Privacy Policy
Our commitment: We collect only the data we need to operate Kolect safely and effectively. We never sell your personal data to third parties for marketing purposes.
This Privacy Policy explains how Nohva Limited collects, uses, stores, and protects your personal data when you use the Kolect platform. It is drafted in compliance with the Nigeria Data Protection Act 2023 (NDPA), the Nigeria Data Protection Regulation 2019 (NDPR), and other applicable standards.
1. Overview
At Nohva Limited, we take your privacy seriously. Kolect is designed to facilitate group payment collection among individuals who know and trust each other. This means certain information, including your payment status, may be visible to other members of Groups you join or create, within the limits described in this Policy. Please read this Policy carefully alongside our Terms of Service.
2. Data Controller
The data controller responsible for your personal data is:
Nohva Limited
Incorporated in the Federal Republic of Nigeria (registered with the Corporate Affairs Commission)
Email: hello@nohva.ng
Data Protection Officer: hello@nohva.ng
Nohva processes personal data in accordance with the Nigeria Data Protection Act 2023 (NDPA) and the Nigeria Data Protection Regulation 2019 (NDPR). We will register with the Nigeria Data Protection Commission (NDPC) when our processing activity meets the threshold prescribed under the Act.
3. Data We Collect
3.1 Data You Provide Directly
| Data Type | Examples | Why Collected |
|---|---|---|
| Identity Data | Full name, date of birth, gender | Account creation and KYC compliance |
| Contact Data | Phone number, email address | Account registration, notifications, support |
| Identity Documents | NIN, BVN, government-issued ID | Regulatory KYC/AML compliance |
| Profile Data | Display name, profile picture | Identification within Groups |
| Group Data | Group name, description, member list, contribution amounts | Operating the Group payment service |
3.2 Data We Collect Automatically
| Data Type | Examples | Why Collected |
|---|---|---|
| Transaction Data | Amount, date/time, Group ID, payment status | Processing payments, dispute resolution, audit trail |
| Device Data | Device type, OS, app version, device identifier | Security, fraud prevention, app performance |
| Usage Data | Features used, screens viewed, session duration | Product improvement and analytics |
| Log Data | IP address, timestamps, error logs | Security monitoring and debugging |
We never collect your full card number, CVV, or banking passwords. All payment credentials are handled exclusively by Paystack's PCI-DSS compliant infrastructure.
4. How We Use Your Data
We use your personal data for the following purposes:
- Account Management: Creating, maintaining, and securing your account.
- Service Delivery: Operating Shared Bill, Ajo, and Bill Split groups, processing contributions, and disbursing payouts.
- Regulatory Compliance: Meeting KYC, AML, and financial reporting obligations under Nigerian law, including the Money Laundering (Prevention and Prohibition) Act 2022 and CBN guidelines.
- Payment Processing: Facilitating Transactions through Paystack and reconciling payment records.
- Communications: Sending payment reminders, contribution receipts, Group notifications, product updates, and support responses.
- Security and Fraud Prevention: Detecting, investigating, and preventing fraudulent, unauthorised, or illegal activity.
- Product Improvement: Analysing aggregated, anonymised usage data to improve features.
We do not use your data for automated decision-making that produces legal or similarly significant effects without human review.
5. Legal Basis for Processing
Under the Nigeria Data Protection Act 2023, we process your personal data on the following legal bases:
- Contractual Necessity: Processing required to deliver the services you have contracted with us.
- Legal Obligation: Processing required for compliance with Nigerian law, including AML/KYC obligations.
- Legitimate Interests: Processing for fraud prevention, platform security, and product improvement.
- Consent: Where we rely on your consent (such as for optional marketing communications), you may withdraw consent at any time.
6. Sharing Your Data
6.1 Within Groups
When you join a Group, certain information, including your name, profile picture, payment status (paid/unpaid), and contribution amount, will be visible to the Group Admin and, to the extent set by the Admin, to other Members. You should only join Groups organised by people you know and trust.
