Privacy Policy

1. Who We Are & Scope

• Controller: BullionMonie, Lagos, Nigeria (contact details in Section 21).
• Applicability: This Policy applies to users, applicants, guarantors, referees, vendors, agents, and visitors to our Services.
• Regulatory Framework: We process personal data in accordance with the NDPR 2019 and other applicable Nigerian laws and guidelines (including AML/CFT requirements). Where international standards are referenced, NDPR provisions prevail in case of conflict.

2. Information We Collect

We collect personal and non-personal information from multiple sources. The exact data we collect depends on the Services you use and your interactions with us.

2.1 Information You Provide Directly

• Identification & Contact: Full name, date of birth, gender, photos/selfies, digital signatures, residential/business addresses, email, phone numbers, next-of-kin details.
• Government & KYC: BVN, NIN, passport/driver's license/national ID/voter's card numbers and images, utility bills, CAC documents (for businesses), tax records, permits, and other KYC materials.
• Financial: Bank account details, bank statements, salary slips, invoices, transaction references, repayment confirmations, virtual account numbers, card PAN tokens (via PCI-compliant processors).
• Employment/Business: Employer name and contact, job title, income, pay cycle, business name and registration data, business address, industry, directors/signatories.
• Loan & Collateral: Application forms, requested amount, tenor, purpose, collateral information (e.g., vehicle plate, VIN, logbook, valuation reports, insurance certificates), references and guarantors.
• Communications: Content of messages, recorded calls (where permitted), support tickets, survey responses, dispute submissions.
• Consents: Authorizations for credit checks, open banking, direct debit/CPAs, and disclosures to third parties.

2.2 Information Collected Automatically

• Device & Technical: Device identifiers, OS type/version, app version, browser type, IP address, language, crash logs, in-app events, and diagnostic telemetry.
• Usage & Analytics: Pages/screens viewed, features used, session duration, referral sources, clickstream, timestamps, and general usage metrics.
• Location: Approximate location from IP; precise GPS only with your permission or where necessary for product features (e.g., vehicle tracking for secured loans).
• Cookies & Similar Technologies: Cookies, SDKs, and local storage for authentication, security, analytics, preferences, and personalization (see Section 10).

2.3 Information From Third Parties

• Credit Bureaus & Verification Partners: Credit histories/scores, indebtedness, identity verification results, fraud signals.
• Open Banking/Bank Aggregators: Transaction histories, account balances, income markers, and account details when you authorize access.
• Regulators & Public Sources: Corporate records, sanctions lists, PEP lists, court/judicial records.
• References & Guarantors: Information provided by your nominated contacts, employers, landlords, or co-applicants.
• Vendors/Field Agents: Physical verification reports, photographs, and site visit notes (residence, business premises, or collateral).
• Insurers/Underwriters & Trackers: Policy details, claims, risk flags, and (for vehicle-secured products) GPS/telematics information from installed devices.

3. How We Use Your Information (Purposes & Legal Bases)

We process your personal data for the purposes below under one or more lawful bases recognized by the NDPR. Where we rely on consent, you may withdraw it at any time (see Section 9).

• Account setup and authentication. Create and manage your profile, verify email/phone, and secure sign-in. Lawful basis: Contract; Legitimate interests.
• KYC/AML and eligibility checks. BVN/NIN checks, ID verification, and sanctions/PEP screening. Lawful basis: Legal obligation; Legitimate interests.
• Credit assessment and underwriting (including automated decision-making and profiling). Open banking analysis, affordability checks, and credit scoring. Lawful basis: Contract; Legitimate interests; Consent (where required).
• Physical verification. On-site visits, collateral inspection, interviews, and photographic evidence. Lawful basis: Legitimate interests; Contract.
• Loan origination and servicing. Approvals, disbursements, repayments, statements, and reminders. Lawful basis: Contract.
• Collections and recovery. Contacting you/guarantors, repossession of collateral, and debt assignment. Lawful basis: Contract; Legitimate interests; Legal obligation.
• Fraud prevention and security. Device fingerprinting, anomaly detection, and access controls. Lawful basis: Legitimate interests; Legal obligation.
• Communications and support. Customer service, dispute resolution, and service notices. Lawful basis: Contract; Legitimate interests.
• Marketing (optional). Newsletters, offers, and referrals. Lawful basis: Consent; Legitimate interests.
• Compliance and reporting. Regulator requests, audits, tax, and law enforcement. Lawful basis: Legal obligation.
• Analytics and product improvement. Usage analysis, A/B testing, and performance monitoring. Lawful basis: Legitimate interests.

