1. Introduction
Arveth Multi-Concept ("Arveth Multi-Concept", "the Company", "we", "us", or "our") is the parent company of Arveth Technologies, its technology-focused subsidiary responsible for building and operating the ArvethPay digital payment gateway ("ArvethPay", the "Service", or the "Platform"). The Service is accessible via our official website at arveth.com.ng and the ArvethPay application hosted at https://arvethpay.vercel.app/. This Privacy Policy explains how we collect, use, disclose, store, and protect personal data belonging to our customers, merchants, website visitors, and other users ("you", "User", "Data Subject") when you access or use the Service.
This Policy is issued in accordance with the Nigeria Data Protection Act, 2023 ("NDPA"), the Nigeria Data Protection Regulation, 2019 ("NDPR") and its Implementation Framework, the Central Bank of Nigeria (CBN) Consumer Protection Framework and Guidelines on Electronic Payments, and other applicable Nigerian and international data protection laws, including, where relevant, the General Data Protection Regulation (GDPR) for users interacting with us from the European Economic Area.
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
- "Data Controller" means Arveth Technologies, which determines the purposes and means of processing Personal Data collected through the Service.
- "Data Processor" means any third party that processes Personal Data on our behalf, such as our payment processing, database, or communication service providers.
- "Sensitive Personal Data" includes financial information, government-issued identification numbers, biometric data, and any other category classified as sensitive under the NDPA.
3. Information We Collect
3.1 Information You Provide Directly
- Identity information: full name, date of birth, gender, residential and business address, phone number, and email address.
- Verification (KYC) information: Bank Verification Number (BVN), National Identification Number (NIN), government-issued identification documents, passport photographs, and utility bills, as required by CBN Know-Your-Customer (KYC) requirements.
- Financial information: bank account details, card details (tokenized), transaction history, wallet balances, and payment receipts.
- Account credentials: username, password (stored as a salted hash), and security question responses.
- Communications: correspondence you send us through support channels, emails, or in-app messaging.
3.2 Information Collected Automatically
- Device and technical data: IP address, browser type, operating system, device identifiers, and browser fingerprint (used for fraud prevention and bot mitigation, including via Cloudflare Turnstile).
- Usage data: pages visited, session duration, click patterns, referral source, and timestamps of activity.
- Transaction metadata: amount, currency, timestamp, counterparties, status, and channel of each payment transaction processed through the gateway.
- Cookies and similar tracking technologies, as described in the Cookies section below.
3.3 Information from Third Parties
- Information from our licensed payment processing partner(s) (e.g., Squad by GTCO) confirming transaction status, settlement, and dispute outcomes.
- Information from identity verification providers used to validate BVN, NIN, or bank account ownership.
- Information from fraud-prevention and anti-money-laundering (AML) screening services.
3.4 Device Permissions: Camera, Location, and Media Storage
With your explicit consent, granted through your device's or browser's native permission prompt, the Service may request access to the following device capabilities:
- Camera: used to capture or upload images of identification documents, to perform live selfie verification during KYC, and to photograph payment receipts for automated and manual verification.
- Location (GPS or network-based): used to support fraud detection and transaction risk-scoring, to associate transactions with an approximate geographic location for regulatory and audit purposes, and to flag access attempts from unexpected or high-risk locations.
- Photo and media storage: used to allow you to select and upload existing images, such as receipts or identification documents, from your device gallery.
You may decline or later revoke any of these permissions at any time through your device or browser settings. Doing so will not affect your ability to use the Service generally, but may limit specific features such as receipt upload, live verification, or location-based fraud checks.
4. How We Collect Information
We collect Personal Data when you register an account, complete a transaction, upload verification documents, contact our support team, or otherwise interact with the Platform. We also collect information passively through cookies, server logs, and security monitoring tools such as our Sentinel threat-monitoring module.
5. Legal Basis for Processing
We process your Personal Data only where we have a valid legal basis to do so, including one or more of the following:
- Consent: where you have given clear, informed consent, such as during account registration.
- Contractual necessity: to perform our obligations under the terms governing use of the ArvethPay Service.
- Legal obligation: to comply with CBN, NDPC, EFCC/NFIU anti-money-laundering, tax, and other regulatory reporting requirements.
- Legitimate interest: for fraud prevention, platform security, service improvement, and business analytics, provided such interests do not override your fundamental rights.
6. How We Use Your Information
- To create, verify, and manage your ArvethPay account.
- To process, route, confirm, and reconcile payment transactions.
- To perform identity verification and comply with KYC/AML obligations.
- To detect, investigate, and prevent fraud, unauthorized access, and other illegal activity.
- To provide customer support and respond to inquiries or complaints.
- To send transactional notifications (e.g., payment confirmations, receipt alerts) and, where you have opted in, service or promotional updates.
- To improve, secure, and maintain the performance of the Platform, including our loader, bridge, and verification infrastructure.
- To comply with applicable laws, court orders, and regulatory directives.
