Privacy Policy
Effective Date: March 2026 · Last Updated: March 2026
1. Introduction
Ojawaju LTD ("Ojawaju", "we", "us", "our") operates OjaCircle, a digital savings and financial collaboration platform. We are committed to protecting your personal data in compliance with the Nigeria Data Protection Act (NDPA) 2023.
This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, who we share it with, and what rights you have.
2. Information We Collect
2.1 Information You Provide
- Account information: First name, last name, email address, phone number, username, country of residence, password
- Bank account details: Account number, bank name, account holder name (entered by you for withdrawal processing)
- KYC verification data: Depending on your location and verification level:
  - African markets (Nigeria, Ghana, Kenya): BVN or NIN number and selfie photo, processed by our verification partner Mono Prove
  - International markets: Government-issued ID (passport, driving licence, or national ID card) and selfie photo, processed by our verification partner Stripe Identity
  - Enhanced verification: Supporting documents you upload for manual review
- Transaction PIN: A 4-digit PIN you set for securing financial operations. We store only an irreversible hash of your PIN on your device — we never see or store the actual PIN
- Circle information: Circle names, descriptions, contribution amounts, and rules you configure
- Referral codes: Codes you generate or enter during signup
2.2 Information We Collect Automatically
- Device information: A one-way hash (fingerprint) of your device characteristics, collected each time you log in or sign up. This helps us detect duplicate accounts and prevent fraud. We do not collect or store your raw device details — only the irreversible hash
- Usage data: Login timestamps, session information, and activity logs
- Push notification tokens: If you grant push notification permission, we receive a device token from Firebase Cloud Messaging to deliver notifications
2.3 Information We Collect with Your Permission
- Biometric data: If you choose to enable fingerprint or Face ID login, your biometric data is processed entirely on your device by your phone's operating system. We never receive, transmit, or store your biometric data on our servers
3. How We Use Your Information
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Create and manage your account | Name, email, phone, username, country, password | Contractual necessity |
| Process wallet transactions | Transaction details, wallet balances, bank account details | Contractual necessity + Legal obligation |
| Manage savings circle participation | Circle configuration, membership, contribution and payout records | Contractual necessity |
| Verify your identity (KYC) | Government ID, selfie, BVN/NIN | Your consent + Legal obligation (AML) |
| Process bank withdrawals | Bank account number, bank name, account holder name | Your consent + Contractual necessity |
| Prevent fraud and protect platform integrity | Device fingerprint, transaction patterns, login activity | Legitimate interest |
| Calculate your trust score | Contribution history, membership behaviour, endorsements, verification status | Legitimate interest — platform integrity |
| Send you notifications | Email address, device token, notification preferences | Your consent (push) + Contractual necessity (transactional) |
| Process subscriptions | Purchase receipts, subscription status | Contractual necessity |
| Manage rewards and referrals | Points balance, referral codes, distribution records | Contractual necessity |
| Secure your account | Password hash, transaction PIN hash, biometric preference, session tokens | Contractual necessity |
4. Automated Decision-Making
We use automated systems in two areas:
Trust Score
Your behaviour on the platform (paying contributions on time, participating in circles, getting endorsed by other members) generates a reputation score from 0 to 1,000. This score determines your trust tier, which affects:
- Maximum circle sizes you can create
- Contribution amount limits
- How quickly withdrawals are processed
- Whether you need endorsements to join circles
Your trust score and tier are visible to you in the app. You can request a human review of your trust score by contacting us.
Fraud Detection
Our systems automatically monitor for suspicious activity including unusual transaction patterns, duplicate accounts, and self-referral attempts. If suspicious activity is detected:
- An alert is generated for review by our team
- Certain actions may be temporarily limited (e.g., rate limits on transactions)
- Serious cases are reviewed by a human administrator before any account restrictions are applied
You have the right to request human review of any automated decision that significantly affects you.
5. Who We Share Your Data With
We share your personal data with the following service providers, who process it on our behalf under contractual data protection obligations:
Supabase
Hosts our database, handles authentication, and runs our backend functions. All application data is stored on secure, SOC 2 compliant infrastructure with row-level security policies.
Location: United States
Mono Prove
Verifies identity for users in Nigeria, Ghana, and Kenya using BVN/NIN and selfie matching. Data is used solely for regulatory compliance and fraud prevention.
Location: Nigeria / United States
Stripe Identity
Verifies identity for users outside Africa using government-issued ID and selfie matching. Data is processed in compliance with applicable data protection laws.
Location: United States
Stripe
Processes international card payments. Stripe is PCI DSS Level 1 certified. Receives tokenised card details and transaction amounts.
Location: United States
Flutterwave
Processes Nigerian payments (card, bank transfer, USSD) and verifies bank account names. Receives transaction amounts and bank account details.
