Privacy Policy

Effective Date: February 20, 2026

Nigeria and Kenya

1. Introduction

Vepay (“Vepay”, “we”, “us” or “our”) is committed to protecting the privacy and personal data of users who access or use our mobile application, website, products, platforms, customer support channels and related services (collectively, the “Services”).

This Privacy Policy explains the types of personal data we collect, how we collect it, the purposes for which we use it, the lawful basis for processing it, how we share and protect it, how long we retain it, and the rights available to you as a data subject.

This Policy is designed to comply with applicable data protection, financial services, anti-money laundering, counter-terrorism financing, fraud prevention and regulatory requirements in the jurisdictions where Vepay operates, including Nigeria and Kenya.

By registering for, accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy. Where we rely on consent as the lawful basis for processing, you may withdraw your consent at any time, subject to legal, regulatory, contractual and operational limitations.

2. Scope of this Policy

This Policy applies to personal data collected or processed through:

• The Vepay mobile application;
• Vepay websites, portals, dashboards and online platforms;
• Account opening, onboarding, KYC, compliance and verification processes;
• Payment, wallet, remittance, transaction, settlement or related financial services;
• Communications with Vepay through email, SMS, calls, chat, in-app messaging, forms, customer support channels or social media; and
• Automated technologies used in connection with the Services, including cookies, device logs and analytics tools.

This Policy does not apply to third-party websites, applications, payment platforms, partner services, merchants, advertisers or other services that are not owned or controlled by Vepay. Where you access a third-party service through our platform, that third party’s privacy policy will apply to its processing of your data.

3. Personal Data We Collect

We collect personal data that is reasonably necessary to provide secure, compliant and reliable financial technology services. The information collected may vary depending on the product, jurisdiction, account type, risk profile and regulatory requirements applicable to you.

3.1 Information You Provide Directly

When you register, verify your identity, use our Services, contact us or complete any form, we may collect:

• Identity data: full name, date of birth, gender, nationality, photograph, signature, username, customer identification number and other registration information;
• Contact data: phone number, email address, residential address, mailing address and emergency or authorised contact details where applicable;
• Government and verification data: Bank Verification Number (BVN), National Identification Number (NIN), national identity card, passport, driver’s licence, voter’s card, tax identification information, Kenyan national ID, passport, alien ID, KRA PIN, or other government-issued identifiers;
• Financial data: bank account details, wallet details, card or payment information, M-PESA or mobile money details, source of funds, income information, settlement details and beneficiary information;
• Transaction data: payment instructions, transaction history, amount, date, time, currency, merchant details, recipient details, references, reversals, refunds, chargebacks and dispute records;
• Compliance data: KYC documents, customer due diligence records, enhanced due diligence information, sanctions and politically exposed person screening results, AML/CFT risk assessments, suspicious activity records and regulatory reporting information;
• Communication data: messages, complaints, support tickets, call notes, email correspondence, survey responses and feedback; and
• Marketing preference data: your communication preferences, consent choices and opt-in or opt-out records.

3.2 Information We Collect Automatically

When you access or use the Services, we may automatically collect:

• Device data: device type, model, operating system, browser type, mobile network, unique device identifiers, advertising identifiers and device security information;
• Log and usage data: IP address, login details, access dates and times, pages or screens viewed, features used, session duration, clickstream data, crash reports and error logs;
• Location data: IP-based geolocation and, where you grant permission, precise or approximate device location;
• Security and fraud data: behavioural patterns, authentication attempts, device fingerprinting, risk signals, transaction velocity, account access patterns and suspected fraud indicators; and
• Cookie and tracking data: information collected through cookies, pixels, tags, analytics tools and similar technologies.

3.3 Information from Third Parties

We may receive information about you from third parties where permitted by law, including identity verification providers, credit bureaus, financial institutions, payment processors, mobile network operators, fraud prevention databases, public registers, sanctions screening providers, business partners, merchants, regulators, law enforcement agencies and persons authorised by you.

