Privacy Policy
Effective Date: February 2026
Version: v1.0-2026-02
1. Data Controller Identity
Credit Nigeria operates as the data controller responsible for your personal data processed through this platform. As the data controller, we determine the purposes and means of processing your personal information in accordance with the Nigeria Data Protection Act (NDPA) 2023.
For any questions or concerns regarding how we handle your data, please contact our Data Protection Officer at privacy@creditnigeria.com.
2. Lawful Basis for Processing
We process your personal data based on your explicit consent, as required by NDPA Section 25. When you submit a loan application through our platform, you provide informed, freely given, specific, and unambiguous consent to the processing of your personal data.
Your consent is recorded with the following details for audit purposes:
- Timestamp of consent (date and time of submission)
- IP address at the time of consent
- Consent version identifier (to track policy changes)
You may withdraw your consent at any time. See Section 12: Consent Withdrawal for details.
3. Categories of Personal Data Collected
We collect and process the following categories of personal data when you use our loan matching service:
Personal Information
- Full name (first name and surname)
- Email address
- Work email address (if provided)
- Phone number
- Date of birth
- State of residence
Identity Verification
- Bank Verification Number (BVN) — stored only as a SHA-256 cryptographic hash, never in plain text
Employment Information
- Employment status
- Employer name
- Monthly salary
- Employment duration
Financial Information
- Existing loan obligations
- Monthly loan repayment amounts
- Loan default history
- Debt-to-income ratio (calculated from your inputs)
Bank Data (Optional)
If you choose to complete bank verification through our Mono integration, the following data may be accessed and stored:
- Your bank statement document (PDF), which is securely stored in our cloud storage for verification purposes
- Transaction summaries (derived from AI analysis of the statement)
- Income patterns
- Spending analysis
Technical Data
- IP address (used for CAPTCHA verification and rate limiting)
- Browser information (used for bot protection via Cloudflare Turnstile)
4. Purpose of Processing
Your personal data is processed for the following purposes:
- Loan matching: Comparing your profile against lender eligibility criteria to identify suitable loan offers
- Identity verification: Verifying your identity through your BVN and bank account information
- Credit assessment: AI-powered analysis of bank statements to assess your financial health and verify self-reported income, including analysis of spending patterns such as gambling activity, which some lenders use as an eligibility criterion
- Communication: Sending application status updates and reminders via SMS (primary channel, delivered by BulkSMS Nigeria) with email as automatic fallback. SMS opt-out is available at any time by replying STOP to any message, or by emailing privacy@creditnigeria.com.
- Security: Fraud prevention, duplicate application detection, rate limiting, and bot protection
- Legal compliance: Meeting Nigerian financial regulatory requirements
5. Third-Party Data Processors
We share your data with the following third-party processors to deliver our service. Each processor is bound by data processing agreements and is authorized to process data only for the stated purpose.
Mono (Nigeria)
Service: Bank account linking, identity verification, and bank statement retrieval.
Data shared: BVN (for identity verification only), bank account access token.
Purpose: Income verification and identity matching.
OpenAI (United States)
Service: AI-powered bank statement analysis.
Data shared: Anonymized transaction summaries only. No names, account numbers, or other personally identifiable information is sent to OpenAI.
Purpose: Assess monthly income, loan repayment patterns, and spending analysis.
Note: This involves a cross-border data transfer to the United States. See Section 6.
Resend (United States)
Service: Transactional email delivery (automatic fallback channel when SMS is unavailable, opted out, or rate limited; also the primary channel for lender-side notification emails).
Data shared: Email address, first name, and lender name (in confirmation emails).
Purpose: Sending application status notifications and lender selection confirmations when SMS delivery is not possible.
Note: Cross-border transfer to the United States.
BulkSMSNigeria.com Ltd (Nigeria)
Service: Transactional SMS delivery — the primary channel we use to keep you informed about your loan application (welcome, forwarded, approval, rejection, reassignment, disbursement, and reminder messages).
Data shared: Your Nigerian mobile phone number (in E.164 format), your first name, and the message body for the specific application event. No BVN, bank data, salary, employer name, or AI analysis results are shared.
Purpose: Delivering operational status updates and reminders related to your loan application.
Sub-processors: BulkSMS Nigeria routes messages via the four Nigerian Mobile Network Operators (MTN, Glo, Airtel, 9mobile) for the final delivery leg.
Opt-out: Reply STOP to any SMS from us at any time, or email privacy@creditnigeria.com. When opted out, we will fall back to email for any operational notifications you have not also opted out of.
Note: BulkSMS Nigeria is Nigeria-based, so this processing occurs in-country (no cross-border transfer).
Cloudflare (United States)
Service: Turnstile CAPTCHA bot protection.
Data shared: IP address and browser fingerprint.
Purpose: Preventing automated abuse of the application form.
Note: Cross-border transfer to the United States.
Upstash (United States)
Service: Rate limiting service.
Data shared: IP address and hashed access tokens. No personally identifiable information is stored.
Purpose: Preventing abuse and ensuring fair access to the platform.
Note: Cross-border transfer to the United States.
Supabase (United States)
Service: Database, file storage, and authentication infrastructure.
Data shared: All application data as described in Section 3.
Purpose: Secure data storage, management, and real-time status updates.
Note: Cross-border transfer to the United States.
Vercel (United States)
Service: Application hosting and edge network delivery.
Data shared: IP address, request metadata, and application traffic routed through Vercel's global edge network.
Purpose: Hosting the Credit Nigeria web application and delivering content with low latency.
Note: Cross-border transfer to the United States.
Lender Partners (Nigeria)
Service: Loan processing, underwriting, and disbursement.
Data shared: Full application details, including personal, employment, financial, and bank verification data.
Purpose: Loan evaluation and processing.
