Introduction
PayDate ("we," "our," or "us") is committed to protecting the privacy, security, and dignity of every individual and organisation that interacts with our platform. This Privacy Policy Statement ("Policy") governs how PayDate collects, processes, stores, shares, and protects personal data in connection with our payment mandate services, real-time payment infrastructure, and related digital products accessible at getpaydate.com and through our APIs and integrations.
This Policy applies to all users of our platform including payers (mandate givers), payees (receiving parties), institutional clients (schools, hospitals, government agencies, NGOs), business partners, and visitors to our website. By accessing or using PayDate's services, you agree to the practices described herein.
This Policy is designed to comply with applicable global data protection frameworks including the EU General Data Protection Regulation (GDPR), Nigeria Data Protection Act (NDPA) 2023, California Consumer Privacy Act (CCPA/CPRA), UK GDPR, and other relevant national and regional regulations.
Personal Data We Collect
We collect personal data only to the extent necessary to deliver our services safely and effectively. The categories of data we collect include
Identity & Account Data
- Full legal name, date of birth, nationality, and gender
- Government-issued identification numbers (National ID, BVN, NIN, Passport, Driver's Licence)
- Business registration details, Tax Identification Numbers (TIN), and Corporate Affairs Commission (CAC) numbers for institutional accounts
- Profile photographs where required for identity verification
Contact & Communication Data
- Email address, phone number, and postal address
- In-app communication and support correspondence history
- Device identifiers and login metadata
Financial & Banking Data
- Bank account numbers, bank name, and account type
- Bank Verification Number (BVN) and similar regulatory identifiers
- Payment card details (stored only in tokenised form; raw card data is never retained on our servers)
- Transaction history, amount, frequency, and counterparty details
- Mandate instructions including schedule type (hourly, daily, weekly, monthly), duration, and authorisation status
Technical & Usage Data
- IP address, browser type, device type, and operating system
- Pages visited, time spent, click patterns, and session logs
- API request logs and error reports
Compliance & Due Diligence Data
- Know Your Customer (KYC) documentation and verification results
- Anti-Money Laundering (AML) screening records and risk scores
- Sanctions list screening outcomes
- Politically Exposed Person (PEP) status
How We Use Your Data
PayDate processes personal data for the following purposes
- Service delivery: Processing payment mandates, executing real-time transactions, and maintaining account functionality
- Identity verification: Conducting KYC/AML checks as required by financial regulations and our banking partners
- Fraud prevention: Detecting, investigating, and preventing unauthorised transactions, identity theft, and financial crime
- Regulatory compliance: Meeting obligations under Central Bank directives, FIRS reporting requirements, FATF recommendations, and applicable financial laws
- Customer support: Responding to enquiries, resolving disputes, and processing refunds or reversals
- Product improvement: Analysing usage patterns to enhance platform performance, design, and reliability
- Communications: Sending transaction alerts, mandate notifications, service updates, and - with your consent - marketing materials
- Legal proceedings: Maintaining records for audit, litigation, or regulatory investigation purposes
Payment Mandate Data - Special Provisions
Because our core service involves direct bank mandates, we apply heightened standards to mandate-related data processing
A payment mandate on PayDate is a legally binding instruction from a payer to their bank, authorising PayDate to initiate debits on a specified schedule. Mandate data is treated as highly sensitive financial data at all times.
- Mandates are created only upon explicit, informed, and documented consent of the account holder
- Each mandate is logged with a unique reference, timestamp, IP address, and device fingerprint for audit integrity
- Mandate amendments, pauses, or cancellations are processed immediately upon authenticated request
- Mandate instruction data is encrypted at rest using AES-256 and in transit using TLS 1.3 or higher
- Automated debit instructions are executed only within the parameters explicitly authorised by the payer; no amount, frequency, or beneficiary changes occur without fresh authorisation
- Mandate records are retained for a minimum of seven (7) years in compliance with Central Bank of Nigeria regulations and international financial record-keeping standards
- Institutional clients (schools, hospitals, etc.) administering mandates on behalf of their members or customers remain data controllers for their end-users and must ensure they have obtained appropriate consents prior to onboarding those users onto PayDate
Legal Basis for Processing
We process personal data on one or more of the following lawful grounds, as applicable under GDPR, NDPA, and equivalent frameworks
- Contract performance: Processing necessary to fulfil our service agreement with you
- Legal obligation: Compliance with financial regulations, tax laws, anti-money laundering statutes, and Central Bank directives
- Legitimate interests: Fraud prevention, network security, and platform improvement - balanced against your rights
- Consent: Marketing communications, optional product analytics, and any processing not covered above - withdrawable at any time
- Vital interests: In exceptional circumstances where processing protects the safety of a person
Data Sharing & Disclosure
PayDate does not sell personal data. We share data only where necessary and under appropriate safeguards with the following categories of recipients
Banking & Payment Partners: Licensed commercial banks, payment processors, card schemes (Visa, Mastercard, Verve), NIBSS, and inter-bank settlement systems required to execute mandates and transactions.