4. Legal Basis for Processing

We process personal data only where we have a lawful basis to do so. Depending on the circumstances, we may process your personal data on the basis of:

• Consent, where you have freely given specific, informed and unambiguous consent;
• Contractual necessity, where processing is required to provide the Services or perform our obligations to you;
• Legal and regulatory obligation, where we are required to comply with applicable laws, regulatory directives, AML/CFT obligations, tax obligations, court orders or requests from competent authorities;
• Legitimate interests, including fraud prevention, service improvement, platform security, risk management, dispute resolution, debt recovery, internal administration and business continuity, provided those interests do not override your rights and freedoms; and
• Protection of vital interests or public interest where applicable under law.

Where consent is required, you may withdraw it at any time. Withdrawal of consent will not affect processing already carried out lawfully before withdrawal. In some cases, withdrawal of consent may limit or prevent your continued use of certain Services.

5. How We Use Your Personal Data

We may use your personal data to:

• Create, verify, maintain and administer your Vepay account;
• Perform onboarding, identity verification, KYC, customer due diligence and risk assessment;
• Provide, process, authorize, settle, reconcile and manage transactions and related financial services;
• Monitor, detect, prevent and investigate fraud, unauthorised transactions, money laundering, terrorist financing, sanctions breaches, account takeover and other unlawful activity;
• Comply with legal, regulatory, tax, audit, record-keeping, reporting and law enforcement obligations;
• Communicate with you about your account, transactions, security alerts, service updates, regulatory notices and customer support matters;
• Resolve complaints, disputes, reversals, refunds, chargebacks, recovery matters and operational issues;
• Improve, test, troubleshoot, personalize and secure our Services, systems and user experience;
• Conduct analytics, research, product development and internal reporting using aggregated or anonymised data where appropriate;
• Send marketing communications, offers or product information where permitted by law and subject to your preferences;
• Establish, exercise or defend legal rights and enforce our terms, policies and agreements; and
• Carry out any other purpose disclosed to you at the time of collection or permitted by applicable law.

We do not sell your personal data.

6. Alerts, Service Communications and Marketing

By creating or using a Vepay account, you agree that we may send you essential account, transaction, fraud-prevention, security, service and regulatory communications through in-app messages, email, SMS, phone calls, push notifications or other approved communication channels.

You may opt out of marketing communications at any time by using the unsubscribe option provided in the communication or by contacting us. However, you cannot opt out of essential service, security, transaction or regulatory notifications. We will never ask you to disclose your password, PIN or full authentication credentials by email, SMS or phone call.

7. Cookies and Similar Technologies

We may use cookies, pixels, tags, software development kits, device identifiers and similar technologies to operate our website and application, remember your preferences, improve user experience, analyse traffic, secure accounts, prevent fraud and support marketing where permitted by law.

You may be able to disable cookies through your browser or device settings. However, disabling certain cookies or tracking technologies may affect the functionality, security or availability of some Services.

8. How We Share Personal Data

We may share personal data only where necessary, lawful and proportionate. Recipients may include:

• Regulatory authorities, including the Central Bank of Nigeria, the Nigeria Data Protection Commission, the Office of the Data Protection Commissioner in Kenya, and other competent authorities where applicable;
• Law enforcement agencies, courts, tribunals, tax authorities, government bodies or dispute resolution bodies where required or permitted by law;
• Licensed credit bureaus, fraud prevention agencies and identity verification service providers;
• Banks, payment processors, card schemes, mobile money operators, settlement partners, remittance partners, merchants and other financial service providers involved in processing transactions;
• Cloud hosting providers, technology vendors, cybersecurity providers, analytics providers and infrastructure partners;
• Professional advisers, auditors, lawyers, consultants, insurers and recovery agents;
• Affiliates, subsidiaries, group companies or successors in business, including in connection with a merger, acquisition, restructuring, financing, sale of assets or similar transaction; and
• Third parties authorized by you or to whom you direct us to disclose your information.

Where we engage service providers to process personal data on our behalf, we require them to process such data only on our instructions and to implement appropriate confidentiality, security and data protection safeguards.

9. International Data Transfers

Your personal data may be processed or stored in countries other than your country of residence. Where we transfer personal data outside Nigeria or Kenya, we will ensure that appropriate safeguards are in place, including contractual protections, security measures, adequacy assessments, regulatory approvals where required, or other legally recognised transfer mechanisms.

