Effective Date: 25th May, 2026 | Last Updated: 25th May, 2026 | Version: 2.0
NDPA 2023 Compliant
CBN Super Agent Licensed
NDPC Registered
Nigerian Law Governed
This Privacy Policy sets out how HorizonPay Nigeria Limited collects, uses, stores, shares, and protects your personal data. It applies to all persons who interact with HorizonPay — including agents, merchants, end-use customers, website visitors, and job applicants — across all platforms, POS devices, applications, and communication channels.
1. Introduction and Scope
HorizonPay Nigeria Limited ("HorizonPay", "we", "us", or "our") is a Central Bank of Nigeria (CBN)-licensed Super Agent providing tailored payment solutions, including agency banking services, merchant services, POS device provisioning, fund transfers, bill payments, and related financial technology services through our platforms, including the 9rapoint platform and the Smartlink debit-card routing service.
We are committed to protecting your privacy in accordance with the following regulatory frameworks:
- Nigeria Data Protection Act (NDPA) 2023
- Nigeria Data Protection Regulation (NDPR) 2019
- CBN Guidelines for the Operations of Agent Banking in Nigeria
- CBN Risk-Based Cybersecurity Framework and Guidelines for Financial Institutions
- CBN Consumer Protection Framework (CPF) 2016 and subsequent directives
- NDPC Guidelines, Regulations, and Technical Standards
- Money Laundering (Prohibition) Act 2022
- Terrorism (Prevention and Prohibition) Act 2022
- Nigerian Financial Intelligence Unit (NFIU) Act and Directives
- All other applicable laws and regulations of the Federal Republic of Nigeria
This Policy explains how we collect, use, process, store, share, and protect your personal data when you use our services, visit our website (www.horizonpay.ng), or interact with us through our POS devices, applications, or other channels.
2. Data Controller and Data Protection Officer
For the purposes of applicable data protection laws, the Data Controller is:
We have appointed a Data Protection Officer (DPO) in compliance with Section 32 of the NDPA 2023. The DPO oversees our data protection programme, conducts compliance reviews, and serves as the primary contact between HorizonPay and the NDPC. For all data protection enquiries, please contact:
3. Personal Data We Collect
We collect and process the following categories of personal data, applying the principle of data minimisation — collecting only what is adequate, relevant, and necessary for the stated purpose — in compliance with the NDPA 2023.
3.1 Identity and Verification Data
- Full name, date of birth, gender, and nationality
- Bank Verification Number (BVN) and National Identification Number (NIN) — mandatory under CBN KYC regulations
- Government-issued identification documents (National ID Card, International Passport, Driver's Licence, Voter's Card)
- Passport photographs and biometric data (where applicable and with consent)
- Business name, CAC registration number, and business address (for agents and merchants)
3.2 Contact Information
- Phone number(s), email address, and residential / business address
- Next-of-kin information (where required for account opening or agent onboarding)
- WhatsApp contact details (where voluntarily provided)
3.3 Financial and Transaction Data
- Bank account numbers, NUBAN, and wallet information
- Transaction history, amounts, dates, recipient / beneficiary details, and transaction reference numbers
- Payment card metadata — raw card data is not stored by HorizonPay; all card transactions are processed in PCI-DSS compliant environments
- Commission records and settlement statements
- Float balances and float-related transaction records (for agents)
3.4 Device and Technical Data
- POS terminal serial numbers, IMEI, and device identifiers
- Geo-location data — collected in accordance with the CBN's mandatory geo-fencing requirement for all POS devices deployed through Super Agent networks
- IP address, browser type and version, operating system, and referral URLs
- Cookies and similar tracking technologies (see Section 10)
3.5 Communication and Support Data
- Records of all correspondence with our customer support and compliance teams
- Complaint, dispute, and chargeback records
- Survey responses, feedback forms, and satisfaction ratings
3.6 Employment and Recruitment Data
- CVs, educational qualifications, employment history (job applicants)
- Reference and background verification results
- Staff identification and payroll records (employees)
4. How We Collect Your Data
- Directly from you: When you register as an agent, merchant, or customer; request a POS device; complete forms on our website; apply for a job; or contact us via phone, email, or WhatsApp.
- Automatically: When you use our POS terminals, mobile applications, or visit our website, we automatically collect device identifiers, geo-location data, IP addresses, and cookies.
