Peyaa - All In One Wallet

Overview

Peyaa ("we", "us", or "our") operates the Peyaa mobile and web app — your all-in-one platform for airtime, data, bill payments, gift card trading, and digital wallet services.

This Privacy Policy describes how we collect, use, store, and protect personal information when you use our services. By creating an account or using Peyaa, you agree to this policy.

We comply with the Nigeria Data Protection Act (NDPA) 2023, the NDPR, and where applicable, international standards including GDPR for EU users.

Information We Collect

Account information

Full name, email address, phone number
Date of birth (for KYC compliance)
Profile photo (optional)
Encrypted 4-digit transaction PIN
Optional: biometric token reference (fingerprint/Face ID)

Financial information

Wallet balance and transaction history
Linked bank accounts (account number, bank, account name)
Card payment metadata (last 4 digits, expiry — never full card numbers; processed by Paystack)
Gift card trade submissions (uploaded images, codes, declared values)

KYC / verification data

Government-issued ID (NIN, BVN, drivers license, or passport)
Address verification documents
Selfie / liveness check images

Usage & device data

Device model, OS version, app version, IP address
Push notification tokens (Expo / FCM)
App interaction events for product analytics
Crash reports and error logs

How We Use Your Data

We process your information for these specific purposes:

Service delivery — process airtime/data/bill purchases, fund and withdraw from your wallet, settle gift card trades
Identity verification — meet CBN/NDPC KYC obligations and prevent fraud
Security — detect suspicious activity, protect your account, and investigate abuse
Customer support — respond to tickets, resolve disputes, and answer questions
Service improvement — analyze aggregated usage to make Peyaa faster, safer, and more useful
Communications — send transaction confirmations, security alerts, and (with consent) promotional updates
Legal compliance — comply with applicable laws, court orders, and regulatory requests

Sharing & Disclosure

We never sell your personal data. We share information only in these specific cases:

Payment processors — Paystack, VTPass, SquadCo and other licensed providers we use to deliver the services you request
KYC verification partners — Mono and similar providers to verify your government IDs
Cloud infrastructure — Cloudinary (media), MongoDB Atlas (database), AWS / Cloudflare R2 (file storage)
Notifications — Expo / Firebase Cloud Messaging for push notifications
Email delivery — Nodemailer-backed SMTP services for transactional email
Legal requirement — when required by law, regulator, or valid court order
Business transfer — in the event of a merger, acquisition, or sale of assets (with notice)

All third parties are contractually bound to handle your data securely and use it only for the purposes we authorize.

Data Security

We protect your information using:

TLS 1.3 encryption for all data in transit
AES-256 encryption at rest for sensitive fields (NIN, BVN)
bcrypt-hashed transaction PINs (never stored in plain text)
JWT access + refresh token authentication with rotation
Brute-force protection (5-attempt PIN lockout for 15 minutes)
Optional biometric unlock (Face ID / fingerprint) — biometric data never leaves your device
SOC 2-aligned infrastructure providers
Quarterly security reviews and continuous monitoring

No system is 100% secure. If you suspect unauthorized access, contact us immediately at support@peyaa.com.

Data Retention

We keep your data only as long as needed:

Active accounts — while your account is open and for the duration of any open transaction or dispute
Deleted accounts — personal identifiers permanently removed within 30 days of confirmed deletion
Financial records — retained anonymized for up to 7 years to comply with CBN, NDPC, and tax-authority record-keeping rules
Backups — system backups containing your data are rotated and overwritten within 90 days of deletion

You can request account deletion at any time from /delete-account or from inside the app under Profile → Security → Delete account.

Your Rights

Under NDPA / NDPR (and GDPR if applicable), you have the right to:

Access — get a copy of all personal data we hold about you
Correct — update inaccurate or incomplete information
Delete — request permanent removal of your account and personal data
Restrict — limit how we process your information in certain cases
Portability — receive your data in a machine-readable format
Object — opt out of marketing communications and certain processing activities
Withdraw consent — for any processing that relies on your consent
Lodge a complaint — with the Nigeria Data Protection Commission (NDPC) if you believe your rights have been violated

To exercise any of these rights, contact us at support@peyaa.com. We respond within 30 days.

International Transfers

Some of our service providers (cloud infrastructure, payment partners) operate outside Nigeria. When we transfer your data internationally, we ensure equivalent protection through:

Standard contractual clauses approved by the NDPC
Working only with providers in jurisdictions with adequate data-protection laws
End-to-end encryption of data in transit

Children's Privacy

Peyaa is not directed at children under 18. We do not knowingly collect personal data from anyone under that age. If you believe a minor has created an account, contact us at support@peyaa.com — we will delete the account and any associated data immediately.

Policy Changes

We may update this policy from time to time. When we make material changes, we'll notify you via email and through the app at least 30 days before they take effect. Continued use of Peyaa after changes means you accept the updated policy.