Privacy Policy
We take your privacy seriously. This policy explains how Zentrobills collects, uses, and protects your personal information in full compliance with Nigerian law.
This Privacy Policy describes how Zentrobills ("we," "us," or "our") collects, uses, processes, and discloses your personal information when you use our platform. By using Zentrobills, you expressly consent to the data practices described here, in accordance with the Nigeria Data Protection Regulation (NDPR) 2019 and other applicable Nigerian laws.
1 Definitions & Interpretation
For the purposes of this Privacy Policy:
- "Personal Information" means any information relating to an identified or identifiable natural person under the NDPR.
- "Processing" means any operation performed on Personal Information, including collection, storage, use, disclosure, or deletion.
- "Sensitive Personal Information" includes data revealing Bank Verification Numbers (BVN), National Identification Number (NIN), financial information, or biometric data.
- "You" / "User" means the individual accessing or using our Platform, including resellers, agents, and end-users.
- "NDPR" means the Nigeria Data Protection Regulation 2019 and any subsequent amendments.
- "NITDA" means the National Information Technology Development Agency, the regulatory body responsible for data protection in Nigeria.
2 Who We Are
Zentrobills is a Nigerian technology company operating a utility payment platform that enables users to purchase:
- Airtime and data bundles for all major Nigerian networks (MTN, Glo, Airtel, 9mobile)
- TV subscriptions (DStv, GOtv, StarTimes)
- Education payments (WAEC, NECO, JAMB, exam pins)
- Electricity bills for all Nigerian DISCOs
We are registered in Nigeria (RC: 9186019) and committed to complying with the NDPR and all applicable Nigerian data protection laws.
3 Information We Collect
3.1 Information You Provide
- Account Registration: Full name, email address, phone number, and date of birth
- Identification Documents: Government-issued ID, Bank Verification Number (BVN), and Tax Identification Number (TIN) for KYC/AML compliance
- Business Information: Business address and CAC registration number (for corporate accounts)
- Payment Information: Bank account details (for settlements), card information processed through PCI-DSS compliant gateways, and transaction history
- Communications: Records of your interactions with our customer support team, including emails and chat logs
3.2 Information We Collect Automatically
- Device Information: Device model, operating system version, unique device identifiers, and mobile network information
- Usage Data: Features accessed, time spent on Platform, transaction patterns, and navigation paths
- Log Data: IP address, browser type, referring/exit pages, timestamps, and network diagnostics
- Location Information: Approximate location based on IP address, or precise GPS location (with your explicit permission for fraud prevention)
3.3 Information from Third Parties
- Telecom Operators: MTN, Glo, Airtel, 9mobile for transaction verification and fraud prevention
- Payment Processors: Interswitch, Paystack, Flutterwave, Remita for transaction processing
- Identity Verification: NIMC (National Identity Management Commission), credit bureaus, and KYC providers
- Business Partners: Multichoice (DStv/GOtv), StarTimes, WAEC, NECO, and JAMB
4 Legal Basis for Processing (NDPR)
Under the Nigeria Data Protection Regulation, we process your Personal Information based on the following lawful bases:
- Consent: Where you have given explicit consent for specific processing activities (e.g., marketing communications, location tracking)
- Contractual Necessity: To perform our obligations under our Terms of Service and provide you with services
- Legal Obligation: To comply with Nigerian laws and regulations, including CAMA, AML/CFT regulations, and tax laws
- Legitimate Interests: To prevent fraud, ensure network security, and improve our services
- Public Interest: For identification and verification purposes as required by Nigerian regulators
5 How We Use Your Information
5.1 Service Delivery
- Creating and managing your account
- Processing your transactions for airtime, data, TV subscriptions, education payments, and electricity
- Verifying your identity and conducting mandatory KYC/AML checks
- Maintaining accurate transaction records for audit and dispute resolution
5.2 Fraud Prevention & Security
- Detecting and preventing fraudulent transactions (e.g., SIM swap fraud, unauthorized access)
- Monitoring for suspicious activities and unusual transaction patterns
- Implementing security measures to protect user data and funds
- Verifying BVN and NIN details to prevent identity theft
5.3 Platform Improvement
- Analyzing usage patterns to enhance user experience
- Developing new features based on user needs and feedback
- Conducting market research and business intelligence
5.4 Communications
- Sending transaction confirmations and notifications
- Providing support and resolving disputes
- Notifying you about service updates, new features, and policy changes
- Sending marketing communications about promotions (with your consent)
5.5 Regulatory Compliance
- Complying with NITDA guidelines and NDPR requirements
- Responding to lawful requests from Nigerian government authorities (EFCC, ICPC, FIRS)
- Maintaining records for tax and audit purposes
- Reporting suspicious transactions to the Nigerian Financial Intelligence Unit (NFIU)
6 Disclosure of Your Information
6.1 Service Providers
- Telecom Operators: MTN Nigeria, Glo Mobile, Airtel Nigeria, 9mobile — for airtime/data fulfillment
- Payment Gateways: Interswitch, Paystack, Flutterwave, Remita — for transaction processing
- TV Providers: Multichoice Nigeria (DStv/GOtv), StarTimes — for subscription management
- Educational Bodies: WAEC, NECO, JAMB — for examination payment processing
6.2 Regulatory & Law Enforcement
- NITDA: For data protection compliance and breach reporting
- EFCC/ICPC: Anti-corruption agencies for fraud investigations
- FIRS: Federal Inland Revenue Service for tax compliance
- Nigerian Police: Pursuant to valid court orders
6.3 Business Transfers
In connection with a merger, acquisition, or sale of assets, your Personal Information may be transferred as a business asset. You will be notified via email and in-app notification of any such transfer.
