ZITCH TECHNOLOGIES LIMITED
PRIVACY AND DATA PROTECTION POLICY
Version 2.0 — Effective 12 June 2026
(This version replaces the policy dated July 2023)
1. Introduction
Your data and your trust matter to us. We are Zitch, and we keep our promises.
This Privacy and Data Protection Policy (the “Policy”) explains how Zitch Technologies Limited (RC [insert RC number]) of Ketu, Lagos State, Nigeria (“Zitch”, “we”, “us” or “our”), together with Zitch Technologies Multipurpose Cooperative Society Limited (the “Cooperative”, registered under the Co-operative Societies Law of Lagos State with registration number [insert registration number]), collects, uses, shares, stores and protects your personal data when you use:
- the Zitch mobile application (the “App”);
- our website and web pages (the “Site”);
- our WhatsApp banking channel operated from our verified business number (the “WhatsApp Channel”); and
- any related products, services or support channels (together, the “Services”).
We process personal data in accordance with the Nigeria Data Protection Act, 2023 (the “NDPA”), the General Application and Implementation Directive issued by the Nigeria Data Protection Commission (the “NDPC”), and other applicable laws, including the Central Bank of Nigeria (“CBN”) regulations and the Money Laundering (Prevention and Prohibition) Act, 2022 (together, the “Data Protection Requirements”).
For the purposes of the NDPA, Zitch Technologies Limited is the data controller of your personal data. Questions about this Policy or our data practices should be directed to our Data Protection Officer (“DPO”) using the contact details in Section 17.
2. Who This Policy Covers
This Policy applies to every living individual whose personal data we process, including:
- Customers: anyone who registers for or uses a Zitch account, wallet, payment, bill-payment, savings, loan, card, currency-conversion or WhatsApp banking service, including members of the Cooperative;
- Recipients and related individuals: beneficiaries of transfers, guarantors or referees for loans, next of kin, authorised signatories and directors or beneficial owners of business customers;
- Prospective customers and visitors: people who start but do not complete registration, contact our support channels, visit the Site, or interact with us on social media; and
- Suppliers, partners and staff: to the extent we hold personal data about individuals at our vendors, partners and within our own team.
If you give us personal data about another person (for example, a transfer beneficiary’s account details or a loan referee’s phone number), you confirm that you are authorised to do so and that you have directed them to this Policy.
3. The Personal Data We Collect
(a) Identity and Know-Your-Customer (KYC) data. Full legal name, date of birth, gender, nationality, residential address, phone number, email address, photograph, government-issued identification, Bank Verification Number (“BVN”), National Identification Number (“NIN”), occupation and source of funds, and any other information required to verify your identity, assign your account tier and comply with CBN customer due-diligence rules.
(b) Biometric data. Where required by law or for security, we collect facial images and liveness-detection data when you complete identity verification and when you authorise high-value transactions that require step-up face verification. Fingerprint or face unlock used to open the App is processed on your device by your phone’s operating system; we receive only confirmation that the check passed and never receive or store those device biometrics.
(c) Financial and transaction data. Wallet balances (including foreign-currency balances), your dedicated virtual account number, transaction records (transfers, deposits, airtime, mobile data, cable TV, electricity, betting-account funding, examination PINs, currency conversions, fixed savings plans, loan disbursements and repayments, and virtual card transactions), counterparty details, transaction references and timestamps, fees charged, and credit history and credit scores obtained from licensed credit bureaus.
(d) Technical and device data. Device type and model, operating system, app version, IP address, device identifiers, push-notification tokens, network and approximate location information derived from your IP address, and security log data.
(e) Usage and behavioural data. Features you use, screens you visit, in-app settings, customer segments, and behavioural signals we analyse to detect fraud, money laundering, terrorism financing and other suspicious activity.
(f) Communications data. Messages you exchange with us through in-app support, email, phone, social media and the WhatsApp Channel (WhatsApp messages are also processed by Meta Platforms under WhatsApp’s own terms), together with survey and feedback responses. Calls may be recorded for security, quality and training where permitted by law.
(g) Marketing preferences. Your opt-in and opt-out records. Marketing broadcasts on our channels are sent on an opt-in basis only.
We do not knowingly collect data from anyone under 18, and we do not collect more data than we need for the purposes described in this Policy.
