This Privacy Policy explains how Oro Technologies Ltd ("Oro Technologies", "KoolPay", "we", "us", or "our") collects, uses, discloses and safeguards your information when you access or use the KoolPay mobile application, website and related services (collectively, the "Platform").
Oro Technologies Ltd respects your privacy and is committed to protecting your personal data. This Policy applies to all users who access or use our Platform and is designed in compliance with the Nigeria Data Protection Act (NDPA) 2023, the Nigeria Data Protection Regulation (NDPR) 2019, and — where applicable — the General Data Protection Regulation (GDPR) and other relevant data protection standards.
In short: we only collect the data we need to run your wallet, verify your identity, process your transactions, keep your money safe, and meet our legal obligations. We never sell your personal data.
1. Consent
By creating a KoolPay account or using our services, you consent to the collection, processing and storage of your personal data in accordance with this Policy and applicable laws. You may withdraw your consent at any time by contacting our Data Protection Officer (DPO) at the address in Section 14. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal, nor any processing we are required to perform to meet legal, regulatory or contractual obligations.
We may amend this Policy from time to time by posting a revised version on our Platform. The revised version becomes effective seven (7) days after publication, unless a longer notice period is required by law.
2. Information we collect
We collect the following categories of data when you onboard and as you use the Platform:
a. Personal & identity information
- Full name, date of birth and gender.
- Contact details — phone number and email address.
- Identity verification data — National Identification Number (NIN), Bank Verification Number (BVN), government-issued ID and a selfie/liveness image used for KYC.
- Residential or billing address (required for certain products such as USD virtual cards).
b. Financial & transaction data
- Wallet balance, ledger entries and full transaction history (airtime, data, bills, education, gift cards, crypto and card activity).
- Linked bank account and payout details used for cash-outs.
- Crypto wallet/transaction references provided when you sell digital assets.
- Virtual card details and card transaction records, handled through our licensed card-issuing partner.
c. Technical & usage data
- Device identifiers, device model, operating system and push-notification tokens.
- IP address, app version and approximate location derived from your IP.
- Log data, in-app activity and security events (e.g. login, device-trust and PIN events).
The personal information we ask for, and the reasons we ask for it, will be made clear to you at the point of collection. If you contact our support team, we may also receive the contents of your message and any attachments you choose to provide.
3. How we use your information
We use your information to:
- Create, operate and maintain your account and wallet.
- Authenticate your identity and secure your account (PIN, biometrics, trusted devices).
- Process your transactions and deliver the services you request.
- Verify your identity and meet KYC, AML and other statutory obligations.
- Detect, prevent and investigate fraud, abuse and unauthorised access.
- Send you transactional notifications, service updates and — with your consent — marketing communications.
- Provide customer support and resolve disputes.
- Improve, personalise and develop new products, features and functionality.
- Comply with applicable laws, regulations and lawful requests from competent authorities.
4. Legal basis for processing
We rely on one or more of the following lawful bases when processing your personal data:
- Contractual necessity — to provide the services you request.
- Legal obligation — for KYC/AML compliance and other statutory duties.
- Legitimate interest — for service improvement, fraud prevention and customer support.
- Consent — for marketing and other optional services, which you may withdraw at any time.
5. Data retention
We retain your personal data only for as long as necessary to provide our services or as required by law. For example:
- Account data is retained while your account is active and for a period afterwards, as needed for dispute resolution and compliance.
- Transaction and KYC records are retained for the period required by financial regulations — typically not less than five (5) years after the end of the relationship, in line with CBN AML/CFT requirements.
- Log data is typically retained for 30–90 days for security and analytics, after which it is deleted or anonymised.
6. Your data protection rights
Under the NDPA and other applicable laws, you are entitled to the following rights:
- The right to be informed about how your data is collected and used.
- The right to access the personal data we hold about you.
- The right to rectify inaccurate or incomplete data.
- The right to erasure ("right to be forgotten"), subject to legal and regulatory retention requirements.
- The right to restrict or object to processing.
- The right to data portability in a structured, machine-readable format.
- The right to withdraw consent at any time.
- The right to lodge a complaint with us or with the Nigeria Data Protection Commission (NDPC).
To exercise any of these rights, contact our DPO using the details in Section 14. We will respond within one (1) month, or as otherwise required by law, and may verify your identity before fulfilling your request.
7. Data security
We implement technical and organisational measures to protect your data against unauthorised access, alteration, disclosure or destruction, including:
- Encryption of sensitive data in transit and at rest — your transaction PIN is encrypted and never stored in plain text.
- Multi-factor and biometric authentication, plus trusted-device controls.
- Continuous fraud monitoring, anomaly detection and automated ledger reconciliation.
- Access controls, firewalls and periodic security reviews.
While we take security seriously, no method of transmission or storage is completely secure. You are responsible for keeping your login credentials, PIN and device secure, and for notifying us immediately of any unauthorised use of your account.
9. International data transfers
Some of our partners and infrastructure providers may process data outside Nigeria. Where we transfer data across borders, we do so in compliance with the NDPA and ensure an adequate level of protection through appropriate safeguards, such as standard contractual clauses.
11. Children's information
KoolPay is intended for users aged 18 and above and is not directed at children. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, please contact us and we will promptly remove it.
12. Data breach notification
In the event of a data breach likely to result in a high risk to your rights and freedoms, we will notify you and the relevant regulatory authorities (including the NDPC) within 72 hours of becoming aware of the breach, as required by applicable law.
13. Changes to this Policy
We may update this Policy at any time. Material changes will be communicated by posting a notice on the Platform or by email. Your continued use of the Platform after the effective date constitutes acceptance of the updated Policy.
14. Contact us
If you have any questions, concerns or requests regarding this Policy or how we handle your personal data, please contact our Data Protection Officer:
| Data controller | Oro Technologies Ltd (operating as KoolPay) |
|---|---|
| Data Protection Officer | dpo@koolpay.app |
| Privacy & compliance | compliance@koolpay.app |
| General support | support@koolpay.app |
Our DPO will acknowledge and act on any privacy complaint or request within the timelines required by law.