UZOVIA Privacy Policy
Data Controller:
Transit Mobility Technologies Ltd. (CAC registration in progress; RC number will be added once issued)
Lagos, Nigeria
privacy@uzovia.com
1. Introduction
UZOVIA ("we", "us", "our") is a digital transit payment platform operated by Transit Mobility Technologies Ltd., incorporated under the laws of the Federal Republic of Nigeria. We are committed to protecting the personal data of our users in accordance with the Nigeria Data Protection Act 2023 (NDPA) and the Nigeria Data Protection Regulation 2019 (NDPR).
This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and your rights as a data subject.
By registering for or using the UZOVIA platform (mobile app, web portal, or API), you acknowledge that you have read and understood this policy.
2. Data We Collect
2.1 Identity data
- Full legal name (first, last, middle)
- Date of birth (from BVN verification)
- Bank Verification Number (BVN) — collected during KYC Tier 1 verification; stored only as a SHA-256 hash. The raw BVN is transmitted to our identity verification provider for a name match against NIBSS records and is never retained at rest by UZOVIA.
- National Identification Number (NIN) — not collected at MVP launch. Reserved for a future KYC Tier 2 expansion (higher transaction limits). When introduced, it will also be stored only as a SHA-256 hash. This policy will be updated and users notified before any NIN collection begins.
- Profile photograph (stored on Cloudinary)
- Email address and phone number
2.2 Financial data
- Wallet balance and transaction history (ledger)
- Funding and withdrawal records
- Payment codes and QR code usage
- Fare payment records (trip, route, amount, payment method)
2.3 Device and technical data
- Device type and operating system
- IP address
- Session tokens (hashed)
- Geolocation data during active collection sessions (inspectors only; not stored permanently)
2.4 Compliance and identity verification data
- BVN verification result and date
- Enrollment bank (logged for NFIU audit purposes)
- KYC tier status
- Compliance flags (AML/fraud alert types and review status)
- Suspicious transaction reports (where applicable)
2.5 Communication data
- Support ticket messages
- Broadcast notifications received
- Email and in-app notification records
3. How We Use Your Data
| Purpose | Legal basis (NDPA s.25) |
|---|---|
| Account registration and identity verification | Contract performance |
| Processing wallet transactions and payments | Contract performance |
| AML/CFT screening and fraud monitoring | Legal obligation (CBN/NFIU) |
| BVN verification (Dojah API) | Legal obligation (CBN KYC) |
| Stamp duty deduction and FIRS remittance | Legal obligation (Stamp Duties Act) |
| Sending operational notifications | Contract performance |
| Responding to support requests | Contract performance |
| Platform analytics (aggregated) | Legitimate interests |
| Compliance reporting to regulators | Legal obligation |
| Security monitoring and fraud prevention | Legitimate interests |
We do not use your personal data for automated profiling that produces legal or similarly significant effects without human oversight.
4. Data Retention
| Category | Retention period |
|---|---|
| Account and identity data | 7 years after account closure (CBN KYC) |
| Transaction ledger records | 7 years (CBN/NFIU) |
| BVN hash and verification records | 7 years after account closure |
| Support ticket records | 2 years after closure |
| Compliance flags and AML records | 7 years (NFIU AMLCFT 2022) |
| Stamp duty remittance logs | 7 years (FIRS) |
| Device/session data | 90 days |
| Geolocation data (inspector GPS) | Not stored (ephemeral, 10-min Redis TTL) |
5. Who We Share Your Data With
5.1 Service providers (data processors)
We engage the following processors under data processing agreements:
| Provider | Purpose |
|---|---|
| Dojah (Youverify Inc.) | BVN identity verification (NIN reserved for future Tier 2) |
| Paystack (Stripe Inc.) | Payment processing, card funding |
| Cloudinary | Profile photo storage |
| Railway.app | Cloud hosting (backend API and database) |
| Vercel | Web dashboard hosting |
| SendGrid | Transactional email delivery |
| Firebase (Google) | Push notifications |
5.2 Regulatory authorities
We may disclose personal data without your prior consent where required by law to: the Central Bank of Nigeria (CBN), the Nigerian Financial Intelligence Unit (NFIU), the Federal Inland Revenue Service (FIRS), the National Information Technology Development Agency (NITDA), the Economic and Financial Crimes Commission (EFCC), or under court orders and lawful law enforcement requests.
