PapayMoni Privacy Policy

Barsmiko Enterprise Limited, operating as PapayMoni, is committed to protecting your personal data and respecting your privacy rights. This Privacy Policy explains how we collect, use, store, share, and protect personal data when you use our application or related services, and sets out your rights as a data subject.

This Policy is issued in compliance with the Nigeria Data Protection Regulation 2023 (NDPR), the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (UK), the EU General Data Protection Regulation (EU GDPR 2016/679), the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), and all other applicable data protection legislation. Where these laws overlap, we apply the higher standard of protection.

1. Data Controller Identity

The data controller responsible for your personal data is:

For all data protection enquiries, please contact us at papaymoni-privacy@barsmiko-inc.net.

2. Data Protection Officer (DPO)

Barsmiko Enterprise Limited has designated a Data Protection Officer (DPO) responsible for overseeing compliance with this Policy and applicable data protection law.

You have the right to contact the DPO directly with any question, concern, or complaint relating to the processing of your personal data.

3. Data We Collect & Legal Basis for Processing

We collect personal data in the following categories. For each category, we identify the legal basis for processing under UK GDPR / EU GDPR (Article 6) and, where applicable, Article 9 for special categories of data.

Category	Data Collected	Legal Basis (UK/EU GDPR Art. 6)
Identity & Contact	Full name, email address, phone number, date of birth, nationality	Performance of contract (Art. 6(1)(b)); Legal obligation (Art. 6(1)(c))
KYC & Verification	Government-issued ID (passport, national ID, driving licence), Bank Verification Number (BVN) for Nigerian users, selfie/biometric verification data	Legal obligation — AML/KYC regulations (Art. 6(1)(c)); Explicit consent for biometric processing (Art. 9(2)(a)) where required
Financial & Transaction	Platform balance history, transaction records, payment details, linked bank account details (for transaction processing only), source of funds information	Performance of contract (Art. 6(1)(b)); Legal obligation — financial record keeping (Art. 6(1)(c))
Device & Technical	Device model, operating system, device identifiers, IP address, session logs, app usage statistics, crash reports, browser type	Legitimate interests — security, fraud prevention, platform improvement (Art. 6(1)(f))
Location	Approximate or precise geolocation data where permitted by your device settings	Legitimate interests — fraud detection, regulatory compliance, service availability (Art. 6(1)(f)); Consent (Art. 6(1)(a)) where required by device OS
Risk & Compliance	Sanctions screening results, fraud risk scores, AML risk categorisation, device intelligence scores, politically exposed person (PEP) status	Legal obligation — AML/CTF/sanctions compliance (Art. 6(1)(c)); Legitimate interests — fraud prevention (Art. 6(1)(f))
Communication	Support messages, feedback, in-app chat transcripts, email correspondence	Performance of contract (Art. 6(1)(b)); Legitimate interests — customer service quality (Art. 6(1)(f))
Marketing Preferences	Opt-in/opt-out preferences for promotional communications	Consent (Art. 6(1)(a)) — freely given, specific, and withdrawable at any time

Where we rely on legitimate interests as our legal basis, we have conducted a balancing test and determined that our interests do not override your fundamental rights and freedoms. You may request information about any legitimate interests assessment by contacting our DPO.

4. How We Use Your Data

We process your personal data for the following purposes:

• Account creation and management — verifying your identity, creating and maintaining your account, and managing your platform access
• Transaction processing and settlement coordination — facilitating payment initiation, platform balance management, and coordination with regulated third-party providers
• Identity verification and KYC compliance — verifying your identity and conducting ongoing KYC checks as required by applicable law
• AML, fraud prevention, and risk management — monitoring transactions, conducting sanctions screening, performing risk scoring, and detecting suspicious activity
• Customer support and dispute resolution — responding to enquiries, resolving complaints, and managing refund and reversal requests
• Legal and regulatory compliance — fulfilling obligations under Nigerian, UK, EU, and international financial crime, tax, and data protection laws
• Reporting to regulators and law enforcement — filing suspicious activity reports (SARs) and responding to lawful requests from competent authorities
• Service improvement and analytics — analysing platform usage patterns to improve features, reliability, and user experience (on an aggregated or pseudonymised basis where possible)
• Security and incident response — detecting and responding to security threats, cyberattacks, and unauthorised access
• Marketing and communications — sending promotional content only where you have expressly opted in

5. Automated Decision-Making & Profiling

Specifically, automated processing is used for:

• Fraud risk scoring — automated assessment of transaction patterns, device signals, and behavioural data to identify potential fraudulent activity
• AML transaction monitoring — automated flagging of transactions that match suspicious activity patterns or exceed risk thresholds
• Sanctions screening — automated matching of user identity data against applicable sanctions lists
• KYC risk categorisation — automated classification of user accounts into risk tiers based on jurisdiction, transaction behaviour, and identity verification results

Your rights regarding automated decisions: Where an automated decision produces a significant effect on you (for example, account restriction, transaction refusal, or access suspension), you have the right to:

• Request human review of the automated decision
• Express your point of view and contest the decision
• Receive a meaningful explanation of the logic behind the decision

To exercise these rights, contact our DPO at papaymoni-privacy@barsmiko-inc.net within 30 days of the automated decision.

