Skip to content
Legal

Privacy Policy

Myaza Trust handles sensitive identity and biometric data. This policy explains what we collect, why, who we share it with, and the rights you have under the NDPA and GDPR.

Effective18 June 2026Updated12 July 2026
01

Introduction and scope

This Privacy Policy explains how Myaza Trust (“Myaza”, “we”, “us”) collects, uses, shares, and protects Personal Data when you use our identity-verification platform, APIs, SDKs, dashboard, and website (together, the “Services”).

We are committed to processing Personal Data in accordance with the Nigeria Data Protection Act, 2023 (the NDPA), the Nigeria Data Protection Regulation, 2019, and, where applicable, the EU and UK General Data Protection Regulation (GDPR). This Policy forms part of our Terms of Use.

02

Our role: controller and processor

When we process Personal Data about our own account holders (for example, the developers and administrators who sign up for the dashboard), we act as a data controller. When our Customers submit an End User’s information to be verified through our Services, the Customer is the controller and we act as a processoracting on the Customer’s instructions. This Policy describes both relationships.

03

Information we collect

Depending on how the Services are used, we may collect:

  • Account data — name, email address, phone number, company details, and login credentials of users who register for the dashboard.
  • Identity data of End Users— names, dates of birth, addresses, and government identifiers such as National Identification Number (NIN), Bank Verification Number (BVN), international passport, driver’s licence, and voter’s card numbers.
  • Business and associated-party data — for business (KYB) verification, information about a business and the individuals connected to it, including directors, beneficial owners, and authorised representatives (such as their names, roles, ownership percentages, nationality, and identifiers). Some of this information may be obtained from company registries.
  • Biometric data— facial images (selfies), facial geometry, and liveness information used to confirm that an End User is a real, present person and matches their ID. Biometric data is treated as sensitive Personal Data under the NDPA and is processed only with the End User’s explicit consent.
  • Document data— images of identity and corporate documents submitted for verification, and, where a document’s electronic chip is read (for example, an ePassport), the machine-readable data stored on that chip.
  • Contact data — email addresses and phone numbers that are confirmed through one-time passcodes, together with basic deliverability signals.
  • Screening data — where screening is used, information about whether an individual or business appears on sanctions, watchlist, politically-exposed-person (PEP), or adverse-media sources. This can reveal sensitive information and is processed to meet anti-money-laundering obligations.
  • Transaction and monitoring data — where ongoing monitoring is used, the transaction and activity records a Customer submits about an End User, and the risk scores, alerts, and cases we derive from them.
  • Usage, device, and fraud-signal data — IP address (and IP-based approximate location), device and browser information, a device fingerprint and a persistent device identifier, API request metadata, and log data we collect automatically to operate the Services and detect fraud.
04

How we collect information

  • Directly from you when you register, configure your account, or contact us.
  • From our Customers when they submit End-User data through our APIs or SDKs for verification.
  • From authoritative sources — government databases and verification partners that we query to confirm the data submitted (for example, NIN/BVN registries and other official records).
  • Automatically through cookies and similar technologies when you use our website and dashboard.
05

Lawful basis for processing

We rely on one or more of the following lawful bases under the NDPA:

  • Consent — for processing biometric and other sensitive data, obtained from the End User before verification.
  • Performance of a contract — to provide the Services you or our Customers have requested.
  • Legal obligation — to meet KYC/AML requirements, including sanctions screening, ongoing monitoring, and regulatory reporting.
  • Legitimate interests — to secure, maintain, and improve the Services and to prevent fraud, balanced against the rights of data subjects.
06

How we use your information

  • to perform identity verification, KYC, KYB, and AML checks;
  • to identify and verify the beneficial owners, directors, and controllers of a business;
  • to screen individuals and businesses against sanctions, watchlist, PEP, and adverse-media sources;
  • to carry out ongoing (perpetual) monitoring of transactions and activity, and to generate risk scores, alerts, and investigation cases;
  • to help Customers prepare and format regulatory reports, such as suspicious-activity or suspicious-transaction reports;
  • to match submitted data and biometrics against government databases and authoritative sources and return a result;
  • to detect, prevent, and investigate fraud and misuse;
  • to operate, secure, support, and improve the Services;
  • to communicate with you about your account and service updates; and
  • to comply with our legal and regulatory obligations.
07

Identity verification and government-database lookups

A core function of the Services is to match information submitted by a Customer against official records and government databases (such as NIN and BVN registries) and against the biometric or document data provided by the End User. We share only the data necessary to perform the requested check, and we return a verification result to the Customer. We do not sell End-User data or use it for unrelated commercial purposes such as advertising. To keep verification records accurate, prevent fraud, and meet record-keeping obligations, we may maintain a persistent, de-duplicated record that links the verifications relating to the same verified identity.

08

Identity records and de-duplication

To keep verification records accurate, prevent fraud, and meet record-keeping obligations, we maintain a persistent, de-duplicated record that links the verifications relating to the same verified identity. We do not sell Personal Data or use it for unrelated commercial purposes such as advertising.

09

Sanctions, PEP, and adverse-media screening

Where a Customer uses our screening features, we check an individual or business against sanctions and watchlist data, politically-exposed-person (PEP) data, and adverse-media sources, using reputable third-party screening data providers. A screening match may reveal sensitive information about a person and is treated with care. A match is not a finding of wrongdoing — it is decision-support that the Customer is responsible for reviewing and adjudicating, with human review of any potential match.

10

Ongoing monitoring

Where a Customer uses our monitoring features, we process the transaction and activity records the Customer submits about an End User on a continuing basis to produce risk scores, raise alerts, and support investigation cases. This supports the Customer’s ongoing (perpetual) KYC and anti-money-laundering obligations. The Customer determines what activity to submit and remains responsible for the decisions it takes on the resulting alerts.

