Privacy Policy
Last updated: 2026-04-01
1. Information We Collect
We collect personal information you provide during registration (name, email, phone number), identity verification (BVN, NIN, government ID), and transaction data (transfer amounts, beneficiary details). We also collect technical data such as IP addresses, device information, and usage patterns to improve our services and detect fraud.
2. How We Use Your Information
We use your information to process transfers, verify your identity (KYC/AML compliance), communicate with you about your account, prevent fraud and unauthorized transactions, comply with legal obligations, and improve our services. We do not sell your personal information to third parties.
4. Subprocessors
We use the following third-party subprocessors to deliver our service: Sumsub (identity verification, EU/UK), Honeycoin (payment processing and FX, Africa), Twilio (SMS and WhatsApp messaging, US), Crisp (live chat support, EU), Sentry (error monitoring, US), Cloudflare (CDN, security, and email obfuscation, US), and Railway (application hosting, US/EU). All subprocessors are bound by data processing agreements that meet NDPA and GDPR Article 28 requirements. We will notify you of any new subprocessor at least 30 days before they begin processing your data.
Subprocessor data-processing agreements
Direct links to each subprocessor's DPA where one is published. Where no public DPA exists, an explanatory note replaces the link.
- Sumsub— Identity verification (KYC/AML) (EU/UK)View DPA
- Honeycoin— Payment processing and FX (Africa)Bilateral B2B agreement; excerpts available on request from privacy@crosspay.me.
- Twilio— SMS and WhatsApp messaging (US)View DPA
- Crisp— Live chat support (EU)View DPA
- Sentry— Error monitoring (US)View DPA
- Cloudflare— CDN, security, and email obfuscation (US)View DPA
- Railway— Application hosting (US/EU)Hosting customer terms apply; standalone DPA available on request from privacy@crosspay.me.
5. Data Security
We protect your data with industry-standard encryption in transit and at rest, secure key management, access controls, and regular security audits. Bank account numbers are encrypted at rest using symmetric encryption. Despite these measures, no system is completely secure, and we cannot guarantee absolute security.
6. Data Retention
We retain your personal data for as long as your account is active and for 7 years after closure to comply with financial regulations. Transaction records are kept for the legally required retention period. You may request deletion of your account data subject to our legal obligations.
8. Your Rights
Under the Nigeria Data Protection Act (NDPA), you have the right to access, correct, or delete your personal data, object to processing, request data portability, and withdraw consent. EU and UK residents have equivalent rights under GDPR / UK GDPR including the right to lodge a complaint with their national data protection authority. To exercise any of these rights, contact our Data Protection Officer at privacy@crosspay.me; we respond within 30 days.
9. Children's Privacy
CrossPay is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If we learn that we have collected data from a child, we will delete it promptly.
10. Changes to This Policy
We may update this privacy policy from time to time. We will notify you of material changes via email or in-app notification at least 30 days before the changes take effect. Continued use of our services after changes constitutes acceptance.
11. Contact Us
For privacy-related questions or to exercise your data rights, contact our Data Protection Officer at privacy@crosspay.me or write to CrossPay Limited, Victoria Island, Lagos, Nigeria.