Important: Your data is shared with a specific lender only after you explicitly select that lender from the list of matched offers. You choose which lender receives your information.
6. Cross-Border Data Transfers
Several of our data processors — OpenAI, Resend, Cloudflare, Upstash, Supabase, and Vercel — process data outside Nigeria, in the United States.
Legal basis: These transfers are conducted in accordance with NDPA Section 43, on the grounds that the transfer is necessary for the performance of a contract between you (the data subject) and Credit Nigeria (the data controller).
All US-based processors maintain industry-standard security certifications, including SOC 2 and ISO 27001 where applicable. We have entered into Data Processing Agreements with these processors that include appropriate safeguards for your personal data.
7. BVN Handling
Your Bank Verification Number (BVN) is treated with the highest level of security:
- Your raw BVN is not stored by our application — only a SHA-256 cryptographic hash is used for duplicate detection, and a separate verified hash from bank verification is stored for audit purposes.
- The initial BVN hash is used solely for duplicate application detection — ensuring you do not have a conflicting active application.
- During bank verification through Mono, a separate verified BVN hash is generated and stored to maintain an audit trail of identity verification.
- Your BVN is used only for identity verification with your chosen lender and is transmitted securely to Mono's Identity API for this purpose.
8. Data Retention Periods
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. The following retention periods apply:
- Access tokens: 7 days from creation. After expiry, tokens can no longer be used to access your application.
- Duplicate check window: 30 days. This is the lookback period used to detect conflicting active applications — it does not determine how long BVN hashes are retained. BVN hashes are retained for the duration of the application record (90 days for unmatched applications, 1 year for matched applications).
- Application data (unmatched or not qualified): 90 days after submission, then archived.
- Application data (matched and forwarded to a lender): Applications that have been matched or forwarded to a lender are archived 1 year after the last activity on the application.
- Data subject request records: 3 years, in compliance with regulatory requirements.
- Consent records: Retained as long as the associated application data exists, plus 1 year after archival, to demonstrate lawful processing.
9. Data Subject Rights (NDPA Sections 34-40)
Under the Nigeria Data Protection Act 2023, you have the following rights regarding your personal data:
- Right to access: You may request a copy of all personal data we hold about you.
- Right to rectification: You may request correction of any inaccurate or incomplete personal data.
- Right to erasure (deletion): You may request deletion of your personal data, subject to legal retention requirements.
- Right to restriction: You may request that we limit the processing of your personal data in certain circumstances.
- Right to data portability: You may request to receive your personal data in a structured, commonly used, and machine-readable format.
- Right to object: You may object to the processing of your personal data for specific purposes.
- Right to withdraw consent: You may withdraw your consent at any time, without affecting the lawfulness of processing that occurred before withdrawal.
How to exercise your rights: Submit a Data Subject Access Request by visiting our data request page or by emailing privacy@creditnigeria.com.
Response timeline: We will respond to all valid requests within 30 days of receipt. If a request is particularly complex, we will notify you of any extension within the initial 30-day period.
10. Automated Decision-Making
Credit Nigeria uses AI-powered bank statement analysis to assess your financial health. This automated analysis evaluates:
- Monthly salary patterns and income consistency
- Existing loan repayment history
- Gambling activity and expenditure patterns
- Overall financial stability
This analysis contributes to — but does not solely determine — lender matching decisions. Lender eligibility criteria (such as minimum salary thresholds, state of residence, and employment status) also play a significant role in determining your matched offers.
Your right to human review: You have the right to request human review of any decision that was significantly influenced by automated processing. To request a review, contact us at privacy@creditnigeria.com.
11. Security Measures
We implement a range of technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:
- SHA-256 hashing for sensitive identifiers (BVN) to prevent plain-text storage
- Row-Level Security (RLS) policies on all database tables, ensuring users and lenders can only access data they are authorized to view
- Rate limiting on all API endpoints to prevent abuse and brute-force attacks
- HMAC-SHA512 webhook signature verification to authenticate incoming data from third-party processors
- UUID-based access tokens that are cryptographically random and not guessable
- AI prompt injection defense for bank statement analysis to prevent manipulation of automated assessments
- CAPTCHA protection (Cloudflare Turnstile) on form submissions to prevent bot abuse
12. Consent Withdrawal
You have the right to withdraw your consent to data processing at any time. To do so:
- Email privacy@creditnigeria.com with the subject line "Consent Withdrawal"
- Or submit a request through our data request page
- SMS-only opt-out: Reply STOP to any SMS message you receive from us. This opts you out of further SMS notifications immediately. We will continue to send essential operational notices by email unless you also withdraw email consent above.
Important: Withdrawing your consent does not affect the lawfulness of any processing that occurred before the withdrawal. However, withdrawal may result in our inability to continue providing the loan matching service, as data processing is essential to matching you with suitable lenders.
13. Children's Data
Our service is restricted to persons aged 18 years and above. We do not knowingly collect, process, or store personal data from any person under the age of 18.
If we become aware that we have inadvertently collected data from a person under 18, we will take immediate steps to delete that data and close the associated application.
14. Complaint Rights
If you believe that your data protection rights have been violated, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC).
The NDPC is the regulatory body responsible for enforcing the Nigeria Data Protection Act 2023. You can contact the NDPC through their website at ndpc.gov.ng.
We encourage you to contact us first at privacy@creditnigeria.com so that we may attempt to resolve your concern directly.
15. Policy Updates
This privacy policy may be updated from time to time to reflect changes in our data processing practices, legal requirements, or service offerings.
The "Effective Date" and "Version" at the top of this page will be updated to reflect the latest revision.
For material changes to this policy, we will notify you via the email address associated with any active application and may require you to review and accept the updated terms. We will not rely on continued use as a substitute for explicit consent.