1. What Personal Data We Collect

When you initiate identity verification through our mobile app, we collect the following information,

collectively referred to as Face Data:

• Facial images: Still images or short video frames of your face, captured using your phone’s frontfacing camera.

• Capture metadata: Limited technical data related to the capture process such as device model, timestamp, image resolution, and lighting conditions used only to confirm the image is suitable for verification.

We do not extract facial geometry, generate biometric templates, or convert your image into mathematical representations. The Face Data remains in its original image form and is used solely to verify your identity against a government-issued record.

To complete this process, your image is transmitted once, securely and in real time to a licensed third-party verification provider (such as Prembly or VerifyMe). This provider matches your image against your official BVN photo and returns a result confirming whether there is a match. Your image is not stored, reused, or processed for any other purpose.

Capture begins only after you grant camera access and actively start the process. This serves as explicit consent under applicable data protection laws, including the General Data Protection Regulation (GDPR) and the Nigeria Data Protection Regulation (NDPR).

We do not use Face Data or any other collected data for tracking, advertising, profiling, or analytics. No data is sold or shared for commercial gain.

2. Why We Collect, Use, and Disclose Your Face Data

We collect and use your Face Data exclusively for identity verification to confirm that you are the rightful owner of the identity you’ve presented.

Here’s what that means:

1. Identity Confirmation

When you upload a facial image through our mobile app, we securely transmit it to a licensed verification

provider. They compare your image to the photo associated with your Bank Verification Number (BVN) or other government-issued identity records. We use the result of that match not the image itself to confirm your identity.

2. Regulatory Compliance

This process helps us meet legal obligations under Know Your Customer (KYC) and anti-money laundering regulations. It also supports secure onboarding and account protection, as required by applicable law and financial sector best practices.

3. Platform Security

Using Face Data helps us reduce impersonation, identity theft, and fraudulent access. It strengthens trust across our platform by ensuring that all accounts are tied to real people with verified identities.

We do not use Face Data for any other purpose including advertising, profiling, behavioural tracking, or analytics.

What About Automated Decision-Making?

To make identity checks fast and accurate, your Face Data may be processed using automated matching systems provided by our verification partner. However:

• You are notified if your verification attempt fails;
• You always have the right to request a manual review;
• No final decision that significantly affects your access or experience is made solely by automated means.

3. When We Might Share Your Face Data

We do not store your Face Data on our servers. Instead, when you initiate verification, your facial image is:

1. Captured directly from your device,
2. Securely transmitted in real time to a licensed verification provider and
3. Used immediately to compare against your official government ID photo (e.g., BVN record).

This process happens in-session, and once the verification is complete:

• The image is discarded by the provider;
• Only a match result is returned to us (e.g., “success” or “no match”);
• No copy is stored, retained, or reused for any other purpose.

We do not disclose your Face Data to any other party, and it is never sold, profiled, analyzed, or shared for marketing.

If required by law, such as during a fraud investigation or regulatory audit we may be compelled to disclose certain verification outcomes or system logs to authorized government agencies. Such disclosures are handled securely and in full compliance with applicable data protection laws.

4. To Whom We Disclose Your Face Data

To complete identity verification, we share your facial image once, atthe time of capture with a licensed third party identity verification provider. This provider compares your selfie against the official photo attached to your BVN, using infrastructure that complies with applicable privacy laws and security standards.

These providers:

• Do not retain your image after verification, unless required by regulation or contractually agreed.
• Do not use your data for marketing, analytics, or profiling.
• Operate under a data processing agreement with us, aligned with NDPR, GDPR, and ISO 27001/27701 controls.

The provider returns only a verification result e.g., “match confirmed” or “no match” and does not make any automated decision about your account or service access.

5. Transfer of Your Personal Data Internationally

We do not intentionally transfer your Face Data outside Nigeria.

When you initiate identity verification, your facial image is captured and transmitted in real time to a licensed verification partner for matching against official records (e.g., BVN). These partners offer infrastructure options within Nigeria, and we select providers that align with our local data protection and residency requirements.

Where Face Data is processed outside Nigeria for example, if our verification partner’s servers are located abroad or if backups are routed through global cloud services such transfers are limited, secure, and governed by:

• Standard Contractual Clauses (SCCs) or other regulatory transfer mechanisms;
• Encryption protocols and access controls that comply with ISO 27001 and 27701 standards;
• Data processing agreements that restrict use to identity verification only.