- From authorised third parties: We may receive data from our Principal banks, NIBSS, the National Identity Management Commission (NIMC) for BVN/NIN verification, licensed credit bureaux, and other regulatory-approved sources for identity verification and KYC/AML compliance purposes.
5. Legal Basis for Processing
In accordance with Sections 24–30 of the NDPA 2023 and the NDPR 2019, we process your personal data on the following lawful bases:
- Consent (Section 25, NDPA 2023): Where you have given clear, specific, informed, and unambiguous consent for a defined processing activity. You may withdraw consent at any time without prejudice to the lawfulness of processing carried out before withdrawal.
- Contractual Necessity: Where processing is necessary to perform our obligations under any contract with you, including agent banking, merchant, and POS service agreements.
- Legal and Regulatory Obligation: Where processing is required to comply with CBN Agent Banking Guidelines, the NFIU Act, the Money Laundering (Prohibition) Act 2022, the Terrorism (Prevention and Prohibition) Act 2022, the NDPA 2023, and all applicable Nigerian laws and CBN circulars.
- Legitimate Interest: Where processing is necessary for our legitimate business interests — including fraud prevention, network security, and service improvement — provided such interests are not overridden by your fundamental rights and freedoms as enshrined in the Nigerian Constitution and the NDPA 2023.
- Public Interest: Where processing is necessary in the public interest, particularly in relation to financial inclusion mandates, the prevention of financial crime, and the stability of Nigeria's financial system.
6. How We Use Your Data
6.1 Service Delivery
- Processing financial transactions: cash deposits and withdrawals, fund transfers, bill payments, airtime and data top-up, balance enquiries, loan disbursements and repayments, voucher and subscription services, and purchase transactions
- Onboarding, managing, and monitoring agents and merchants
- Provisioning, configuring, geo-fencing, and managing POS devices
- Providing customer support, dispute resolution, and chargeback processing
6.2 Regulatory Compliance
- Conducting Know Your Customer (KYC) checks, Customer Due Diligence (CDD), and Enhanced Due Diligence (EDD) as required by CBN
- Anti-Money Laundering (AML) and Combating the Financing of Terrorism (CFT) screening against local and international watchlists
- Mandatory BVN and NIN verification via NIMC-approved channels
- Filing Suspicious Transaction Reports (STRs) and Currency Transaction Reports (CTRs) with the NFIU
- Filing regulatory returns and reporting to the CBN, NDPC, NFIU, and other supervisory bodies
- Conducting annual Data Protection Compliance Audits (DPCA) as required by the NDPC
6.3 Security and Fraud Prevention
- Monitoring transactions for unusual, suspicious, or anomalous activity
- Implementing and enforcing CBN-mandated geo-fencing on all POS devices
- Conducting fraud detection, investigation, and incident response
- Maintaining data breach detection and notification protocols in compliance with the NDPA 2023 and the CBN Cybersecurity Framework
6.4 Business Operations and Improvement
- Analysing transaction patterns and user behaviour to improve products and services
- Conducting internal audits, compliance assessments, and DPIAs
- Communicating service updates, maintenance notices, and operational announcements
6.5 Marketing (Consent Only)
- Sending promotional offers, newsletters, and information about new products or services — only where you have expressly opted in
- You may opt out of marketing communications at any time by clicking the unsubscribe link in any marketing email or by contacting us at contact@horizonpay.ng
7. Data Sharing and Disclosure
We may share your personal data with the following categories of recipients, subject to appropriate contractual and technical safeguards, and — where required — your consent. All third-party processors are bound by Data Processing Agreements (DPAs) that impose obligations no less protective than this Policy.
- Principal Banks and Financial Institutions: For transaction processing, settlement, reconciliation, and regulatory reporting as required by CBN Agent Banking Guidelines.
- Payment Processors and Switches: Including NIBSS and other CBN-approved payment switches for transaction routing, clearing, and settlement.
- Regulatory and Supervisory Bodies: Including the CBN, NDPC, NFIU, EFCC, ICPC, and other competent authorities, as required by applicable law, regulatory directive, or valid court order.
- Identity Verification Providers: For BVN, NIN (NIMC), and other identity verification and KYC services as mandated by CBN regulations.
