Zap Privacy Policy

1. Introduction

Zap is a product powered by Paystack that simplifies bank transfers and empowers users to send money to any bank account in Nigeria. It offers a seamless and user-friendly experience, making it the preferred choice for hassle-free monetary transactions.

This Privacy Notice (“Notice”) governs your use of Zap (“the Application”, “the App”, “the Product”, or “the Platform”). We provide this Notice because you have a right to know what information we collect, why we collect it, how it is protected and used, and the circumstances under which it may be disclosed.

2. Terms of Use

You are required to comply with the provisions of our Terms of Use when using the Product.

3. The data that we process

Personal data is any information about an individual that can be used to identify that person either directly or indirectly. For example, while using the App, we may request personal information from you to contact or identify you, and some information may be collected automatically to allow our Platform to function properly. We also collect personal data from third-party sources or through your use of our services.

We collect the following information:

All App Users:

  • Name

  • Date of birth

  • Email addresses

  • Phone number

  • Government-issued ID

  • A photo of your face (selfie)

  • Account details (username and PIN)

  • Biometrics

  • IP address

  • Transaction data:

    • Date

    • Amount

    • Parties

    • Time of the transaction

  • Device identifier

  • Operating System (OS) version

Nigerian Accounts

  • Bank Verification Number (BVN)

  • National Identification Number (NIN)

  • Residential address

  • Proof of Address

Selfie Verification

Zap uses your selfie to verify that you are who you say you are. We collect and process your selfie information through our service providers. The selfie is compared against the photographs associated with your Bank Verification Number (BVN), National Identification Number (NIN), International Passport, and other means of identification, including previously taken selfies and various identification documents. This process helps verify that the account belongs to the rightful owner.

4. Lawful bases and purpose of processing

Zap processes your data under at least one of these lawful bases:

  • Legitimate interest: Processing your data is necessary for our legitimate interests or the legitimate interests of a third party, provided your rights and interests do not override those interests.

  • Consent: You have given explicit consent for us to process your data for a specific purpose.

  • Contract: If processing your data is necessary for the performance of a contract with us or we have asked you to take specific steps before entering that contract.

  • Legal obligation: If the processing of your data is necessary to comply with a legal requirement to which we are subject.

5. The purpose of processing your data and the lawful bases

Purpose of processing, grouped by lawful bases:

Lawful bases: Legitimate interest, contract

  • To help us develop, improve, customise or restructure our services.

  • To enforce our Terms of Service and any terms and conditions of any other agreements for our services.

Lawful bases: Consent

  • To process biometric data for user authentication when you opt in.

  • To send you marketing or promotional messages.

Lawful bases: Legitimate interest

  • To collect statistical data and analytics for internal use.

  • To send you service-related messages.

  • To analyse Application usage and provide, maintain and improve the content and functionality of our Application.

Lawful bases: Legitimate interest, legal obligation

  • To secure our Application and prevent fraud.

  • For ID verification and payment authentication.

Lawful bases: Contract

  • To manage your account.

  • To provide services to you.

  • To communicate with you and for customer support.

  • To facilitate and manage transactions.

  • To enable a seamless and user-friendly bank transfer experience.

Lawful bases: Legal obligation

  • To interact with regulatory authorities or other public authorities concerning your use of our Platform.

  • To fulfil our Know Your Customer (KYC) obligation.

  • To inform you of any changes to our terms of business, services, or our Privacy Notice.

6. Your rights as a data subject

The law vests you with certain rights as a data subject. They include the right to:

  • Access personal data we hold about you by requesting a copy;

  • Rectify such information where you believe it to be inaccurate;

  • Restrict the processing of your data in certain circumstances;

  • Object to the processing of your data where we intend to process such data for marketing purposes;

  • Where feasible, receive a copy of the personal data you have provided to us—in a structured, commonly used, and machine-readable format—and transmit the information to another data controller;

  • Request the erasure of your data;

  • Withdraw your consent to processing your data;

  • Lodge a complaint with a relevant authority where you have reason to believe that we have violated this Privacy Notice. (You may complain or seek redress from us within 30 days from when you first detected the alleged violation);

  • Designate an heir to personal data; and

  • Right to representation, where applicable.