6. Security Measures

We take the protection of your Face Data seriously and apply multiple layers of safeguards technical, procedural, and contractual to keep your information safe throughout the verification process.

App-Level Protections

• Explicit user consent is required before activating the camera or starting any verification.
• Face capture is performed on-device, and no background or passive collection takes place.
• Data is transmitted only when the user initiates the process, ensuring full control and transparency.

Secure Data Transmission

• Your Face Data is transmitted over TLS 1.3 encrypted channels, with certificate pinning to prevent interception.

• API requests to our verification partner are authenticated and time-bound, reducing the risk of spoofing or misuse.

Processor-Level Safeguards

Our verification partners are bound by:

• NDPR-compliant data processing agreements that limit use of Face Data to a single matching session;
• ISO 27001 and ISO 27701-certified infrastructure, including access controls, audit logging, and internal segmentation;

• Strict policies to delete images after verification and prevent unauthorized access or secondary use.

Internal Access Controls

• No member of our team has direct access to your facial image.
• Verification results are stored as non-biometric flags (e.g., “match confirmed”) not image files.
• All backend access is governed by role-based permissions, VPN enforcement, and activity logging.

Incident Response and Testing

• Our systems are subject to regular penetration testing, vulnerability scans, and privacy risk assessments.

• In the unlikely event of a data incident involving Face Data, we follow a documented data breach response plan that includes user notification, regulatory reporting, and containment within 72 hours, in line with GDPR and NDPR standards.

Your Face Data is never used beyond the moment of verification and is protected from end to end, from the moment you open the camera to the moment it’s matched and discarded.

7. How Long We Retain Your Face Data

We do not retain your Face Data after verification is complete.

When you submit a facial image through our mobile app, it is transmitted in real time to a licensed verification partner for a one-time match against a government-held identity record (such as your BVN photo). Once the match result is returned:

• The image is immediately discarded by our verification partner;
• No copy of your Face Data is stored on our systems or retained for future use;
• Only a basic verification result (e.g., “match confirmed” or “retry required”) is retained and this result does not include your image or biometric information.

This approach ensures that your Face Data exists only for the few seconds required to complete the verification and is not archived, reused, or stored in any form beyond that window.

In exceptional cases such as a legal investigation or technical error certain verification logs may be retained temporarily for audit or troubleshooting purposes. These logs do not include facial images and are stored in accordance with applicable data protection regulations.

We regularly audit our systems and third-party vendors to ensure that this short-lived retention model is strictly enforced.

8. What Are Your Rights With Regard to Your Personal Data

You have certain rights under global and local data protection laws, including the Nigeria Data Protection Regulation (NDPR) and the General Data Protection Regulation (GDPR). These rights apply to the personal data you submit during identity verification, including Face Data.

1. Access

You can request confirmation of whether we process any personal data relating to you, and obtain a copy of relevant verification records.

2. Correction

If you believe the information we’ve retained about your verification is inaccurate (e.g., a false match or system error), you can request that we correct it.

3. Deletion

You may request that we delete personal data we hold about you. However, in certain cases such as where the data is part of a regulated identity verification record we are required by law to retain it. In those cases, we will inform you of the legal basis for continued retention and restrict access as much as possible.

4. Restriction

You may ask us to restrict the use of your data for example, while a correction or objection request is being reviewed.

5. Objection

Where we rely on legitimate interest for any processing (which is rare), you may object to that processing. In most cases, however, our use of Face Data is based on your consent or legal obligation.

6. Withdrawal of Consent

You may withdraw your consent at any time. This will not affect the lawfulness of any processing already carried out, but may affect your ability to complete verification.

7. Complaint

If you have concerns about how your data has been handled, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) or your local data protection authority.

We respond to all rights requests within 30 calendar days, and may request additional information to verify your identity before fulfilling certain requests.

9. Contact Us

If you have questions, concerns, or requests about how we handle your Face Data or other personal information, please reach out to our designated Data Protection Officer:

Akinbayo ATERE

Data Protection Officer

Email: dataprotection@sciartfinance.com

Phone: 09110724278

We aim to respond to all privacy-related enquiries within 30 calendar days. If your request relates to access, correction, or restriction of your personal data, we may ask you to verify your identity before proceeding.

If you believe your rights have been violated under data protection laws, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) or your local supervisory authority.