Privacy Policy

ThynkPay is a QR-based payment platform designed for the Nigerian market. We allow vendors to receive digital payments using a printed QR code, and we allow customers to send and receive money to and from any Nigerian bank. To deliver this service safely, we have to collect and process certain personal and financial information about you.

This privacy policy applies to the ThynkPay website, mobile applications, and any other services we provide that link to this policy. It is written to comply with the Nigeria Data Protection Act 2023 (NDPA), the Nigeria Data Protection Regulation (NDPR), and the relevant guidelines issued by the Central Bank of Nigeria (CBN) and the Nigeria Data Protection Commission (NDPC).

By creating an account with ThynkPay or using our services, you confirm that you have read and understood this policy and consent to the data practices described in it.

We collect different categories of information depending on how you interact with ThynkPay. We only collect what we need to operate the service, comply with the law, and keep your money safe.

2.1 Information you give us directly

• Identity information: your full name, date of birth, gender, phone number, and email address.
• Government identifiers: your National Identification Number (NIN), Bank Verification Number (BVN), or other government-issued ID required to verify your identity under Nigerian Know-Your-Customer (KYC) rules.
• Financial information: your bank account number, bank name, and (where applicable) debit card information used to fund or withdraw from your ThynkPay wallet.
• Business information: if you register as a vendor, the trading name and category of your business and the location at which you operate.
• Communications: messages, support tickets, feedback, and survey responses you send us.

2.2 Information we collect automatically

• Device information: device model, operating system, unique device identifiers, mobile network information, and browser type.
• Log and usage data: IP address, access times, pages and screens viewed, features used, crash reports, and other diagnostic information.
• Location data: approximate location (derived from your IP address) and, where you grant permission, precise location for fraud-prevention and geo-tagged transaction features.
• Transaction metadata: the amount, time, reference, status, and counterparty of every payment you make or receive through ThynkPay.
• Security signals: device fingerprinting, behavioural signals, and velocity data used to detect fraud and unauthorised access.

2.3 Information from third parties

• Identity-verification providers, who confirm that your NIN / BVN / ID matches the details you provided.
• Our banking partner, Providus Bank, which holds the funds in your wallet and reports settlement information to us.
• Sanctions and politically-exposed-persons (PEP) screening providers, used to satisfy anti-money-laundering obligations.

We use your information to:

• Create and operate your ThynkPay account and wallet.
• Process payments, transfers, and cash-outs you instruct us to make.
• Verify your identity in line with KYC and anti-money-laundering rules.
• Detect, investigate, and prevent fraud, unauthorised transactions, and other harmful activity.
• Send you transaction alerts, security notices, and other service-related messages.
• Provide customer support and respond to your enquiries.
• Improve, personalise, and develop new features for the ThynkPay product.
• Comply with our legal and regulatory obligations, including reporting suspicious transactions to the Nigerian Financial Intelligence Unit (NFIU) where required.
• Send you marketing communications about ThynkPay (only where you have consented; you can opt out at any time).

Under the Nigeria Data Protection Act, we rely on the following lawful bases to process your information:

• Performance of a contract — to deliver the ThynkPay service you signed up for.
• Compliance with a legal obligation — for KYC, anti-money-laundering, sanctions screening, and regulatory reporting.
• Legitimate interests — to keep our service secure, prevent fraud, and improve our product, in a way that does not override your fundamental rights.
• Consent — for optional features such as marketing communications or precise location access, where you can withdraw consent at any time.

We do not sell your personal information. We share it only in the limited circumstances described below.

• With our banking partner (see section 6) to settle transactions, custody funds, and meet regulatory obligations.
• With service providers who help us run ThynkPay — cloud hosting, payment processors, identity-verification vendors, analytics, customer-support tooling, and SMS / email delivery. These providers are contractually bound to protect your data and use it only for ThynkPay's purposes.
• With law-enforcement or regulators when legally required to do so — for example, when responding to a valid court order, regulatory request, or NFIU reporting obligation.
• In a business transfer — if ThynkPay is acquired, merged with another company, or sells part of its business, your information may be transferred as part of that transaction, subject to the protections in this policy.
• With your consent — for any other disclosure not described above, we will ask you first.