4. How We Obtain Your Data
- Directly from you — when you register, complete KYC, transact, save, borrow, contact support or communicate with us on any channel;
- Automatically — from the devices and connections you use to access the Services, and through cookies and similar technologies on the Site (see Section 12);
- From third parties — identity-verification and KYC providers (for BVN, NIN and facial verification), licensed credit bureaus, our CBN-licensed banking and payment partners, bill-payment and value-added-service aggregators, card issuing partners, fraud-prevention services, law-enforcement and government agencies, and publicly available sources; and
- Through our relationship with you — information we learn from the way you use the Services.
5. Why We Process Your Data and Our Lawful Bases
We process personal data only where a lawful basis under Section 25 of the NDPA applies:
(a) Performance of a contract — to open and operate your account and wallet; verify your identity and assign your transaction tier; execute transfers and bill payments (airtime, data, cable TV, electricity, betting-account funding and examination PINs); provide currency conversion and multi-currency balances; create and pay out fixed savings plans; assess, disburse and collect loans; issue and operate virtual cards; provide the WhatsApp Channel; and respond to your instructions and support requests.
(b) Legal and regulatory obligations — to conduct customer due diligence, sanctions and politically-exposed-person screening; monitor, detect and report suspicious transactions to the Nigerian Financial Intelligence Unit and other competent authorities; keep statutory records; respond to lawful requests from regulators, law enforcement, courts and tax authorities; and comply with CBN, NDPC, Corporate Affairs Commission and cooperative-society requirements applicable to us and the Cooperative.
(c) Legitimate interests — to secure our systems and prevent fraud and account takeover (including real-time automated monitoring); to analyse usage and improve our products; to enforce our terms and recover amounts owed; and to manage our business. Where we rely on legitimate interests, we ensure they are not overridden by your interests and fundamental rights.
(d) Consent — for marketing communications (opt-in only), optional features, and any processing where the law requires consent. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
(e) Vital interests — in rare cases, to protect your life or physical safety or that of another person.
6. Automated Decision-Making and Profiling
We use automated processing, including data-science and machine-learning tools, to:
- assess loan eligibility, set lending limits and price credit;
- detect and block fraudulent or suspicious activity in real time, which may result in a transaction being declined or an account being temporarily restricted; and
- understand customer segments and improve the Services.
Where a decision based solely on automated processing produces legal or similarly significant effects for you (for example, a declined loan), you have the right to request human review of the decision, to express your point of view, and to contest the decision by contacting our DPO. Our AI-assisted customer-service features operate under human oversight, and sensitive actions on your account always require your own authorisation (such as your PIN or biometric confirmation).
7. Who We Share Your Data With
We do not sell your personal data. We share it only as described below and only to the extent necessary:
- Banking and payment partners: CBN-licensed banks, microfinance banks and payment service providers that hold customer funds, issue virtual accounts and process deposits, transfers and card transactions;
- Service aggregators: licensed bill-payment and value-added-service providers that deliver airtime, mobile data, cable TV, electricity tokens, betting-account funding and examination PINs you request;
- Identity, KYC and fraud-prevention providers: for BVN/NIN verification, facial matching, liveness checks, sanctions screening and fraud detection;
- Credit bureaus: licensed Nigerian credit bureaus, to obtain your credit history when you apply for a loan and to report loan performance, including defaults, as required by CBN rules;
- Card schemes and issuing partners: to issue and operate virtual cards;
- Communications providers: SMS, email, push-notification and messaging providers (including Meta Platforms for the WhatsApp Channel) used to send you one-time passcodes, transaction alerts and service messages;
- Technology providers: cloud hosting, data storage, analytics and security vendors that process data on our documented instructions under contracts meeting NDPA requirements;
- Regulators, law enforcement and courts: including the CBN, NDPC, Nigerian Financial Intelligence Unit, Special Control Unit against Money Laundering, tax authorities and other competent authorities, where required or permitted by law;
- Professional advisers: auditors, lawyers and insurers, under duties of confidentiality;
- The Cooperative and our affiliates: for the administration of savings and loan products provided through the Cooperative; and
- Business transfers: a buyer or merger partner if we sell, transfer or reorganise our business, subject to this Policy.
We also share data where you have given permission — for example, when you ask us to make your data available to another organisation through our application programming interfaces (APIs).
8. International Transfers
Some of our technology and service providers store or process data outside Nigeria (for example, cloud hosting infrastructure). Where personal data is transferred outside Nigeria, we do so in accordance with Sections 41 to 43 of the NDPA: we transfer only to jurisdictions providing an adequate level of protection or subject to appropriate safeguards (such as binding contractual clauses imposing NDPA-equivalent obligations), or otherwise with your consent or as permitted by law. You may contact the DPO for information about the safeguards we use.
