
Privacy Policy

  1. INTRODUCTION

This Data Protection and Procedure (“This Document”) is an Internal Document of Bleyt Solutions Limited, its affiliates, subsidiaries and associated entities for which Bleyt has rights by law, contract or practice to make policies, hereinafter referred to as “the Company/We/Our/Us”.

The Board of Directors, Staff, contractors, service providers and professionals who utilize the Company’s products and services shall be guided by this Document.

This policy also serves as a reference document for employees and third parties on the responsibilities of handling and accessing personal data and data subject requests.

The Company shall have the right to take action against employees, contractors, and relevant third parties as it deems fit for disciplinary measures, claim of damages and other appropriate remedies.

1.1 Definitions

The following words and expressions shall have the meanings assigned to them in the use and Practice of the Company, except where the context otherwise requires:

“Acquirer” means a licensed commercial bank in the Federal Republic of Nigeria which is responsible for maintaining the Merchant’s bank account;

“Affiliates” means with respect to any person, any corporation, partnership, trust or other entity or organization that, directly or indirectly, through one or more intermediaries, controls or is controlled by, or is under common control with such person where “control” means the ability to direct or cause the direction of the business, affairs and management policies or practices of a person;

“Agreement” means any Service Level Agreement, Contract of/for Services, Employment Contracts, Merchant Services Agreement and all related contracts entered into by the company;

“Application Programming Interface” or “API” means a set of programming code that enables data transmission and interoperability between one software product or web platform and another;

“Attestation of Compliance” is a certificate used by companies that accept, process, store or transmit credit card information to show compliance with the Payment Card Industry Data Security Standard requirements and security assessment procedures;

“Business Day” means any day other than a Saturday, Sunday or public holiday on which commercial banks are generally open for business in the Federal Republic of Nigeria;

“Card” means a credit card, debit card or similar card issued to a Cardholder by an issuer in accordance with a license granted by the respective Payment Schemes;

“Cardholder” means the person to whom a Card is issued by an issuer and whose name, where applicable, is printed or embossed on a valid Card;

“Cardholder Data” includes information embossed on a Card;

“Card-Not-Present Transactions” means a payment card transaction conducted where the Cardholder does not or cannot physically present the Card for a Merchant’s visual examination at the time that an order is given, and payment effected;

“Data Subject” means an identifiable person either corporate or individual entity; one who can be identified directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

“Data Breach” means the use of data in a manner contrary to the provisions of this Policy, Law or acceptable practices by a third party or the company staff/contractors either during collation, alteration, hacking, analysis, transfer and/or unauthorized access. It shall also include any of the above by a software, malware or physical loss;

“Fees” means the amount payable by and/or to the Company in consideration for the provision of the Services;

“Industry Standards” means guidelines or regulations issued from time to time by the relevant regulatory body specifically but not limited to National Information Technology and Data Agency (NITDA), Central Bank of Nigeria (CBN) and GDPR;

“Intellectual Property” means all vested contingent and future intellectual property right including but not limited to copyright, patents, trademarks, service marks, design rights (whether registered or unregistered), know-how, trade secrets, inventions, get-up, database rights and any applications or registrations for the protection of these rights and all renewals and extensions thereof existing in any part of the world whether now known or created in the future;

“Internet Gateway Service” means a virtual based gateway system or data exchange platform used to interconnect users including online merchants, subscribers one to another including banks through standards compliant technology and API (Virtual Payment Client), which allows financial companies to accept Card-Not-Present transactions;

“NDPR” means the Nigeria Data Protection Regulation 2019;

“Payment Card Industry Data Security Standard” or “PCI DSS” means a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment, www.pcicomplianceguide.org;

“Payment Scheme” means any applicable Payment Scheme associated with the provision of Services to Merchants;

“Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; it can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, and other unique identifiers such as but not limited to MAC address, IP address, IMEI number, IMSI number, Personalized USSD ID number, SIM, PINs and passwords and others;

“Services” means the obligations to be performed by the Company under any Agreement which is duly executed and approved by the Company Management through the integration of the Company’s software/Platform with another platform for a specified Purpose;

“Trademark” means the trademarks registered in the name of, or licensed to either Party and such other trademarks as are used by either Party on or in relation to the Services during the term of this Agreement;

“Transaction Data” means all the information related to processing handled by the Company, including the name of the user, number of attempts made prior to completion of a transaction, payment, repayment and time of completion amongst other things;

1.2 Interpretation

Words importing persons or parties shall include firms and corporations and any organization having legal capacity. The defined words, where the context so requires, shall be deemed and understood to be and have the same effect as operative clauses subsequently.

Words importing the singular shall include the plural and vice versa, and words importing the masculine gender shall include the feminine and vice versa.

References to any liabilities are to include any liability whether actual, contingent, present or future in accordance with this Document.

1.3 Our Policy Statement

We obtain data relating to data subjects. We deploy efficient technology and technical expertise to process personal data, and fulfill individuals’ reasonable expectations of privacy by complying with GDPR/NDPR and other relevant data protection regulations.

The Company has developed policies, procedures, controls, and measures to ensure maximum and continued compliance with the data protection laws and principles. Ensuring and maintaining the security and confidentiality of data is one of our top priorities to protect personal information.

1.4 Our Purpose

The purpose of this policy is to ensure clarity on personal data processing and re-emphasize the company’s high value for privacy of all data in its possession. This Document shall also allot responsibilities and state its expectations from all those who process personal data on its behalf; to comply with the data protection law and with good practice; to protect our reputation by ensuring the personal data entrusted to us is processed in accordance with data subjects’ rights; and to protect us from risks of personal data breaches and other breaches of data protection law.

