Legal & Policies

3.1 Account Registration Information

• Full legal name (first name, middle name, surname)
• Email address
• Phone number
• Date of birth
• Gender
• Residential address (street, city, state, postal code)
• Profile photograph
• Username and password (encrypted)

3.2 Identity Verification and KYC Information

• Bank Verification Number (BVN)
• National Identification Number (NIN)
• Government-issued ID documents (International Passport, Driver's License, Voter's Card, National ID Card)
• Proof of address documents (utility bills, bank statements, tenancy agreements)
• Biometric data (facial recognition images, fingerprints)
• Selfie photographs for identity verification
• For business accounts: Corporate registration documents, CAC certificates, Tax Identification Numbers (TIN), directors' identification

3.3 Financial Information

• Bank account details (account number, bank name, account name)
• Debit card information (card number, expiry date, CVV - processed securely through PCI-DSS compliant partners)
• Transaction history (amount, date, time, recipient, sender, purpose, status)
• Wallet balance and transaction patterns
• Payment method preferences
• Fee and charge records
• Merchant sales data and settlement information
• PaySpace and Group Wallet participation and contribution records

3.4 Device and Technical Information

• Device identifiers (IMEI, device ID, advertising ID)
• Device type, model, manufacturer, operating system and version
• Mobile network information (carrier, network type)
• IP address and geolocation data
• Browser type and version
• Time zone settings
• Language preferences
• Screen resolution and display settings

3.5 Usage and Behavioral Data

• Login and logout times
• Features accessed and frequency of use
• Navigation patterns and clickstream data
• Search queries within the Platform
• Time spent on various features
• Error logs and crash reports
• Performance metrics and app responsiveness data
• Customer support interactions and inquiries

3.6 Communication Data

• Customer support messages and correspondence
• Feedback, surveys, and reviews
• Marketing preferences and consent records
• Email and SMS communication logs
• Push notification interaction data
• In-app messages and notifications

3.7 Merchant-Specific Information

• Business name and registration details
• Business address and contact information
• Tax identification numbers
• Business type and industry classification
• Product and service catalogs
• Inventory management data
• Sales and transaction volumes
• Instagram business profile information (for Flur Shop users)
• POS terminal deployment locations
• Staff and employee information for terminal access

3.8 Social and Relationship Data

• Contacts you designate as frequent recipients
• PaySpace participation and membership
• Group Wallet memberships and roles
• Split payment arrangements and authorized parties
• SecurePass card sharing authorizations
• Referral relationships

4.1 Information You Provide Directly

When you:

• Register for an Account
• Complete KYC verification processes
• Update your profile or account settings
• Add payment methods or bank accounts
• Initiate transactions or use Platform features
• Contact customer support
• Participate in surveys, promotions, or contests
• Submit feedback or reviews

4.2 Information Collected Automatically

When you use Flur, we automatically collect:

• Device and technical information through app sensors and APIs
• Usage patterns and behavioral data through analytics tools
• Location data (with your consent)
• Cookies and similar tracking technologies (see our Cookie Policy)
• Log data including IP addresses, browser types, and timestamps

4.3 Information from Third Parties

We receive personal data from:

• Identity verification service providers (e.g., for BVN and NIN verification)
• Financial institutions and payment networks
• Credit bureaus and fraud prevention services
• Business directories and public registries (for merchant verification)
• Instagram and social media platforms (for Flur Shop integration)
• Analytics and data enrichment providers
• Other users who add you to PaySpaces or Group Wallets

5.1 Contractual Necessity

To perform our contract with you and provide the Platform services:

• Create and manage your Account
• Process transactions, transfers, and payments
• Maintain your Wallet and account balances
• Enable PaySpaces, Group Wallets, and Split Payment features
• Provide SecurePass subscription management services
• Facilitate merchant services and Flur Shop operations
• Authenticate your identity and secure your Account
• Provide customer support and respond to inquiries
• Send transaction notifications and account alerts

5.2 Legal Obligations

To comply with legal and regulatory requirements:

• Conduct Know Your Customer (KYC) verification as required by CBN
• Implement Anti-Money Laundering (AML) and Counter-Financing of Terrorism (CFT) controls
• Monitor transactions for suspicious activity
• Report suspicious transactions to the Nigeria Financial Intelligence Unit (NFIU)
• Maintain records for the legally required retention period (minimum 5 years)
• Respond to lawful requests from regulatory authorities and law enforcement
• Comply with tax reporting obligations
• Enforce our Terms of Service and other policies

5.3 Legitimate Interests

For purposes that are in our or third parties' legitimate interests, provided these interests are not overridden by your rights:

• Prevent fraud, unauthorized access, and security threats
• Detect and investigate illegal activity
• Improve and optimize Platform performance and user experience
• Develop new features and services
• Conduct data analytics and business intelligence (using aggregated, anonymized data)
• Personalize your experience with relevant content and recommendations
• Manage business operations and administrative functions
• Protect our legal rights and interests
• Exercise or defend legal claims

5.4 Consent

Where required by law or where we do not rely on another legal basis, we process personal data based on your explicit consent:

• Send marketing communications and promotional offers
• Collect precise location data for location-based features
• Access device contacts for recipient selection
• Use biometric data for authentication (where not mandated for KYC)
• Place cookies and tracking technologies (see Cookie Policy)
• Share your data with specific third parties beyond what is necessary for service provision

You have the right to withdraw consent at any time through Account settings or by contacting us. Withdrawal of consent does not affect the lawfulness of processing before withdrawal.

