Zap Privacy Policy

1. Introduction

Zap is a product powered by Paystack that simplifies bank transfers and empowers users to send money to any bank account in Nigeria. It offers a seamless and user-friendly experience, making it the preferred choice for hassle-free monetary transactions. With Zap, users can save their payment information for secure, one-click, hassle-free transfers over time on subsequent payments (Tier 0 users). You maintain control over your account settings and can unlink your information anytime.

This Privacy Notice (“Notice”) governs your use of Zap (“the Application”, “the App”, “the Product”, or “the Platform”). We provide this Notice because you have a right to know what information we collect, why we collect it, how it is protected and used, and the circumstances under which it may be disclosed.  

2. Terms of Use

You are required to comply with the provisions of our Terms of Use when using the Product.

3. The data that we process

Personal data is any information about an individual that can be used to identify that person either directly or indirectly. For example, while using the App, we may request personal information from you to contact or identify you, and some information may be collected automatically to allow our Platform to function properly. We also collect personal data from third-party sources or through your use of our services. 

We collect the following information:

| Zap tier | Data collected |
| --- | --- |
| Tier 1 | Selfie, Bank Verification Number (BVN) |
| Tier 2 | Selfie, National Identity Number (NIN), physical address |
| Tier 3 | Identity document, physical address verification |
| All App Users | Name, email address, phone number, date of birth, account details (username and PIN), IP address, transaction data (date, amount, parties, time of transaction), device identifier, operating system (OS) version |

Nigerian Accounts

Foreign User Accounts

  • Bank Verification Number (BVN)

  • National Identification Number (NIN)

  • Residential address

  • Identification document: International passport, driver’s license, residence permit or national ID

Permissions We Request

To provide you with our services and enhance your experience, our app may request access to certain features and information on your device. Below, we explain why these permissions are needed.

| Permission | Purpose |
| --- | --- |
| Camera | We only access your camera when you need to take a selfie for verification, upload a photo for your profile, or scan a document. We will always ask for your permission before accessing the camera, and we will only use it for the feature you are using at that time. |
| Read Media (Images) | We request access to your photos and other images stored on your device. We only access your media when you want to upload a photo for verification or share an image within the app. We will always ask for your permission before accessing your media, and we will only use it for the feature you are using at that time. |
| Access Device ID | This helps us uniquely identify your device for security purposes and analyse app usage trends without identifying you personally. |
| Access Network State | This allows us to determine if you have an internet connection to use the app's features and optimise data usage. |
| Access Biometric (Fingerprint) | This allows you to securely and quickly log into your account and authorise transactions within the app. You can choose whether or not to use biometric authentication. When you choose to use this feature, your fingerprint or biometric data is securely stored on your device and is not accessed or stored by our app or servers. |

Selfie Verification

To verify your identity, Zap uses your selfie to verify that you are who you say you are. We process your selfie information through our service providers. The collected data from your selfie is compared against the photographs associated with your Bank Verification Number (BVN), National Identification Number (NIN), International Passport, and other means of identification, including previously taken selfies and various identification documents. This process helps verify that the account belongs to the rightful owner. We retain your selfie information securely to support ongoing verification and safeguard your account against unauthorized access.

Use of Facial Recognition and Liveness Detection

Zap integrates a third-party tool to detect liveness, verifying that a user is real before proceeding with identity verification.

On iOS: The SDK uses Apple’s TrueDepth API to detect faces in real-time. TrueDepth data is processed entirely on the device and is used only for real-time analysis during verification.

  • No Storage: TrueDepth data is never stored on the device or transmitted outside the device.

  • No Sharing: The data is not shared with third parties beyond the liveness verification process.

  • Limited Usage: Once the liveness check is completed, the SDK captures a standard facial image, but TrueDepth data is discarded immediately after processing.

  • No Personal Identification: TrueDepth data is not used for identification or authentication.

4. Lawful bases and purpose of processing 

Zap processes your data under at least one of these lawful bases:

  • Legitimate interest: Processing your data is necessary for our legitimate interests or the legitimate interests of a third party, provided your rights and interests do not override those interests.

  • Consent: You have given explicit consent for us to process your data for a specific purpose.

  • Contract: If processing your data is necessary for the performance of a contract with us or we have asked you to take specific steps before entering that contract.

  • Legal obligation: If the processing of your data is necessary to comply with a legal requirement to which we are subject.

5. The purpose of processing your data and the lawful bases

Lawful bases: Legitimate interest, contract

  • To help us develop, improve, customise or restructure our services, including through survey outreach.

  • To enforce our Terms of Service and any terms and conditions of any other agreements for our services.

  • Sending reminders and keeping you updated on the actions you perform on your account.

Lawful bases: Consent

  • To process biometric data for user authentication when you opt-in.

  • To send you marketing or promotional messages.

Lawful bases: Legitimate interest

  • To collect statistical data and analytics for internal use.

  • To send you service-related messages.

  • To analyse Application usage and provide, maintain and improve the content and functionality of our Application.

Lawful bases: Legitimate interest, legal obligation

  • To secure our Application and prevent fraud.

  • For ID verification and payment authentication.

Lawful bases: Contract

  • To manage your account.

  • To provide services to you.

  • To create a virtual or savings account for you.

  • To send you important updates and information about the service, and to provide customer support when you need help.

  • To facilitate and manage transactions.

  • To enable a seamless and user-friendly bank transfer experience.

Lawful bases: Legal obligation

  • To interact with regulatory authorities or other public authorities concerning your use of our Platform.

  • To fulfil our Know Your Customer (KYC) obligation.

