Privacy Notice

Cashat Technologies Ltd ("Cashat", "we", "us") is the data controller for personal information processed in connection with the Cashat mobile application, agent application, merchant application, and the cashat.africa website (the "Services").

Cashat is incorporated in Nigeria with regional operating entities across West, Central and East Africa. Where local laws require an in-country controller, that entity acts as joint controller with Cashat Technologies Ltd.

We only collect information that is necessary to provide and protect the Services and to comply with our legal obligations as a regulated financial services provider.

• Identity data: full legal name, date of birth, nationality, government-issued ID number, photograph and a live selfie used for biometric verification.
• Contact data: phone number, email address, residential and postal address.
• Financial data: wallet balances, transaction history, beneficiary details, card and bank account information, and funding source declarations.
• Device & technical data: IP address, device identifiers, operating system, app version, network type, language and time zone, crash diagnostics.
• Location data: approximate location from your IP and, with your permission, precise device location for fraud-prevention and nearest-agent lookups.
• Communications: messages you send through our in-app support, emails, and call recordings made for quality and compliance purposes.

We process personal information for the following purposes:

• To verify your identity and onboard you in accordance with Know-Your-Customer (KYC) rules.
• To execute, settle and reconcile payments, transfers, remittances and card transactions you initiate.
• To detect, investigate and prevent fraud, money laundering, sanctions breaches and terrorist financing.
• To provide customer support and respond to your enquiries, disputes and chargebacks.
• To improve and personalise the Services, including in-app recommendations and fee optimisation.
• To comply with our regulatory reporting obligations to central banks, financial intelligence units and tax authorities.

We rely on the following legal bases for processing, depending on the jurisdiction: (a) performance of a contract with you; (b) compliance with a legal obligation, including anti-money-laundering and counter-terrorism-financing law; (c) our legitimate interests in operating a secure financial service; and (d) your explicit consent, where required (for example, for marketing communications or precise location).

You can withdraw consent at any time. Withdrawal will not affect processing that is necessary for us to deliver the Services or to comply with law.

We share personal information only when it is necessary to operate the Services or to meet a legal obligation. Recipients include:

• Licensed banking, payment and card-issuing partners that hold customer funds or process transactions.
• Identity-verification, sanctions-screening, fraud-detection and credit-bureau providers.
• Cloud infrastructure and analytics providers operating under data-processing agreements.
• Regulators, courts, tax authorities and law-enforcement agencies, when lawfully required.
• Professional advisors (lawyers, auditors, accountants) bound by confidentiality.
• Counterparties to a corporate transaction (merger, acquisition or asset sale), subject to confidentiality.

We do not sell personal information.

Cashat operates across multiple African jurisdictions and uses cloud infrastructure that may be located outside your country of residence. Where we transfer personal information across borders, we rely on appropriate safeguards including the standard contractual clauses adopted by relevant data-protection regulators, adequacy decisions, and binding intra-group data-processing agreements.

We retain personal information for as long as your account is active and for a minimum of seven years after closure, in line with banking and AML record-keeping requirements. Some categories of data (for example, suspicious-transaction reports) are retained for longer where the law requires it.

Subject to local law, you have the right to access, correct, port or delete your personal information; to object to or restrict certain processing; and to lodge a complaint with your national data-protection authority — for example, the Nigeria Data Protection Commission (NDPC) or the Office of the Data Protection Commissioner (ODPC) in Kenya.

You can exercise most of these rights directly from the Cashat app under Settings → Privacy, or by writing to privacy@cashat.africa. We will respond within 30 days.

We use industry-standard safeguards including end-to-end transport encryption, encryption of sensitive data at rest, hardware-backed key storage on your device, biometric authentication, behavioural fraud monitoring and continuous penetration testing. No system is perfectly secure; if you suspect unauthorised access to your account, contact us immediately at security@cashat.africa.

The Services are not directed at children under 18. We do not knowingly collect personal information from minors. If you believe a minor has provided us personal information, contact privacy@cashat.africa and we will delete it.

We may update this notice from time to time. Material changes will be notified to you in-app or by email at least 14 days before they take effect.