Services About Us FAQ Contact
Login Get Started

Legal

Privacy Policy

Last updated: January 1, 2026

1. Introduction

Creda Technologies Limited ("Creda", "we", "us", or "our") is committed to protecting the privacy and security of your personal data. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use our mobile application, website, and related services (collectively, the "Service"). This policy is issued in compliance with the Nigeria Data Protection Regulation (NDPR) 2019, the Nigeria Data Protection Act (NDPA) 2023, and other applicable data protection laws.

2. Data Controller

Creda Technologies Limited is the data controller responsible for your personal data. Our Data Protection Officer can be reached at:

  • Email: dpo@creda.ng
  • Address: Plot 12, Admiralty Way, Lekki Phase 1, Lagos, Nigeria

3. Information We Collect

3.1 Information You Provide Directly

  • Identity Data: Full name, date of birth, gender, BVN, NIN, government-issued ID details;
  • Contact Data: Phone number, email address, residential address;
  • Financial Data: Bank account details, debit card information, employment details, salary information, bank statements;
  • Biometric Data: Facial recognition data captured during the KYC process for identity verification;
  • Guarantor Data: Name, phone number, BVN, and relationship details of your guarantor (where applicable).

3.2 Information Collected Automatically

  • Device Data: Device type, operating system, unique device identifiers, mobile network information;
  • Usage Data: App interactions, features used, time spent on the platform, session logs;
  • Location Data: Approximate location based on IP address or GPS (with your consent);
  • Technical Data: IP address, browser type, crash reports, performance data.

3.3 Information from Third Parties

  • BVN Verification: Identity data verified through the Nigeria Inter-Bank Settlement System (NIBSS);
  • Credit Bureau Data: Credit history from CRC, FirstCentral Credit Bureau, and CreditRegistry;
  • Bank Data: Transaction history via authorized bank statement analysis providers;
  • Payment Processors: Card validation and transaction data from our payment partners.

4. How We Use Your Information

We use your personal data for the following purposes:

  • Account Creation & KYC: To verify your identity, create your account, and comply with regulatory requirements;
  • Credit Assessment: To evaluate your creditworthiness using our proprietary credit-scoring algorithm;
  • Loan Processing: To process loan applications, disbursements, and repayments;
  • Communication: To send you transaction alerts, repayment reminders, promotional offers, and service updates;
  • Fraud Prevention: To detect, prevent, and investigate fraudulent activities and security breaches;
  • Regulatory Compliance: To comply with legal obligations, including anti-money laundering (AML) and combating the financing of terrorism (CFT) requirements;
  • Service Improvement: To analyze usage patterns and improve our products, services, and user experience;
  • Debt Recovery: To pursue the recovery of overdue debts through authorized channels.

5. Legal Basis for Processing

We process your personal data based on the following legal grounds:

  • Consent: You have given explicit consent for the processing of your data (e.g., biometric data, marketing communications);
  • Contractual Necessity: Processing is necessary for the performance of the loan agreement between you and Creda;
  • Legal Obligation: Processing is required to comply with CBN regulations, NDPR/NDPA, AML/CFT laws, and other applicable legislation;
  • Legitimate Interest: Processing is necessary for our legitimate business interests, such as fraud prevention and service improvement, provided these do not override your fundamental rights.

6. Data Sharing & Disclosure

We may share your personal data with the following categories of recipients:

  • Credit Bureaus: CRC, FirstCentral, and CreditRegistry for credit reporting and assessment;
  • NIBSS: For BVN verification and identity validation;
  • Payment Processors: Paystack, Flutterwave, or other authorized payment partners for transaction processing;
  • Cloud Service Providers: For secure data storage and processing (all providers are NDPR-compliant);
  • Debt Recovery Agents: Licensed agents engaged to recover overdue debts;
  • Regulatory Authorities: CBN, NDPC (Nigeria Data Protection Commission), EFCC, and other government agencies as required by law;
  • Legal Advisors: In connection with legal proceedings or regulatory inquiries;
  • Business Partners: Trusted third parties who assist in providing our services, subject to strict data protection agreements.

We do not sell, rent, or trade your personal data to third parties for marketing purposes.

7. Data Security

We implement industry-leading technical and organizational measures to protect your data, including:

  • Encryption: AES-256 encryption for data at rest and TLS 1.3 for data in transit;
  • Access Controls: Role-based access control (RBAC) ensuring only authorized personnel access your data;
  • Infrastructure: Hosting on SOC 2 Type II compliant cloud infrastructure;
  • Monitoring: 24/7 security monitoring, intrusion detection, and incident response systems;
  • Tokenization: Sensitive payment card data is tokenized and never stored in plain text;
  • Regular Audits: Periodic security assessments and penetration testing by independent third parties.

8. Data Retention

We retain your personal data for the following periods:

  • Active Accounts: For the duration of your account activity plus 6 years after account closure (in compliance with CBN regulations);
  • Loan Records: 10 years from the date of full repayment, as required by Nigerian financial regulations;
  • KYC Data: 5 years after the end of the business relationship, in compliance with AML/CFT requirements;
  • Biometric Data: Deleted within 12 months after the purpose of collection has been fulfilled;
  • Transaction Data: 7 years from the transaction date for audit and regulatory compliance.

After the retention period, your data will be securely deleted or anonymized.

9. Your Rights

Under the NDPR and NDPA, you have the following rights:

  • Right of Access: Request a copy of the personal data we hold about you;
  • Right to Rectification: Request correction of inaccurate or incomplete data;
  • Right to Erasure: Request deletion of your data where there is no legitimate reason for continued processing (subject to retention obligations);
  • Right to Restrict Processing: Request limitation of processing in certain circumstances;
  • Right to Data Portability: Receive your data in a structured, commonly used, machine-readable format;
  • Right to Object: Object to processing based on legitimate interests or for direct marketing purposes;
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.

To exercise any of these rights, contact our Data Protection Officer at dpo@creda.ng. We will respond to your request within 30 days.

10. Cookies & Tracking

Our website uses cookies and similar technologies to enhance your experience. These include:

  • Essential Cookies: Required for the Service to function properly (e.g., session management, security);
  • Analytics Cookies: Help us understand how users interact with the Service (e.g., Google Analytics);
  • Functional Cookies: Remember your preferences and settings.

You can manage cookie preferences through your browser settings. Disabling certain cookies may affect the functionality of the Service.

11. International Data Transfers

Your data may be transferred to and processed in countries outside Nigeria for cloud storage and processing purposes. In such cases, we ensure that adequate data protection safeguards are in place, including standard contractual clauses approved by the Nigeria Data Protection Commission, and that the receiving jurisdiction provides an adequate level of data protection.

12. Children's Privacy

Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. Material changes will be communicated via email or in-app notification at least 14 days before they take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.

14. Complaints

If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC):

  • Website: ndpc.gov.ng
  • Email: info@ndpc.gov.ng

15. Contact Us

For any questions or concerns about this Privacy Policy or our data practices, please contact us:

  • Data Protection Officer: dpo@creda.ng
  • General Support: concierge@creda.ng
  • Phone: +234 (0) 1 888 0000
  • Address: Plot 12, Admiralty Way, Lekki Phase 1, Lagos, Nigeria