Privacy and Data Policy

Currex Financials Limited, referred to as "Currex," is a company that specializes in providing an online payment platform and an electronic Point-of-Sale (PoS) deployment and support service. These services enable users to make seamless, stress-free payments for desired goods and services both online and at physical retail locations. At Currex, we prioritize the protection of our consumers' and users' personal data, committing ourselves to transparency, accountability, and confidentiality in data handling. Our Privacy and Cookie Policy (“Privacy Policy”) is designed to describe how we collect, use, store, share, and protect personal data from Website Visitors, Currex Users, and/or Vendors (“Data Subjects”) who engage with our services. This policy is applicable to our website and all related sites, applications, services, and tools (collectively, our “Services”).

While our services primarily target businesses and organizations (“Merchants”), we acknowledge that individual consumers may interact with us through Merchants or website visits. We are dedicated to responsibly processing personal data for all parties involved. We generally process personal data at the direction of and on behalf of Merchants, acting as a service provider or a “Data Processor” to those Merchants. However, we do not control and are not responsible for the privacy practices of those Merchants. If you are a Customer of a Currex Merchant, we recommend reviewing that Merchant’s Privacy Policy and directing any privacy inquiries to them. For Merchants, please refer to the Merchant Privacy Policy.

This Privacy Policy does not extend to services not owned or controlled by Currex, including third-party websites and the services of Currex's Merchants. Our policy applies to all forms of systems, operations, and processes within the Currex environment that involve processing personal data.

In offering our Services, Currex may develop different products as part of the Services.

When you opt in to use one of our products, we use your data for specific purposes, such as providing and improving the service. We may also share your data with subprocessors and partners, but only as necessary to offer the service you have opted into. We handle your personal data in line with the purposes and methods outlined in this Privacy Policy.

1. The Information we Collect

The personal data we collect depends on how you interact with us, the services you use, and the choices you make. We may collect information from different sources and in various ways, including information you provide directly, information collected automatically, third-party data sources, and data we infer or generate from other data.

1.1 Personal Data You Provide Directly

We collect personal data you provide to us. For example:

• Contact information: As part of our operations, Currex may collect information such as your name, telephone number, email address, address, bank verification number, driver's license, national identification number, voter's card, etc., to provide you with certain services.
• Payment information: If you make a purchase or other financial transaction, such as when you checkout with Currex on a Merchant’s website, we collect financial account information, and other payment details.
• Communications: If you contact us directly, for example, with an inquiry or a support request, we may receive additional personal data about you, including your email address and the content of your communications.
• Liveness Information with our third party API face detection.

Our App utilizes third-party technologies to recognize your device and understand your usage patterns. This helps us improve our services and personalize advertisements based on your interests.

Specifically, our partners collect information about your activity on our App(s) to:

• Measure and analyze traffic and browsing activity.
• Provide personalized advertisements.

1.2 Personal Data We Collect Automatically

When you use the Currex App and Services, we collect information directly from you. This may include your name, email, phone number, date of birth, address, password, face liveness, documents, and government identification number.

If you link a bank account or payment method, we may collect account numbers, routing numbers, bank card numbers, IBANs, or other relevant account information. Additional information may be requested for verification, legal purposes, or other reasons.

• Device Information: We receive information about the device and software you use to access our Services, including Internet Protocol (IP) address, web browser type, operating system version, and device identifiers.
• Usage Information: To help us understand how you use our Services, including the Demo portion of our website, and to help us improve them, we automatically receive information about your interactions with our Services. This information includes records of your transactions and information about your other activities related to our services, such as the date and time of your sessions, the pages you view, links to/from any page, and time spent in a session. Some of the data we gather through cookies and similar technologies as discussed below.
• Location Information: We may collect or infer your general location information when you use our Services. For example, your IP address may indicate your general geographic region, which will be matched against our IP whitelist.
• In the Currex app, we require user addresses for KYC. To access enhanced financial services and reach the tier 3 KYC level, customers need verified addresses. Our app's address verification feature requires background monitoring and location updates. This ensures accurate address verification. The feature requests location permission and verifies after multiple checks. We acknowledge potential battery impact and mitigate it by monitoring only registered locations. This "Location" background mode is vital for our app's core functionality, as the attached video demonstrates.
• We also require user addresses for KYC. To access enhanced financial services and reach tier 3 KYC, customers need verified addresses. Our address verification feature requires background monitoring and location updates for accuracy. This feature requests location permission and verifies addresses after multiple checks. We acknowledge potential battery impact and mitigate it by monitoring only registered locations. This "Location" background mode is vital for our app's core functionality.
• Liveness Information: Our third party provider requires facial information to ensure a liveness check before an account opening is processed.