6. Data Sharing & Third-Party Processors

Barsmiko Enterprise Limited does not sell, rent, or trade your personal data. We share personal data only in the following circumstances and only to the minimum extent necessary:

• Regulated Third-Party Payment Providers — including Stripe, Inc., PalmPay Limited, and Blooms Microfinance Bank, for payment processing, settlement, and financial infrastructure services
• KYC and Identity Verification Providers — for identity document verification, biometric matching, and fraud screening
• Sanctions and Fraud Intelligence Providers — for real-time sanctions list screening and financial crime risk intelligence
• Cloud Infrastructure and Hosting Providers — for secure storage and operation of platform data
• Analytics and Performance Monitoring Providers — for platform performance monitoring, on a pseudonymised or aggregated basis where possible
• Regulatory Authorities and Law Enforcement — including the Central Bank of Nigeria (CBN), the Nigeria Data Protection Commission (NDPC), the UK Financial Conduct Authority (FCA), the UK Information Commissioner's Office (ICO), the UK National Crime Agency (NCA), and other competent authorities, where required by law or lawful request
• Legal and Professional Advisers — where required for legal proceedings, regulatory advice, or professional compliance services

All third-party data processors engaged by Barsmiko Enterprise Limited are bound by written Data Processing Agreements (DPAs) and are required to process data only on our documented instructions, in compliance with applicable data protection law.

7. International Data Transfers

Some of our third-party service providers and infrastructure operate outside the United Kingdom and the European Economic Area. Where we transfer personal data internationally, we ensure that appropriate safeguards are in place as required by UK GDPR (Chapter V) and EU GDPR (Chapter V), including:

• Adequacy decisions — where the destination country has been recognised by the UK or EU as providing an adequate level of data protection
• Standard Contractual Clauses (SCCs) — using the International Data Transfer Agreement (IDTA) for UK transfers, or the EU Commission-approved Standard Contractual Clauses for EU transfers, as applicable
• UK Addendum to EU SCCs — where applicable to UK-to-non-adequate-country transfers
• Supplementary technical measures — including encryption at rest and in transit, pseudonymisation, and access controls, applied to all international data transfers

For transfers to Nigeria specifically: Nigeria does not currently hold a UK or EU adequacy decision. All transfers to Nigerian-based providers are governed by executed Standard Contractual Clauses supplemented by appropriate technical safeguards.

You may request details of the specific transfer mechanisms applicable to your data by contacting our DPO.

8. Data Retention Schedule

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, and in compliance with applicable legal and regulatory retention obligations.

Data Category	Retention Period	Legal Basis / Obligation
KYC and identity documents	5 years from account closure or relationship end	UK/Nigeria AML Regulations; CBN AML/CFT Framework
Transaction records	7 years from transaction date	UK Companies Act 2006; HMRC requirements; CBN directives
AML/compliance investigation records	7 years from investigation closure	UK Proceeds of Crime Act 2002; Nigeria Money Laundering Act
Biometric verification data	Deleted upon successful verification; or retained for up to 5 years for active dispute/compliance	Minimal retention principle; GDPR Art. 9 special category obligations
Account profile and contact data	Duration of account plus 5 years following closure	Legal obligation; Limitation period for claims
Device and IP logs	12 months (or longer where required for active investigation)	Legitimate interests — security; proportionality principle
Customer support communications	3 years from resolution	Legitimate interests — dispute resolution
Marketing preferences and consents	Until opt-out or account deletion, plus 1 year for consent audit trail	Consent accountability (GDPR Art. 7(1))

Upon expiry of the applicable retention period, data is securely deleted or permanently anonymised in a manner that prevents re-identification.

9. Data Security & Incident Response

We apply appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, alteration, or disclosure. These include:

• Industry-standard encryption in transit (SSL/TLS) and at rest (AES-256)
• Multi-factor authentication for platform access
• Role-based access controls and the principle of least privilege for internal data access
• Regular security audits, vulnerability assessments, and penetration testing
• Continuous monitoring and threat detection systems
• Staff data protection training and confidentiality obligations

While we implement industry-leading safeguards, no system can guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials and for notifying us immediately of any suspected security incident.

