Privacy Policy
Last updated: 28 May 2026
1. Information We Collect
We collect the following information when you use GruuvyPay:
Account information: name, email address, username (@GruuvyTag), phone number, and password hash.
Identity verification (KYC): BVN (Bank Verification Number) and NIN (National Identification Number). These are encrypted using AES-256-GCM before storage and are never stored in plaintext.
Financial data: wallet balances, transaction history, linked payment methods.
Device data: device type, operating system version, push notification tokens (used only for security alerts and transaction notifications).
Location: we do not track your real-time location. Your IP address is used only for fraud prevention and security purposes.
2. How We Use Your Information
We use your information to:
- Provide, operate, and improve the GruuvyPay service
- Verify your identity in compliance with CBN KYC requirements (Tiers 0–3)
- Process transactions and maintain your wallet
- Send transaction confirmations and security alerts
- Prevent fraud, unauthorized access, and money laundering
- Comply with Nigerian legal and regulatory obligations, including AML/CFT reporting
3. Data Security
We take security seriously:
- BVN and NIN are encrypted using AES-256-GCM before storage
- We use a dedicated Key Management Service (KMS) — encryption keys are stored separately from encrypted data
- All data in transit is protected by TLS 1.3
- Passwords and PINs are hashed using bcrypt — we cannot see your PIN
- We do not store plaintext payment card numbers
- Regular security audits are conducted by third-party security firms
4. Data Sharing
We share limited data only with partners required to deliver our services:
- Flutterwave — payment processing (CBN-licensed PSSP)
- VTpass — bill payments (airtime, data, electricity, cable)
- Quidax — crypto trading (SEC Nigeria-licensed VASP)
- MetaMap — NIN and address document verification (KYC)
- Termii — SMS OTP delivery
We do NOT sell your personal data to any third parties. We do NOT use your data for advertising purposes. All partners are contractually obligated to protect your data.
5. AML/CFT Transaction Monitoring
GruuvyPay is required by Nigerian law to monitor transactions for suspicious activity under the Money Laundering (Prevention and Prohibition) Act 2022.
Our automated system screens every transaction for patterns including high-value amounts, unusual frequency, structuring (transactions just below reporting thresholds), and large transactions on new accounts.
Where a transaction is flagged as suspicious, GruuvyPay may:
- Place a temporary hold on the transaction for review
- Request additional information or documentation from you
- File a Suspicious Transaction Report (STR) with the Nigerian Financial Intelligence Unit (NFIU)
For cryptocurrency withdrawals above the equivalent of $1,000 USD, we collect and retain the name and wallet address of the recipient in accordance with the FATF Travel Rule. This information is shared with Quidax (our SEC Nigeria-licensed crypto partner) for compliance reporting.
These processing activities are carried out under our legal obligation as a financial services provider. You cannot opt out of AML monitoring.
6. Your Rights (NDPA 2023)
Under the Nigeria Data Protection Act 2023, you have the right to:
- Access your personal data held by GruuvyPay
- Correct inaccurate or outdated information
- Delete your account and associated personal data (see Help > How to Delete Your Account)
- Data portability — request a copy of your data in a structured format
- Withdraw consent for optional data processing at any time
Note: some data cannot be deleted while we are under a legal obligation to retain it (e.g., transaction records required by CBN for 7 years).
To exercise any of these rights, contact our Data Protection Officer at compliance@gruuvypay.com.
7. Data Retention
- Transaction records: retained for 7 years as required by CBN regulations
- AML flag and STR records: retained for 5 years from the date of filing, as required by the Money Laundering (Prevention and Prohibition) Act 2022
- KYC documents: retained for the duration of the business relationship and 5 years after account closure
- Account data: retained while your account is active, then deleted within 90 days of a confirmed account deletion request (subject to regulatory requirements)
9. Contact & Data Protection Officer
For privacy-related questions, AML/compliance enquiries, or to exercise your rights:
Data Protection Officer: Ikorgu Ibinabo Desmond
Email: compliance@gruuvypay.com
General support: support@gruuvypay.com
Address: GruuvyPay Limited, Nigeria
10. Children
GruuvyPay is not intended for users under the age of 18. We do not knowingly collect personal information from minors. If you believe a minor has created an account, please contact us at support@gruuvypay.com and we will delete the account promptly.