6.1 Service Providers and Partners

We share data with trusted third-party service providers who process data on our behalf:

• Payment processors and financial institutions for transaction processing
• Identity verification providers for KYC compliance
• Cloud storage and hosting providers
• Customer support and communication platforms
• Analytics and performance monitoring services
• Fraud detection and prevention services
• SMS and email service providers
• Marketing and advertising platforms (with your consent)
• Legal, accounting, and professional advisors

All service providers are bound by confidentiality obligations and data processing agreements requiring them to process data only as instructed and to implement appropriate security measures.

6.2 Within Flur Ecosystem

Your data may be shared within the Platform features:

• With transaction recipients: name and transaction details
• With PaySpace participants: financial activity within that PaySpace
• With Group Wallet members: contributions and withdrawals within that wallet
• With authorized SecurePass users: limited card information for approved subscriptions
• With merchants: necessary transaction and contact information for order fulfillment

6.3 Legal and Regulatory Disclosure

We disclose personal data when required by law or to protect rights:

• To comply with legal obligations, court orders, or subpoenas
• To respond to lawful requests from regulatory authorities (CBN, NFIU, EFCC, etc.)
• To law enforcement for investigation of illegal activity
• To tax authorities as required for tax compliance
• To protect the rights, property, or safety of Flur, our users, or the public
• To enforce our Terms of Service and other agreements
• In connection with fraud investigations or dispute resolution

6.4 Business Transfers

In the event of a merger, acquisition, reorganization, asset sale, or bankruptcy, your personal data may be transferred to the acquiring or succeeding entity. We will notify you of any such transfer and any choices you may have regarding your data.

6.5 Aggregated and Anonymized Data

We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you with third parties for research, analytics, marketing, or other business purposes. This data does not constitute personal data under NDPR/NDPA.

8.1 Retention Periods

• Account information: Retained while your Account is active
• Transaction records: Minimum 5 years from transaction date (as required by AML/CFT regulations)
• KYC documents: Minimum 5 years from Account closure or last transaction
• Communication records: 3-5 years or as required for dispute resolution
• Marketing data: Until consent is withdrawn or Account is closed
• Fraud and security data: 7 years or as required for legal proceedings
• Tax records: 6 years or as required by tax authorities
• Anonymized analytics data: Indefinitely (as it does not identify individuals)

8.2 Data Deletion

After the retention period expires, we securely delete or anonymize personal data using industry-standard methods including:

• Secure deletion from active databases
• Removal from backup systems
• Physical destruction of hard copy documents
• Anonymization or aggregation where deletion is not possible due to legal obligations

9.1 Technical Security Measures

• End-to-end encryption for sensitive data transmission
• AES-256 encryption for data at rest
• Secure TLS/SSL protocols for all communications
• Multi-factor authentication (2FA) for Account access
• Biometric authentication options
• Tokenization of sensitive financial data
• Regular security audits and vulnerability assessments
• Intrusion detection and prevention systems
• Automated threat monitoring and incident response
• Secure coding practices and regular security testing

9.2 Organizational Security Measures

• Role-based access control with principle of least privilege
• Regular security awareness training for employees
• Strict confidentiality agreements for staff and contractors
• Background checks for employees with data access
• Incident response and breach notification procedures
• Regular privacy and security policy reviews
• Data Protection Impact Assessments (DPIAs) for new features
• Vendor due diligence and monitoring

9.3 Physical Security Measures

• Secured data centers with 24/7 monitoring
• Biometric access controls for server rooms
• CCTV surveillance and security personnel
• Fire suppression and environmental controls
• Redundant backup systems in multiple locations
• Secure disposal of hardware and physical documents

9.4 Data Breach Response

In the event of a data breach that poses risks to your rights and freedoms, we will:

• Notify the Nigeria Data Protection Commission within 72 hours of discovery
• Notify affected individuals without undue delay
• Provide information about the nature of the breach and affected data
• Describe measures taken to mitigate harm
• Offer guidance on protective steps individuals can take
• Conduct a thorough investigation and implement remedial measures

10.1 Right of Access

You have the right to obtain confirmation as to whether we process your personal data and, if so, to access your personal data and information about:

• The purposes of processing
• The categories of data processed
• Recipients or categories of recipients to whom data is disclosed
• Retention periods
• Your other rights under NDPR/NDPA

10.2 Right to Rectification

You have the right to request correction of inaccurate or incomplete personal data. You can update most information directly through your Account settings or by contacting customer support.

10.3 Right to Erasure (Right to be Forgotten)

You have the right to request deletion of your personal data when:

• The data is no longer necessary for the purposes collected
• You withdraw consent and there is no other legal basis for processing
• You object to processing and there are no overriding legitimate grounds
• The data was unlawfully processed

This right is not absolute and may be limited where we have legal obligations to retain data (e.g., AML/CFT requirements, tax law, ongoing disputes).

10.4 Right to Restriction of Processing

You have the right to request that we limit processing of your personal data when:

• You contest the accuracy of the data (until accuracy is verified)
• Processing is unlawful but you prefer restriction over deletion
• We no longer need the data but you need it for legal claims
• You object to processing pending verification of our legitimate grounds

10.5 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller where:

• Processing is based on consent or contract
• Processing is carried out by automated means

10.6 Right to Object

You have the right to object to processing of your personal data when:

• Processing is based on legitimate interests
• Data is used for direct marketing purposes
• Data is used for profiling based on legitimate interests

10.7 Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw consent at any time through Account settings or by contacting us. Withdrawal does not affect the lawfulness of processing before withdrawal.

10.8 Right to Lodge a Complaint

You have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) if you believe we have violated your data protection rights:

10.9 Exercising Your Rights

To exercise any of these rights, please contact our Data Protection Officer at dpo@flur.app. We will respond to your request within 30 days. We may require additional information to verify your identity before processing requests.