7. Data Sharing and Disclosure
We do not sell your Personal Data. We may share your information, strictly on a need-to-know basis and under appropriate contractual safeguards, with:
- Licensed payment processing partners (e.g., Squad) to execute, verify, and settle transactions.
- Infrastructure and technology providers, including our database and edge-function hosting provider (Supabase), content delivery and security provider (Cloudflare), and transactional email provider (Resend), each acting as a Data Processor under contractual confidentiality obligations.
- Regulatory and law enforcement authorities, including the CBN, the Nigeria Data Protection Commission (NDPC), the Nigerian Financial Intelligence Unit (NFIU), and courts of competent jurisdiction, where required by law.
- Professional advisers, including auditors, legal counsel, and insurers, where necessary for legitimate business purposes.
- A successor entity in the event of a merger, acquisition, restructuring, or sale of all or part of our business, subject to equivalent privacy protections.
8. Cross-Border Data Transfer
Where Personal Data is transferred outside Nigeria (for example, to cloud infrastructure providers with servers located abroad), we ensure such transfers comply with Section 41 of the NDPA and NDPR cross-border transfer requirements, including verifying that the receiving country or organization maintains an adequate level of data protection, or that appropriate contractual safeguards (such as Standard Contractual Clauses) are in place.
9. Data Retention
We retain Personal Data only for as long as necessary to fulfil the purposes described in this Policy, including satisfying legal, accounting, regulatory, or reporting requirements. As a general rule:
- Transaction and KYC records are retained for a minimum of five (5) years after the termination of the business relationship, in line with CBN AML/CFT record-keeping requirements.
- Account data is retained for the duration of your active account, plus a reasonable period thereafter for dispute resolution and legal compliance.
- Data no longer required is securely deleted or anonymized in accordance with our internal data disposal procedures.
10. Data Security Measures
We implement administrative, technical, and physical safeguards designed to protect Personal Data against unauthorized access, alteration, disclosure, or destruction, including:
- Encryption of data in transit (TLS/HTTPS) and, where applicable, at rest.
- Role-based access control and use of a segregated secrets-management architecture (e.g., our supabase-proxy component), ensuring database credentials are never exposed client-side.
- Bot and abuse mitigation through Cloudflare Turnstile and rate-limiting on sensitive endpoints.
- Tokenized handling of card and bank information; we do not store raw card numbers on our own servers.
- Continuous monitoring and threat detection, including automated alerts for suspicious or pending-review transactions.
- Periodic security reviews and vulnerability assessments of the Platform.
11. Your Rights as a Data Subject
Subject to applicable law, you have the right to:
- Access the Personal Data we hold about you.
- Request correction of inaccurate or incomplete Personal Data.
- Request erasure of your Personal Data, subject to our legal retention obligations.
- Restrict or object to certain processing activities, including direct marketing.
- Request portability of your Personal Data in a structured, commonly used format.
- Withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
- Lodge a complaint with the Nigeria Data Protection Commission (NDPC) or another competent supervisory authority.
To exercise any of these rights, contact our Data Protection Officer using the details in the Contact section below.
12. Cookies and Tracking Technologies
We use cookies, local storage, and similar tracking technologies for the following purposes:
- Strictly necessary cookies: required for core functionality, such as maintaining your logged-in session and securing checkout and payment flows.
- Security and fraud-prevention cookies: used by our bot-mitigation provider (Cloudflare Turnstile) to distinguish genuine users from automated or malicious traffic.
- Functional and preference cookies: remember your settings, such as language or display preferences.
- Analytics and performance cookies: help us understand usage patterns and improve the Platform's reliability and performance.
You may configure your browser to block or delete cookies at any time; however, doing so may prevent certain features of the Service, including session authentication and security verification, from functioning correctly.
13. Children's Privacy
The Service is not directed at, and we do not knowingly collect Personal Data from, individuals under eighteen (18) years of age. If we become aware that we have inadvertently collected Personal Data from a minor without appropriate consent, we will take steps to delete such data promptly.
14. Third-Party Links and Services
The Platform may contain links to third-party websites or integrate third-party services (such as our payment processing partner). This Policy does not extend to the privacy practices of such third parties, and we encourage you to review their respective privacy policies.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes via the Platform or by email, and will indicate the "Last Reviewed" date at the top of this document. Continued use of the Service after such changes constitutes acceptance of the revised Policy.
16. Data Protection Officer and Contact Information
For questions, requests, or complaints regarding this Privacy Policy or our data practices, please contact:
- Data Protection Officer: Hariph Micheal
- Email: info.arveth@gmail.com
- Phone: +234-7069-303501
- Head Office Address: 107 Opkanam Rd, Asaba, Delta State, Nigeria
- Tax Identification Number (TIN): 1086070388
You may also lodge a complaint directly with the Nigeria Data Protection Commission (NDPC) via its official website or offices.
17. Governing Law
This Privacy Policy is governed by and construed in accordance with the laws of the Federal Republic of Nigeria, including the Nigeria Data Protection Act, 2023, without regard to conflict-of-law principles.