7 Cross-Border Data Transfers
As a Nigerian company, we primarily store data within Nigeria. However, some of our service providers may process data outside Nigeria. When we transfer your Personal Information outside Nigeria, we ensure:
- The destination country has adequate data protection laws (as determined by NITDA)
- We have executed data processing agreements with appropriate safeguards
- We obtain your consent where required by NDPR
- We implement standard contractual clauses approved by NITDA
8 Data Security Measures
8.1 Technical Measures
- 256-bit SSL/TLS encryption for all data in transit
- AES-256 encryption for sensitive data at rest (BVN, NIN, financial data)
- Multi-factor authentication for account access
- Regular security audits and penetration testing by licensed Nigerian firms
- Firewalls and intrusion detection/prevention systems
- Automated fraud detection systems
8.2 Organizational Measures
- Strict access controls based on role-based permissions
- Employee confidentiality agreements and NDPR training
- Regular data protection impact assessments
- Incident response and breach notification procedures
- Designation of a Data Protection Officer (DPO) as required by NDPR
While we implement these measures, no method of transmission over the Internet is 100% secure. We will notify you and NITDA within 72 hours of any confirmed data breach in accordance with NDPR requirements.
9 Data Retention Periods
We retain your Personal Information for the following periods in compliance with Nigerian laws:
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Account Information | Account lifetime + 6 years | CAMA 2020, Statute of Limitation |
| Transaction Records | 6 years | CBN Guidelines, Tax Laws |
| KYC Documents (BVN, NIN, ID) | Relationship duration + 5 years | AML/CFT Regulations |
| Support Communications | 3 years | Customer service improvement |
| Marketing Preferences | Until consent withdrawn | Consent-based (NDPR) |
| Usage Analytics | 2 years (anonymized thereafter) | Legitimate interests |
After these periods, your Personal Information will be securely deleted or anonymized for statistical purposes.
10 Your Rights Under NDPR
As a Nigerian user, you have the following rights under the Nigeria Data Protection Regulation:
Right to be Informed
Know how and why your personal information is collected and used.
Right of Access
Request a copy of all personal information we hold about you.
Right to Rectification
Correct inaccurate or incomplete personal information we hold.
Right to Erasure
Request deletion of your data where it's no longer needed.
Right to Restrict
Limit how we process your data in certain circumstances.
Data Portability
Receive your data in a structured, machine-readable format.
Right to Object
Object to processing based on legitimate interests or marketing.
Automated Decisions
Not be subject to decisions based solely on automated processing.
10.9 Exercising Your Rights
To exercise any of these rights, email us at privacy@zentrobills.com or use the in-app privacy request feature (Settings → Privacy → Data Requests). We will respond within 30 days as required by NDPR. Identity verification may be required. There is no charge unless requests are manifestly unfounded or excessive.
11 BVN and NIN Collection
As a financial services platform, we collect Bank Verification Number (BVN) and National Identification Number (NIN) for mandatory KYC/AML compliance as required by CBN and NIMC, identity verification and fraud prevention, and regulatory reporting requirements.
How We Protect BVN/NIN
- BVN/NIN are encrypted using AES-256 encryption at rest
- Access is strictly limited to authorized personnel on a need-to-know basis
- We do not display full BVN/NIN in any user interface
- We do not share BVN/NIN with third parties except as required by law
- BVN verification is done through secure API integration with NIBSS
Under NDPR, BVN and NIN are classified as sensitive personal information and receive the highest level of protection in our systems.
12 Cookies and Tracking Technologies
We use cookies and similar technologies to enhance your experience. For detailed information, please see our Cookie Policy.
- Essential Cookies: Required for platform functionality (session management, security)
- Analytics Cookies: To understand user behavior and improve services
- Preference Cookies: To remember your settings and choices
- Marketing Cookies: To deliver relevant content (with your consent)
13 Children's Privacy
Our platform is intended for adults (18 years and above). We do not knowingly collect Personal Information from individuals under 18. If you are a parent or guardian and believe your child has provided us with Personal Information, please contact us immediately at privacy@zentrobills.com. We will promptly delete such information upon verification.
14 Third-Party Links and Services
Our Platform may contain links to third-party websites, apps, or services (e.g., telecom operator portals, payment gateways). This Privacy Policy does not apply to such third-party services. We are not responsible for the privacy practices of these third parties and encourage you to review their privacy policies before engaging with them.
15 Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes:
- We will notify you via email to the address associated with your account
- We will display an in-app notification requiring your acknowledgment
- We will update the "Last Updated" date at the top of this policy
- We will provide a summary of key changes
Your continued use of Zentrobills after such modifications constitutes your acknowledgment of the updated Privacy Policy.
16 Data Protection Officer (DPO)
In compliance with NDPR (Article 4.2(7)), we have appointed a Data Protection Officer to oversee our data protection practices.
Data Protection Officer
Zentrobills Ltd — NDPR Compliance17 Regulatory Complaints
If you believe we have violated your privacy rights under NDPR, you have the right to lodge a complaint with the regulatory authority. We encourage you to contact us first at privacy@zentrobills.com so we can attempt to resolve your concern directly.
Nigeria Data Protection Commission (NDPC)
National Information Technology Development Agency18 Contact Us
For any questions, concerns, or requests regarding this Privacy Policy or our data practices:
Zentrobills Privacy Team
Response time: within 48 hours · Mon–Fri, 8 AM – 6 PM (WAT)19 Governing Law
This Privacy Policy shall be governed by and construed in accordance with the laws of the Federal Republic of Nigeria, including:
Any disputes arising under this Privacy Policy shall be subject to the exclusive jurisdiction of the courts of Lagos, Nigeria.