11

Regulatory reporting

Where a Customer uses our reporting tools, we help the Customer prepare and format regulatory reports — such as suspicious-activity or suspicious-transaction reports — from the underlying case data. The Customer decides whether and when to file such a report with its competent Financial Intelligence Unit or regulator. We may disclose Personal Data to regulators, Financial Intelligence Units, or law enforcement where required by law or to support a Customer’s lawful filing.

12

Automated processing and AI

Our Services involve automated processing — including facial-matching and liveness algorithms, screening-match scoring, and transaction-monitoring risk scoring — that produces a score, alert, or result. These outputs are decision-support: they are provided to the Customer, who is responsible for any decision made about an End User. A data subject has the right to request information about, and human review of, decisions based solely on automated processing that significantly affect them.

13

How and with whom we share data

We share Personal Data only as needed to provide the Services, with:

  • Verification partners and authoritative sources — to carry out the requested checks;
  • Our Customers — who receive the verification result for the End Users they submit;
  • Sub-processors and service providers — such as cloud-hosting and infrastructure providers, bound by contract to equivalent data-protection standards;
  • Screening and data providers — to check an individual or business against sanctions, watchlist, PEP, and adverse-media sources;
  • Communication providers — such as SMS, WhatsApp, and email providers used to deliver one-time passcodes and notifications;
  • Regulators, Financial Intelligence Units, and law enforcement— where required by law, to support a Customer’s lawful regulatory filing, or to protect our rights; and
  • Successors — in connection with a merger, acquisition, or sale of assets, subject to this Policy.

We do not sell Personal Data.

14

Sub-processors

We engage carefully selected sub-processors to help deliver the Services (for example, cloud infrastructure providers). We require each sub-processor to provide a level of data protection equivalent to that described in this Policy and to process Personal Data only on our documented instructions. A current list of sub-processors is available on request from privacy@myaza.co.

15

How we protect your data

We implement appropriate technical and organisational measures to protect Personal Data, including encryption in transit and at rest, strict access controls on a need-to-know basis, network and application security controls, logging and monitoring, and regular review of our security practices. No method of transmission or storage is completely secure, but we work to protect Personal Data against unauthorised access, loss, or misuse.

16

Data retention

We keep Personal Data only for as long as necessary for the purposes described in this Policy or as required by law. In particular:

  • Biometric and document datasubmitted for a Verification is retained only for as long as needed to complete the check and to maintain a verification record, after which it is deleted or anonymised in line with our Customer’s instructions.
  • Verification records and audit logs may be retained to meet KYC/AML record-keeping obligations, which can require retention for up to the statutory period applicable to the relevant transaction.
  • Screening, monitoring, case, and regulatory-report records — where these features are used, records of screening results, monitoring alerts, investigation cases, and any regulatory reports are retained to meet AML record-keeping obligations, which can require retention for several years.
  • Account data is retained for the life of the account and for a reasonable period afterwards to meet legal, tax, and dispute-resolution needs.

When retention is no longer required, we securely delete or anonymise the data.

17

International data transfers

Where we transfer Personal Data outside Nigeria (for example, to a cloud provider in another country), we ensure an adequate level of protection through mechanisms permitted under the NDPA, such as the recipient being in an adequately protected jurisdiction or being bound by appropriate contractual safeguards (for example, standard contractual clauses).

18

Your rights as a data subject

Subject to applicable law, you have the right to:

  • access the Personal Data we hold about you;
  • request correction of inaccurate or incomplete data;
  • request erasure of your data where permitted;
  • restrict or object to certain processing;
  • request portability of data you provided to us;
  • withdraw consent at any time (without affecting prior processing); and
  • lodge a complaint with the Nigeria Data Protection Commission (NDPC) or another competent supervisory authority.

To exercise these rights, contact us at privacy@myaza.co. Where the data relates to a Verification initiated by one of our Customers, we may direct your request to that Customer as the controller.

19

Breach notification

If a personal-data breach occurs that is likely to result in a risk to the rights and freedoms of data subjects, we will notify the Nigeria Data Protection Commission without undue delay and, where feasible, within 72 hours of becoming aware of it, and we will inform affected data subjects and our Customers where required by the NDPA.

20

Children

The Services are not directed to children, and account holders must be at least 18 years old. Where our Customers use the Services to verify individuals, they are responsible for ensuring they have the appropriate legal basis and any required parental or guardian consent.

21

Cookies and tracking

Our website and dashboard use cookies and similar technologies to keep you signed in, remember preferences, and understand how the Services are used. You can control cookies through your browser settings; disabling some cookies may affect functionality.

22

Marketing communications

We may send you service-related messages and, where permitted, marketing communications about Myaza. You can opt out of marketing at any time using the unsubscribe link in our emails or by contacting us. Opting out does not affect essential service communications.

23

Changes to this Policy

We may update this Privacy Policy from time to time. We will post the updated version with a new “last updated” date and, where changes are material, provide additional notice. Your continued use of the Services after the changes take effect constitutes acceptance of the updated Policy.

24

Contact us and our Data Protection Officer

If you have questions about this Policy or wish to exercise your rights, you can reach our Data Protection Officer at:

  • Email: privacy@myaza.co
  • Attention: Data Protection Officer, Myaza Trust, Lagos, Nigeria

We aim to respond to data-protection requests within a reasonable period and, in any case, within the timeframes required by applicable law.

This document is provided for transparency about how Myaza Trust operates. It does not constitute legal advice. If you have questions about your rights or obligations, contact us at legal@myaza.co.