This Privacy Policy applies to the Taprail mobile app, the Taprail website at taprail.app, our waitlist, and any related services (together, the Services). It should be read together with our Terms of Use and our Cookie Policy.
1. Who we are and how to reach us
Taprail is a tap-to-pay service operated by the company that owns and runs the Taprail app and website, based in Lagos, Nigeria (Taprail, we, us, our). For the personal data described here, we act as the data controller, except where we process data on behalf of a partner bank or card issuer, in which case that partner may be a controller and we act as a processor.
You can contact us, or our data protection contact, at [email protected]. If we appoint a Data Protection Officer, their contact details will be published here.
2. Definitions
- Personal data means any information that relates to an identified or identifiable person.
- Processing means anything we do with personal data, such as collecting, storing, using, sharing or deleting it.
- NDPA means the Nigeria Data Protection Act 2023 and related regulations, and NDPC means the Nigeria Data Protection Commission.
- Partners means the payment processors, card issuers, banks and verification providers that help us deliver the Services.
3. The information we collect
We collect the following categories of personal data. Not all of it applies to everyone, and some is only collected once the app launches and you create an account.
3.1 Information you give us
- Waitlist information: your name, email address and, if you choose to provide it, your phone number.
- Account and profile information: your name, email, phone number, password or PIN, date of birth and chosen language.
- Identity and verification information (KYC): where required by law, your Bank Verification Number (BVN), National Identification Number (NIN), a government-issued ID, your address, and a photo or selfie used to confirm it is you.
- Card information: the card details you add. These are collected and tokenised by our payment partners. We keep a secure token and limited details such as the card brand, expiry and the last few digits, not your full card number.
- Support and communications: the messages, feedback and information you send when you contact us.
3.2 Information we collect automatically
- Transaction information: details of payments and splits you make, including amount, date, time, merchant, currency and whether a payment was approved or declined.
- Pay-with-Taprail order information: when a merchant sends you a payment intent (for example, on a website or in-store), we receive the order amount, reference, item description (if shared by the merchant) and the merchant identity, and we record whether you approved, declined or let the order expire. We do not share your card details with the merchant.
- Device and technical information: device model, operating system, app version, unique device and app identifiers, IP address, mobile network and crash or diagnostic data.
- Usage information: how you use the app, such as features used and screens viewed, which helps us improve it.
- Approximate location: derived from your IP address or device settings, used for security, fraud prevention and to support contactless payments. We do not track your precise location in the background.
- Cookies and similar technologies on our website, as described in our Cookie Policy.
3.3 Information we receive from others
- Payment partners, card issuers and banks: confirmation of card validity, tokens, transaction status and limited account details.
- Identity and fraud-prevention providers: results of identity checks and risk or fraud signals.
- Public sources and referrals: for example, if a friend invites you to a bill split, we receive the contact detail used to invite you.
- Merchants you pay with Taprail: the order details a merchant creates for you (amount, reference, items where supplied), and limited identifiers they use to recognise their own order. We do not receive your shopping cart unless the merchant chooses to include it in the order metadata.
3.4 Information we collect from merchants who use Taprail
If you sign your business up to accept Pay-with-Taprail, we also process:
- Business profile: business name, contact name, email, the bank account you nominate for settlement (so we can pay you out), and the webhook URL you configure.
- API credentials and activity: hashed API keys you mint, the IP and time of API calls, the orders you create, and the outcomes of webhook delivery attempts.
4. How we use your information and our legal bases
Under the NDPA, we must have a lawful basis to use your personal data. We rely on the bases below, depending on the purpose:
- To perform our contract with you: creating and managing your account, adding cards, processing payments and splits, and providing support.
- To comply with legal obligations: identity verification (KYC), anti-money-laundering and counter-terrorism checks, sanctions screening, record keeping, tax and responding to lawful requests.
- For our legitimate interests: keeping the Services secure, preventing and detecting fraud, understanding and improving how the Services are used, and growing our business, in a way that is balanced against your rights.
- With your consent: sending you marketing messages and using non-essential cookies. You can withdraw consent at any time.
- To protect vital interests or the public interest: in rare cases, such as preventing serious harm or financial crime.