10. Data Security

We implement appropriate technical and organisational measures designed to protect personal data from unauthorised access, loss, misuse, alteration, disclosure or destruction. These measures may include:

• Encryption of data in transit and at rest where appropriate;
• Role-based access controls and need-to-know access restrictions;
• Multi-factor authentication and secure login controls;
• Network monitoring, fraud detection and suspicious activity monitoring;
• Logging, audit trails and security reviews;
• Employee confidentiality obligations and privacy training;
• Vendor due diligence and contractual data protection requirements; and
• Incident response procedures for suspected or actual data breaches.

No method of electronic transmission or storage is completely secure. You are responsible for keeping your device, password, PIN and authentication credentials secure and for notifying us immediately if you suspect unauthorised access to your account.

11. Data Retention

We retain personal data for as long as necessary to fulfil the purposes for which it was collected, to provide the Services, to comply with financial services, AML/CFT, tax, accounting, audit, legal and regulatory obligations, to resolve disputes, to enforce agreements and to protect our rights and legitimate interests.

As a financial technology service provider, we may be required to retain certain identity, transaction, compliance and account records after account closure or termination. Where personal data is no longer required, we will delete, anonymise, aggregate or securely archive it in accordance with applicable law and our internal retention procedures.

We may retain limited information where necessary to prevent fraud, enforce account restrictions, comply with regulatory obligations, maintain security, respond to claims or avoid contacting you for marketing purposes where you have opted out.

12. Your Data Protection Rights

Subject to applicable law and regulatory limitations, you may have the right to:

• Request access to the personal data we hold about you;
• Request correction or updating of inaccurate, incomplete or outdated personal data;
• Request deletion of personal data where there is no lawful basis for continued retention;
• Request restriction of processing in certain circumstances;
• Object to processing, including processing for direct marketing;
• Withdraw consent where processing is based on consent;
• Request data portability where applicable;
• Object to solely automated decision-making that produces legal or similarly significant effects, where applicable; and
• Lodge a complaint with the relevant data protection authority.

To exercise any of these rights, please contact our Data Protection Officer using the details in Section 19. We may need to verify your identity before acting on your request. Some requests may be declined or limited where we are required to retain or process the data for legal, regulatory, security, fraud prevention, contractual or dispute-resolution purposes.

13. Automated Decision-Making and Profiling

We may use automated tools to support fraud detection, transaction monitoring, identity verification, risk scoring, account security and compliance screening. These tools may analyse transaction patterns, device information, location signals, identity verification results and other risk indicators.

Where automated processing results in a decision that significantly affects you, we will provide appropriate safeguards as required by law, which may include the right to request human review, express your view or contest the decision.

14. Children’s Privacy

Our Services are not intended for individuals under the age of 18. We do not knowingly collect personal data from children or minors, except where permitted by law and with appropriate authorisation. If you believe that a minor has provided personal data to us without lawful authorisation, please contact us immediately.

15. Third-Party Links and Services

Our Services may contain links to third-party websites, platforms, services, merchants, advertisers or partner networks. We are not responsible for the privacy practices, security standards or content of those third parties. You should review the relevant third-party privacy policy before submitting personal data to them.

16. Account Security and User Responsibilities

You are responsible for maintaining the confidentiality of your login details, password, PIN, one-time passwords and other authentication credentials. Any instruction received through your authenticated account may be treated as authorised by you, subject to our fraud monitoring and security procedures.

You must notify us immediately if you suspect unauthorised access, compromise of credentials, suspicious activity or any security breach relating to your account.

17. Country-Specific Terms

17.1 Nigeria

For users in Nigeria, this Policy is intended to comply with the Nigeria Data Protection Act, applicable guidelines issued by the Nigeria Data Protection Commission, applicable Central Bank of Nigeria requirements, AML/CFT laws and other relevant financial services regulations.

You may lodge a complaint with the Nigeria Data Protection Commission if you believe that your data protection rights have been infringed or that we have not adequately addressed your concerns.

17.2 Kenya

For users in Kenya, this Policy is intended to comply with the Constitution of Kenya, the Data Protection Act and applicable guidance issued by the Office of the Data Protection Commissioner.

You may lodge a complaint with the Office of the Data Protection Commissioner in Kenya if you believe that your data protection rights have been infringed or that we have not adequately addressed your concerns.

18. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in law, regulation, technology, our Services, operational practices or business requirements. Where material changes are made, we will notify you through appropriate channels, which may include in-app notification, email, SMS or publication on our website.

Your continued use of the Services after an updated Policy becomes effective will constitute your acknowledgement of the updated Policy, subject to any consent requirements under applicable law.

19. Contact Us

For privacy-related questions, requests, complaints or to exercise your data protection rights, please contact:

Company: Vepay

Email: hello@vepayhq.com

Phone: +234 201 887 0061

If you are not satisfied with our response, you may contact the relevant data protection authority in your jurisdiction.

20. Version Control

Policy Owner: Data Protection Officer

Effective Date: February 20, 2026

Review Cycle: At least annually or whenever required by material legal, regulatory, operational or product changes.

Privacy Policy

Effective Date: February 20, 2026

Nigeria and Kenya

1. Introduction

2. Scope of this Policy

This Policy applies to personal data collected or processed through:

• The Vepay mobile application;
• Vepay websites, portals, dashboards and online platforms;
• Account opening, onboarding, KYC, compliance and verification processes;
• Payment, wallet, remittance, transaction, settlement or related financial services;
• Communications with Vepay through email, SMS, calls, chat, in-app messaging, forms, customer support channels or social media; and
• Automated technologies used in connection with the Services, including cookies, device logs and analytics tools.

3. Personal Data We Collect

3.1 Information You Provide Directly

When you register, verify your identity, use our Services, contact us or complete any form, we may collect:

• Identity data: full name, date of birth, gender, nationality, photograph, signature, username, customer identification number and other registration information;
• Contact data: phone number, email address, residential address, mailing address and emergency or authorised contact details where applicable;
• Government and verification data: Bank Verification Number (BVN), National Identification Number (NIN), national identity card, passport, driver’s licence, voter’s card, tax identification information, Kenyan national ID, passport, alien ID, KRA PIN, or other government-issued identifiers;
• Financial data: bank account details, wallet details, card or payment information, M-PESA or mobile money details, source of funds, income information, settlement details and beneficiary information;
• Transaction data: payment instructions, transaction history, amount, date, time, currency, merchant details, recipient details, references, reversals, refunds, chargebacks and dispute records;
• Compliance data: KYC documents, customer due diligence records, enhanced due diligence information, sanctions and politically exposed person screening results, AML/CFT risk assessments, suspicious activity records and regulatory reporting information;
• Communication data: messages, complaints, support tickets, call notes, email correspondence, survey responses and feedback; and
• Marketing preference data: your communication preferences, consent choices and opt-in or opt-out records.

3.2 Information We Collect Automatically

When you access or use the Services, we may automatically collect:

• Device data: device type, model, operating system, browser type, mobile network, unique device identifiers, advertising identifiers and device security information;
• Log and usage data: IP address, login details, access dates and times, pages or screens viewed, features used, session duration, clickstream data, crash reports and error logs;
• Location data: IP-based geolocation and, where you grant permission, precise or approximate device location;
• Security and fraud data: behavioural patterns, authentication attempts, device fingerprinting, risk signals, transaction velocity, account access patterns and suspected fraud indicators; and
• Cookie and tracking data: information collected through cookies, pixels, tags, analytics tools and similar technologies.

3.3 Information from Third Parties

4. Legal Basis for Processing

We process personal data only where we have a lawful basis to do so. Depending on the circumstances, we may process your personal data on the basis of:

• Consent, where you have freely given specific, informed and unambiguous consent;
• Contractual necessity, where processing is required to provide the Services or perform our obligations to you;
• Legal and regulatory obligation, where we are required to comply with applicable laws, regulatory directives, AML/CFT obligations, tax obligations, court orders or requests from competent authorities;
• Legitimate interests, including fraud prevention, service improvement, platform security, risk management, dispute resolution, debt recovery, internal administration and business continuity, provided those interests do not override your rights and freedoms; and
• Protection of vital interests or public interest where applicable under law.

