your name and date of birth matched.
  • Bank account details — Account number, bank name, and account name for withdrawals.

1.2 Information Collected Automatically

  • Device information — Device model, operating system, and a cryptographic device fingerprint used for security monitoring.
  • Transaction data — Amounts, timestamps, recipient identifiers, and blockchain transaction hashes.
  • Security events — Login attempts, device changes, account freezes, and OTP verifications.

1.3 Information We Never Collect

  • Your private key or recovery phrase — these never leave your device.
  • Your raw BVN — only boolean verification results are stored.
  • Your biometric data — biometric authentication is handled entirely by your device’s secure enclave.

2. How We Use Your Data

  • Provide the Service — Process transactions, verify your identity, and enable peer-to-peer payments.
  • Security and fraud prevention — Detect suspicious activity, enforce transaction limits, and comply with anti-money laundering (AML) regulations.
  • Legal compliance — Meet obligations under Nigerian financial regulations, including CBN AML/CFT requirements and NDPA 2023.
  • Service improvement — Analyse anonymised usage patterns to improve reliability and user experience. All analytics data has personally identifiable information stripped before processing.

3. Legal Basis for Processing

  • Contractual necessity — Processing required to provide the payment service you requested.
  • Legal obligation — AML monitoring, KYC verification, transaction record retention (5 years per CBN requirements).
  • Consent — Push notifications and marketing communications (you can opt out at any time in Settings).
  • Legitimate interest — Security monitoring, fraud prevention, and service improvement.

4. Data Sharing

We share your data only when necessary and only with:

  • Flutterwave — Our Nigerian payment partner, for processing deposits and withdrawals. Subject to Flutterwave’s privacy policy.
  • Transak — Our international payment partner, for processing cross-border transfers. Subject to Transak’s privacy policy.
  • Regulatory authorities — When required by law, including suspicious transaction reports (STRs) to the Nigerian Financial Intelligence Unit (NFIU).

We never sell your personal data. We never share your data for advertising purposes.

5. Data Retention

  • Transaction records: 5 years (CBN AML requirement)
  • KYC verification results: 5 years after account closure
  • Security events: 1 year
  • Session logs: 90 days
  • Push notification logs: 30 days
  • Device fingerprints: 1 year after last activity

Expired data is automatically purged by scheduled processes. Every purge is recorded in an audit log.

6. Data Security

  • Your private key is stored exclusively in your device’s secure enclave (iOS Secure Enclave / Android Keystore). It never leaves your device and is never transmitted to our servers.
  • All communications with our servers use TLS 1.3 encryption.
  • KYC documents are encrypted at rest in Supabase Storage.
  • Database access is controlled by Row Level Security (RLS) policies — you can only access your own data.
  • Rooted or jailbroken devices are detected and blocked from financial operations.

7. Your Rights

Under the NDPA 2023, UK GDPR, and EU GDPR, you have the right to:

  • Access — Request a copy of all personal data we hold about you. Available in Settings > Security Centre > Export My Data.
  • Rectification — Correct inaccurate personal data through your profile settings.
  • Erasure — Delete your account and associated data. Available in Settings > Security Centre > Delete Account. Note: we must retain transaction records for 5 years per CBN regulations.
  • Data portability — Export your data in a machine-readable format.
  • Withdraw consent — Opt out of push notifications and marketing at any time in Settings.
  • Object — Object to processing based on legitimate interest.

8. Blockchain Data

TapPay operates on the Celo blockchain. Blockchain transactions are public and immutable by design. Your wallet address and transaction amounts are visible on the public blockchain. We do not control or have the ability to delete on-chain data. We take steps to prevent your wallet address from being linked to your identity on our web services.

9. International Transfers

Your data may be processed in countries outside Nigeria, including the United States (cloud infrastructure) and the European Union (payment partners). All international transfers are protected by appropriate safeguards, including standard contractual clauses and adequacy decisions where applicable.

10. Children’s Privacy

TapPay is not intended for anyone under the age of 18. We do not knowingly collect personal data from children. If we learn that we have collected data from a child under 18, we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated through the app and by updating the date at the top of this page. Your continued use of the Service after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:

Email: privacy@usetappay.app
Address: TapPay Technologies Ltd, Lagos, Nigeria

You also have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) or, for UK/EU residents, with your local data protection authority.