- Technology and Cloud Service Providers: Cloud hosting, cybersecurity, and software vendors who process data on our behalf under strict DPAs with appropriate technical and organisational security measures.
- Professional Advisors: Legal counsel, auditors, and compliance consultants, subject to professional confidentiality obligations.
- Law Enforcement: Where required by applicable law, court order, or valid legal process.
We do not sell, rent, lease, or trade your personal data to any third party for their independent commercial or marketing purposes. Any disclosure is made only as described in this Policy and in compliance with applicable Nigerian law.
8. Cross-Border Data Transfers
Your personal data is primarily processed and stored within Nigeria. Where it becomes necessary to transfer your data outside Nigeria — for example, for cloud infrastructure or international third-party service providers — HorizonPay ensures that:
- The recipient country provides an adequate level of data protection as determined by the NDPC; or
- Appropriate safeguards are in place, including binding contractual clauses or standard data protection clauses approved by the NDPC; and
- All transfers comply with Section 43 of the NDPA 2023 and applicable CBN regulations.
Transfer Impact Assessments (TIA): Prior to any cross-border data transfer, HorizonPay conducts a Transfer Impact Assessment to ensure your rights remain protected regardless of jurisdiction, in line with NDPC guidance.
9. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected and to comply with mandatory regulatory retention requirements. The following minimum retention periods apply:
| Data Category | Minimum Retention Period | Regulatory Basis |
| --- | --- | --- |
| Transaction records (all types) | 5 years from transaction date | CBN Agent Banking Guidelines; Money Laundering (Prohibition) Act 2022 |
| KYC / CDD / EDD records | 5 years after end of business relationship | NFIU Act; CBN KYC Regulations; NDPA 2023 |
| Agent and merchant records | Duration of relationship + 5 years | CBN Agent Banking Guidelines |
| STR / CTR filings | 5 years from date of filing | NFIU Act; AML/CFT Regulations |
| Website usage and analytics data | Up to 12 months from collection | NDPA 2023 — minimum necessity principle |
| Marketing consent records | Until consent is withdrawn | NDPA 2023 — Section 25 |
| Staff employment records | 7 years from cessation of employment | Nigerian Labour Act; NDPA 2023 |
| Unsuccessful job applicant records | 2 years from application date | NDPA 2023 — minimum necessity principle |
| Data breach records | 5 years from date of breach | NDPA 2023 — Section 40; NDPC Guidelines |
Upon expiry of the applicable retention period, personal data is securely deleted, destroyed, or irreversibly anonymised in accordance with our documented data disposal procedures and NDPC Technical Standards.
10. Cookies and Tracking Technologies
Our website uses cookies and similar tracking technologies to enhance your browsing experience and improve our services. We deploy the following categories of cookies:
- Strictly Necessary Cookies: Essential for the website to function correctly, including session management and security features. These cannot be disabled without materially impairing core functionality.
- Analytics Cookies: Used to understand how visitors interact with our website, enabling us to improve functionality and content. Data collected is aggregated and anonymised where possible.
- Functional Cookies: Enable the website to remember your preferences, such as language or region settings.
We obtain your prior, informed consent before placing non-essential cookies on your device, in compliance with the NDPA 2023. You may manage your cookie preferences through your browser settings. Disabling certain cookies may affect website functionality. For a full list of cookies used, please contact us at contact@horizonpay.ng.
11. Data Security
We implement robust technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction, in compliance with the NDPC Technical Standards and the CBN Risk-Based Cybersecurity Framework for Financial Institutions:
- Encryption: All data is encrypted at rest and in transit using AES-256 and TLS 1.3+ protocols.
- Access Controls: Role-based access controls (RBAC) and multi-factor authentication (MFA) are enforced across all internal systems and applications.
- Network Security: Enterprise-grade firewalls, intrusion detection and prevention systems (IDS/IPS), and 24/7 continuous monitoring.
- Vulnerability Management: Regular vulnerability assessments and penetration testing (VAPT) conducted by qualified professionals, as mandated by the NDPC and CBN Cybersecurity Framework.
- PCI-DSS Compliance: All card payment data is processed in PCI-DSS compliant environments; raw card data is never stored by HorizonPay.
- Geo-Fencing: All POS devices are geo-fenced to registered and approved business locations in compliance with CBN Agent Banking Guidelines.
