Privacy Policy

Your Privacy Matters. This Privacy Policy explains how Bluecole Technologies Limited ("Bluecole," "we," "us," or "our") collects, uses, processes, and protects your personal data in compliance with the Nigeria Data Protection Act (NDPA) 2023 and the General Application and Implementation Directive (GAID) 2025. This policy applies to all users of our B2B cross-border payment and financial services platform.

1. Data Protection Framework

1.1 Legal Compliance

Bluecole processes personal data in strict compliance with:

• Nigeria Data Protection Act (NDPA) 2023
• General Application and Implementation Directive (GAID) 2025
• Central Bank of Nigeria (CBN) Consumer Protection Framework
• Nigerian Communications Commission (NCC) Regulations
• International data protection standards for cross-border operations

1.2 Our Role as Data Controller

Bluecole acts as a Data Controller for personal data collected through our platform. We determine the purposes and means of processing your data and that of your authorized users. We are registered with the Nigeria Data Protection Commission (NDPC) as a Data Controller of Major Importance under Section 44 of the NDPA.

1.3 Data Protection Officer

We have appointed a qualified Data Protection Officer (DPO) who oversees our data protection practices and serves as your primary contact for privacy matters. Contact details are provided in Section 11.

2. Personal Data We Collect

To provide our B2B cross-border payment services, we collect and process the following categories of personal data:

2.1 Business Account Information

• Company name, registration number, and tax identification
• Business address and contact details
• Authorized representatives' names, email addresses, and phone numbers
• Job titles and roles within your organization

2.2 Identity Verification Data

• Government-issued identification (BVN, National ID, International Passport, Driver's License)
• Proof of address documents
• Facial biometric data for identity verification (where required by regulation)
• Corporate registration documents and beneficial ownership information

2.3 Financial Data

• Bank account details and transaction information
• Payment instructions and beneficiary details
• Transaction history and account balances
• Credit assessments and financial statements (where applicable)

2.4 Technical and Usage Data

• IP addresses, device identifiers, and browser information
• Login credentials and authentication data
• Platform usage patterns, session data, and interaction logs
• Location data derived from IP addresses

2.5 Communications Data

• Customer support correspondence and chat transcripts
• Email communications and preferences
• Survey responses and feedback

3. Legal Basis for Processing

We process your personal data based on the following lawful grounds under Section 25 of the NDPA:

3.1 Contractual Necessity

Processing is necessary to perform our contract with you, including:

• Account setup and management
• Transaction processing and payment execution
• Service delivery and customer support
• Platform functionality and security

3.2 Legal Obligation

We process data to comply with Nigerian regulatory requirements including:

• Central Bank of Nigeria (CBN) Know Your Customer (KYC) regulations
• Anti-Money Laundering (AML) and Counter-Terrorism Financing (CTF) obligations
• Special Control Unit against Money Laundering (SCUML) reporting requirements
• Financial Intelligence Unit (NFIU) transaction monitoring directives
• Tax reporting and compliance obligations
• Nigeria Data Protection Act (NDPA) 2023 compliance

3.3 Consent

For processing activities that require explicit consent, we obtain your informed, specific, and freely given consent. This includes marketing communications, processing of sensitive personal data, certain cross-border data transfers, and optional data collection beyond service requirements. You may withdraw consent at any time by contacting our Data Protection Officer. Withdrawal does not affect the lawfulness of processing based on consent before withdrawal.

4. Cross-Border Data Transfers

4.1 Transfer Mechanisms

We ensure adequate protection for cross-border data transfers through:

• Standard Contractual Clauses (SCCs): NDPC-approved contractual clauses that impose binding obligations on international data recipients
• Adequacy Determinations: Where the NDPC has determined that a destination country provides adequate protection
• Binding Corporate Rules (BCRs): Internal policies approved by the NDPC for transfers within our corporate group
• Explicit Consent: Where required, we obtain informed consent after disclosing relevant risks

4.2 Recipient Countries

Your data may be transferred to and processed in the following jurisdictions:

• United States of America (banking infrastructure and payment processors)
• United Kingdom (financial services partners)
• European Union member states (SEPA payment processing)
• Singapore (regional hub operations)
• Other jurisdictions as necessary to execute specific payment instructions

4.3 Transfer Documentation

We maintain comprehensive records of cross-border transfers, including the legal basis, destination, recipients, safeguards, and transfer dates. These records are available to the NDPC upon request and to you through our DPO.

5. Your Data Subject Rights

Under the NDPA and GAID 2025, you have comprehensive rights regarding your personal data, including:

• Right to Access
• Right to Rectification
• Right to Erasure (subject to regulatory retention requirements)
• Right to Data Portability
• Right to Object (including direct marketing)
• Right to Withdraw Consent
• Right to Lodge Complaint

11. Contact Information