Data Breach Response

In the event of a personal data breach, Barsmiko Enterprise Limited will:

• Assess the breach and its likely impact without undue delay
• Notify the applicable supervisory authority (ICO in the UK; NDPC in Nigeria) within 72 hours of becoming aware of the breach, where it poses a risk to individuals' rights and freedoms
• Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms
• Document all breaches, their effects, and remediation actions taken

10. Cookies & Tracking Technologies

PapayMoni's web-based services and application may use cookies and similar tracking technologies. We use the following categories of cookies:

• Strictly necessary cookies — required for the platform to function; no consent is needed for these
• Functional cookies — remember your preferences and settings; activated with your consent
• Analytics cookies — collect anonymised data on how you use the platform to help us improve it; activated with your consent
• Security cookies — used to detect and prevent fraudulent or malicious activity; may be used without consent where they serve a legitimate security function

Where consent is required (under UK PECR, the EU ePrivacy Directive, or equivalent legislation), we will request it before placing non-essential cookies. You may withdraw cookie consent at any time through your browser settings or device preferences, though this may affect certain platform functionalities.

We do not use tracking cookies for targeted advertising or cross-site behavioural profiling.

11. Your Data Protection Rights

Subject to applicable law and any overriding legal obligations (such as AML retention requirements), you have the following rights in relation to your personal data:

• Right of Access (Art. 15 UK/EU GDPR) — You may request a copy of the personal data we hold about you and information about how it is processed.
• Right to Rectification (Art. 16) — You may request that inaccurate or incomplete personal data be corrected without undue delay.
• Right to Erasure / "Right to Be Forgotten" (Art. 17) — You may request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, or where you withdraw consent and no other legal basis applies. Note: we may be unable to delete data subject to mandatory legal retention obligations (e.g., AML records).
• Right to Restriction of Processing (Art. 18) — You may request that we restrict processing of your data in certain circumstances, such as while the accuracy of data is contested.
• Right to Data Portability (Art. 20) — Where processing is based on your consent or a contract and is carried out by automated means, you may request your data in a structured, commonly used, machine-readable format, and have it transmitted to another controller where technically feasible.
• Right to Object (Art. 21) — You may object at any time to processing based on legitimate interests (including profiling for direct marketing). Where you object to direct marketing, we will cease processing immediately. Where you object to other legitimate interests processing, we will cease unless we can demonstrate compelling legitimate grounds.
• Rights in Relation to Automated Decision-Making (Art. 22) — As detailed in Section 5, you have the right to request human review of automated decisions that significantly affect you.
• Right to Withdraw Consent (Art. 7(3)) — Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

To exercise any of these rights, submit a written request to papaymoni-privacy@barsmiko-inc.net with sufficient information to identify your account and describe the right you wish to exercise. We will respond within one calendar month of receipt. This period may be extended by a further two months for complex or multiple requests; if so, we will notify you of the extension and the reason within the first month.

We will not charge a fee for responding to rights requests unless they are manifestly unfounded or excessive.

12. Jurisdiction-Specific Privacy Rights

12.1 United Kingdom — UK GDPR & ICO

UK users are protected by the UK GDPR and the Data Protection Act 2018. In addition to the rights in Section 11, UK users have the right to lodge a complaint with the Information Commissioner's Office (ICO):

• Website: ico.org.uk
• Phone: 0303 123 1113
• Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

12.2 Nigeria — NDPR 2023 & NDPC

Nigerian users are protected by the Nigeria Data Protection Regulation 2023 (NDPR). In addition to the rights in Section 11, Nigerian users have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC):

• Website: ndpc.gov.ng
• Email: info@ndpc.gov.ng

PapayMoni processes BVN data exclusively for identity verification purposes in compliance with CBN directives and the NDPR. BVN data is not used for any purpose beyond verification and is not shared except with licensed verification infrastructure providers operating under data confidentiality obligations.

12.3 European Union — EU GDPR

EU users are protected by EU GDPR 2016/679. You have the right to lodge a complaint with the supervisory authority in your EU member state. A full list of EU data protection authorities is available at edpb.europa.eu.

