
Abottmax Financial Subsidiary – Data Protection Policy

Effective Date: September 15th 2024
Review Date: September 15th 2025
Version: 1.4
Document Owner: Legal & Compliance Department

 

1. Introduction

This Data Protection Policy outlines how Abottmax’s financial subsidiary (“the Company”) collects, processes, stores, and protects personal data through its mobile application available on the Google Play Store and Apple App Store. It complies with the Nigeria Data Protection Act (NDPA) 2023 and other applicable regulations.

 

2. Scope

This policy applies to:

  • All users of the mobile app

  • Employees, contractors, and third-party service providers

  • All data processing activities involving personal data

 

3. Definitions

  • Personal Data: Any information relating to an identified or identifiable individual.

  • Data Subject: The individual whose personal data is being processed.

  • Processing: Any operation performed on personal data (collection, storage, use, etc.).

  • Controller: The entity that determines the purpose and means of processing personal data.

 

4. Data Collection Framework

We collect personal data to deliver secure, personalized, and compliant financial services. All data is collected lawfully, transparently, and with user consent, in accordance with the Nigeria Data Protection Act (NDPA).

1. Identity Data

  • Purpose: To verify user identity, comply with KYC/AML regulations, and personalize services.

  • Examples:

    • Full name

    • Date of birth

    • Gender

    • Bank Verification Number (BVN)

  • Collection Methods:

    • User input during onboarding

    • Integration with national identity databases or financial institutions

2. Contact Data

  • Purpose: To communicate with users, deliver alerts, and support account recovery.

  • Examples:

    • Email address

    • Phone number

    • Residential or billing address

  • Collection Methods:

    • Provided by users during registration or profile updates

    • Verified via OTP or address validation services

3. Financial Data

  • Purpose: To enable transactions, assess creditworthiness, and comply with financial regulations.

  • Examples:

    • Bank account number

    • Card details (tokenized)

    • Transaction history (deposits, withdrawals, transfers)

    • Loan applications and repayment records

  • Collection Methods:

    • Direct user input

    • Integration with payment gateways and financial institutions

    • Automated transaction logs

4. Device Data

  • Purpose: To enhance security, detect fraud, and optimize app performance.

  • Examples:

    • IP address

    • Device ID and model

    • Operating system version

    • Geolocation data (with consent)

  • Collection Methods:

    • Automatically collected via SDKs and app permissions

    • Used for session management, fraud detection, and analytics

 

🔍 Data Minimization & Accuracy

  • We only collect data that is necessary for specific, legitimate purposes.

  • Users can review and update their data via the app settings.

  • Data is validated at the point of entry and periodically reviewed for accuracy.

🔒 Security & Consent

  • All data is encrypted during transmission and storage.

  • Users are informed of data collection purposes during onboarding and via the privacy policy.

  • Consent is obtained before collecting sensitive data (e.g., location, biometrics).

User-Facing Data Collection Notice and Consent Screen Language

The following notice and consent screen wording is presented to users in the app onboarding flow and in the privacy settings:

What We Collect and Why

  • Identity Data: Name, Date of Birth, Gender, BVN. Purpose: identity verification, KYC compliance.

  • Contact Data: Email, Phone Number, Address. Purpose: communication, alerts, account recovery.

  • Financial Data: Bank details, Transaction history. Purpose: payments, credit scoring, regulatory compliance.

  • Device Data: IP address, Device ID, Location. Purpose: fraud detection, app optimization, security.

We only collect what’s necessary and never sell your data.

Consent Screen Language

Your Privacy, Your Control

Please review and manage your data preferences below. You can update these anytime in your app settings.

  • [ ] I consent to the collection and use of my personal data for account setup and service delivery. (Required)

  • [ ] I consent to receive marketing updates and promotional offers.

  • [ ] I consent to the use of my location data to enhance app features.

  • [ ] I consent to the use of my data for analytics and service improvement.

By continuing, you agree to our [Privacy Policy] and [Terms of Use].

Data Collection Notice

Welcome to Abottmax!
To provide secure and personalized financial services, we collect certain personal data. Your privacy matters to us.

What We Collect:

  • Identity Data: Name, Date of Birth, Gender, BVN

  • Contact Data: Email, Phone Number, Address

  • Financial Data: Bank details, Transaction history

  • Device Data: IP address, Device ID, Location

We only collect what’s necessary and never sell your data.

Consent Screen

Your Privacy, Your Control

Please review and manage your data preferences:

  • [ ] I agree to the collection of my personal data for account setup and service delivery. (Required)

  • [ ] I agree to receive marketing updates and offers.

  • [ ] I agree to share my location to improve app features.

  • [ ] I agree to the use of my data for analytics and service improvement.

By continuing, you accept our [Privacy Policy] and [Terms of Use].

Data Collection Notice (Nigerian Pidgin)

Wetyn We Dey Collect:

  • Identity Info: Name, Date of Birth, Gender, BVN

  • Contact Info: Email, Phone Number, Address

  • Financial Info: Bank details, Transaction history

  • Device Info: IP address, Device ID, Location

We no dey collect pass wetyn we need, and we no dey sell your info.

Consent Screen

Na You Get Your Info

Abeg check and choose wetyn you gree make we use:

  • [ ] I gree make una collect my info to open account and give me service. (Must gree)

  • [ ] I gree make una send me promo and update.

  • [ ] I gree make una use my location to improve app.

  • [ ] I gree make una use my info for app improvement and analysis.

If you continue, e mean say you don accept our [Privacy Policy] and [Terms of Use].

 

5. Lawful Bases for Processing

1. Consent of the Data Subject

  • Definition: The individual has freely given clear permission for their data to be processed for a specific purpose.

  • Application in the App:

    • Users opt in to data collection during account registration or feature activation.

    • Consent is obtained for marketing communications, location tracking, and biometric authentication.

    • Users can withdraw consent at any time via app settings or by contacting support.

2. Performance of a Contract

  • Definition: Processing is necessary to fulfill a contract with the data subject or to take steps at their request before entering into a contract.

  • Application in the App:

    • Providing financial services such as account creation, loan applications, or payment processing.

    • Verifying identity and eligibility for financial products.

    • Delivering app features that users have signed up for (e.g., transaction alerts, credit scoring).

3. Legal Obligations

  • Definition: Processing is required to comply with a legal requirement.

  • Application in the App:

    • Compliance with anti-money laundering (AML) and know-your-customer (KYC) regulations.

    • Reporting suspicious transactions to regulatory authorities.

    • Retaining financial records for statutory periods (e.g., 7 years under Nigerian law).

4. Legitimate Interest

  • Definition: Processing is necessary for the company’s legitimate interests, provided it does not override the rights and freedoms of the data subject.

  • Application in the App:

    • Fraud detection and prevention.

    • Improving app performance and user experience through analytics.

    • Internal audits and business intelligence.

    • Ensuring network and information security.

 

6. Consent Management

Consent is a cornerstone of lawful data processing under the Nigeria Data Protection Act (NDPA) and global privacy standards like the GDPR. Our approach ensures that users are fully informed and in control of their personal data.

1. Obtaining Consent

  • During Onboarding:

    • Users are presented with a clear and concise privacy notice during account registration.

    • Consent is explicitly requested for data categories such as identity verification, location tracking, marketing communications, and biometric authentication.

    • Consent is not bundled—each purpose (e.g., marketing, analytics, third-party sharing) is presented separately with opt-in checkboxes.

  • When Introducing New Features:

    • If a new feature requires additional data processing, users are notified via in-app prompts or email.

    • Consent is requested before activating the feature, with an explanation of what data will be collected and why.

2. Granular Consent Options

  • Users can manage their preferences for:

    • Marketing communications (email, SMS, push notifications)

    • Location services

    • Biometric data usage

    • Data sharing with third parties

These options are accessible via the Privacy Settings section of the app.

3. Withdrawing Consent

  • Users can withdraw consent at any time through:

    • The app’s privacy settings

    • Contacting customer support via email or in-app chat

  • Upon withdrawal:

    • Processing based on that consent is halted immediately.

    • The user’s data is either deleted or anonymized, depending on the context and legal obligations.

4. Audit Trail and Record-Keeping

  • All consent actions (granting, updating, withdrawing) are logged with timestamps.

  • These logs are securely stored and available for audit or regulatory review.

5. Children’s Data

  • The app does not knowingly collect data from individuals under 18 without verifiable parental consent.

  • Age verification mechanisms are built into the onboarding process.
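The consent rules in this section (a separate opt-in per purpose, processing halted as soon as consent is withdrawn, and a timestamped audit trail) expressed as a small consent ledger. This is an added example, not Abottmax's own code; the purpose names, the event layout and the rule that the required consent ends only with account closure are assumptions.

```python
"""Granular consent ledger: an added illustration of the consent management
rules in section 6 (per-purpose opt-in, withdrawal that halts processing
immediately, and a timestamped audit trail). Example code, not Abottmax's
own implementation; purpose names and the record layout are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Purposes from the consent screen. Only service delivery is required;
# every other purpose is a separate opt-in, so consent is never bundled.
PURPOSES = {
    "service_delivery": True,   # required for account setup
    "marketing": False,
    "location": False,
    "biometrics": False,
    "analytics": False,
    "third_party_sharing": False,
}

@dataclass(frozen=True)          # immutable: log entries cannot be edited
class ConsentEvent:
    user_id: str
    purpose: str
    action: str          # "granted" or "withdrawn"
    timestamp: datetime  # UTC, set by the ledger, never by the client
    channel: str         # "onboarding", "privacy_settings" or "support"

@dataclass
class ConsentLedger:
    # Append-only log; the current state is derived from it on each check.
    events: List[ConsentEvent] = field(default_factory=list)

    def _record(self, user_id, purpose, action, channel, now=None):
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        ts = now or datetime.now(timezone.utc)
        event = ConsentEvent(user_id, purpose, action, ts, channel)
        self.events.append(event)
        return event

    def grant(self, user_id, purpose, channel="onboarding", now=None):
        return self._record(user_id, purpose, "granted", channel, now)

    def withdraw(self, user_id, purpose, channel="privacy_settings", now=None):
        if PURPOSES.get(purpose):
            # Assumption: the required consent ends only with account closure.
            raise PermissionError("required consent; close the account instead")
        return self._record(user_id, purpose, "withdrawn", channel, now)

    def latest(self, user_id, purpose) -> Optional[ConsentEvent]:
        for event in reversed(self.events):
            if event.user_id == user_id and event.purpose == purpose:
                return event
        return None

    def allowed(self, user_id, purpose) -> bool:
        """Gate every processing step on the current state. A purpose the
        user was never asked about (e.g. a new feature) is not allowed."""
        event = self.latest(user_id, purpose)
        return event is not None and event.action == "granted"

    def audit_trail(self, user_id) -> List[Tuple[str, str, str, str]]:
        """Export for audit or regulatory review."""
        return [(e.purpose, e.action, e.timestamp.isoformat(), e.channel)
                for e in self.events if e.user_id == user_id]

def demo() -> Dict[str, bool]:
    # Constructed sample: onboarding grants two purposes; marketing is withdrawn later.
    t0 = datetime(2024, 9, 15, 9, 0, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.grant("u1", "service_delivery", now=t0)
    ledger.grant("u1", "marketing", now=t0)
    ledger.withdraw("u1", "marketing", now=datetime(2024, 10, 1, tzinfo=timezone.utc))
    return {p: ledger.allowed("u1", p) for p in PURPOSES}
```

Every processing path (marketing send, location lookup, analytics export) calls `allowed()` at the moment of use, so a withdrawal takes effect on the next operation without any batch job.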

 

7. Data Subject Rights

As a user of our financial services app, you are entitled to exercise the following rights regarding your personal data. These rights ensure transparency, accountability, and control over how your information is used.

1. Right of Access

  • What it means: You have the right to request and receive a copy of the personal data we hold about you.

  • How it works: Upon request, we will provide:

    • A summary of the data being processed

    • The purposes of processing

    • Categories of data involved

    • Any third parties with whom the data has been shared

    • The data retention period

2. Right to Rectification

  • What it means: You can request correction of inaccurate or incomplete personal data.

  • How it works: You may update your information directly in the app or contact us to correct errors such as:

    • Misspelled names

    • Outdated contact details

    • Incorrect financial records

3. Right to Erasure (“Right to be Forgotten”)

  • What it means: You can request that we delete your personal data when:

    • It is no longer necessary for the purpose it was collected

    • You withdraw consent (where consent was the legal basis)

    • You object to processing and there are no overriding legitimate grounds

  • Exceptions: We may retain certain data to comply with legal obligations (e.g., financial recordkeeping, fraud prevention).

4. Right to Object to Processing

  • What it means: You can object to the processing of your data for specific purposes, such as:

    • Direct marketing

    • Profiling or automated decision-making

    • Processing based on our legitimate interests

  • How it works: If you object, we will stop processing unless we demonstrate compelling legitimate grounds.

5. Right to Data Portability

  • What it means: You can request your personal data in a structured, commonly used, and machine-readable format.

  • How it works: This enables you to:

    • Transfer your data to another service provider

    • Receive a copy for personal use

  • Limitations: Applies only to data provided by you and processed based on consent or contract.

 

📨 How to Exercise Your Rights

You can submit a request by contacting our Data Protection Officer (DPO) at:

Email: efosaamayo@gmail.com
Portal: https://abx.abottmaclcms.com
Response Time: We aim to respond within 7 working days of receiving your request.

 

8. Data Retention Policy

Data retention ensures that personal and financial information is stored only for as long as necessary to fulfill its intended purpose, comply with legal obligations, and protect user rights.

1. General Retention Principles

  • Personal data is retained only for the duration required to:

    • Deliver services to the user

    • Fulfill contractual obligations

    • Meet legal and regulatory requirements

    • Resolve disputes or enforce agreements

  • Once data is no longer needed, it is securely deleted or anonymized.

2. Retention Periods by Data Category

  • Identity and Contact Data: 5 years after account closure. Purpose: audit trails, fraud prevention, and legal inquiries.

  • Financial Records: 7 years. Purpose: required by tax laws, anti-money laundering (AML), and financial regulations.

  • Transaction History: 7 years. Purpose: regulatory compliance and dispute resolution.

  • Consent Logs: 5 years. Purpose: proof of lawful processing and audit documentation.

  • App Usage Analytics: 2 years. Purpose: service improvement and performance monitoring.

  • Customer Support Records: 3 years. Purpose: quality assurance and complaint resolution.

3. Secure Disposal

  • Data scheduled for deletion is:

    • Removed from active databases

    • Purged from backups after retention expiry

    • Deleted using secure erasure protocols to prevent recovery

4. User-Initiated Deletion

  • Users may request deletion of their personal data under the “Right to be Forgotten.”

  • Upon verification, data is deleted unless retention is required by law (e.g., financial records).

5. Exceptions

  • Data may be retained longer if:

    • Required by court order or investigation

    • Necessary to defend legal claims

    • Subject to regulatory hold or audit

 

9. Data Security Measures

Protecting user data is a top priority for Abottmax’s financial subsidiary. We implement a multi-layered security framework that combines technical, organizational, and procedural safeguards to ensure confidentiality, integrity, and availability of personal and financial information.

1. End-to-End Encryption

  • Purpose: Ensures that data is encrypted during transmission and at rest, preventing unauthorized access.

  • Implementation:

    • All communications between the app and backend servers use TLS 1.2 or higher.

    • Sensitive data such as passwords, financial transactions, and biometric identifiers are encrypted using AES-256.

    • Encryption keys are securely managed and rotated periodically.

2. Multi-Factor Authentication (MFA)

  • Purpose: Adds an extra layer of identity verification to prevent unauthorized account access.

  • Implementation:

    • Users must verify their identity using at least two factors: password + OTP (via SMS/email) or biometric (fingerprint/face ID).

    • MFA is enforced during login, high-risk transactions, and password resets.

    • Admin and support staff accounts also require MFA for backend access.

3. Secure Cloud Storage

  • Purpose: Ensures that stored data is protected from breaches and unauthorized access.

  • Implementation:

    • Data is hosted on ISO 27001-certified cloud platforms with built-in redundancy and failover.

    • Access to cloud storage is restricted via virtual private networks (VPNs) and firewalls.

    • Backups are encrypted and stored in geographically diverse locations.

4. Regular Vulnerability Assessments

  • Purpose: Identifies and mitigates security weaknesses before they can be exploited.

  • Implementation:

    • Quarterly penetration testing by certified third-party security firms.

    • Automated vulnerability scans integrated into the CI/CD pipeline.

    • Immediate patching of critical vulnerabilities and documented remediation plans.

5. Role-Based Access Controls (RBAC)

  • Purpose: Limits access to data based on job responsibilities, minimizing insider threats.

  • Implementation:

    • Employees and contractors are assigned roles with predefined access privileges.

    • Access to sensitive data (e.g., financial records, user identity) is restricted to authorized personnel only.

    • All access is logged and monitored for anomalies.

6. Additional Safeguards

  • Audit Logging: All user and system activities are logged for forensic analysis and compliance.

  • Session Management: Automatic logout after periods of inactivity; token expiration and refresh protocols.

  • Security Awareness Training: Mandatory training for staff on phishing, social engineering, and data handling.

 

10. Third-Party Data Sharing

We share personal data with carefully selected third parties only when necessary to deliver our services, comply with legal obligations, or improve user experience. All third-party partners are bound by strict data protection agreements and undergo due diligence to ensure compliance with the Nigeria Data Protection Act (NDPA) and international standards.

1. Payment Processors

  • Purpose: To facilitate secure financial transactions such as deposits, withdrawals, and bill payments.

  • Examples of Shared Data:

    • User identity (e.g., name, BVN)

    • Bank account or card details

    • Transaction metadata (e.g., amount, timestamp)

  • Safeguards:

    • PCI-DSS compliance

    • Tokenization of payment credentials

    • Encrypted transmission of data

2. Regulatory Bodies

  • Purpose: To comply with statutory obligations under financial, tax, and anti-money laundering laws.

  • Examples of Shared Data:

    • KYC documentation

    • Suspicious transaction reports (STRs)

    • Audit logs and financial summaries

  • Safeguards:

    • Shared only upon lawful request or mandatory reporting

    • Logged and reviewed by compliance officers

3. Analytics Providers (with Anonymization)

  • Purpose: To analyze user behavior, improve app performance, and enhance customer experience.

  • Examples of Shared Data:

    • Device type, app usage patterns, crash reports

    • Aggregated and anonymized behavioral data

  • Safeguards:

    • Personally identifiable information (PII) is removed or masked

    • Data is shared under strict data processing agreements (DPAs)

4. Cloud Hosting and Infrastructure Providers

  • Purpose: To host and manage app services, databases, and backups.

  • Examples of Shared Data:

    • Encrypted user data stored in cloud environments

  • Safeguards:

    • ISO 27001-certified data centers

    • Data residency compliance (e.g., local hosting where required)

5. Customer Support Platforms

  • Purpose: To manage user inquiries, complaints, and service requests.

  • Examples of Shared Data:

    • User contact details

    • Chat transcripts or support tickets

  • Safeguards:

    • Access restricted to authorized support agents

    • Data retention aligned with support resolution timelines

6. Marketing and Communication Partners

  • Purpose: To send service updates, promotional offers, and surveys (only with user consent).

  • Examples of Shared Data:

    • Email address or phone number

    • User preferences and engagement history

  • Safeguards:

    • Opt-in required for marketing communications

    • Unsubscribe and preference management options available

 

Third-Party Compliance Requirements

All third parties must:

  • Sign a Data Processing Agreement (DPA) outlining their responsibilities

  • Implement appropriate technical and organizational measures to protect data

  • Not use data for unauthorized purposes

  • Notify us immediately in the event of a data breach


11. International Data Transfers

When personal data is transferred outside Nigeria, Abottmax ensures that such transfers are lawful, secure, and respectful of user privacy. These transfers may occur when using global cloud services, analytics platforms, or third-party processors located abroad.

1. Adequate Data Protection Safeguards

  • What it means: We only transfer data to countries or organizations that offer data protection standards comparable to Nigeria’s NDPA.

  • Implementation:

    • We assess the legal and regulatory environment of the destination country.

    • Transfers are limited to jurisdictions with adequate safeguards, such as the EU, UK, or other NDPC-approved regions.

    • Technical measures (e.g., encryption, access controls) are applied during transit and storage.

2. Standard Contractual Clauses (SCCs)

  • What it means: We use legally binding agreements to ensure third parties abroad uphold data protection obligations.

  • Implementation:

    • SCCs are embedded in contracts with cloud providers, payment gateways, and analytics vendors.

    • These clauses define:

      • Data handling procedures

      • Security obligations

      • Breach notification timelines

      • Rights of Nigerian data subjects

    • SCCs are reviewed annually to reflect regulatory updates.

3. Compliance with NDPA Cross-Border Rules

  • What it means: All international transfers follow the NDPA’s provisions under Part VI and NDPC guidelines.

  • Implementation:

    • We maintain a Data Transfer Register documenting:

      • What data is transferred

      • To whom

      • For what purpose

      • Legal basis and safeguards

    • Transfers are reported to the Nigeria Data Protection Commission (NDPC) when required.

    • Users are informed via our Privacy Policy and consent is obtained where necessary.

4. User Transparency and Control

  • Users are notified when their data may be processed outside Nigeria.

  • Consent is obtained for transfers not covered by legal or contractual obligations.

  • Users may request details about where their data is stored and processed.

 

12. Data Breach Response Plan

Abottmax’s financial subsidiary is committed to promptly identifying, containing, and mitigating any data breach that compromises the confidentiality, integrity, or availability of personal data. Our response plan ensures transparency, regulatory compliance, and user protection.

1. Breach Detection and Identification

  • Monitoring Tools: We use automated intrusion detection systems (IDS), log analysis, and anomaly detection to identify potential breaches.

  • Incident Reporting: Employees and third-party vendors are trained to report suspected breaches immediately to the Data Protection Officer (DPO).

  • Initial Assessment: The DPO and IT Security Team assess:

    • Nature and scope of the breach

    • Categories and volume of data affected

    • Potential impact on data subjects

2. Containment and Mitigation

  • Immediate Actions:

    • Isolate affected systems or endpoints

    • Disable compromised accounts or access credentials

    • Apply patches or configuration changes to close vulnerabilities

  • Data Recovery:

    • Restore data from secure backups if necessary

    • Validate integrity of restored systems

3. Notification to Users

  • Timeline: Affected users will be notified within 72 hours of confirming the breach.

  • Notification Content:

    • Nature of the breach

    • Types of data affected

    • Potential risks

    • Steps taken to mitigate the breach

    • Guidance on how users can protect themselves (e.g., password reset, fraud monitoring)

4. Notification to the Nigeria Data Protection Commission (NDPC)

  • Timeline: The NDPC will be notified within 72 hours of breach confirmation.

  • Report Includes:

    • Description of the breach

    • Categories and volume of data affected

    • Likely consequences

    • Mitigation measures taken or proposed

    • Contact details of the DPO

5. Remediation Plan

  • Root Cause Analysis: Conducted to identify how the breach occurred and prevent recurrence.

  • System Hardening: Implement additional security controls based on findings.

  • Policy Updates: Revise internal policies and procedures if gaps are identified.

  • Staff Re-training: Conduct refresher training on data handling and breach prevention.

6. Documentation and Audit

  • All breach incidents are logged in a Breach Register.

  • Post-incident reviews are conducted and documented.

  • Reports are retained for audit and regulatory review.


13. Roles & Responsibilities

Clear assignment of responsibilities ensures accountability, regulatory compliance, and effective data governance across the organization.

1. Board of Directors

  • Oversight and Strategic Direction

    • Approves the organization’s data protection policies and risk management strategies.

    • Ensures data protection is integrated into corporate governance and business planning.

    • Reviews periodic reports on data protection performance and breach incidents.

    • Appoints and supports the Data Protection Officer (DPO).

2. Data Protection Officer (DPO)

  • Policy Enforcement, Audits, and Compliance

    • Develops, implements, and maintains the Data Protection Policy.

    • Monitors compliance with the Nigeria Data Protection Act (NDPA) and other applicable laws.

    • Conducts regular audits and risk assessments.

    • Serves as the primary contact for data subjects and the Nigeria Data Protection Commission (NDPC).

    • Provides training and awareness programs for staff.

    • Oversees breach response and reporting procedures.

3. App Development Team

  • Secure Coding and Data Minimization

    • Designs and develops the mobile app with privacy-by-design and privacy-by-default principles.

    • Implements secure coding practices to prevent vulnerabilities (e.g., SQL injection, XSS).

    • Ensures data minimization by collecting only necessary user data.

    • Integrates encryption, access controls, and secure APIs.

    • Collaborates with the DPO to assess data protection impact during feature development.

4. Customer Support Team

  • Handling Data Subject Requests

    • Serves as the first point of contact for user inquiries related to personal data.

    • Assists users in exercising their rights (access, rectification, deletion, objection, portability).

    • Escalates complex or sensitive requests to the DPO.

    • Maintains logs of all data subject interactions and resolutions.

    • Ensures responses are timely, accurate, and in compliance with regulatory timelines.

 

14. Policy Review

This policy will be reviewed annually or upon significant changes in regulation or business operations.

 