5. Marketing and communications
We may send you service messages that you cannot opt out of while you have an account, such as security alerts and important notices. We will only send you marketing about launch, products and offers if you have agreed, and you can opt out at any time using the unsubscribe link or by emailing us. Opting out of marketing does not stop service messages.
6. Fraud prevention and automated decisions
To keep your money and the Services safe, we and our partners use automated tools to score transactions and detect fraud, money laundering and abuse. This may mean a payment or account action is delayed, blocked or reviewed. Where an automated decision has a significant effect on you, you can ask for it to be reviewed by a person, share your view, and challenge the outcome by contacting [email protected].
7. How we share your information
We do not sell your personal data. We share it only as set out below.
7.1 Partners that deliver the Services
- Payment processors such as Paystack, to tokenise cards and process payments.
- Card issuers and schemes: our card-issuing partner and the relevant card schemes, to create and run the virtual cards you pay with.
- Banks and financial institutions involved in authorising and settling your payments.
- Identity and fraud-prevention providers that help us verify users and protect the Services.
7.2 Service providers
Trusted companies that provide hosting, cloud storage, customer support tools, email and SMS delivery, and analytics, under contracts that require them to protect your data and use it only as we instruct.
7.3 Legal, regulatory and safety
Regulators and authorities such as the Central Bank of Nigeria, the NDPC, the Nigerian Financial Intelligence Unit, law enforcement and courts, where we are required or permitted to share, or to establish, exercise or defend legal claims and protect our users.
7.4 Professional advisers and corporate transactions
Our auditors, lawyers and insurers, and, if we are involved in a merger, acquisition, financing or sale of assets, the parties to that transaction, subject to confidentiality.
7.5 Merchants you pay through Taprail
When you approve a Pay-with-Taprail order, we confirm to the merchant that the order was paid and share the transaction reference and net amount. We do not share your card details, real PAN, BVN, NIN, address, full name or other identity data with the merchant unless you tell us to.
7.6 With your consent or at your direction
For example, when you choose to share a bill split with friends.
8. International transfers
Some of our partners and service providers may store or process data outside Nigeria. Where we transfer personal data abroad, we do so in line with the NDPA, and we put appropriate safeguards in place, such as transferring only to countries with adequate protection or using contractual protections. You can ask us for more detail about these safeguards.
9. How we protect your information
We use technical and organisational measures designed to protect your data, including encryption in transit, tokenisation of card details, access controls, and limiting access to staff and partners who need it. We also ask you to play your part by keeping your device, PIN and login details secure. No method of transmission or storage is completely secure, but we work continuously to protect your information and will notify you and the NDPC of a personal data breach where the law requires.
10. How long we keep your information
We keep personal data for as long as you have an account or remain on the waitlist, and afterwards only for as long as we need it to:
- meet legal, regulatory, tax and accounting requirements;
- keep records of transactions and identity checks for the periods required by financial regulation;
- resolve disputes and enforce our agreements; and
- prevent fraud and abuse.
When we no longer need your data, we delete it or anonymise it so it can no longer identify you.
11. Your rights
Under the NDPA, you have the right to:
- access the personal data we hold about you;
- ask us to correct information that is wrong or incomplete;
- ask us to delete your data, where there is no good reason for us to keep it;
- ask us to restrict or object to how we use your data, including for direct marketing;
- ask us to provide your data, or transfer it, in a portable format;
- withdraw consent at any time, where we rely on consent; and
- lodge a complaint with the NDPC if you are unhappy with how we have handled your data.
To exercise any of these rights, email [email protected]. We may need to verify your identity first, and we will respond within the time required by law. Exercising your rights is free, but we may charge a reasonable fee or decline a request that is clearly unfounded or excessive.
12. Children
Taprail is intended for people aged 18 and over. We do not knowingly collect data from anyone under 18. If you believe a child has given us their data, contact us and we will delete it.
13. Third-party services and links
The Services may link to or rely on third parties, such as your bank, a merchant or an app store. Their handling of your data is governed by their own privacy notices, which we encourage you to read. We are not responsible for their practices.
14. Changes to this policy
We may update this policy from time to time. We will change the date at the top of the page, and where changes are significant we will tell you, for example by email or in the app. Continuing to use the Services after a change means you accept the updated policy where the law allows.
15. How to complain
If you have a concern, please contact us first at [email protected] and we will try to put things right. You also have the right to complain to the Nigeria Data Protection Commission.