Privacy Policy

We collect the following information when you use GruuvyPay:

Account information: name, email address, username (@GruuvyTag), phone number, and password hash.

Identity verification (KYC): BVN (Bank Verification Number) and NIN (National Identification Number). These are encrypted using AES-256-GCM before storage and are never stored in plaintext.

Financial data: wallet balances, transaction history, linked payment methods.

Device data: device type, operating system version, push notification tokens (used only for security alerts and transaction notifications).

Location: we do not track your real-time location. Your IP address is used only for fraud prevention and security purposes.

We use your information to:

- Provide, operate, and improve the GruuvyPay service - Verify your identity in compliance with CBN KYC requirements (Tiers 0–3) - Process transactions and maintain your wallet - Send transaction confirmations and security alerts - Prevent fraud, unauthorized access, and money laundering - Comply with Nigerian legal and regulatory obligations

We take security seriously:

- BVN and NIN are encrypted using AES-256-GCM before storage - We use a dedicated Key Management Service (KMS) — encryption keys are stored separately from encrypted data - All data in transit is protected by TLS 1.3 - Passwords and PINs are hashed using bcrypt — we cannot see your PIN - We do not store plaintext payment card numbers - Regular security audits are conducted by third-party security firms

We share limited data only with partners required to deliver our services:

- Flutterwave — payment processing - VTpass — bill payments (airtime, data, electricity, cable) - Quidax — crypto trading - Fincra — KYC verification - Termii — SMS OTP delivery

We do NOT sell your personal data to any third parties. We do NOT use your data for advertising purposes. All partners are contractually obligated to protect your data.

Under the Nigeria Data Protection Act 2023, you have the right to:

- Access your personal data held by GruuvyPay - Correct inaccurate or outdated information - Delete your account and associated personal data (see Help > How to Delete Your Account) - Data portability — request a copy of your data in a structured format - Withdraw consent for optional data processing at any time

To exercise any of these rights, contact us at privacy@gruuvypay.com.

- Transaction records: retained for 7 years as required by CBN regulations - Account data: retained while your account is active, then deleted within 90 days of a confirmed account deletion request (subject to regulatory requirements) - KYC documents: retained as required by applicable Nigerian law and CBN guidelines

Our website uses essential cookies only — these are required for the site to function correctly. We do not use:

- Advertising or tracking cookies - Third-party analytics cookies that identify you personally - Social media tracking pixels

You can disable cookies in your browser settings, though some site features may not function correctly.

For privacy-related questions or to exercise your rights:

Data Protection Officer: privacy@gruuvypay.com General support: support@gruuvypay.com Address: GruuvyPay, Nigeria

GruuvyPay is not intended for users under the age of 18. We do not knowingly collect personal information from minors. If you believe a minor has created an account, please contact us at support@gruuvypay.com and we will delete the account promptly.