Information we hold about you will often come from you directly (for example, when you apply for a new product or services). The personal data we collect may include but not limited to the following:

• Identity Data
• Contact Data
• Financial Data
• Transactional Data
• Technical Data
• Profile Data
• Job Application Data
• Usage Data
• Marketing and Communications Data.
• Others: We may collect CCTV/video footage when you visit our premises, as well as recordings of telephone conversations made through any of our contact Centre lines.

We use your personal information for the following purposes:

• To offer and provide our Products and Services tailored to meet your unique needs.
• To fulfil the terms of any service contract(s) you might have with us.
• To improve your service experience with us.
• To conduct our business.
• To manage our relationship with you.
• To comply with Laws and Regulations.
• To provide information to Credit Agencies.
• To update your records.
• To develop statistics as may be required
• To comply with our Internal Policies.
• To communicate with you when necessary.

Xpress Payment Solutions Limited will limit the collection and use of your personal information for the stated purposes.

We strive to ensure your personal information is accurate. Data Subject Access Rights (DSARs) are legal rights that grant Data Subjects control over their personal data, empowering them to understand how organizations collect, process, and use their information. According to the provision of Nigerian Data Protection Act 2023 (NDPA), data subjects have certain rights. Key rights include the right to be informed, right to access their data, right to rectification (correction) of inaccurate data, right to erasure (deletion) of data, and right to restrict processing. These rights are established by data protection laws like NDPA/GDPR and ensure individuals' control and protection over their personal data. Data Subjects can exercise these rights by making a Data Subject Access Request (DSAR) to the organization holding their data. please contact our Data Privacy Officer (details in Section 11). We will respond within a reasonable timeframe.
Key Data Subject Access Rights:

• Right to be Informed: Individuals have the right to know what personal data is being collected, why it's being collected, its purposes, and who it's shared with.
• Right to Access: This is a common request where individuals ask for a copy of the personal data a company holds about them and details of its processing.
• Right to Rectification: Individuals can request that inaccurate or incomplete personal data held by an organization be corrected.
• Right to Erasure: Also known as the "right to be forgotten," this allows individuals to request the deletion of their personal data under certain circumstances, such as when the original purpose for collection no longer applies.
• Right to Restrict Processing: Individuals can request that an organization limits how it uses their personal data, for example, if they are contesting the accuracy of the data.
• Right to Data Portability: This right allows individuals to receive their personal data in a commonly used, machine-readable format and to have it transferred to another data controller.
• Right to Object: Individuals can object to the processing of their personal data for certain purposes, such as direct marketing.
• Right to File a Complaint: Individuals have the right to file a complaint with a data protection authority if they believe their rights have been violated.

We transfer or disclose the personal data we collect to external support providers who are engaged by us to support our internal ancillary processes such as:

• Service providers: We share personal data with vendors or agents working on our behalf for the purposes described in this policy. For example, companies we have hired to provide customer service support, to assist in protecting and securing our systems and services, or to perform sanctions screening and identity verification services may need access to personal data to provide those functions. The processing by such third parties shall be governed by a written contract with Xpress Payment Solutions Limited to ensure adequate protection and security measures are put in place for the protection of personal data in accordance with the terms of this Privacy Policy. We engage trusted third parties to perform services on our behalf. One of such trusted partners is Microsoft Clarity, a behavioral analytics tool (like Hotjar or Google Analytics). Microsoft Clarity records user interactions such as clicks, scrolls, heatmaps, and session replays to help improve user experience and product performance. Xpress Payments Solutions Limited has engaged Microsoft Clarity to support our analytics needs. As part of this engagement, Microsoft may collect personal data from individuals who interact with our website or services.This data helps improve Microsoft’s products and services, supports reporting and performance analysis, and may be used to create user profiles for purposes including advertising.
  Additionally, Microsoft may use non-personal data collected through its services with XpressPayments to further enhance its own products and services.
  For more details on how Microsoft processes data, please refer to their official privacy statement:
  Microsoft Privacy Statement – Microsoft privacy
• Delivering email and mobile messages.
• Processing payments and transactions.
• Conducting research and data analysis to enhance our products and services.

We provide only the minimum necessary personal information for them to perform their duties and require them to protect it from unauthorized use.

• Financial services & payment processing: When you provide payment data, we will share payment and transactional data with banks and other entities as necessary for payment processing, fraud prevention, credit risk reduction, or other related financial services.
• Security, safety, and protecting rights: We will disclose personal data if we believe it is necessary to:
  • protect our merchants and others, for example, to prevent fraud, or to help prevent the loss of life or serious injury to anyone;
  • operate and maintain the security of our services, including preventing or stopping an attack on our computer systems or networks; or protect the rights or property of ourselves or others, including enforcing our agreements, terms, and policies.

Communication Preferences:
We offer you choices regarding how we communicate with you. You may receive business communications via:

• Email
• SMS
• Phone Call
• Hard copy Letter

We will continue using these channels for the duration of our business relationship. Certain records may be retained for compliance, record-keeping, or analysis purposes, as permitted by law.

Rights of Data Subject:
We strive to ensure your personal information is accurate. You have the right to view, correct, or update your personal contact details. To do so, please contact our Data Privacy Officer . We will respond within a reasonable timeframe.