5. How We Use Your Personal Data

We may use your personal data to:

• Create, verify, maintain and administer your Vepay account;
• Perform onboarding, identity verification, KYC, customer due diligence and risk assessment;
• Provide, process, authorize, settle, reconcile and manage transactions and related financial services;
• Monitor, detect, prevent and investigate fraud, unauthorised transactions, money laundering, terrorist financing, sanctions breaches, account takeover and other unlawful activity;
• Comply with legal, regulatory, tax, audit, record-keeping, reporting and law enforcement obligations;
• Communicate with you about your account, transactions, security alerts, service updates, regulatory notices and customer support matters;
• Resolve complaints, disputes, reversals, refunds, chargebacks, recovery matters and operational issues;
• Improve, test, troubleshoot, personalize and secure our Services, systems and user experience;
• Conduct analytics, research, product development and internal reporting using aggregated or anonymised data where appropriate;
• Send marketing communications, offers or product information where permitted by law and subject to your preferences;
• Establish, exercise or defend legal rights and enforce our terms, policies and agreements; and
• Carry out any other purpose disclosed to you at the time of collection or permitted by applicable law.

We do not sell your personal data.

6. Alerts, Service Communications and Marketing

7. Cookies and Similar Technologies

8. How We Share Personal Data

We may share personal data only where necessary, lawful and proportionate. Recipients may include:

• Regulatory authorities, including the Central Bank of Nigeria, the Nigeria Data Protection Commission, the Office of the Data Protection Commissioner in Kenya, and other competent authorities where applicable;
• Law enforcement agencies, courts, tribunals, tax authorities, government bodies or dispute resolution bodies where required or permitted by law;
• Licensed credit bureaus, fraud prevention agencies and identity verification service providers;
• Banks, payment processors, card schemes, mobile money operators, settlement partners, remittance partners, merchants and other financial service providers involved in processing transactions;
• Cloud hosting providers, technology vendors, cybersecurity providers, analytics providers and infrastructure partners;
• Professional advisers, auditors, lawyers, consultants, insurers and recovery agents;
• Affiliates, subsidiaries, group companies or successors in business, including in connection with a merger, acquisition, restructuring, financing, sale of assets or similar transaction; and
• Third parties authorized by you or to whom you direct us to disclose your information.

9. International Data Transfers

10. Data Security

• Encryption of data in transit and at rest where appropriate;
• Role-based access controls and need-to-know access restrictions;
• Multi-factor authentication and secure login controls;
• Network monitoring, fraud detection and suspicious activity monitoring;
• Logging, audit trails and security reviews;
• Employee confidentiality obligations and privacy training;
• Vendor due diligence and contractual data protection requirements; and
• Incident response procedures for suspected or actual data breaches.

11. Data Retention

12. Your Data Protection Rights

Subject to applicable law and regulatory limitations, you may have the right to:

• Request access to the personal data we hold about you;
• Request correction or updating of inaccurate, incomplete or outdated personal data;
• Request deletion of personal data where there is no lawful basis for continued retention;
• Request restriction of processing in certain circumstances;
• Object to processing, including processing for direct marketing;
• Withdraw consent where processing is based on consent;
• Request data portability where applicable;
• Object to solely automated decision-making that produces legal or similarly significant effects, where applicable; and
• Lodge a complaint with the relevant data protection authority.

13. Automated Decision-Making and Profiling

14. Children’s Privacy

15. Third-Party Links and Services

16. Account Security and User Responsibilities

You must notify us immediately if you suspect unauthorised access, compromise of credentials, suspicious activity or any security breach relating to your account.

17. Country-Specific Terms

17.1 Nigeria

You may lodge a complaint with the Nigeria Data Protection Commission if you believe that your data protection rights have been infringed or that we have not adequately addressed your concerns.

17.2 Kenya

For users in Kenya, this Policy is intended to comply with the Constitution of Kenya, the Data Protection Act and applicable guidance issued by the Office of the Data Protection Commissioner.

18. Changes to this Privacy Policy

Your continued use of the Services after an updated Policy becomes effective will constitute your acknowledgement of the updated Policy, subject to any consent requirements under applicable law.

19. Contact Us

For privacy-related questions, requests, complaints or to exercise your data protection rights, please contact:

Company: Vepay

Email: hello@vepayhq.com

Phone: +234 201 887 0061

If you are not satisfied with our response, you may contact the relevant data protection authority in your jurisdiction.

20. Version Control

Policy Owner: Data Protection Officer

Effective Date: February 20, 2026

Review Cycle: At least annually or whenever required by material legal, regulatory, operational or product changes.