9. How We Protect Your Data
We apply technical and organisational measures appropriate to the risks of our processing, including encryption of data in transit, secure storage of credentials, transaction PIN protection, role-based access controls on a need-to-know basis, append-only audit logging of sensitive operations, continuous security monitoring, staff confidentiality obligations and vendor due diligence. Processors acting for us must commit contractually to equivalent protections.
No system is completely secure. If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the NDPC and, where required, affected individuals within the timelines prescribed by the NDPA. You also play a role: never share your password, PIN or one-time passcodes with anyone — including anyone claiming to work for Zitch. We will never ask for them.
10. How Long We Keep Your Data
We keep personal data only for as long as necessary for the purposes described in this Policy and to meet our legal obligations. In particular:
- customer identification and transaction records are retained for at least five (5) years after the transaction or the end of the customer relationship, as required by Nigerian anti-money-laundering law;
- audit and security logs are retained in append-only form for the period required for regulatory, dispute-resolution and security purposes; and
- marketing preference records are kept while your opt-in remains active and for a reasonable period afterwards to evidence compliance.
When retention is no longer required, we securely delete or irreversibly anonymise the data.
11. Your Rights
Subject to the conditions and exemptions in the NDPA, you have the right to:
- Access — obtain confirmation that we process your data and receive a copy of it;
- Rectification — have inaccurate or incomplete data corrected;
- Erasure — request deletion of data we no longer have a lawful basis to keep (note that statutory retention periods, such as the five-year financial-records rule, may delay deletion);
- Restriction — request that we limit processing in certain circumstances;
- Portability — receive data you provided to us in a structured, commonly used, machine-readable format and have it transmitted to another controller where technically feasible;
- Objection — object to processing based on legitimate interests, and to direct marketing at any time;
- Withdraw consent — at any time, where processing is based on consent;
- Automated decisions — not to be subject to a decision based solely on automated processing that significantly affects you, and to request human review as described in Section 6; and
- Complain — lodge a complaint with us (Section 17) or with the Nigeria Data Protection Commission (www.ndpc.gov.ng).
To exercise any right, contact the DPO. We will respond within the period prescribed by the NDPA and may need to verify your identity first. Exercising your rights is free of charge, except where requests are manifestly unfounded or excessive.
12. Cookies and Similar Technologies
The Site uses cookies and similar technologies that are strictly necessary for it to function, and — with your consent where required — analytics cookies that help us understand how the Site is used so we can improve it. You can manage or delete cookies through your browser settings; disabling essential cookies may affect how the Site works. The App may use equivalent technologies (such as device identifiers) for security, fraud prevention and performance.
13. Marketing and Communications
We send marketing messages — including broadcasts on the WhatsApp Channel — only if you have opted in, and you can opt out at any time through the channel itself, your App settings or by contacting support. Opting out of marketing does not stop service messages we must send you, such as one-time passcodes, transaction alerts, security notices, loan repayment reminders and savings maturity notifications.
14. Children
The Services are intended for individuals aged 18 and above. We do not knowingly collect personal data from anyone under 18, and we do not open accounts for minors. If we become aware that we hold data collected from a person under 18, we will delete it. If you believe a minor has provided us with personal data, please contact the DPO.
15. Third-Party Sites and Services
The Services may contain links to third-party websites and services (for example, betting operators whose accounts you fund, or WhatsApp itself). Those third parties have their own privacy policies, and we are not responsible for their processing of your data. We encourage you to read their policies before providing data to them.
16. Changes to This Policy
We may revise this Policy from time to time. The current version will always be published on the Site and in the App, with its effective date. If we make a material change you would not reasonably expect, we will notify you in advance through the App, email or SMS and give you at least thirty (30) days to raise objections before the change takes effect. If you do not agree with a change, you may close your account; continued use of the Services after the effective date constitutes acceptance. Please note that if you object to processing that is necessary for the Services or required by law, we may be unable to continue providing some or all of the Services to you.
17. Contact Us — Data Protection Officer
Zitch Technologies Limited
Attention: Data Protection Officer
Ketu, Lagos State, Nigeria
Email: support@zitch.ng (mark your message “Attention: DPO”)
Phone: 08166938327
If you are not satisfied with our response, you may lodge a complaint with the Nigeria Data Protection Commission at www.ndpc.gov.ng.