You may seek to exercise any of the above rights at any time by emailing us at dpo@paystack.com. For information on how to close your Zap account, please visit the following article.

7. Who we share your data with

The following service providers support us to ensure the smooth running of the Product:

Service providers and purpose of processing:

  • VFD MFB: We use VFD Microfinance Bank to identify customers who sign up for Zap to avoid creating duplicate accounts. Read VFD’s privacy notice here.

  • QoreID: We use QoreID to carry out identity verifications for KYC purposes, in line with our legal obligations. Read QoreID’s privacy notice here.

  • Smile ID: We use Smile ID for document verification, identity verification, and liveness checks, to avoid creating duplicate accounts and to prevent fraud. See Smile ID’s privacy notice here.

  • Paystack products: We use various Paystack products to provide streamlined service offerings, such as identifying customers who sign up for Zap to avoid creating duplicate accounts and processing payments.

  • Legal and Regulatory Authorities: We may disclose personal data to these bodies if it is necessary to comply with a law, regulation, order, subpoena, or audit, to protect any person's safety, or to address fraud, security, or technical issues.

8. Retention of your data

The data and any other information we collect from you will be stored for as long as necessary to fulfil the purposes described in this Notice. However, we will also retain data in line with applicable laws, in addition to resolving disputes, preventing fraud and abuse, and enforcing our legal agreements and policies.

We will delete your data related to marketing purposes once you unsubscribe from our marketing communications by following the steps in Section 11 of this Notice. The facial liveness data collected to authenticate Tier 2 accounts will be deleted ten (10) years after the authentication is completed in line with our retention periods and statutory obligations around KYC data.

Please note that any transaction and KYC data may be retained for a longer period, notwithstanding your request to remove it, where there is a legal requirement to do so.

9. How we protect your data

We use strong technical and organisational measures to safeguard your personal data from unauthorised access or accidental loss. We adhere to data protection laws and best practices, using security protocols like encryption, firewalls, and physical access controls. Our employees only access your data when necessary and are contractually bound to maintain its confidentiality.

We comply with the Payment Card Industry Data Security Standard (PCI DSS) to secure your card information and are certified to ISO/IEC 27001:2022 and ISO/IEC 27701:2019 Standards. This includes regular security updates to meet industry standards. Also, we have added two-factor authentication (2FA) for extra security. You will need to enter a one-time password (OTP) each time you sign out.

If there is a data breach that could harm your rights and freedoms, we will notify you promptly and do our best to fix the issue.

10. International transfer of data

Our services involve the use of third-party servers in other countries, like Zap’s use of AWS servers in Ireland. This means your data is transferred abroad. We ensure your data is processed and protected according to this Notice and relevant laws, no matter where it is located.

When transferring data outside Nigeria, we take extra steps to protect it and choose reliable third parties. For more information about data transfers to third countries, including our transfer methods, please contact us. Furthermore, we transfer data when we have a legal obligation to do so, need to establish or defend a legal claim, or have a public interest obligation.

11. Marketing and communications

We only send marketing communications to you with your consent. You may opt out of our marketing or object to further processing by clicking on the ‘unsubscribe’ button at the bottom of the page. You can also unsubscribe from any newsletters we share with you at any time by clicking the ‘unsubscribe’ button.

12. Complaints

If you are concerned about an alleged breach of data protection law or any other regulation by us, you can contact the Data Protection Officer (DPO) at dpo@paystack.com. The DPO will investigate your complaint and provide information about how it is handled.

If you are still unsatisfied with the resolution of your complaint, you may escalate this to your local Data Protection Authority.

13. Changes to this Notice

We occasionally update our privacy notice. We will notify our users when we make a change, and users will know this by checking the last date of the update on this page whenever they visit.

14. Contact Us

If you have any questions relating to this Notice, or your rights under this Notice, or are not satisfied with how we manage your personal data, kindly reach out to our Data Protection Officer at dpo@paystack.com.

Effective Date: Saturday, Dec 07, 2024