Privacy Policy

This Privacy Policy applies to all information collected through our platform operated by Swaply Technologies Limited (“Swaply”, “we”, “us”), including our website, mobile application, and related services (collectively, the “Service”).

We respect your privacy and are committed to protecting your personal data in compliance with the Nigeria Data Protection Regulation (NDPR) 2019, the Nigeria Data Protection Act (N DPA) 2023, and other applicable data protection laws.

By accessing or using our Service, you agree to the collection and use of information in accordance with this Policy.

2.1 Personal Identification Information

• Full name, date of birth, and nationality
• Phone number, email address, and residential address
• Government-issued identification (NIN, BVN, passport, driver's license, voter's card)
• Bank account details and payment instrument information
• Photograph and biometric data for KYC verification (where required)

2.2 Transaction Information

• Records of airtime, data, electricity, cable TV, and betting purchases
• Crypto buy/sell transactions, wallet addresses, and trade history
• Gift card upload history, redemption values, and payout records
• Flight bookings, payment confirmations, and itineraries
• Wallet top-ups, withdrawals, and transfer history

2.3 Device & Technical Information

• IP address, browser type, device identifiers, and operating system
• Mobile network information and approximate location (city/country level)
• App usage patterns, session duration, and feature interactions
• Crash logs, error reports, and diagnostic data

We use the information we collect for the following purposes:

• To create and manage your Swaply account
• To process transactions and deliver services you request
• To perform identity verification (KYC) and comply with AML/CFT obligations
• To detect, prevent, and investigate fraud, money laundering, and other illegal activities
• To send you service notifications, transaction confirmations, and security alerts
• To provide customer support and respond to your enquiries
• To improve our platform, develop new features, and personalize your experience
• To comply with applicable laws, regulations, and lawful orders from authorities

Under the NDPR, we process your personal data on the following legal bases:

• <strong>Consent</strong> — where you have given clear, specific, and informed consent
• <strong>Contract</strong> — where processing is necessary to perform our contract with you
• <strong>Legal obligation</strong> — where we must comply with applicable laws (e.g., AML/CFT)
• <strong>Legitimate interest</strong> — for fraud prevention, security, and service improvement, balanced against your rights

We do not sell your personal data. We may share information with the following categories of recipients, only as necessary:

• <strong>Service providers</strong> — payment processors, KYC/AML vendors, telecom and utility partners, cloud hosting, and customer support tools
• <strong>Regulatory authorities</strong> — CBN, NCC, NFIU, EFCC, or other competent authorities where lawfully required
• <strong>Law enforcement</strong> — in response to valid legal process or to protect our rights and users' safety
• <strong>Business transfers</strong> — in the event of a merger, acquisition, or sale of assets, with notice to you
• <strong>With your consent</strong> — for any other purpose disclosed at the time of collection

We use cookies, local storage, and similar technologies to operate the Service, remember your preferences, and measure performance. You can control cookies through your browser settings; however, disabling certain cookies may limit functionality.

See our full Cookie Policy for details.

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, regulatory, tax, accounting, or reporting requirements.

Typical retention periods:

• Account profile data — for the life of the account plus 7 years after closure
• Transaction records — minimum 7 years (regulatory requirement)
• KYC documents — minimum 5 years after the end of the business relationship
• Support correspondence — 3 years from last interaction
• Marketing data — until you withdraw consent

You have the following rights regarding your personal data:

• <strong>Right of access</strong> — request a copy of the personal data we hold about you
• <strong>Right of rectification</strong> — correct inaccurate or incomplete data
• <strong>Right of erasure</strong> — request deletion of your data, subject to legal exceptions
• <strong>Right to restrict processing</strong> — limit how we use your data in certain circumstances
• <strong>Right to data portability</strong> — receive your data in a structured, machine-readable format
• <strong>Right to object</strong> — object to processing based on legitimate interest or for direct marketing
• <strong>Right to withdraw consent</strong> — at any time, where processing is based on consent
• <strong>Right to lodge a complaint</strong> — with the Nigeria Data Protection Commission (NDPC)

To exercise any of these rights, contact us at privacy@swaply.ng. We will respond within 30 days, or such shorter period as required by law.

We employ industry-standard administrative, technical, and physical safeguards to protect your personal data, including:

• AES-256 encryption of sensitive data at rest and TLS 1.2+ in transit
• Two-factor authentication (2FA) and strong password enforcement
• Role-based access control (RBAC) and least-privilege principles
• Continuous monitoring, intrusion detection, and regular security audits
• PCI-DSS aligned controls for cardholder data (where applicable)
• Secure, audited data centres with redundancy and backup procedures

Some of our service providers and infrastructure may be located outside Nigeria. Where we transfer your data internationally, we ensure that adequate safeguards are in place, such as:

• Transfers to jurisdictions with adequate data protection as recognized by the NDPC
• Binding contractual clauses and data processing agreements
• Explicit consent for specific cross-border transfers where required

Our Service is not directed to individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, please contact us so we can delete it promptly.

Our Service may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to read their privacy policies before providing any personal data.

We may update this Privacy Policy from time to time. The “Last updated” date at the top of this page reflects when the policy was last revised. Material changes will be notified to you via email or in-app notice before they take effect.

For any questions, comments, or requests regarding this Privacy Policy or our data practices, please contact our Data Protection Officer (DPO):