- Employee and Agent Training: All staff and agents receive mandatory training on data protection, KYC, AML/CFT, consumer protection, and cybersecurity awareness.
- Incident Response: A documented, tested incident response plan and data breach notification procedure is maintained and reviewed at least annually.
- Data Processing Agreements: All third-party processors handling personal data on our behalf are bound by DPAs incorporating appropriate technical and organisational security standards.
Despite these measures, no system is completely secure. In the event of a breach, we will act promptly in accordance with Section 16 of this Policy and our obligations under the NDPA 2023.
12. Your Rights as a Data Subject
Under the NDPA 2023 and the NDPR, you have the following rights regarding your personal data. To exercise any right, please contact our DPO at dpo@horizonpay.ng. We will acknowledge your request promptly and respond within 30 days as required by law (extendable by a further 30 days where the request is complex).
- Right of Access: Request a copy of the personal data we hold about you, including information on how and why it is processed.
- Right to Rectification: Request correction of inaccurate or incomplete personal data held about you, without undue delay.
- Right to Erasure: Request deletion of your personal data, subject to mandatory legal and regulatory retention requirements.
- Right to Restrict Processing: Request restriction of processing under specific circumstances defined by the NDPA 2023.
- Right to Data Portability: Receive your personal data in a structured, commonly used, machine-readable format for transfer to another controller.
- Right to Object: Object to processing for direct marketing or where processing is based on our legitimate interest.
- Right re: Automated Decisions: Not be subject to decisions based solely on automated processing that produce significant legal effects, and to request human review.
- Right to Withdraw Consent: Withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
13. Children's Data
Our services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. Where an agent or merchant is required to process a transaction involving or on behalf of a minor, the consent and identification of a parent or legal guardian is mandatory.
If we become aware that we have inadvertently collected personal data from a child without appropriate parental or guardian consent, we will take immediate steps to delete such data and, where required, notify the NDPC in accordance with our breach notification obligations.
14. Data Protection Impact Assessment (DPIA)
In compliance with Section 27 of the NDPA 2023, HorizonPay conducts Data Protection Impact Assessments (DPIAs) before commencing any high-risk processing activities. These include, but are not limited to:
- Large-scale transaction processing involving sensitive personal data
- Automated fraud detection, risk scoring, and decision-making systems
- Agent and merchant onboarding processes involving biometric data
- New products, services, or technologies that involve significant changes to data processing
- Cross-border transfers of personal data
DPIA results inform our data protection strategies and risk mitigation measures, and are made available to the NDPC upon request.
15. Data Protection Compliance Audit
HorizonPay submits annual Data Protection Compliance Audit (DPCA) Returns to the Nigeria Data Protection Commission (NDPC) through a duly licensed Data Protection Compliance Organisation (DPCO), as required under Section 29 of the NDPA 2023. Audit returns are filed no later than the 15th of March each year in respect of the preceding calendar year, covering our data processing operations, security posture, DPIAs, data subject requests, and any breaches recorded.
16. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, HorizonPay will take the following steps in accordance with Section 40 of the NDPA 2023:
- NDPC Notification — within 72 hours: We will notify the Nigeria Data Protection Commission within 72 hours of becoming aware of a reportable breach, providing details of the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed.
- Data Subject Notification — without undue delay: Where a breach is likely to result in a high risk to your rights and freedoms, we will notify affected data subjects directly and without undue delay.
- Internal Documentation: All breaches — whether reportable or not — will be documented in our internal Breach Register, including the nature of the breach, affected data categories, remedial actions taken, and notification timelines.
17. Third-Party Links
Our website and services may contain links to third-party websites, platforms, or services that are not operated by HorizonPay. We are not responsible for the privacy practices, content, or data handling of such third parties. We encourage you to review the privacy policies of any external sites you visit before providing any personal information.
18. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our data processing practices, applicable laws, or regulatory guidance issued by the NDPC or CBN. Any material changes will be communicated through a prominent notice on our website and, where practicable, directly to affected data subjects. The "Last Updated" date at the top of this page reflects the most recent revision. We encourage you to review this Policy periodically.
19. Complaints
If you are dissatisfied with how we have handled your personal data or your rights request, you are encouraged to contact our DPO in the first instance. If you remain dissatisfied, you have the right to escalate your complaint to the relevant supervisory authority:
20. Contact Us
For any questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact us through any of the following channels: