Privacy Policy
Effective Date: May 21, 2026
Paystack Microfinance Bank (“Paystack MFB,” “Company,” “we,” “us,” or “our”) offers a range of financial services tailored to low-income individuals and small businesses who may not be able to access traditional banking services. These services include microloans for business or personal needs, savings accounts, money transfers, and sometimes microinsurance.
We are committed to protecting the privacy and security of our customers’ and account holders’ personal data and ensuring transparency, accountability, and confidentiality. This Privacy Policy outlines how we collect, use, store, share, and protect the personal data of individuals (“Data Subjects”) who engage with our website, services, and tools (collectively referred to as “Services”).
This Privacy Policy applies to all personal data processing activities conducted within our environment and is designed to ensure compliance with the Nigeria Data Protection Act (NDP Act), 2023 and the NDP Act General Application and Implementation Directive (GAID), 2025.
1. The Information We Collect
1.1 Personal Data You Provide Directly
We may collect the following personal data you provide:
- Identification data: Full name, passport photograph, government identification, National Identity Number (NIN), Bank Verification Number (BVN), and mother’s maiden name
- Contact Information: Email address, phone number, and physical address
- Financial Information: Transactional account history and financial account details, including your account balance, payment records, and debit/credit card usage
- Communications: Information shared when contacting us via email, customer service lines, support forms, or other communication channels
- Any other information about you that we deem necessary to provide certain services to you, such as occupation, assets, and income
1.2 Personal Data We Collect Automatically
- Device Information: Internet Protocol (IP) address, browser type, operating system, and unique device identifiers
- Usage Information: Details of your interactions with our Services, including page views, session times, and links clicked
- Location Information: General geographic location inferred from your IP address
1.3 Personal Data We Receive from Third Parties
- Financial institutions: We use information from credit bureaus, payment gateways, payment switches, processors, and identity verification systems
- Public Sources: Information from publicly available databases
- Inferences: Additional data inferred from your activities or information provided
- Open Data Arrangements: Information that third parties are authorised to share through established open data initiatives or agreements
2. How We Use Personal Data
We use your personal data to:
- Deliver and improve our Services, and execute your instructions
- Communicate with you regarding support requests or inquiries
- Prevent fraud and ensure the security of our website and services
- Comply with legal and regulatory obligations
- Provide updates, marketing content, and newsletters with your explicit consent
- Update and enhance Paystack MFB’s records
- Establish and verify your identity
- Assess applications related to our products and services
- Manage our relationship with you
- Review your eligibility for credit or loans
- Identify and inform you about other products or Services we think might be of interest to you
3. How We Share Personal Data
We do not sell personal data. We may share your data in the following cases:
- Service Providers: With vendors or agents performing tasks on our behalf (e.g. identity verification or customer support);
- Partners and Processors: Correspondent banks and strategic partners;
- Credit agencies: Where relevant;
- Paystack Group: Other entities within the Paystack group, such as Paystack Payments Limited;
- Legal and Regulatory Compliance: To comply with legal obligations, respond to lawful requests, and respond to external auditors; and
- Corporate Transactions: In the event of mergers, acquisitions, or business sales.
4. How We Protect Your Information
We implement technical and organisational measures to secure personal data against unauthorised access, alteration, and destruction. Examples include data encryption, access controls, and data protection training.
4.1 Personal Data Breach
We take the security of personal data seriously and have implemented measures to prevent data breaches from occurring. However, in the event of a data breach, we have established procedures for reporting and managing incidents. You may contact our Data Protection Officer (DPO) if you become aware of any breach of personal data.
When we become aware of a data breach that affects personal data, we will notify the affected individuals and the Nigeria Data Protection Commission (NDPC) in accordance with the provisions of the NDP Act, 2023, the NDP Act General Application and Implementation Directive and other subsidiary data protection legislation. The notification will include the following information:
- A description of the nature of the data breach, including the categories of personal data involved.
- The likely consequences of the data breach.
- The measures taken or proposed to address the data breach, including any measures to mitigate its possible adverse effects.
We will immediately notify affected individuals in high-risk instances. We encourage all users and customers to take appropriate steps to protect their data, such as using strong passwords, regularly updating account information, and reporting any suspicious activity to us immediately.
We will report any breaches that may compromise your rights and freedoms to the NDPC within 72 hours of discovery.
5. Data Retention
We retain personal data for as long as necessary to:
- Provide Services to you
- Comply with legal and regulatory obligations
- Resolve disputes or enforce agreements
- Adhere to our internal retention policies
Paystack MFB is statutorily obliged to retain the data you provide to process transactions, ensure settlements, make refunds, identify fraud and comply with applicable laws and regulatory guidelines.
