Privacy Policy
Last updated: 19 April 2026
Kuderium Technologies Limited (“Kuderium”, “we”, “us”) respects your privacy. This Privacy Policy explains what personal data we collect about you when you use Kuderium, why we collect it, what we do with it, who we share it with, and the rights you have over it.
This policy is written to comply with the Nigeria Data Protection Act, 2023 (“NDPA”) and the Nigeria Data Protection Regulation, 2019 (“NDPR”).
1. Who we are
Kuderium Technologies Limited is the data controller for the personal data described in this policy. Our registration details:
- CAC registration number: RC 9493072
- Tax identification number: 2623014590035
- Registered office: Ibadan, Oyo State, Nigeria
- Contact for privacy enquiries: privacy@kuderium.com
2. What personal data we collect
2.1 Data you give us directly
- Identity data: your legal name, date of birth, photograph, government-issued ID (NIN, BVN, driver’s licence, international passport, voter’s card), and a live-capture selfie used for face-match verification.
- Contact data: email address, phone number, residential address.
- Financial data: the Nigerian bank account number(s) you link for Naira payouts, and the cryptocurrency wallet addresses you deposit from (only the addresses you actually use, not your full wallet).
- Security data: a scrypt-hashed form of your transaction PIN. We never store your PIN in plain text and we cannot recover it for you — only reset it.
2.2 Data collected automatically when you use the Service
- Device and session data: IP address, browser type, operating system, device model, a hashed device fingerprint, sign-in timestamps, and the user-agent string. We use this to detect suspicious sign-ins and to show you the list of devices with access to your account.
- Transaction data: the crypto amount deposited, the Naira value of the payout, exchange rate used, fees, on-chain transaction hash, and the status of every stage of the transfer.
- Audit log: a time-stamped record of sensitive events (sign-in, sign-out-all, PIN change, KYC submission, withdrawal, notification dispatch) for security and regulatory reasons.
2.3 Data from third parties
- Prembly: the result of your BVN lookup, ID verification and face-match checks.
- Quidax: on-chain confirmation status and conversion details for every crypto deposit you make.
- NIBSS / partner bank: payout status updates for every Naira transfer.
3. Why we process your data and the legal basis
- To provide the Service (performance of a contract): create and operate your account, execute conversions, issue payouts, issue in-app notifications.
- To meet our legal obligations: KYC, AML, CFT, record-keeping and suspicious-transaction reporting under the Money Laundering (Prevention and Prohibition) Act 2022 and the NDPA.
- To keep the Service secure (legitimate interest): detect fraud, block unauthorised access, operate rate limits, alert you to new-device sign-ins.
- To improve the Service (legitimate interest): understand feature usage in aggregate so we can prioritise fixes and improvements. We do not sell your data.
- To contact you (legitimate interest / consent): transactional emails (OTP, deposit confirmation, payout confirmation) are sent on the basis of our contract with you. Marketing emails, if any, are only sent where you have opted in and you can opt out at any time via the unsubscribe link.
4. Who we share your data with
We share only the data necessary for each recipient to perform its role and we require written safeguards from every processor.
- Supabase (database, authentication, storage) — hosted in the EU.
- Vercel (web hosting, edge functions).
- Upstash (rate-limiting and session-revocation Redis).
- Resend (transactional email delivery).
- Prembly (identity verification provider).
- Quidax (cryptocurrency custody, deposit tracking, and crypto-to-Naira conversion).
- Kuda Microfinance Bank and, where relevant, NIBSS (Naira payouts).
- Tawk.to (live-chat support).
- Law enforcement agencies and regulators, where we are legally required to disclose, including but not limited to the EFCC, CBN, NFIU, and NITDA.
5. Cross-border transfers
Some of our service providers host data outside Nigeria (primarily in the European Union and the United States). Where we transfer personal data out of Nigeria, we rely on the safeguards permitted by the NDPA, including Standard Contractual Clauses or the adequate-jurisdiction test, and we require those providers to apply security controls equivalent to what we would apply in-country.
6. How long we keep your data
- Account and KYC records: for the life of the account and for seven (7) years after account closure, as required by the Money Laundering (Prevention and Prohibition) Act 2022.
- Transaction records: seven (7) years from the transaction date.
- Audit logs: two (2) years.
- Marketing preferences: until you withdraw consent.
- OTP codes and short-lived tokens: deleted on use or within minutes of expiry.
7. How we protect your data
- All traffic between your device and Kuderium is encrypted in transit over TLS.
- Your transaction PIN is stored as a scrypt salt-and-hash, never in clear text.
- One-time passcodes (OTPs) and PIN-change codes are stored as scrypt hashes and deleted immediately after a successful verification.
- Row-level security policies restrict access to personal data on our primary database to the authenticated owner only.
- Mobile app sessions are stored in the OS keychain (expo-secure-store) — never in plaintext on-device storage.
- Access to administrative tools is restricted to named individuals, uses short-lived tokens, and is recorded in an audit trail.
8. Your rights under the NDPA
Subject to the Act, you have the right to:
- Access a copy of the personal data we hold about you.
- Correct any data that is inaccurate or incomplete.
- Delete your data, subject to our legal retention obligations (KYC and AML records must be retained for seven years).
- Restrict or object to certain kinds of processing, including direct marketing.
- Portability — receive a machine-readable copy of data you have provided to us.
- Withdraw consent at any time where we rely on consent (without affecting prior processing).
- Lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng.
To exercise any of these rights, email privacy@kuderium.com. We will respond within thirty (30) days.
9. Children’s data
Kuderium is not directed at people under the age of 18 and we do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, contact us and we will delete it.
10. Cookies and tracking
See our Cookies Policy for details of the cookies we use and the choices available to you.
11. Changes to this policy
We may update this policy from time to time. We will notify you of material changes by email and via an in-app notice at least seven (7) days before they take effect. The “last updated” date at the top of the page always reflects the current version.
12. Contact
Kuderium Technologies Limited
Attn: Data Protection Officer
Ibadan, Oyo State, Nigeria
privacy@kuderium.com