1.3 Personal Data That We Receive from Others

• Partners: We may retrieve additional personal data about you from third parties and other identification/verification services, such as your financial institution and payment processor. We may combine that data with other information we have about you.
• Publicly available sources: We may also gather additional data about you from public sources of information, such as open government databases.
• Inferences: We may infer additional Personal Data based on the Personal Data described above. For example, we may infer your interests for App users or website visitors based on the App use or web pages you view.

When you are asked to provide personal data, you may decline. We may also collect information from third-party services, such as identity verification sources or public databases. You may also use App or web browser or operating system controls to prevent certain types of automatic data collection. However, if you choose not to provide or allow information necessary for certain services or features, those services or features may not be available or fully functional.

2. How We Use Personal Information

We use the Personal Data we collect to:

• Improve and provide Currex Apps and Services.
• Provide customer service and security notices.
• Detect and prevent fraud, money laundering, and other illegal activities.
• Comply with regulatory requirements.
• Personalize and manage user experiences.
• Provide you with the required services in addition to related products and services of interest
• Respond to your questions or requests
• Improve App features and website content, and analyse data to develop products and services
• Address inappropriate use of our App or website
• Prevent, detect and manage risk against fraud and illegal activities using internal and third-party screening tools
• Send you marketing content, newsletters and service updates curated by Currex (only with your explicit consent)
• Verify your identity and the information you provide in line with Currex’s statutory obligations using internal and third-party tools
• Maintain up-to-date records
• Resolve disputes that may arise, including investigations by law enforcement or regulatory bodies.

Any other purpose that we disclose to you in the course of providing Currex services to you

2a. On TrueDepth API - What information is your app collecting

We use ARKit to capture face 3D spatial orientation and facial expressions.

For what purposes are you collecting this information

We use this data to ensure the selfie being taken is of a live user for authentication and fraud reduction purposes.

Will the data be shared with any third parties

The ARKit information is processed entirely locally and the spatial orientation/facial expression data is not submitted to any third (or first) parties
 

3. How We Share Personal Data

Currex does not sell, trade or rent personal data to anyone. Further, we will not share or disclose your data with or to a third party without your consent except as necessary to provide the Services or as described in this Privacy Policy.

Merchants. We may share your contact information with merchants as part of your purchase details for record purposes. We will not share this information with other third parties except as a necessary part of providing our website and services. We do not share your card information with merchants. Please review your merchant’s privacy policy to understand the privacy policies guiding the merchant you transact with.

Service providers. We share personal data with vendors or agents working on our behalf for the purposes described in this statement. For example, companies we've hired to provide customer service support, to protect and secure our systems and services, or to perform sanctions screening and identity verification services may need access to personal data to provide those functions. The processing by such third parties shall be governed by a written contract with Currex to ensure adequate protection and security measures are put in place for the protection of personal data in accordance with the terms of this Privacy Policy.

Financial services & payment processing. When you provide payment data, for example, to make a purchase, we will share payment and transactional data with banks and other entities as necessary for payment processing, fraud prevention, credit risk reduction, or other related financial services.

Affiliates. We enable access to personal data across our subsidiaries, affiliates, and related companies, for example, where we share common data systems or where access is needed to provide services and operate our business.

Partners. We may share your data with companies we partner with for industry networking events, mixers, and other learning and development opportunities, but only with your explicit consent and with the option to opt out.

Corporate transactions. We may disclose personal data as part of a corporate transaction or proceeding such as a merger, financing, acquisition, bankruptcy, dissolution, transfer, divestiture, or sale of all or a portion of our business or assets.

Legal and law enforcement. We may access, disclose, and preserve personal data in accordance with applicable law and when we believe that doing so is necessary to comply with applicable law or respond to valid legal processes, including from law enforcement or other government agencies.

Security, safety, and protecting rights. We will disclose personal data if we believe it is necessary to:

protect our Users and others, for example, to prevent fraud or to help prevent the loss of life or serious injury of anyone;

operate and maintain the security of our services, including to prevent or stop an attack on our computer systems or networks; or

protect the rights or property or ourselves or others, including enforcing our agreements, terms, and policies.

We leverage third-party analytics to analyse personal data collected through our website and apps, including account information, marketing and communications data, demographic data, content and files, geolocation data, usage data, and inferences associated with identifiers and device information (such as cookie IDs, device IDs, and IP address) as described in the Cookies section of this statement. This data is aggregated and enables us to perform analytics and track the performance of our website. For example, we use Google Analytics on our website to help us understand how users interact with our website; you can learn how Google collects and uses information at www.google.com/policies/privacy/partners.