Until ThynkPay receives its own payment-service licence from the Central Bank of Nigeria, customer funds are held in a designated account at Providus Bank, a fully licensed and regulated Nigerian commercial bank.

To operate this arrangement, Providus Bank receives the information it needs to open and operate your wallet sub-account, settle transactions, and meet its own anti-money-laundering and reporting obligations. Providus Bank acts as a joint data controller for that information and is bound by its own privacy policy and by Nigerian banking secrecy rules.

We take the security of your personal and financial data seriously. Our safeguards include:

• Encryption of data in transit (TLS 1.2+) and at rest.
• Cryptographic signing of every transaction to prevent tampering.
• Multi-factor authentication and biometric login for account access.
• Device fingerprinting, velocity checks, and machine- learning models to detect fraud and account takeover in real time.
• Role-based access control inside ThynkPay — employees only see the data they need for their role and access is logged.
• Regular vulnerability scans and penetration tests by independent security firms.

No security control is perfect. If we ever discover a breach that affects your information, we will notify you and the Nigeria Data Protection Commission within the timeframes required by law.

We keep your personal information only for as long as we need it to provide the service and to meet our legal and regulatory obligations.

• Account and KYC records: at least 7 years after account closure, as required by Nigerian anti-money-laundering rules.
• Transaction records: at least 7 years from the date of the transaction.
• Customer-support communications: up to 3 years from the date of the last interaction.
• Marketing preferences: until you withdraw consent or delete your account, whichever is first.

After the applicable retention period, we either delete the data or anonymise it so that it can no longer be linked to you.

Under the Nigeria Data Protection Act, you have the following rights over your information:

• Right of access — request a copy of the personal data we hold about you.
• Right to rectification — ask us to correct information that is wrong or incomplete.
• Right to erasure — ask us to delete your data, subject to the retention obligations described above.
• Right to restrict processing — ask us to pause processing in certain circumstances.
• Right to data portability — receive your data in a portable format or have it transferred to another provider.
• Right to object — object to processing based on legitimate interests, including direct marketing.
• Right to withdraw consent — at any time, where we rely on consent to process your data.
• Right to lodge a complaint — with the Nigeria Data Protection Commission if you believe we have mishandled your data.

To exercise any of these rights, email us at privacy@thynkpay.com. We will respond within the timeframes required by Nigerian law (currently 30 days, extendable in complex cases).

ThynkPay is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided information to ThynkPay, please contact us so we can delete it.

Our website uses cookies and similar technologies to keep you signed in, remember your preferences, measure performance, and detect fraud. You can configure your browser to refuse cookies, but some parts of the site may not work as expected if you do.

Our mobile applications use device identifiers and analytics SDKs (e.g. crash reporting) for similar purposes. You can manage analytics permissions through your device settings.

ThynkPay is built and operated in Nigeria. Some of our service providers (for example, our cloud-hosting and analytics vendors) may process data outside Nigeria. When that happens we make sure the transfer is permitted under Nigerian law, either because the destination country provides adequate protection or because the provider is bound by contractual safeguards equivalent to those required by the Nigeria Data Protection Act.

ThynkPay may link to or integrate with third-party services (for example, your bank's payment confirmation page). Those services have their own privacy policies, and we encourage you to read them. ThynkPay is not responsible for the privacy practices of third parties.

We may update this policy from time to time to reflect changes in our practices, our services, or applicable law. When we do, we will update the "Last updated" date at the top of the page and, for material changes, notify you through the app or by email before the new policy takes effect.

If you have questions about this policy or how we handle your data, contact our Data Protection Officer:

If you believe we have not handled your data in line with Nigerian law, you can also lodge a complaint directly with the Nigeria Data Protection Commission at ndpc.gov.ng.