Under Nigeria’s Money Laundering (Prevention and Prohibition) Act, we are mandated to retain transactional records (customer and beneficiary names, addresses, identification number, amount, currency etc.) for at least five (5) years following the completion of the transaction. Under the Central Bank of Nigeria’s Framework for Mobile Payment Services in Nigeria, Paystack must maintain records of identification data, account files and relevant business correspondence for seven (7) years following the termination of an account and/or business relationship. We regularly review our data retention policy.
Upon expiration of the applicable storage limitation periods, and in line with our data retention schedule, we will delete, erase, anonymise or pseudonymise any information we hold about you.
This Privacy Policy also applies when we retain your Personal Information after our relationship ends. We may also retain your Personal Information for the duration of any period necessary to establish, exercise or defend any legal rights. We may keep Personal Information indefinitely in a de-identified format for statistical purposes, which may include, for example, statistics of how you use the Services.
For more information regarding our retention practices, please contact our Data Protection Officer (DPO) at [email protected].
6. Data Transfers
As part of our service provision, we rely on third-party servers located in foreign jurisdictions, which involves transferring your data to computers or servers in foreign countries. An example is the Bank’s use of AWS as a cloud storage solution, with servers in Ireland. We take steps to ensure that the data we collect under this Privacy Policy is processed and protected in accordance with the provisions of this Policy and applicable law, wherever the data is located.
Paystack MFB takes the security of personal data seriously. When personal data needs to be transferred to a country outside of Nigeria, we implement adequate measures to ensure the data remains secure. We comply with all relevant data protection regulations and guidelines to ensure that personal data is always protected. Specifically, we use contractual terms to ensure that the personal data is adequately protected or that the country to which the data is being transferred has adequate data protection laws in place. We take additional measures to ensure that the country to which the data is being transferred meets our standards for data protection.
Should you wish to transfer your personal data to a country deemed to have inadequate data protection laws, the Bank will take all necessary steps to ensure that it is transferred under relevant, appropriate safeguards, and where relevant, with your informed consent, and that you are made aware of the risks associated with such a transfer. In any instance, Paystack MFB will ensure personal data is transmitted safely and securely. Details of the protection provided when your data is transferred abroad, as well as the basis for such transfers, will be provided to you upon request.
7. Lawful Basis for Processing Personal Data
Processing of personal data will be lawful if one of the following applies:
- The data subject has given consent to the processing of their personal information for one or more specific purposes. You may revoke your consent by contacting us or closing your account
- The processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract
- The processing is necessary for compliance with a legal obligation to which we are subject
- The processing is necessary for legitimate interests pursued by us or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data
- The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us
8. Your Rights
At Paystack MFB, we respect the rights of our customers and allow them to exercise these rights under the NDP Act. Individuals who have personal data held by us can reach out to exercise the following rights:
- Right to request and access any personal data collected and stored by Paystack MFB. This right allows you to request a copy of your personal information in our custody;
- Right to be informed regarding the use of your personal data;
- Right to be informed about appropriate safeguards in place whenever your personal information is transferred abroad;
- Right to object to automated decision-making and processing. You have the right to object to the processing of your personal information, and to exercise this right, you can submit a request to the DPO;
- Right to rectification/modification of personal information;
- Right to request the deletion of personal information;
- Right to request the movement of your personal information from us to a third party (this is the right to the portability of data);
- Right to revoke consent;
- Right to object to direct marketing; and
- Right to lodge a complaint with the Nigeria Data Protection Commission (NDPC).
To exercise these rights, you may submit a request to the Data Protection Officer (DPO). Your request will be reviewed and responded to by our Data Protection Officer within a reasonable timeframe.
We encourage you to use the Standard Notice to Address Grievance (SNAG) if you believe your data privacy rights have been violated. The SNAG is a standardised template for formally requesting internal resolution from us. You can submit a SNAG directly or through someone acting on your behalf, including civil society organisations. We will track these notices, and if unresolved, the NDPC may initiate an investigation.
To submit a SNAG, please fill out the form available in Schedule 9 of GAID on the NDPC’s website or send an email to [email protected] with “SNAG” in the subject line, outlining the details of your grievance. You can also serve a SNAG via our physical address, as outlined in Section 11 of this Policy.
9. Children’s Privacy
Our Services are not directed at individuals under 18. We do not collect personal data from children without parental consent. If we become aware of such a collection, we will promptly delete the data.
10. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices or applicable laws and regulations. Updates will be communicated via our website, and this Privacy Policy will apply from the effective date provided on our website.
11. Contact Us
If you have any questions related to this Privacy Policy or would like to learn more about exercising your data protection rights, please contact our Data Protection Officer (DPO) via email at [email protected].
For any further queries, our Data Protection Officer may be reached at the following address:
124 Joel Ogunnaike Street,
Ikeja GRA, Ikeja,
Lagos, Nigeria.