Automated decisions & profiling: We may use automated tools to assess creditworthiness, detect fraud, or determine eligibility. You can request human review, express your view, and contest a decision (see Section 12).

4. Physical & Online Verification

• We conduct online and physical verification of applicants and, where relevant, guarantors and businesses.
• Physical verification may include visits to your home/business, interviews with neighbors/staff, collateral inspection, photographs, and verification of signage/inventory/equipment.
• For vehicle-secured products, we may require GPS tracker installation and collect telematics/position data to protect collateral and prevent fraud.
• Costs for verification, valuation, trackers, insurance, and security interest registrations may be deducted from disbursements or billed separately.

5. Data Sharing & Disclosures

We share data only as necessary for the purposes above and subject to appropriate safeguards and contracts.

5.1 Service Providers (Processors)

Identity and KYC vendors, open banking providers, credit scoring tools; payment processors, direct debit/card processors, wallet/virtual account providers; cloud hosting, data storage, CRM, analytics, error monitoring, and security vendors; SMS, voice, push, and email delivery providers; field verification agents, valuers, investigators, repossession partners; legal advisers, auditors, accountants, and consultants.

5.2 Other Controllers & Third Parties

• Credit Bureaus: We obtain and report credit data (positive and negative) to authorized bureaus (e.g., CRC, FirstCentral, CreditRegistry).
• Insurers/Underwriters: To arrange or validate insurance for collateralized loans.
• Regulators & Law Enforcement: As required by law or lawful requests.
• Assignees/Investors: If we sell or assign receivables or undergo a merger/acquisition.
• Your Bank & Employers: For verification, direct debit mandates, and income confirmation (where lawful).
• Your References/Guarantors: We may disclose relevant application and delinquency information to them where they have obligations or legitimate interests.

5.3 International Transfers

Where data is transferred outside Nigeria, we implement appropriate safeguards such as contractual clauses, intra-group arrangements, or transfer mechanisms recognized under NDPR-aligned practice. You may request details of such safeguards.

6. Data Security

We employ technical and organizational measures proportionate to risk, including encryption in transit and at rest; key management; TLS; network segmentation, firewalls, DDoS protection, and WAF; role-based access controls, MFA, and least-privilege; SSDLC, code reviews, and vulnerability testing; logging, monitoring, and anomaly detection; vendor due diligence and data processing agreements. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.

7. Data Retention

We retain personal data only as long as necessary for the purposes stated, considering legal, regulatory, tax, accounting, and operational requirements. Typical retention periods include:

• KYC and credit records—up to 7 years after account closure or as required by law;
• Loan and transaction records—the duration of the loan plus up to 7 years;
• Communications and call recordings—generally 2–5 years depending on purpose and law;
• Marketing preferences—until you opt out or delete your account.

Where feasible, we anonymize or aggregate data for analytics after retention periods expire.

8. Your Choices & Marketing

Service communications are necessary and cannot be opted out of. You may opt in or out of marketing at any time via in-app settings or email links, or by contacting us. You can manage certain cookie/SDK preferences through your device or browser (see Section 10). Disabling certain technologies may affect functionality.

9. Your Rights

Subject to legal limitations, you have the rights of access, rectification, erasure, restriction, portability, objection (including to direct marketing), and to request human review of automated decisions. Where processing is based on consent, you may withdraw consent at any time without affecting prior lawful processing.

