Privacy Policy

Last updated: March 2026

1. Introduction

TrustAm Technologies Ltd ("TrustAm," "we," "us," or "our") is committed to protecting the privacy and security of your personal data. This Privacy Policy explains how we collect, use, store, share, and protect your information when you use our mobile application, website (www.trustamai.com), and related services (collectively, the "Services").

This Privacy Policy has been prepared in compliance with the Nigeria Data Protection Act 2023 (NDPA), the Nigeria Data Protection Commission (NDPC) General Application and Implementation Directive 2025 (GAID), and other applicable data protection laws and regulations.

By using our Services, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and processing of your personal data as described herein.

2. Data Controller

The data controller responsible for your personal data is:

TrustAm Technologies Ltd

Victoria Island, Lagos, Nigeria

RC 1234567

Data Protection Officer: [email protected]

Our Data Protection Officer (DPO) is responsible for overseeing compliance with this Privacy Policy and applicable data protection laws. You may contact the DPO at any time with questions or concerns about how your data is handled.

3. What Data We Collect

We collect the following categories of personal data:

3.1 Personal Information You Provide

  • Identity data: Full name, date of birth, gender, nationality.
  • Contact data: Phone number, email address, physical address.
  • Verification data: Bank Verification Number (BVN), National Identification Number (NIN), government-issued photo ID, passport photograph, proof of address.
  • Account credentials: Transaction PIN (stored as a salted hash, never in plaintext), biometric enrollment status.
  • Marketplace data: Service descriptions, pricing, portfolio images, reviews, business name, bank account details for payouts.

3.2 Financial Data

  • Transaction records: Payment amounts, recipients, dates, descriptions, and status.
  • Bank account data: Account numbers, bank names, and account balances accessed via Mono.co open banking integration (with your explicit consent).
  • Budget data: Budget categories, limits, spending patterns, and savings goals you create within the app.
  • Bill payment data: Airtime, data, electricity, and other bill payment records.

3.3 Device & Technical Data

  • Device information: Device type, model, operating system, unique device identifiers.
  • Network data: IP address, mobile network operator, connection type.
  • App data: App version, crash reports, performance data.

3.4 Usage Data

  • Interaction data: Features used, screens viewed, buttons tapped, time spent in the app.
  • Search data: Marketplace search queries and browsing patterns.
  • Communication data: Messages exchanged with marketplace Providers or with our support team.
  • AI advisor data: Conversations with the AI financial advisor (see Section 12 for special handling).

4. How We Use Your Data

We use your personal data for the following purposes:

  • Account management: To create and manage your account, verify your identity, and administer KYC verification.
  • Payment processing: To process peer-to-peer transfers, bank transfers, bill payments, and marketplace transactions.
  • Budgeting services: To categorize your transactions, generate spending insights, and manage your budgets.
  • AI financial advice: To provide personalized financial guidance through our AI-powered advisor.
  • Marketplace operations: To facilitate connections between Providers and Clients, manage bookings, and process escrow payments.
  • Security and fraud prevention: To detect, investigate, and prevent fraudulent transactions, unauthorized access, and other illegal activities.
  • Regulatory compliance: To comply with KYC, AML/CFT, and other regulatory requirements imposed by the CBN, NFIU, NDPC, and other authorities.
  • Product improvement: To analyze usage patterns, fix bugs, improve performance, and develop new features.
  • Communication: To send transaction confirmations, security alerts, service updates, and (with your consent) marketing communications.
  • Dispute resolution: To investigate and resolve disputes between users, Providers, and Clients.

5. Legal Basis for Processing

Under the Nigeria Data Protection Act 2023, we process your personal data based on the following legal grounds:

  • Consent: You have given clear and informed consent for us to process your personal data for specific purposes (e.g., open banking data aggregation, AI advisor conversations, marketing communications). You may withdraw consent at any time.
  • Contract performance: Processing is necessary for the performance of a contract to which you are a party, including account management, payment processing, and marketplace transactions.
  • Legal obligation: Processing is necessary to comply with legal obligations, including CBN KYC requirements, AML/CFT regulations, tax reporting, and NDPA compliance.
  • Legitimate interest: Processing is necessary for our legitimate interests (e.g., fraud prevention, security, product improvement), provided these interests are not overridden by your fundamental rights and freedoms.
  • Vital interest: In rare cases, processing may be necessary to protect the vital interests of you or another natural person.