  • To inform you of any changes to our terms of business, services, or our Privacy Notice.

6. Your rights as a data subject

The law vests you with certain rights as a data subject. They include the right to:

  • Access personal data we hold about you by requesting a copy;

  • Rectify such information where you believe it to be inaccurate;

  • Restrict the processing of your data in certain circumstances;

  • Object to the processing of your data where we intend to process such data for marketing purposes;

  • Where feasible, receive a copy of the personal data you have provided to us—in a structured, commonly used, and machine-readable format—and transmit the information to another data controller;

  • Request the erasure of your data;

  • Withdraw your consent to processing your data - in some instances this can be done by opting out of certain communications; 

  • Lodge a complaint with a relevant authority where you have reason to believe we have violated this Privacy Notice. (You may complain or seek redress from us within 30 days from when you first detected the alleged violation). In addition to your right to lodge a complaint with a data protection regulator, you can also seek resolution of your concerns through a formal grievance process established by the Nigeria Data Protection Commission. This process is known as the "Data Subjects' Standard Notice to Address Grievance" (SNAG) procedure.


You may seek to exercise any of the above rights at any time by emailing us at dpo@paystack.com. For information on how to close your Zap account, please visit the following article.

7. Who do we share your data with

The following service providers support us to ensure the smooth running of the Product:

| Service Providers | Purpose of processing |
| --- | --- |
| Fidelity Bank | We use Fidelity Bank to create either virtual or savings accounts for Zap users. The virtual accounts allow users to hold funds in their Zap Wallet whereas the savings accounts are mirrored to Zap. Read Fidelity’s privacy notice here. |
| VFD MFB | We use VFD Microfinance Bank to identify customers who sign up for Zap to avoid creating duplicate accounts. Read VFD’s privacy notice here. |
| QoreID | We use QoreID to conduct identity verification for KYC purposes that align with our legal obligations. Read QoreID’s privacy notice here. |
| Smile ID | We use Smile ID for document verification, identity verification, and liveness checks to avoid creating duplicate accounts and to prevent fraud. See Smile ID’s privacy notice here. |
| Google Firebase Analytics | It helps us understand how people use our app. This information helps us make our app better and more useful for everyone. See Firebase Analytics privacy notice here. |
| Google CrashLytics | It helps us find and fix problems when our app unexpectedly closes (crashes). It sends us information about the crash so we can understand what went wrong and make our app more stable. See the privacy notice here. |
| Paystack products | We use various Paystack products to provide streamlined service offerings, such as identifying customers who sign up for Zap to avoid creating duplicate accounts and processing payments. |
| Legal and Regulatory Authorities | We may disclose personal data to these bodies if it is necessary to comply with a law, regulation, order, subpoena, or audit to protect any person's safety or to address fraud, security, or technical issues. |

8. Retention of your data

The data and any other information we collect from you will be stored for as long as necessary to fulfil the purposes described in this Notice. However, we will also retain data in line with applicable laws, in addition to resolving disputes, preventing fraud and abuse, and enforcing our legal agreements and policies.

We will delete your data related to marketing purposes once you unsubscribe from our marketing communications by following the steps in Section 11 of this Notice. The facial liveness data collected to authenticate Tier 2 accounts will be deleted five (5) years after the authentication is completed, in line with our retention periods and statutory obligations around KYC data. 

Please note that any transaction and KYC data may be retained longer, notwithstanding your request to remove it, where there is a legal requirement to do so.

9. How we protect your data

We use strong technical and organisational measures to safeguard your data from unauthorised access or accidental loss. We adhere to data protection laws and best practices, using security protocols like encryption, firewalls, and physical access controls. Our employees only access your data when necessary and are contractually bound to maintain its confidentiality.

We comply with the Payment Card Industry Data Security Standard (PCI DSS) to secure your card information and are certified to ISO/IEC 27001:2022 and ISO/IEC 27701:2019 Standards. This includes regular security updates to meet industry standards. Also, we have added two-factor authentication (2FA) for extra security. You will need to enter a one-time password (OTP) each time you sign out. 

If there is a data breach that could harm your rights and freedoms, we will notify you promptly and do our best to fix the issue.

10. International transfer of data

Our services involve the use of third-party servers in other countries, like Zap’s use of AWS servers in Ireland. This means your data is transferred abroad. We ensure your data is processed and protected according to this Notice and relevant laws, regardless of location.

When transferring data outside Nigeria, we take extra steps to protect it and choose reliable third parties. Please contact us for more information about data transfers to third countries, including our transfer methods. Furthermore, we transfer data when we have a legal obligation to do so, need to establish or defend a legal claim or have a public interest obligation.  

11. Marketing and communications

We only send marketing communications to you with your consent. You may opt out of our marketing or object to further processing by clicking on the 'unsubscribe' button at the bottom of the page. You can also unsubscribe from any newsletters we share with you at any time by clicking the ‘unsubscribe’ button.

12. Complaints

If you are concerned about an alleged breach of data protection law or any other regulation by us, you can contact the Data Protection Officer (DPO) at dpo@paystack.com. The DPO will investigate your complaint and provide information about how it is handled.

If you are still unsatisfied with the resolution of your complaint, you may escalate this to your local Data Protection Authority.

13. Changes to this Notice

We occasionally update our privacy notice. We will notify our users when we make a change, and users will know this by checking the last date of the update on this page whenever they visit.

14. Contact Us

If you have any questions relating to this Notice or your rights under this Notice or are not satisfied with how we manage your data, kindly reach out to our Data Protection Officer at dpo@paystack.com.