Finally, we may share de-identified information in accordance with applicable law.

Please note that merchants, sellers, and other Users you buy from or contract with have their respective privacy policies, and although Currex’s Merchant Terms of Use does not allow the other transacting party to use your information for anything other than as authorised by you, Currex is not responsible for their actions, including their data protection practices. If you provide personal data to any of those third parties or allow us to share personal data with them, that data is governed by their privacy policies.

4. Cookies

We and our partners use cookies and similar technologies on our website to help collect information and operate the site. We use cookies to remember Users and make your user experience easier; customise our services, content and advertising; help you ensure that your account security is not compromised; mitigate risk and prevent fraud; and to promote trust and safety on our website. Cookies are small text files placed by a website and stored by your browser on your device. You can learn more about the types of cookies we use through the Cookie Banner on our website.

Our cookies hold a unique random reference to you so that once you visit the site, we can recognise who you are and provide certain content to you.

Most web browsers are set to accept cookies by default. You can go to your browser settings to learn how to delete or reject cookies. If you choose to delete or reject cookies, this may impact your experience using our website.

5. How We Protect your Information

Currex has established adequate technical and organisational controls to protect the integrity and confidentiality of personal data, both in digital and physical format and to prevent personal data from being accidentally or deliberately compromised.

Currex is committed to managing your data in line with applicable data protection laws and best practices. We protect your data using physical, technical, and administrative security measures to reduce the risks of loss, misuse, unauthorised access, disclosure and alteration, we also use industry-recommended security protocols to safeguard your data. Other security safeguards include but are not limited to data encryption, firewalls, and physical access controls to our building and files. They only grant access to personal data to employees who require it to fulfil their job responsibilities. Employees may have access to personal data only as is appropriate for the type and scope of the task in question and are contractually forbidden to use personal data for their own private or commercial purposes or to disclose them to unauthorised persons, or to make them available in any other way.

In compliance with the Payment Card Industry Data Security Standard (PCI DSS Requirements”), we implement access control measures, security protocols and standards, including the use of encryption and firewall technologies to ensure your card information is safe and secure in our servers, additionally, we implement periodical security updates to ensure that our security infrastructures are in compliance with reasonable industry standards.

Two-factor authentication (“2FA”) is an additional layer of security we have added to your account. When 2FA is enabled, you will be required to enter a One Time Password (OTP) (which is a verification code we have sent to you for authentication purposes), each time you checkout using Currex on a Merchant’s website or platform. While we encourage you to enable this feature on every transaction, you may disable the 2FA feature after your initial enrolment by clicking on the toggle button to disable it. However, if you choose to disable this feature, you agree that Currex shall not be liable for any loss or damages incurred due to your action.

Personal Data Breach

At Currex, we take the security of personal data seriously and have implemented measures to prevent data breaches from occurring. However, in the event of a data breach, we have established procedures for reporting and managing incidents. Currex also maintains a data breach procedure to deal with incidents concerning personal data or practices leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. You may contact our Data Protection Officer (DPO) upon becoming aware of any breach of personal data or if your access credentials have been compromised to enable us to take the necessary steps towards ensuring the security of your data or account.

When we become aware of a data breach that affects personal data, we will notify the affected individuals and relevant authorities in accordance with applicable data protection laws and regulations. The notification will include the following information: The notification will include the following information:

A description of the nature of the data breach, including the categories of personal data involved

The likely consequences of the data breach

The measures taken or proposed to be taken by Currex to address the data breach, including any measures to mitigate its possible adverse effects

We will notify affected individuals without undue delay, but no later than 72 hours after becoming aware of the data breach, unless there are exceptional circumstances that prevent us from doing so. We will also record any data breaches and provide this information to the relevant authorities upon request.

We encourage all users and customers to take reasonable steps to protect their data, such as using strong passwords, regularly updating their account information, and reporting any suspicious activity to us immediately.

We will report any breaches that will compromise your rights and freedoms to the Relevant Authority within 72 hours of discovery.

6. Storage Limitation

We will retain your information for the following periods:

• As long as reasonably necessary for providing our services to you
• For the duration your account is active (if applicable) and we have your consent
• For the period needed to comply with our legal and statutory obligations
• As needed to verify your information with a financial institution
• We employ physical, technical, and administrative security measures to protect your personal information from unauthorized access, alteration, disclosure, or misuse.

