Privacy Policy

PRIVACY POLICY

1. Scope & Regulatory Alignment

This Privacy Policy governs all aspects of the collection, processing, storage, transfer, and disclosure of personal, business, and transactional data by KarryBiz in connection with the operation of the Platform, including all integrated services such as payment facilitation, wallet management, delivery integration, and ancillary business tools.

The processing of data is carried out in strict compliance with applicable Nigerian law, including the Nigeria Data Protection Regulation (NDPR), the Central Bank of Nigeria (CBN) guidelines on digital financial services, relevant consumer protection statutes, taxation laws, anti-money laundering and counter-terrorist financing regulations, and any other applicable regulatory obligations.

This Policy applies to all data subjects, including merchants, customers, and other Platform users, and governs data collected directly through registration, transactions, Platform activity, or indirectly through associated third-party services integrated into the Platform.

2. Categories of Data Collected

KarryBiz collects data necessary to provide its services, ensure secure operations, and comply with legal obligations. The categories include:

• Identity Data: Names, business registration details, trade names, legal identifiers, registration numbers, and other identification information for verification and KYC purposes.
• Contact Information: Email addresses, telephone numbers, mailing addresses, and other communication channels provided by users or collected for transactional or service-related purposes.
• Transactional and Financial Metadata: Transaction dates, amounts, payment identifiers, wallet credits/debits, product or service details, delivery references, and reconciliation data.
• Device and Usage Information: IP addresses, device identifiers, operating system and browser information, usage logs, session activity, clickstream analytics, and behavioral patterns relevant to Platform security and functionality.
• KYC, Compliance, and Verification Data: Identification documents, proof of address, bank account verification, and other information required for regulatory compliance, fraud prevention, and risk monitoring.

Card and sensitive payment credentials are never stored by KarryBiz; all payment data is handled exclusively by licensed third-party processors.

3. Purpose and Legal Basis of Processing

Personal and transactional data is processed for legitimate operational, legal, and commercial purposes, including but not limited to:

• Enabling registration, authentication, and management of merchant and customer accounts.
• Facilitating secure payment transactions and wallet operations through integrated, licensed payment processors.
• Detecting, preventing, and mitigating fraudulent activity, unauthorized access, and operational abuse.
• Complying with legal, regulatory, tax, or contractual obligations, including KYC, anti-money laundering, consumer protection, and data protection requirements.
• Supporting the investigation, resolution, and management of disputes, chargebacks, complaints, or refunds.
• Conducting risk management, audits, system monitoring, compliance reviews, and internal reporting necessary to protect the integrity and stability of the Platform.
• Maintaining operational, security, and continuity safeguards, including monitoring for suspicious activity, operational anomalies, or cybersecurity threats.

4. Data Sharing and Disclosure

KarryBiz may disclose or share personal data under strict lawful and contractual conditions:

• Payment Processors: To enable transaction authorization, settlement, and reconciliation via licensed third-party financial institutions.
• Logistics Providers: To facilitate delivery, shipment tracking, and order fulfillment in accordance with merchants’ instructions.
• Regulatory Authorities, Law Enforcement, and Financial Institutions: Where required by law, regulatory inquiry, court order, or financial reporting obligations.
• Compliance, Audit, and Risk Partners: Independent auditors, cybersecurity assessors, compliance consultants, and operational risk advisors engaged to maintain Platform security, legal compliance, and operational integrity.

All data sharing is limited to what is necessary for the stated purpose and conducted in accordance with applicable data protection laws, contractual obligations, and security standards.

5. Data Retention

Personal and transactional data is retained only for as long as necessary to:

• Fulfill contractual obligations between KarryBiz, merchants, and customers.
• Comply with applicable legal and regulatory record-keeping requirements, including NDPR, tax, and financial reporting standards.
• Resolve disputes, claims, chargebacks, or regulatory inquiries.
• Enforce Platform policies, legal rights, and operational procedures.

Upon expiration of retention periods, data is either securely anonymized, archived in compliance with regulatory standards, or permanently destroyed using industry-standard methods.

6. Security Measures and Risk Management

KarryBiz employs a multi-layered framework of technical, organizational, and administrative safeguards designed to maintain the confidentiality, integrity, and availability of personal and transactional data collected and processed through the Platform.

These measures are implemented to mitigate operational, cybersecurity, and compliance risks while supporting the secure functioning of integrated payment, wallet, and logistics services.