6. Data Sharing & Third-Party Processors

We share your personal data with the following categories of third parties, only to the extent necessary for the stated purposes:

6.1 Payment Service Providers

  • Paystack (operated by Stripe Inc.) — Our primary payment processor. Receives transaction data, bank account details, and identity information necessary for payment processing and BVN/NIN verification. Paystack is licensed by the CBN and maintains PCI-DSS compliance.
  • Flutterwave — Backup payment processor for international transfers. Receives limited transaction and identity data as needed.

6.2 Open Banking Provider

  • Mono.co — Provides bank account aggregation services. With your explicit consent, Mono.co accesses your bank account data (balances, transaction history) to provide the unified financial dashboard in TrustAm. You can revoke this access at any time through the app settings.

6.3 Communication Providers

  • Termii — Nigeria-optimized SMS delivery service used for OTP codes and transaction alerts. Receives your phone number and message content. Messages are encrypted in transit.

6.4 AI Services

  • Google (Gemini API) — Powers the AI financial advisor and transaction categorization. See Section 12 for detailed data handling practices for AI services.

6.5 Analytics & Monitoring

  • Sentry — Error tracking and performance monitoring. Receives anonymized crash reports and performance metrics.
  • PostHog — Product analytics. Receives anonymized usage data to help us improve the app experience.

6.6 Regulatory & Law Enforcement

We may disclose your personal data to the Central Bank of Nigeria (CBN), Nigeria Data Protection Commission (NDPC), Nigerian Financial Intelligence Unit (NFIU), Economic and Financial Crimes Commission (EFCC), Nigeria Police Force, or other regulatory or law enforcement bodies when required by law, regulation, or court order, or when necessary to protect our rights, safety, or property.

7. Data Security

We implement robust technical and organizational measures to protect your personal data:

  • Encryption at rest: All sensitive personal data, including BVN, NIN, and financial records, is encrypted using AES-256 encryption at rest in our databases.
  • Encryption in transit: All data transmitted between your device and our servers is protected using TLS 1.3, the latest transport layer security protocol.
  • Authentication security: Transaction PINs are stored as salted cryptographic hashes. We never store PINs in plaintext. Biometric data is stored locally on your device using the secure enclave and is never transmitted to our servers.
  • Access controls: We enforce strict role-based access controls. Employee access to personal data is limited to those who need it for their job functions, and all access is logged and audited.
  • Infrastructure security: Our infrastructure is hosted on enterprise-grade cloud platforms with DDoS protection, intrusion detection systems, and regular penetration testing.
  • Secure token storage: Authentication tokens on your mobile device are stored using Expo SecureStore, which uses the iOS Keychain and Android Keystore for encrypted, hardware-backed storage.
  • Breach notification: In the event of a data breach that poses a risk to your rights and freedoms, we will notify the Nigeria Data Protection Commission and affected users within 72 hours of becoming aware of the breach, as required by the NDPA 2023.

8. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, subject to legal and regulatory requirements:

  • Account data: Retained for the duration of your account and for 6 years after account closure (to comply with Nigerian regulatory requirements and the statute of limitations).
  • Transaction records: Retained for a minimum of 6 years after the transaction date, as required by CBN regulations and the Companies Income Tax Act.
  • KYC documents: Retained for 6 years after the end of the business relationship, as required by the Money Laundering (Prohibition) Act 2022.
  • AI advisor conversations: Retained for 12 months from the date of the conversation, then automatically deleted unless required for dispute resolution.
  • Analytics data: Anonymized analytics data may be retained indefinitely, as it cannot be used to identify you.
  • Marketing consent records: Retained for 3 years after consent is withdrawn, to demonstrate compliance.

When personal data is no longer required, it is securely deleted or anonymized using industry-standard methods that render the data irreversibly unidentifiable.

9. Your Rights Under NDPA 2023

Under the Nigeria Data Protection Act 2023, you have the following rights regarding your personal data:

  • Right of Access: You have the right to request a copy of the personal data we hold about you. We will provide this information within 30 days of receiving your request.
  • Right to Rectification: You have the right to request correction of inaccurate or incomplete personal data. You can update most information directly in the app, or contact us for data you cannot modify yourself.
  • Right to Erasure: You have the right to request deletion of your personal data, subject to our legal obligations to retain certain data (see Section 8). Where erasure is not possible due to regulatory requirements, we will restrict processing of the data.
  • Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format (JSON or CSV), and to transmit that data to another service provider.
  • Right to Object: You have the right to object to the processing of your personal data for direct marketing purposes. You may also object to processing based on legitimate interests, and we will cease processing unless we can demonstrate compelling legitimate grounds.
  • Right to Withdraw Consent: Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
  • Right to Restriction of Processing: You have the right to request restriction of processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to processing.
  • Right Not to Be Subject to Automated Decision-Making: You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects or similarly significant effects. Our AI financial advisor provides suggestions only and does not make binding decisions about your account.

To exercise any of these rights, contact our Data Protection Officer at [email protected]. We will respond to your request within 30 days. We may ask you to verify your identity before processing your request.

10. Children's Privacy

The Services are not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children under 18 years of age. If we become aware that we have collected personal data from a child under 18, we will take immediate steps to delete such data from our records. If you believe that we have inadvertently collected data from a child under 18, please contact us immediately at [email protected].

11. International Data Transfers

Some of our third-party service providers are located outside Nigeria. When we transfer your personal data internationally, we ensure adequate protection through the following safeguards:

  • We only transfer data to countries or organizations that provide an adequate level of data protection as recognized by the NDPC, or where appropriate safeguards are in place.
  • We use standard contractual clauses approved by the NDPC in our agreements with international data processors.
  • All international transfers are conducted in compliance with Section 43 of the NDPA 2023 and any transfer mechanisms prescribed by the NDPC.
  • Where required, we obtain prior authorization from the NDPC before transferring personal data to jurisdictions without adequate protection levels.

Specifically, data shared with Google (Gemini API, headquartered in the US), Stripe/Paystack (US-headquartered), and Sentry (US-headquartered) is subject to these safeguards. These providers maintain robust data protection practices and certifications.

12. AI Financial Advisor Data Handling

The TrustAm AI Financial Advisor uses Google's Gemini AI model to provide personalized financial guidance. We take special precautions to protect your sensitive data:

  • BVN and NIN are never sent to the AI model. Your Bank Verification Number, National Identification Number, and other government identity numbers are never included in prompts sent to the Gemini API.
  • Data anonymization: Before sending data to the AI model, we anonymize and aggregate your financial data. Account numbers, specific bank names, and personally identifiable transaction details are stripped or replaced with generic labels.
  • No AI training on your data: We use the Gemini API under terms that prohibit Google from using your data to train or improve their AI models. Your conversations and financial data are not used for any purpose other than generating your personalized advice.
  • Conversation privacy: AI advisor conversations are stored encrypted on our servers and automatically deleted after 12 months. You can delete your conversation history at any time from within the app.
  • AI limitations disclosure: The AI financial advisor provides general financial guidance and suggestions. It does not provide investment advice, tax advice, or any form of licensed financial advisory service. Users should consult qualified professionals for specific financial decisions.

13. Cookies & Tracking Technologies

Our website (www.trustamai.com) uses the following cookies and tracking technologies:

  • Essential cookies: Required for the website to function properly (e.g., session management, authentication). These cannot be disabled.
  • Analytics cookies: Google Analytics 4 and PostHog are used to understand how visitors interact with our website. These collect anonymized browsing data.
  • Performance cookies: Microsoft Clarity is used to analyze user behavior through session recordings and heatmaps. All data is anonymized and no PII is captured.

The TrustAm mobile app does not use cookies. Analytics in the mobile app are managed through the PostHog SDK with anonymized identifiers.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or operational procedures. When we make material changes:

  • We will notify you via in-app notification and email at least 30 days before the changes take effect.
  • We will update the "Last updated" date at the top of this page.
  • For changes that materially affect how we process your personal data, we will obtain your renewed consent where required by law.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal data.

15. Contact the Data Protection Officer

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact our Data Protection Officer:

TrustAm Technologies Ltd

Attn: Data Protection Officer

Victoria Island, Lagos, Nigeria

Email: [email protected]

General Support: [email protected]

16. How to File a Complaint

If you believe that your data protection rights have been violated, you have the right to lodge a complaint:

  • With TrustAm: Contact our DPO at [email protected]. We will investigate your complaint and respond within 30 days.
  • With the Nigeria Data Protection Commission (NDPC): If you are unsatisfied with our response, or wish to lodge a complaint directly, you may contact the NDPC:

    Nigeria Data Protection Commission

    No. 5 Donatus Nwankpa Close, Wuye, Abuja, Nigeria

    Website: ndpc.gov.ng

Effective Date: January 1, 2026

Last Updated: March 2026