The Information We Collect

We collect the personal data you provide to us. For example:

• • Registration information. To gain full access to our website and services, you must register for a Payaza account. When you register for an account, we collect business data and personal data, which you voluntarily provide to us in order to complete the KYC (Know Your Customer) process (e.g. email address, bank details, name, telephone number). With your consent, we may also collect additional personal data such as survey responses.

• • Payment information. If you make a financial transaction, we collect credit card numbers, financial account information, and other payment details.

• • Communications. If you contact us directly, for example with an inquiry or a support request, we may receive additional personal data about you, including your email address and the content of your communications.

• 1.2 Personal Data We Collect Automatically • Device Information. We receive information about the device and software you use to access our Services, including internet protocol (IP) address, web browser type, operating system version, and device identifiers.

• • Usage Information. To help us understand how you use our Services, including the Demo portion of our website, and to help us improve them, we automatically receive information about your interactions with our Services. This information includes records of your transactions and information about your other activities related to our services, such as the date and time of your sessions, the pages you view, links to/from any page, and time spent in a session. Some of the data we gather using cookies and similar technologies as discussed below.

• • Location Information. When you use our Services, we may collect or infer your general location information. For example, your IP address may indicate your general geographic region.

Personal Data That We Receive from Others or Infer

• • Partners. We may retrieve additional personal data about you from third parties and other identification/verification services such as your financial institution and payment processor. We may combine that data with other information we have about you.

• • Publicly available sources. Public sources of information such as open government databases.

• • Inferences. We may infer additional Personal Data based on the Personal Data described above. For example, for Visitors, we may infer your interests based on the web pages you view. When you are asked to provide personal data, you may decline. And you may use web browser or operating system controls to prevent certain types of automatic data collection. But if you choose not to provide or allow information that is necessary for certain services or features, those services or features may not be available or fully functional.

How We Use Personal Data

2.1 Provide, Improve, and Personalize our Services We use personal data to provide, improve, and personalize our Services to Merchants. This includes:

• • Account registration: We use the personal data you provide during the registration process to create and maintain your Payaza account and to verify your identity as part of our KYC process.

• • Payment processing: We use personal data, including payment information, to process payments, complete transactions, and provide receipts and invoices.

• • Customer support: We may use personal data, including communications you have with us, to respond to your inquiries, provide customer support, and address any issues you may have with our Services.

• • Service improvement: We use personal data to understand how Merchants and Customers use our Services, to monitor and analyze usage patterns, and to improve the functionality and performance of our Services.

• • Personalization: We may use personal data to personalize your experience with our Services, such as remembering your preferences, displaying relevant content, and providing tailored offers and promotions.

• • Fraud prevention and security: We use personal data to detect and prevent fraud, unauthorized access, and other security incidents, and to protect the integrity and security of our Services.

2.2 Communication and Marketing We may use personal data to communicate with Merchants about our Services, promotions, events, and other marketing purposes. We may send you promotional emails or other communications based on your preferences and applicable law. You can opt out of receiving marketing communications from us by following the unsubscribe instructions in the communications or by contacting us directly.

2.3 Legal Obligations and Business Interests We may use personal data to comply with legal obligations, such as tax reporting, fraud prevention, and anti-money laundering requirements. We may also use personal data for our legitimate business interests, such as enforcing our Terms, protecting our rights and interests, conducting research, and improving our Services.

How We Share Personal Data

Payaza does not sell, trade or rent personal data to anyone. Further, we will not share or disclose your personal data with a third party without your consent except as necessary to provide the Services or as described in this Privacy Policy.

• 3.1 With Payaza Affiliates and Service Providers We may share personal data with our affiliates and service providers who help us provide and improve our Services. These entities are authorized to process personal data on our behalf and are obligated to protect the confidentiality and security of personal data.

• 3.2 With Payaza Merchants As a payment processing platform, we may share personal data with Payaza Merchants for the purpose of completing transactions and providing customer support. Payaza Merchants are responsible for their own privacy practices and compliance with applicable laws. Merchants should have their own privacy policy in place that outlines how they collect, use, store, and protect personal data.

• 3.3 With Business Partners and Third Parties We may share personal data with business partners and third parties for various purposes, such as marketing, advertising, analytics, research, and other business-related activities. These parties are authorized to use personal data only as necessary to perform their functions and are required to protect the confidentiality and security of personal data.

• 3.4 Legal Requirements and Safety We may disclose personal data in response to legal requirements, such as a subpoena, court order, or other governmental or legal requests. We may also disclose personal data to protect the safety and security of our users, employees, or the public, or to enforce our rights and agreements.

• 3.5 Business Transfers If Payaza is involved in a merger, acquisition, or sale of all or a portion of its assets, personal data may be transferred as part of that transaction. We will notify Merchants of any such transfer and provide choices regarding personal data. Third-party analytics and advertising companies also collect personal data through our website and apps including, marketing and communications data, demographic data, content and files, geolocation data, usage data, and inferences associated with identifiers and device information (such as cookie IDs, device IDs, and IP address) as described in the Cookies section of this statement. These third-party vendors may combine this data across multiple sites to improve analytics for their own purpose and others. For example, we use Google Analytics on our website to help us understand how users interact with our website; you can learn how Google collects and uses the information at www.google.com/policies/privacy/partners. Please note that some of our services include integrations, references, or links to services provided by third parties whose privacy practices differ from ours. If you provide personal data to any of those third parties or allow us to share personal data with them, that data is governed by their privacy statements.

Cookies

Payaza and its partners use cookies and similar technologies on our website for various purposes, including collecting information and operating the site. We use cookies to:

• • Remember visitors to our website for improved user experience.

• • Make your user experience easier by customizing our services, content, and advertising.

• • Help ensure that your account security is not compromised, mitigate risk, and prevent fraud.

• • Promote trust and safety on our website.

Cookies are small text files placed by a website and stored by your browser on your device. Our cookies hold a unique random reference to you, allowing us to recognize you and provide certain content tailored to you when you visit the site. Most web browsers are set to accept cookies by default. However, if you prefer, you can go to your browser settings to learn how to delete or reject cookies. It's important to note that if you choose to delete or reject cookies, it may impact your experience using our website.

How We Protect Your Information

Payaza takes the protection of your Personal Information seriously and has implemented adequate technical and organizational controls to ensure its integrity and confidentiality, both in digital and physical formats, and to prevent accidental or deliberate compromise of Personal Information. We use a variety of security measures to protect your Personal Information, including physical, technical, and administrative safeguards, in line with industry best practices. These measures include data encryption, firewalls, physical access controls to our premises and files, and granting access to Personal Information only to employees who require it to fulfill their job responsibilities.

We also comply with the Payment Card Industry Data Security Standard (PCI DSS Requirements) and implement access control measures, security protocols, and standards, such as encryption and firewall technologies, to ensure the safe and secure handling of your card information on our servers. We regularly update our security infrastructure to comply with reasonable industry standards. Payaza has a data breach procedure in place to handle incidents related to Personal Information, including accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. If you become aware of any breach of Personal Information or compromise of your access credentials, please contact our Data Protection Officer (DPO) so that we can take necessary steps to ensure the security of your Personal Information or account. We will also report any breaches that may compromise your rights and freedoms to the Relevant Authority within 72 hours of discovery.

We are committed to maintaining the confidentiality and security of your Personal Information and continuously review and enhance our security measures to protect against potential threats. However, it is important to note that no method of data transmission or storage can be guaranteed to be 100% secure, and we cannot guarantee the absolute security of your Personal Information. Therefore, we encourage you to take appropriate measures to protect your Personal Information, such as choosing a strong and unique password, keeping your access credentials confidential, and being cautious about sharing your Personal Information online. If you have any questions or concerns about the security of your Personal Information or our data protection practices, please contact our DPO. We will address your inquiries and concerns to the best of our ability.

Data Retention and Security

6.1 Data Retention We retain personal data for as long as necessary to fulfill the purposes for which it was collected, including to provide our Services, comply with legal obligations, resolve disputes, and enforce our agreements. The retention period may vary depending on the type of personal data and the purposes for which it is processed. When personal data is no longer needed, we securely delete or de-identify it.

6.2 Data Security We take the security of personal data seriously and have implemented appropriate technical and organizational measures to protect personal data against unauthorized access, loss, misuse, alteration, and destruction. These measures include encryption, access controls, and regular security assessments. However, no method of transmission or storage is completely secure, and we cannot guarantee the absolute security of personal data.