Location: Nigeria
Firebase (Google)
Delivers push notifications to your device. Receives your device token and notification content.
Location: United States
SendGrid
Sends transactional and notification emails. Receives your email address and email content.
Location: United States
Apple (App Store)
Processes in-app subscription purchases on iOS. Receives purchase receipts.
Location: United States
Google (Play Store)
Processes in-app subscription purchases on Android. Receives purchase receipts.
Location: United States
We do not sell your personal data. We do not share your data with advertisers. We may also disclose your data if required by law, court order, or regulatory authority.
6. Cross-Border Data Transfers
Some of our service providers process data outside Nigeria, primarily in the United States. These transfers are necessary to provide our services and are protected through:
- Contractual safeguards: Data processing agreements with each provider that require them to protect your data
- Encryption: All data is encrypted in transit (TLS 1.2+) and at rest
- Access controls: Strict limitations on who can access your data
- Purpose limitation: Providers may only use your data for the specific purpose we engage them for
By using OjaCircle, you consent to these transfers where they are necessary for service delivery. You may withdraw this consent at any time by closing your account, though this will prevent us from providing our services.
7. How We Protect Your Data
- Encryption: All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Sensitive content uses additional application-layer encryption
- Database security: Row-Level Security ensures you can only access your own data. Multi-tenant isolation prevents data leakage between organisations
- Authentication: Secure session management with JWT tokens. Optional biometric login and transaction PIN for additional security
- Fraud prevention: Device fingerprinting, transaction velocity monitoring, suspicious activity detection, and a trust-based access control system
- Secure storage: Sensitive credentials on your device (tokens, PIN hash) are stored in your phone's secure enclave (iOS Keychain / Android Keystore)
- Access control: Our backend uses scoped API keys with minimal privileges. Administrative functions require verified admin access
8. How Long We Keep Your Data
We retain your data only as long as necessary:
| Data | How Long |
|---|---|
| Your account profile | While your account is active, plus 12 months after deletion |
| Financial records (transactions, contributions, payouts) | 6 years (regulatory requirement) |
| KYC verification results | 6 years (AML compliance) |
| KYC source documents (enhanced verification) | 90 days after verification |
| Device fingerprints | 24 months from your last login |
| Notification records | 24 months |
| Fraud alerts | 6 years |
9. Your Rights
Under the Nigeria Data Protection Act, you have the right to:
| Right | How to Exercise It |
|---|---|
| Access your data | View your profile, transactions, trust score, KYC status, and linked accounts in the app. For a full data export, contact us |
| Correct your data | Edit your name, phone, and username in the app via Edit Profile |
| Delete your data | Request account deletion via the app or by emailing us. We will delete or anonymise your data within 30 days, except where regulatory retention applies |
| Withdraw consent | Turn off push notifications, email notifications, or biometric login in your app settings at any time. To withdraw all consent, request account deletion |
| Restrict processing | Contact us to request restriction of specific processing activities |
| Data portability | Request a copy of your personal data in a structured, machine-readable format |
| Object to automated decisions | Request human review of trust score calculations or fraud detection decisions |
| Lodge a complaint | File a complaint with the Nigeria Data Protection Commission (NDPC) if you believe your data rights have been violated |
How to contact us about your data rights: privacy@ojacircle.com or dpo@ojawaju.com
We will respond to your request within 30 days. If your request is complex, we may extend this by an additional 30 days, and we will notify you of the extension.
10. Data Breach Notification
If a data breach occurs that is likely to result in high risk to your rights:
- We will notify the Nigeria Data Protection Commission within 72 hours
- We will notify you without undue delay via in-app notification, email, or SMS
- We will explain what happened, what data was affected, what we are doing about it, and what steps you should take
11. Children's Data
OjaCircle is not intended for users under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a user under 18, we will take steps to delete that data promptly. If you believe a minor has provided us with personal information, please contact us immediately at privacy@ojacircle.com.
12. Cookies and Tracking
The OjaCircle mobile app does not use cookies. We do not use third-party advertising trackers or analytics SDKs that track you across other apps. Our website uses only essential cookies for basic functionality (such as session management) and does not use cookies for advertising or cross-site tracking.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make significant changes:
- We will update the "Last Updated" date at the top of this policy
- We will notify you via in-app notification or email
- If the changes affect how we process your data in ways that require your consent, we will obtain your consent before implementing those changes
14. Contact Us
If you have questions about this Privacy Policy or how we handle your data:
Ojawaju LTD
Nigeria
General privacy inquiries: privacy@ojacircle.com
Data Protection Officer: dpo@ojawaju.com
Regulatory authority: Nigeria Data Protection Commission (NDPC) — ndpc.gov.ng