We share your personal information only as described below:

Third-Party Service Providers:
We engage trusted third parties to perform services on our behalf. One of such trusted partners is Microsoft Clarity, a behavioral analytics tool (similar to Hotjar or Google Analytics). Microsoft Clarity records user interactions such as clicks, scrolls, heatmaps, and session replays to help improve user experience and product performance. Xpress Payments Solutions Limited has engaged Microsoft Clarity to support our analytics needs. As part of this engagement, Microsoft may collect personal data from individuals who visit or use our websites/products. This data helps improve Microsoft’s products and services, supports reporting and performance analysis, and may be used to create user profiles for purposes including advertising. Additionally, Microsoft may use non-personal data collected through its services with XpressPayments to further enhance its own products and services. For more details on how Microsoft processes data, please refer to their official privacy statement: Microsoft Privacy Statement – Microsoft privacy

• Delivering email and mobile messages
• Processing payments and transactions.
• Conducting research and data analysis to enhance our products and services.

We provide only the minimum necessary personal information for them to perform their duties and require them to protect it from unauthorized use.

Sale or Transfer of Business
If Xpress Payments is involved in a sale, merger, or transfer of business assets, your personal information may be transferred to the new owner, subject to equivalent privacy safeguards.

Legal Requirements
We may disclose personal information:

• To protect and defend our rights and property (including enforcement of valid agreements).
• When required by law, regulation, or public authority.

Xpresspayments will always ensure that your personal information is adequately protected. We have put in place processes and technologies to ensure that your personal information is not modified, lost, damaged or destroyed. Our people are trained to ensure that your personal information is not disclosed and safe as stated in this policy. Where access and use of our products require authentication of the user, you shall be responsible for the use and safety of your authentication credential(s) including but not limited to Username, Personal Identification Number (PIN), Password, One Time Passwords (OTP) and Token (Where Applicable).

Your personal information may be stored or processed in countries outside your own. We ensure that such transfers comply with applicable data protection laws and maintain adequate safeguards regardless of location

In the unlikely event of violation of any of your rights to a data subject, our Data Protection Officer shall, within 30 days of our notice of the said violation, address the issue and redress the violation as practicable as possible. The available remedies include but not limited to correction or deletion of your data, grant of access to your data, due information on the processing of your data, restriction on further processing and other applicable remedies as the relevant laws prescribe.

This privacy policy is reviewed periodically and when there is any substantial change to business or regulatory requirements. The revised Privacy Policy will be effective as of the published updated date. At the minimum, we shall review this annually and communicate via our communication channels such as Website, Social Media Accounts etc. If the revised version includes a substantial change, we may notify you of the change using emails or other means.

Xpress Payment Solutions Limited ensures that the personal data collected and processed is necessary for the purpose of collection, and Xpress Payments shall not collect or process more data than is reasonably required for a particular processing activity. In addition, every processing purpose has at least one lawful basis for processing to safeguard the rights of the data subjects, as listed below:

Purpose of Processing

• Account Management: Managing customer accounts, transactions, and providing banking services.
• Fraud Prevention: Detecting, preventing, and investigating fraudulent activities to protect customers and the bank.
• Customer Support: Addressing inquiries, resolving complaints, and providing support services to customers.
• Internal Reporting and Analysis: Generating reports, conducting analysis, and making strategic decisions based on aggregated and anonymized data.
• Business Development: Identifying market trends, developing new products or services, and improving overall business operations.
• Compliance with Legal Obligations: Fulfilling legal and regulatory requirements imposed.

Lawful Basis of Processing

• Performance of a contract: Processing personal data is necessary for the performance of a contract to which the data subject is a party (e.g., opening and maintaining a bank account).
• Legitimate interests: Processing personal data is necessary for the legitimate interests pursued by the bank or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
• Legal obligation: Processing personal data is necessary for compliance with a legal obligation to which the bank is subject (e.g., reporting suspicious transactions to regulatory authorities).
• Consent: Processing personal data is based on the data subject's consent, which must be freely given, specific, informed, and unambiguous. Data subjects have the right to withdraw consent at any time.

We may also utilize information about you that is collected by third parties and other service partners to better serve your needs. Please note that these third-party sources are not controlled by Xpress Payment; therefore, we are not responsible for how they use your information.

Our digital platform is not intended for use by minors under the age of eighteen (18) years. Xpress payment Solutions Limited does not knowingly collect or disclose the personal data of minors under 18 years of age. If you are under 18 years old, please do not provide any personal data even if prompted to do so. If you believe that you have inadvertently provided personal data, please ask your parent(s) or legal guardian(s) to notify us and we will delete your personal data.

We will retain your personal information for 10years or as may be required by law, regulation, the internal policies of Xpress Payment Solutions Limited. This retention period has been established to enable us to use the personal data for the necessary legitimate purposes identified, in full compliance with the legal and regulatory requirements.

If you have any general questions or concerns regarding this Privacy Policy or how we handle your personal data, please contact our Data Privacy Officer:

We will respond to your concerns within 30 days of receiving your notice.

You also have the right to lodge a complaint directly with the supervisory authority, Nigeria Data Protection Commission (NDPC) where you suspect any misconduct or violations of the above listed rights in section.

I have read all the terms and conditions within this Notice and hereby agree to the use of my personal data for the above-mentioned purposes.