12.4 California, United States — CCPA / CPRA

California residents have the following additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

• Right to Know — the categories and specific pieces of personal information collected, the purposes of collection, and the categories of third parties with whom data is shared
• Right to Delete — request deletion of personal information, subject to legal exceptions
• Right to Correct — request correction of inaccurate personal information
• Right to Opt-Out of Sale or Sharing — Barsmiko Enterprise Limited does not sell or share personal data for cross-context behavioural advertising
• Right to Limit Use of Sensitive Personal Information — you may direct us to limit the use of sensitive personal information to that necessary for providing the requested services
• Right to Non-Discrimination — you will not receive discriminatory treatment for exercising your CCPA/CPRA rights

California residents may submit CCPA requests to papaymoni-privacy@barsmiko-inc.net.

13. Children & Minimum Age

PapayMoni is a financial services technology platform. Access is strictly limited to individuals aged 18 years or over. We do not knowingly collect personal data from anyone under 18.

If we become aware that personal data has been collected from a person under 18, we will take immediate steps to delete that data and close the associated account.

If you believe a person under 18 has registered on the platform, please contact us immediately at papaymoni-privacy@barsmiko-inc.net.

14. How to Lodge a Complaint

If you are dissatisfied with how we have handled your personal data or a rights request, you should first contact our DPO at papaymoni-privacy@barsmiko-inc.net. We will acknowledge your complaint within 5 business days and provide a substantive response within 30 days.

If you remain dissatisfied following our response, you have the right to escalate your complaint to the relevant supervisory authority in your jurisdiction:

• United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk/make-a-complaint
• Nigeria: Nigeria Data Protection Commission (NDPC) — ndpc.gov.ng
• European Union: Your national supervisory authority — see edpb.europa.eu
• United States (California): California Privacy Protection Agency (CPPA) — cppa.ca.gov

15. Updates to This Privacy Policy

Barsmiko Enterprise Limited may revise this Privacy Policy from time to time to reflect changes in law, regulatory guidance, our data processing activities, or platform features. All revisions will be assigned a new version number and effective date as recorded in the Version History section (Section 16) of this Policy.

Material changes that affect how we process your data or that reduce your rights will be communicated to you via in-app notification or email no less than 30 days before taking effect. For changes required urgently by law or regulatory obligation, we will notify you as soon as reasonably practicable.

Your continued use of the platform following the effective date of a revised Policy constitutes your acknowledgement of the changes. If you do not accept the revised Policy, you must cease using the platform and may request account closure.

16. Version History

Version	Effective Date	Summary of Changes
1.0	May 2025	Initial publication. Covered basic data collection categories (personal, technical, financial, location, communication), general data security, limited data sharing disclosure, international transfers (consent only), basic user rights (access, rectification, deletion), Nigerian data protection reference only. Section 1.8 was missing from the original document.
2.0	24 May 2026	Full compliance rewrite. Key changes include: Added Data Controller identity (Barsmiko Enterprise Limited — Nigeria and England & Wales) Added Data Protection Officer (DPO) section with contact details Added full GDPR Article 13 legal basis disclosure for each data category (legal basis table) Added Automated Decision-Making & Profiling disclosure (GDPR Art. 22) Expanded Data Sharing section — named processors; added DPA requirement Corrected International Transfers section — removed "consent only" basis; added SCCs, IDTA, UK Addendum as valid transfer mechanisms; added Nigeria-specific transfer disclosure Added comprehensive Data Retention Schedule (table format with 8 categories) Added Data Breach Response procedure with 72-hour supervisory authority notification commitment Added Cookie & Tracking Technologies section with PECR/ePrivacy compliance Expanded User Rights to cover all 8 GDPR rights (Art. 15–22 + Art. 7(3)) Corrected response time to 1 calendar month (GDPR standard) Added Jurisdiction-Specific Rights section: UK ICO, Nigeria NDPC, EU GDPR, California CCPA/CPRA Corrected minimum age from 13 to 18 (financial services requirement) Added dedicated Complaints Procedure with supervisory authority contact details Fixed missing Section 1.8 from original (renumbered as part of full rewrite) Added ICO Registration Number placeholder Added NDPC Registration Status placeholder Removed: reliance on "Nigeria's data protection laws" only Removed: "bank-grade encryption" terminology Removed: implied consent through account creation for marketing

17. Contact Information

For all privacy-related enquiries, rights requests, or complaints relating to this Privacy Policy, please contact us:

• Privacy & DPO Email: papaymoni-privacy@barsmiko-inc.net
• General Support: papaymoni-support@barsmiko-inc.net
• In-App Support: Use the Support section within the PapayMoni application
• Registered Offices (Nigeria & England/Wales): As listed on our Contact Us page. Company registration details are available upon written request.

We will acknowledge all written requests within 5 business days and provide a substantive response within one calendar month.