Currex is statutorily obliged to retain the data you provide to process transactions, ensure settlements, make refunds, identify fraud and comply with applicable laws and regulatory guidelines.

Under Nigeria’s Money Laundering (Prevention and Prohibition) Act, we are mandated to retain transactional records (customer and beneficiary names, addresses, identification number, amount, currency etc.) for at least five years following the completion of the transaction. Under the Central Bank of Nigeria’s Framework for Mobile Payment Services in Nigeria, Currex must maintain records of identification data, account files and relevant business correspondence for seven years following the termination of an account and/or business relationship. We keep our data retention policy under regular review.

Upon expiration of the applicable storage limitation periods, we will delete, erase, anonymise or pseudonymise any information we hold about you.

This Privacy Policy also applies when we retain your Personal Information after our relationship ends. We may also retain your Personal Information for the duration of any period necessary to establish, exercise or defend any legal rights. We may keep Personal Information indefinitely in a de-identified format for statistical purposes, which may include, for example, statistics of how you use the Services.

7. Transfer of Data

As part of our service provision, we may rely on third-party servers, resident in foreign jurisdictions, which constitutes transferring your data to computers or servers in foreign countries. An example is Currex’s use of AWS as a cloud storage solution, with servers in Ireland. We take steps designed to ensure that the data we collect under this Privacy Policy is processed and protected according to the provisions of this Policy and applicable law, wherever the data is located.

At Currex, we take the security of personal data seriously. When personal data needs to be transferred to a country outside of Nigeria, we implement adequate measures to ensure the data remains secure. We comply with all relevant data protection regulations and guidelines to ensure that personal data is always protected. Specifically, we use contractual terms to ensure that the personal data is adequately protected or that the country to which the data is being transferred has adequate data protection laws in place. We take additional measures to ensure that the country to which the data is being transferred meets our standards for data protection.

We may share your information with:

• Third-party service providers for fraud prevention, identity verification, and other services.
• Legal, marketing, and audit service providers.
• Advertising agencies for marketing purposes.
• Law enforcement agencies or government officials when required by law.

Your personal data may be transferred to foreign countries for legitimate purposes, such as cloud storage or fraud prevention. We ensure that such transfers comply with applicable data protection laws.

By using the Currex App and Services, you consent to the transfer, storage, or processing of your personal data.

Should you wish to transfer your personal data to a country deemed to have inadequate data protection laws, Currex will take all necessary steps to ensure that it is transferred under relevant, appropriate safeguards, and where relevant, with your informed consent, and that you are made aware of the risks associated with such a transfer. In any instance, Currex will ensure personal data is transmitted safely and securely. Details of the protection given when your data is transferred abroad and details of the basis of such transfers shall be provided to you upon request.

8. Grounds for Processing of Personal Data

Processing of Personal Information by Currex wil lbe lawful if one of the following applies:

the Data Subject has given consent to the processing of his/her Personal Information for one or more specific purposes. You can revoke your consent by closing your Currex account (where applicable) and/or by emailing us;

the processing is necessary for the performance of a contract to which the Data Subject is party or to take steps at the request of the Data Subject prior to entering into a contract;

processing is necessary for compliance with a legal obligation to which Currex is subject;

processing is necessary for legitimate interests pursued by Currex or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data; and

processing is necessary for the performance of a task carried out in the public interest or in exercise of official public mandate vested in Currex.

9. Choices and Rights

At Currex we respect the rights of our customers and users, and we allow you to exercise them under the applicable data protection laws and regulations. Individuals who have Personal Information held by Currex are entitled to reach out to Currex to exercise the following rights:

Right to request for and access any Personal Information collected and stored by Currex. This right allows you to request a copy of your personal information held by Currex. To exercise this right, you can submit a request to the Data Protection Officer (DPO) or to our Data Subject Rights Team at hello@Currex.com;

Right to be informed regarding the use of your Personal Information;

Right to be informed about appropriate safeguards in place whenever your personal information is transferred abroad;

Right to object to automated decision making and processing. You have the right to object to the processing of your personal information and to exercise this right you can submit a request to the DPO or our Data Subject Rights Team;

Right to request rectification and modification of Personal Information whenever you want us to correct your inaccurate or incomplete personal information which Currex keeps;

Right to request the deletion of their personal information;

Right to request the movement of your personal information from Currex to a third party - this is the right to the portability of data;

Right to revoke consent;

Right to object to direct marketing, and to request that Currex restricts the processing of their information; and

Right to submit a complaint to the Nigeria Data Protection Commission (NDPC).

Your request will be reviewed and answered by Currex’s Data Protection Officer within a 30-day period.