6.2 With Service Providers
We share data with carefully selected third-party processors bound by data processing agreements:
- Paystack Payments Limited: payment processing
- Brevo: transactional email, contact list management, and waitlist communications
- Cloudflare: bot protection (Turnstile) and content delivery
- Cloud hosting providers: secure data storage and infrastructure
- Identity verification providers: BVN/NIN verification
- Analytics providers: anonymised usage analytics
- Customer support tools: support ticket management
6.3 With Regulatory Authorities
We may disclose your data to the CBN, NDPC, EFCC, NFIU, FCCPC, police, or other competent authorities where required by law, court order, or regulatory directive.
6.4 No Sale of Personal Data
We do not sell, rent, or trade your personal data to third parties for marketing or advertising purposes. This is an absolute commitment.
7. Paystack and Payment Data
All payment transactions on Kolect are processed by Paystack Payments Limited, a CBN-licensed Payment Solution Service Provider. When you make a payment, you are interacting directly with Paystack's payment infrastructure.
7.1 What Paystack Receives
Paystack receives your card details, bank account information, or other payment credentials directly. This data never passes through Nohva's systems in unencrypted form. Paystack handles all payment data in accordance with PCI-DSS Level 1 standards.
7.2 What We Receive from Paystack
Nohva receives only a transaction reference, payment status, masked payment instrument (e.g., last 4 digits of card), amount, and timestamp. We use this data solely to update Group payment records and provide receipts.
7.3 Paystack's Privacy Policy
Paystack's handling of your payment data is governed by Paystack's Privacy Policy. Nohva is not responsible for Paystack's data practices beyond ensuring our integration complies with applicable law.
8. Data Retention
| Data Category | Retention Period | Basis |
|---|---|---|
| Account and identity data | Duration of account + 6 years after closure | AML/KYC regulatory requirements (MLPPA 2022) |
| Transaction records | 7 years from transaction date | Financial reporting obligations (CAMA 2020) |
| KYC documents (NIN, BVN) | Duration of account + 5 years | CBN KYC guidelines |
| Usage and analytics data | 24 months (anonymised/aggregated thereafter) | Legitimate interests |
| Support correspondence | 3 years from last interaction | Dispute resolution, legal claims |
9. Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption of data in transit using TLS 1.2 or higher;
- Encryption of sensitive data at rest using AES-256;
- Role-based access controls limiting data access to authorised personnel only;
- Regular security assessments and penetration testing; and
- Incident response procedures compliant with NDPA 2023 breach notification requirements.
In the event of a personal data breach posing a risk to your rights and freedoms, we will notify the Nigeria Data Protection Commission within 72 hours and will notify affected individuals without undue delay.
If you suspect unauthorised access to your account, notify us immediately at hello@nohva.ng.
10. Your Rights
Under the Nigeria Data Protection Act 2023 and the NDPR, you have the following rights:
To exercise any of these rights, contact our Data Protection Officer at hello@nohva.ng. We will respond within 30 days.
11. Children's Privacy
Kolect is not intended for use by persons under the age of 18. We do not knowingly collect personal data from children. If you believe your child has provided us with personal data, please contact us at hello@nohva.ng and we will delete such data promptly.
12. Cookies and Tracking Technologies
12.1 Mobile Application
Our mobile application does not use browser cookies. We use anonymous device identifiers for analytics and fraud prevention, and secure session tokens, stored in encrypted device storage, to maintain your logged-in session.
12.2 Website
| Cookie Type | Purpose | Duration |
|---|---|---|
| Strictly Necessary | Enable core site functionality and security. Cannot be disabled. | Session |
| Analytics | Anonymous data on page visits to improve the site. Only with consent. | Up to 24 months |
| Preferences | Remember your settings between visits. | Up to 12 months |
13. International Data Transfers
We primarily store and process your data within Nigeria. Where we engage service providers located outside Nigeria, we ensure such transfers comply with NDPA 2023 requirements for cross-border data transfers, including transferring only to countries with adequate data protection levels or implementing appropriate safeguards such as standard contractual clauses approved by the NDPC. We do not transfer your financial or identity documents outside Nigeria without explicit regulatory justification and appropriate safeguards.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes at least 14 days in advance via in-app notification and/or email. Your continued use of the Platform after the effective date constitutes your acceptance of the revised Policy.
15. Contact and Complaints
Data Protection Officer
Nohva Limited
Email: hello@nohva.ng
Complaints to the Regulator
Nigeria Data Protection Commission (NDPC)
Website: ndpc.gov.ng
Email: info@ndpc.gov.ng