5.3 Institutional partners (spaces)
Space administrators (e.g., university transport offices) can view member names and roles within their space, plus fare payment records and session history relevant to their operations. They cannot access wallet balances, BVN data, or personal financial information outside their space.
5.4 No sale of personal data
We do not sell, rent, or lease personal data to third parties for marketing or commercial purposes.
6. Cross-Border Data Transfers
Some of our service providers are based outside Nigeria (e.g., Stripe/Paystack in Ireland, Cloudinary in the USA). Where we transfer personal data outside Nigeria, we ensure appropriate safeguards are in place in accordance with NDPA s.44, including Standard Contractual Clauses (SCCs) with processors and adequacy assessments where applicable.
7. Data Security
- Encryption in transit: TLS 1.2+ for all API communications
- Encryption at rest: Database-level encryption for sensitive fields
- BVN hashing: Raw BVN is never stored — only SHA-256 hashes. The same standard will apply to NIN if introduced in a future Tier 2 expansion.
- Access controls: Role-based access control (RBAC) following the least-privilege principle
- Audit logging: All data access events are logged with timestamps and user IDs
- Pessimistic locking: Money-moving operations use database-level row locks
- JWT security: Short-lived access tokens (15 min), refresh token rotation, cookie-free transport
8. Your Rights as a Data Subject
Under the NDPA 2023 you have the following rights:
| Right | How to exercise |
|---|---|
| Access | Request a copy via the app or privacy@uzovia.com |
| Rectification | Update your profile in the app; legal name changes after KYC require admin review |
| Erasure | Request account deletion via the app or our web form. Note: financial records must be retained for 7 years. |
| Restriction | Email privacy@uzovia.com to restrict processing in specific circumstances |
| Data portability | Request an export of your transaction history in machine-readable format |
| Object | Object to processing based on legitimate interests |
| Withdraw consent | Where processing is consent-based, withdraw at any time without affecting prior processing |
To exercise any of these rights, email privacy@uzovia.com with your full name, registered email address, and a description of your request. We will respond within 30 days.
If you believe we have mishandled your personal data, you have the right to lodge a complaint with the National Information Technology Development Agency (NITDA) at nitda.gov.ng.
9. Cookies and Tracking
The UZOVIA mobile app does not use cookies. The UZOVIA web admin dashboard uses:
- Essential cookies: Session management and CSRF tokens
- No tracking or advertising cookies
We do not use third-party analytics that profile individual users.
10. Children's Data
Our platform is not intended for persons under 18. We do not knowingly collect personal data from minors. BVN verification enforces an age gate for this purpose. If we become aware that we have inadvertently collected data from a person under 18, we will delete it promptly.
11. Changes to This Policy
We may update this policy periodically. When we make material changes, we will update the "Last updated" date above, notify registered users via in-app notification and email, and publish the updated policy at uzovia.com/privacy. Your continued use of the platform after notification constitutes acceptance of the updated policy.
12. Contact Us
Data Protection Officer (DPO):
Transit Mobility Technologies Ltd.
Email: privacy@uzovia.com
For urgent data breach notifications or regulatory inquiries, email privacy@uzovia.com with the subject line [URGENT] Data Protection Matter.
This policy is published in compliance with the Nigeria Data Protection Act 2023 (NDPA), the Nigeria Data Protection Regulation 2019 (NDPR), and the CBN Know-Your-Customer (KYC) Requirements.