Protective measures include, without limitation:

• Encryption and Data Masking: Personal and transactional data is encrypted during transmission and at rest, and sensitive identifiers are masked where feasible to reduce exposure.
• Role-Based Access and Privilege Management: Access to systems and data is restricted according to operational necessity and assigned responsibilities, with privileged access subject to additional monitoring and verification controls.
• Continuous Monitoring, Audit, and Anomaly Detection: Platform activity is logged and reviewed to detect irregular, suspicious, or potentially unauthorized operations, including automated alerts and manual audit processes.
• Authentication and Identity Assurance: Access to the Platform is protected by multi-factor authentication, strong credential policies, and session management protocols to reduce the risk of unauthorized access.
• Periodic Security Assessments and Validation: Regular vulnerability assessments, penetration testing, system audits, and compliance reviews are conducted to identify, evaluate, and remediate potential weaknesses across technical infrastructure and operational processes.

While these measures are carefully designed to reduce exposure to unauthorized access, operational failures, or cyber threats, all digital systems inherently carry residual risk. Accordingly, KarryBiz does not and cannot warrant absolute protection against all potential security incidents, breaches, or unforeseen operational anomalies.

Users acknowledge that certain risks, including unauthorized access, system interruptions, or inadvertent data exposure, may persist despite the application of industry-standard safeguards.

This framework is complemented by ongoing risk management practices, including internal governance, employee training, regulatory alignment, and review of third-party service integrations, to ensure that protective measures remain proportionate, effective, and aligned with evolving operational and regulatory requirements.

7. Data Subject Rights

Subject to applicable law, including the Nigeria Data Protection Regulation (NDPR), users and other data subjects are entitled to exercise certain rights regarding their personal data processed by KarryBiz.

These rights are designed to provide transparency, accountability, and control, while balancing operational and regulatory obligations:

• Access: Users may request confirmation of whether personal data concerning them is being processed and obtain a copy of such data, subject to verification and applicable safeguards. Access requests are assessed to ensure that disclosure does not compromise operational security, proprietary systems, or third-party confidentiality.
• Correction: Users may request the rectification of personal data that is inaccurate, incomplete, or outdated. KarryBiz will take reasonable steps to validate and effect corrections while maintaining integrity and consistency of internal records and compliance with regulatory obligations.
• Deletion: Users may request the erasure of personal data where legally permissible and where retention is no longer required for contractual, legal, regulatory, or operational purposes. Certain data may be retained in anonymized or aggregate form to support audit, risk management, or compliance requirements.
• Objection and Restriction: Users may object to or request limitations on the processing of personal data where permitted by law, including for direct marketing or analytical purposes. Requests are considered in light of legal obligations, operational necessity, and legitimate business interests.

All requests must be submitted in accordance with KarryBiz’s established verification and response procedures. Certain rights may be restricted or deferred to comply with applicable laws, regulatory obligations, or legitimate operational requirements, including fraud prevention, dispute resolution, risk management, and financial compliance.

8. Cross-Border Data Transfers

Where operationally necessary, personal data may be processed, transmitted, or stored outside the territorial boundaries of Nigeria.

Such cross-border transfers are conducted only where appropriate contractual, organizational, and technical safeguards are implemented to ensure continued protection of personal data, lawful processing, and adherence to NDPR standards.

Transfers may occur to support payment facilitation, cloud-based system infrastructure, business continuity, risk management, and third-party service integration, while maintaining proportionality and minimizing exposure to unauthorized access or misuse.

Users acknowledge and consent to such transfers to the extent required to facilitate lawful and effective Platform operations.

9. Limitation of Liability

KarryBiz is not responsible for the privacy, data protection, or information handling practices of merchants, customers, or third-party service providers that operate independently of the Platform.

Users acknowledge that engagement with services, systems, or processes outside the control of KarryBiz is governed by the respective policies, procedures, and legal frameworks of those independent entities.

KarryBiz assumes no liability for data breaches, losses, or non-compliance events arising from interactions with third parties or external systems beyond its operational oversight.

10. Amendments and Updates

KarryBiz reserves the right to amend, modify, or update this Privacy Policy at any time to reflect operational, legal, regulatory, or technological developments.

Updates may include changes to data collection practices, processing purposes, retention schedules, or security measures.

Users are deemed to have accepted the revised Privacy Policy through continued use of the Platform after publication of any modifications.

Significant updates may be communicated to users through Platform notifications or other reasonable channels, though ongoing Platform access constitutes implicit consent to such changes.

Amendments language is detailed to cover operational, legal, and technical changes without undermining enforceability.