Privacy Policy
Last updated: 2026-04-01
1. Information Wey We Collect
We collect personal information wey you provide during registration (name, email, phone number), identity verification (BVN, NIN, government ID), and transaction data (transfer amounts, beneficiary details). We also collect technical data such as IP addresses, device information, and usage patterns to improve our services and detect fraud.
2. How We Use Your Information
We use your information to process transfers, verify your identity (KYC/AML compliance), communicate with you about your account, prevent fraud and unauthorized transactions, comply with legal obligations, and improve our services. We no dey sell your personal information to third parties.
4. Subprocessors
We use the following third-party subprocessors to deliver our service: Sumsub (identity verification, EU/UK), Honeycoin (payment processing and FX, Africa), Twilio (SMS and WhatsApp messaging, US), Crisp (live chat support, EU), Sentry (error monitoring, US), Cloudflare (CDN, security, and email obfuscation, US), and Railway (application hosting, US/EU). All subprocessors are bound by data processing agreements wey meet NDPA and GDPR Article 28 requirements. We go notify you of any new subprocessor at least 30 days before dem begin processing your data.
Subprocessor data-processing agreements
Direct links to each subprocessor's DPA where one is published. Where no public DPA dey exist, an explanatory note replaces the link.
- Sumsub— Identity verification (KYC/AML) (EU/UK)View DPA
- Honeycoin— Payment processing and FX (Africa)Bilateral B2B agreement; excerpts available on request from privacy@crosspay.me.
- Twilio— SMS and WhatsApp messaging (US)View DPA
- Crisp— Live chat support (EU)View DPA
- Sentry— Error monitoring (US)View DPA
- Cloudflare— CDN, security, and email obfuscation (US)View DPA
- Railway— Application hosting (US/EU)Hosting customer terms apply; standalone DPA available on request from privacy@crosspay.me.
5. Data Security
We dey protect your data with industry-standard encryption for transit and at rest, secure key management, access controls, and regular security audits. We dey encrypt bank account numbers at rest using symmetric encryption. Even with all these, no system dey completely secure, and we no fit guarantee absolute security.
6. Data Retention
We retain your personal data for as long as your account is active and for 7 years after closure to comply with financial regulations. Transaction records are kept for the legally required retention period. You fit request deletion of your account data subject to our legal obligations.
8. Your Rights
Under the Nigeria Data Protection Act (NDPA), you get right to access, correct, or delete your personal data, object to processing, request data portability, and withdraw consent. EU and UK residents get equivalent rights under GDPR / UK GDPR, including the right to lodge complaint with their national data protection authority. To use any of these rights, contact our Data Protection Officer for privacy@crosspay.me; we dey respond within 30 days.
9. Children's Privacy
CrossPay no be for users wey dey under 18 years of age. We no dey knowingly collect personal information from children. If we learn say we don collect data from a child, we go delete am promptly.
10. Changes to This Policy
We fit update this privacy policy from time to time. We go notify you of material changes via email or in-app notification at least 30 days before the changes take effect. Continued use of our services after changes constitutes acceptance.
11. Contact Us
For privacy question or to use your data rights, contact our Data Protection Officer for privacy@crosspay.me or write to CrossPay Limited, Victoria Island, Lagos, Nigeria.