Privacy Policy

1.1Data Controller. The data controller in respect of personal data processed through the Naira to RMB service is RVO Trading Limited, a private company limited by shares registered in Nigeria with its registered office in Lagos.

1.2Data protection contact. Questions about this Policy or the exercise of your rights may be addressed to privacy@nairatormb.com.

2.1Identification data. Full legal name, Nigerian phone number, email address, and (where you provide it) National Identification Number (NIN). We do not collect or store Bank Verification Numbers (BVN).

2.2Transaction data. For each Request: the Renminbi amount instructed, the Alipay account and recipient name you specify, the rate and fee locked at submission, the unique reference, the bank account from which your Naira transfer originates (as evidenced by the proof you upload), and the proof-of-payment file itself.

2.3Account and audit data. Account credentials (password stored only in hashed form), timestamps of account creation, sign-in, request submission, status changes, and IP address from which significant actions were taken.

2.4Communications data. Records of correspondence between you and our desk (email and WhatsApp).

2.5Compliance data. Any further information you are asked to provide pursuant to our KYC, source-of-funds or sanctions screening obligations.

We process your personal data on the following lawful bases:

3.1Performance of a contract with you, for processing necessary to operate your account, accept and process Requests, communicate status updates, issue refunds and exercise our contractual rights.

3.2Compliance with a legal obligation to which we are subject, including obligations under the Money Laundering (Prevention and Prohibition) Act 2022, the Terrorism (Prevention and Prohibition) Act 2022, Central Bank of Nigeria regulations, and tax and record-keeping legislation.

3.3Our legitimate interests, where these are not overridden by your rights, including the prevention of fraud, the security of the Service, the recovery of funds, the defence of legal claims and the development of the Service.

3.4Your consent, where required, in particular for optional processing such as marketing communications. Consent may be withdrawn at any time without affecting prior lawful processing.

4.1To create and operate your account on the Service.

4.2To verify your identity and to discharge our anti-money- laundering, counter-terrorism, sanctions screening and other regulatory obligations.

4.3To accept, verify, settle, reject, refund and document each Request.

4.4To communicate with you about your account, your Requests, the status of any settlement, refunds and any matter relating to the Service.

4.5To detect, prevent and investigate fraud, suspected fraud, abuse of the Service and other risks.

4.6To maintain records as required by Nigerian law and to defend or assert legal claims.

We share personal data only with those recipients reasonably necessary for the purposes set out above:

5.1Service providers engaged by us as data processors, in particular: our hosting and database provider (Supabase, Inc.), our application hosting provider (Vercel, Inc.), our transactional email provider (Resend, Inc.), and analogous providers from time to time. Each is bound by appropriate contractual confidentiality and data-protection obligations.

5.2Alipay. In respect of each Request, we transmit to the Alipay platform (operated by Ant Group Co., Ltd. and its affiliates) the recipient details and amount necessary to effect settlement.

5.3Banks. Our Nigerian bank and any correspondent institutions involved in receiving your Naira transfer.

5.4Regulators and authorities. Where required by law, court order or by request of a competent authority, including the Nigeria Data Protection Commission, the Central Bank of Nigeria, the Nigerian Financial Intelligence Unit, the Federal Inland Revenue Service and law-enforcement agencies.

5.5Professional advisers bound by duties of confidentiality.

5.6Successors in business. In the context of any actual or prospective sale, merger, restructuring or insolvency.

6.1The operation of the Service necessarily involves transfers of personal data outside Nigeria. Hosting, database and email providers may store and process data in the United States or the European Union. Settlement to Alipay involves transfer of recipient details to the People’s Republic of China.

6.2We rely on the lawful-transfer mechanisms permitted by the Nigeria Data Protection Act 2023 and the Nigeria Data Protection Commission’s regulations, including contractual safeguards, your consent (where applicable) and the necessity of the transfer for the performance of our contract with you.

7.1We retain personal data for the period necessary to fulfil the purposes for which it was collected and to comply with our legal obligations, including record-keeping obligations under applicable Nigerian law.

7.2In particular, transaction records and proof-of-payment files are retained for a minimum of seven (7) years after the date of the relevant Request, in line with prevailing anti-money- laundering and tax record-keeping requirements. Where you close your account before the end of this period, identifying data will be retained in a restricted form solely for compliance purposes until expiry of the retention period.

7.3Correspondence and account data not necessary for legal record- keeping is retained for three (3) years from the date of last use.

Subject to the conditions and limitations of the Nigeria Data Protection Act 2023, you have the following rights:

8.1Right of access to confirmation of whether we process your personal data and a copy of that data.

8.2Right to rectification of inaccurate or incomplete personal data.

8.3Right to erasure of your personal data where there is no overriding lawful basis for continued processing. We may refuse erasure to the extent we are required by law to retain data (including the seven-year retention referred to in Section 7).

8.4Right to restriction of processing in defined circumstances.

8.5Right to object to processing based on our legitimate interests.

8.6Right to data portability in respect of data you provided to us, where this is technically feasible.

8.7Right to withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.

8.8How to exercise. Requests to exercise these rights may be sent to privacy@nairatormb.com. We may ask you to verify your identity before responding. We respond within thirty (30) days of receipt, or within such longer period as may be permitted by law.

9.1We use first-party cookies that are strictly necessary for the operation of the Service (in particular, for authentication and session management). These cookies cannot be disabled without breaking the Service.

9.2We do not currently use third-party advertising cookies, tracking pixels for behavioural advertising, or cross-site tracking technologies.

9.3Where we introduce optional analytics or performance cookies in future, we will obtain your consent in accordance with applicable law.

The Service is not intended for, and is not offered to, persons under the age of eighteen (18). We do not knowingly collect personal data from such persons. If you become aware that a child has provided personal data to us, please notify us at privacy@nairatormb.com so that we can delete it.

11.1We implement reasonable technical and organisational measures to safeguard personal data, including transport-layer encryption, encryption at rest by our hosting providers, role- based access control, audit logging and storage of proof-of- payment files in a private, access-controlled bucket.

11.2No system can guarantee perfect security. You are responsible for the confidentiality of your account credentials and for any activity undertaken with them.

11.3Where required by law, we will notify the Nigeria Data Protection Commission and, where applicable, affected data subjects of any personal-data breach.

We may amend this Policy from time to time. The version number and effective date are displayed at the top of this page. Material changes will be notified to you by email or through the Service prior to taking effect.

If you believe your rights under the Nigeria Data Protection Act 2023 have been infringed, you may lodge a complaint with us at privacy@nairatormb.com or with the Nigeria Data Protection Commission at the address published on its official website.

Terms used in this Policy have the meanings given in the Nigeria Data Protection Act 2023 unless otherwise expressly defined.