How to exercise your rights: Email us at info@bullionmonie.ng. We may need to verify your identity (e.g., ID match, BVN/email/phone verification). We aim to respond within legally required timeframes.

Complaints: You may lodge a complaint with the Nigeria Data Protection Commission (NDPC) if you believe we have infringed your rights. We encourage you to contact us first so we can resolve your concern promptly.

10. Cookies & Similar Technologies

We use cookies, mobile SDKs, and similar technologies to keep you signed in, secure your sessions, remember preferences, personalize content, measure usage and performance, and support marketing. You can manage cookies/SDKs through your browser or device settings. Some features may not function correctly if disabled.

11. Children's Privacy

Our Services are not intended for individuals under 18. We do not knowingly collect data from children. If you believe a child has provided data, contact us and we will take appropriate steps to delete it.

12. Automated Decision-Making & Profiling

We may use algorithms and statistical models to assess applications, manage risk, detect fraud, and tailor collections strategies. These processes may significantly affect you (e.g., approval, pricing, limits). You have the right to request human intervention, express your point of view, and contest decisions. We regularly test models for accuracy and fairness and maintain audit trails consistent with NDPR principles of fairness, lawfulness, and transparency.

13. Open Banking, Direct Debits & Trackers

• Open Banking: When you consent, we connect to your bank or aggregator to access account and transaction data for affordability and underwriting. You can revoke access by contacting your bank, the aggregator, or us.
• Direct Debits/CPAs: By authorizing recurring payments, you permit us and our processors to debit your designated accounts/cards for repayments, fees, and charges.
• GPS Trackers: For certain products (e.g., Auto or Car-to-Cash), installing a GPS tracker is required. If you accept such product terms, you consent to the collection and processing of vehicle location/telematics data to protect collateral and manage risk.

14. Social, Messaging & Call Recording

We may communicate via phone, SMS, email, WhatsApp, or similar platforms. Content on third-party platforms is subject to those providers' privacy policies. Where permitted by law, we may record or monitor calls for quality assurance, training, and dispute resolution. If you contact us through social media, we may collect your handles and public profile information.

15. Data of Guarantors, Referees & Contacts

If you provide information about third parties (e.g., guarantors, referees, employers), you confirm you have obtained their authorization to share their data with us and for us to contact them for verification, collections, or recovery purposes. We will process such data in accordance with this Policy.

16. Third-Party Links & Integrations

Our Services may contain links to third-party sites or integrations. We are not responsible for their content or privacy practices. Review their policies before providing data.

17. Data Minimization & Accuracy

We collect data that is adequate, relevant, and limited to what is necessary for stated purposes. You are responsible for ensuring your information remains accurate and up-to-date. We may periodically request updates to maintain accuracy in line with NDPR principles.

18. Data Protection Impact Assessments (DPIAs)

For high-risk processing activities (e.g., large-scale profiling, geolocation tracking, or new technologies), we assess privacy risks and implement controls as part of our governance framework, consistent with NDPR best practices.

19. Security Incidents & Breach Notification

If we detect a personal data breach likely to result in a risk to your rights and freedoms, we will notify affected users and relevant authorities in accordance with applicable law and our incident response procedures.

20. Changes to This Policy

We may update this Policy to reflect changes in laws, technologies, or our practices. We will post updates with a new "Last Updated" date and, where required, provide additional notice. Continued use of the Services after the effective date indicates acceptance of the updated Policy.

21. Contact Us

Email: info@bullionmonie.ng

Address: Lagos, Nigeria

22. Acknowledgement & Consent

By using our Services, creating an account, or applying for a loan, you acknowledge that you have read and understood this Privacy Policy and, where required, consent to the processing of your personal data for the purposes identified herein. You may withdraw consent at any time, subject to legal or contractual restrictions, by contacting us as described above.