The purpose of this policy is to ensure that we meet all our legal, statutory and regulatory requirements under the data protection laws and to ensure that all personal and special category information is processed compliantly and in the individual’s best interest.

1.5 Scope

This policy applies to all personal data we process regardless of the location where that personal data is stored (e.g. on an employee’s own device) and regardless of the data subject. All staff and others processing personal data on our behalf must read it. Adherence to this policy is mandatory and non-compliance would lead to disciplinary action.

  2. PERSONAL DATA PROTECTION PRINCIPLES

We are guided by the GDPR/NDPR, CBN Policies, other relevant data protection regulations and industry best practices. We remain responsible for and constantly seek to demonstrate compliance with the following data protection principles:

2.1 Lawful, fair and transparent processing

We have zero tolerance for breach of regulations albeit the financial obligation that may be attached to such contravention. We endeavor to obtain/renew all requisite licenses and comply with all legal requirements for data processing.

2.2 Collection for Specified and Legitimate process

We shall ensure that we collect data only for specified, explicit and legitimate purposes and that it is not further processed in a manner incompatible with those purposes.

Our privacy policy explicitly states the reasons for collection of data, which remain the services that we are permitted by law to carry on. The use of data by us shall specifically be for the provision of these services and services incidental thereto, particularly to enhance the provision of our services.

We shall regularly update our privacy policy, giving a notification of such update to all our users, subscribers and data subjects and explaining how this may expand or limit the use of their personal data.

2.3 Processing based on Necessity and Purpose

We shall ensure that personal data is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

We ensure that the basic information required for our services is requested from our subjects, bearing in mind that any additional information shall be made optional or not requested.

2.4 Accurate and Up to date Data

We shall regularly update our Platforms to ensure that only up-to-date, accurate and usable data, to the best of our ability, is used to transact on our website.

We deploy a minimum of two-way verification process for our data subjects which shall be encrypted on a real-time basis to ensure enhanced security and accuracy.

2.5 Traceable only for as long as necessary

We shall not keep personal data in a form which permits identification of data subjects for longer than is necessary for the purposes for which the personal data is processed.

Personal data whilst a user still uses our services shall be kept confidential. Upon deletion, uninstallation and/or discontinuation from our services, the relevant personal data shall be anonymized with no trace to any identifiable individual.

Such data shall not be reactivated, linked or synced to any individual even upon reactivation of the company’s services.

2.6 Secured Processing

We shall ensure that Personal Data is processed in a manner that ensures its security, using appropriate technical and organizational measures to protect against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

The security of all personal data shall be the responsibility of the Company, the employees and contractors, duly supervised by the Chief Technology Officer.

No unauthorized physical device, software or Platform shall be used to transfer, programme, process or install any personal data in whole or part without the express consent of the Chief Technology Officer having been first sought and expressly obtained.

The Chief Technology Officer shall keep a comprehensive record of our Data Activity and regularly co-ordinate the training of all team members on data processing, security and technical expertise.

  3. DATA SUBJECTS’ RIGHTS

Data subjects have rights in relation to the way we handle their personal data. These include the following rights:

  1. where the legal basis of our processing is Consent, to withdraw that Consent at any time;
  2. to ask for access to the personal data that we hold;
  3. to prevent our use of the personal data for direct marketing purposes;
  4. to object to our processing of personal data in limited circumstances;
  5. to ask us to erase personal data without delay:
     • if it is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
     • if the only legal basis of processing is Consent and that Consent has been withdrawn and there is no other legal basis on which we can process that personal data;
     • if the data subject objects to our processing where the legal basis is the pursuit of a legitimate interest or the public interest and we can show no overriding legitimate grounds or interest;
     • if the data subject has objected to our processing for direct marketing purposes;
     • if the processing is unlawful.
  6. to ask us to rectify inaccurate data or to complete incomplete data;
  7. to restrict processing in specific circumstances e.g. where there is a complaint about accuracy;
  8. to prevent processing that is likely to cause damage or distress to the data subject or anyone else;
  9. to be notified of a personal data breach which is likely to result in high risk to their rights and freedoms;
  10. to make a complaint to the appropriate body.

3.1 Enforcing the Rights

To enforce these rights, we shall ensure that the person making such requests has the right in law or contract by verifying the identity of such individual. The verification process may include but is not limited to:

  • Security Questions
  • One-Time Passwords to registered contact Telephone numbers and/or email address
  • Personal Identification Numbers (PINs).

  4. ACCOUNTABILITY

We require that all who handle personal data on behalf of the company shall be responsible for and must be able to demonstrate compliance with the data protection principles.

We must therefore apply adequate resources and controls to ensure and to document data protection regulation compliance.

The Company shall conduct an internal data audit process and require a comprehensive report from all its employees and contractors directly working on personal data from collection, collation, processing, analysis, disposal and transfer on a quarterly basis.

The Chief Technology Officer shall co-ordinate the audit process which shall ensure strict adherence to this policy and other applicable laws.

The Company shall adopt and enforce appropriate disciplinary actions against erring staff.

An annual audit of the Company’s data processing activities shall also be organised by licensed consultants approved by the Management who shall profile the data processing activities of the company and proffer appropriate recommendations.

4.1 The Company’s Responsibilities

As the Data Controller, we shall continually establish policies and procedures in order to comply with data protection laws. We are committed to ensuring that:

  • We protect the rights of individuals with regards to the processing of personal information.
  • We develop, implement, and maintain a data protection policy, procedure, audit plan and training program for compliance with the data protection laws.
  • Every business practice, function and process carried out by the Company is monitored for compliance with the data protection laws and its principles.