Storage Limitation

We will retain your information for the following periods:

• • As long as reasonably necessary for the purpose of providing our services to you

• • For the duration your account is active and we have your consent

• • For the period needed to comply with our legal and statutory obligations

• • As needed to verify your information with a financial institution

Payaza is statutorily obliged to retain the data you provide in order to process transactions, ensure settlements, make refunds, identify fraud, and comply with applicable laws and regulatory guidelines. Under the Central Bank of Nigeria's Regulations and Guidelines, we are mandated to retain transactional records (customer and beneficiary names, addresses, identification numbers, amount, currency, etc.) for at least seven years following the completion of the transaction. Therefore, even after closing your Payaza account, we will retain certain personal data and transaction data to comply with these obligations. All personal data shall be destroyed by Payaza where possible, or anonymized in other instances. The length of storage of personal data shall, amongst other things, be determined by:

• • The contract terms agreed between Payaza and the Merchant or as long as it is needed for the purpose for which it was obtained; or

• • Whether the transaction or relationship has statutory implication or a required retention period; or

• • Whether there is an express request for deletion of Personal Data by the Merchant, provided that such request will only be treated where the Data Subject is not under any investigation which may require Payaza to retain such Personal Data or there is no subsisting contractual arrangement with the Data Subject that would require the processing of the Personal Data; or

• • Whether Payaza has another lawful basis for retaining that information beyond the period for which it is necessary to serve the original purpose.

Grounds for Processing of Personal Information

Payaza processes Personal Information based on the following lawful grounds:

• • Consent: Processing of Personal Information is lawful if the Data Subject (Merchant or Merchant representative) has given consent for one or more specific purposes.

• • Contractual necessity: Processing of Personal Information is necessary for the performance of a contract to which the Data Subject is a party, or to take steps at the request of the Data Subject prior to entering into a contract.

• • Legal obligation: Processing of Personal Information is necessary for compliance with a legal obligation to which Payaza is subject.

• • Vital interests: Processing of Personal Information is necessary to protect the vital interests of the Data Subject or another natural person.

• • Public interest/official mandate: Processing of Personal Information is necessary for the performance of a task carried out in the public interest or in exercise of an official public mandate vested in Payaza.

Your request will be reviewed and addressed by Payaza's Data Protection Officer within a 30-day period. You may review and update your Personal Information directly through your account settings or by contacting us.

Rights and Choices

9.1 Rights As a merchant whose data is processed by Payaza, you have certain rights under applicable data protection laws. These rights may include the right to access, rectify, delete, or restrict the processing of your personal data, as well as the right to receive a copy of your personal data in a structured, machine-readable format. You may also have the right to object to the processing of your personal data or to withdraw your consent, where applicable.

• • Merchants whose Personal Information is held by Payaza have the following rights:

• • Right to request and access any Personal Information collected and stored by Payaza.

• • Right to be informed about their Personal Information.

• • Right to object to automated decision-making and processing.

• • Right to request rectification and modification of their Personal Information kept by Payaza.

• • Right to request deletion of their data.

• • Right to request the movement of data from Payaza to a third party, also known as the right to data portability.

• • Right to revoke consent.

• • Right to object to direct marketing and request that Payaza restricts the processing of their information.

• • Right to submit a complaint to the National Information Technology Development Agency (NITDA).

9.2 Choices You have choices regarding the personal data you provide to us and how it is used. You can choose not to provide certain personal data, although it may be necessary to use certain features of our Services. You can also modify or delete your personal data through your Payaza account settings or by contacting us directly. You can choose to opt out of receiving marketing communications from us by following the unsubscribe instructions in the communications or by contacting us directly.

Changes to This Privacy Policy

We may need to update, modify or amend our Privacy Policy as our technology evolves and as required by law. If we materially change the ways in which we use or share personal data previously collected from you through our Services, we will provide notice or obtain consent regarding such changes as may be required by law. The Privacy Policy will apply from the effective date provided on our website.

Policy Violations

Any violation of this Privacy Policy should be brought to the attention of the Data Protection Officer (details below) for appropriate sanctioning and treatment. You certify that the information provided to register as a Merchant is correct to the best of your knowledge. Furthermore, when providing the personal data of any other person, you confirm that you are only providing accurate and up-to-date data in accordance with their instructions, and are able to provide evidence of their consent to the data processing described in this Policy as and when required by Payaza. Please note that any attempt to mislead may result in prosecution and the deliberate provision of inaccurate data results in a privacy violation.

Contact Payaza's Data Protection Officer (DPO)

If you have any questions relating to this Privacy Policy, or complaints or would like to find out more about exercising your data privacy rights, please reach out to our DPO via email at dpo@payaza.com. For any further queries, our Data Protection Officer may be reached at the following address:

• 11 Oko Awo Street,

• Victoria Island,