Regulatory & Government Bodies: Central Bank of Nigeria (CBN), Financial Intelligence Unit (FIU), Nigeria Financial Intelligence Unit (NFIU), tax authorities (FIRS, state IRs), law enforcement agencies, and courts - when legally required or compelled by valid order.
KYC / Identity Verification Providers: Licensed third-party identity verification, credit bureau, and sanctions screening services operating under data processing agreements.
Technology & Infrastructure Providers: Cloud hosting providers, cybersecurity services, and software vendors - all bound by strict data processing agreements (DPAs) and confidentiality obligations.
Professional Advisors: Auditors, legal counsel, and compliance consultants operating under professional secrecy obligations.
Business Transfers: In the event of a merger, acquisition, or restructuring, personal data may be transferred subject to equivalent privacy protections and advance notice to affected users.
All third-party processors handling PayDate user data are contractually bound by Data Processing Agreements that mandate GDPR-equivalent data protection standards, regardless of their jurisdiction of operation.
Data Retention
We retain personal data for as long as necessary to fulfil the purposes for which it was collected, subject to the following minimum retention schedules
- Account & identity data: Duration of account plus 7 years post-closure
- Transaction & mandate records: Minimum 7 years (CBN / FATF requirement)
- KYC / AML documentation: Minimum 5 years from the end of the business relationship
- Customer support records: 3 years from resolution
- Marketing consent logs: Until consent is withdrawn plus 2 years
- Technical access logs: 12 months rolling, unless flagged for investigation
Upon expiry of applicable retention periods, data is securely deleted or irreversibly anonymised using industry-standard methods.
Your Privacy Rights
Subject to your jurisdiction and applicable law, you have the right to
- Access: Request a copy of the personal data we hold about you
- Rectification: Correct inaccurate or incomplete data
- Erasure: Request deletion of data where no legal obligation to retain exists ("right to be forgotten")
- Restriction: Limit processing in certain circumstances (e.g., while a dispute is pending)
- Portability: Receive your data in a structured, machine-readable format for transfer to another provider
- Object: Object to processing based on legitimate interests, including profiling
- Withdraw consent: Revoke consent at any time without affecting lawfulness of prior processing
- Mandate cancellation: Cancel any active payment mandate immediately through the platform or by written request
- Complaint: Lodge a complaint with the Nigeria Data Protection Commission (NDPC), the EU Data Protection Authority in your country, the UK ICO, or any applicable supervisory authority
To exercise any of these rights, contact us at privacy@getpaydate.com. We will respond within 30 days (or within the timeframe required by your applicable law).
Data Security
PayDate employs a multi-layered security framework across technical, operational, and organisational dimensions
Technical safeguards
- AES-256 encryption for data at rest; TLS 1.3 for data in transit
- Tokenisation of all sensitive financial identifiers (card numbers, bank accounts)
- Multi-factor authentication (MFA) enforced for all user and administrator accounts
- Real-time intrusion detection, DDoS protection, and web application firewall (WAF)
- Regular penetration testing and vulnerability assessments by independent security firms
- Zero-trust network architecture with least-privilege access controls
Operational safeguards
- Role-based access control (RBAC) limiting staff data access to what is required for their function
- All staff handling personal data undergo mandatory annual data protection and security training
- Incident response plan with a 72-hour breach notification protocol (GDPR / NDPA compliant)
- Background checks conducted on employees with access to sensitive financial data
While we implement industry-leading safeguards, no system is infallible. We encourage users to protect their own accounts with strong passwords, MFA, and prompt reporting of suspected unauthorised activity.
International Data Transfers
PayDate operates globally. Your data may be transferred to, stored, or processed in countries outside your country of residence, including countries that may not offer the same level of data protection as your home jurisdiction.
Where such transfers occur, we ensure appropriate safeguards are in place, including
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable (e.g., EU-UK adequacy)
- Binding Corporate Rules (BCRs) for intra-group transfers where relevant
- Compliance with CBN data residency requirements for financial data of Nigerian users
Cookies & Tracking Technologies
Our website and platform use cookies and similar technologies to provide functionality, improve performance, and - with your consent - support analytics and personalised experiences.
- Essential cookies: Required for platform operation, session management, and security - cannot be disabled
- Functional cookies: Remember your preferences and settings for improved experience
- Analytics cookies: Help us understand how users interact with our platform (used only with consent)
- Marketing cookies: Used only with explicit consent to present relevant information
You may manage cookie preferences at any time via our Cookie Preference Centre or your browser settings. Withdrawing consent for non-essential cookies will not affect your access to core services.
Children's Privacy
PayDate's services are intended for adults aged 18 years and above. We do not knowingly collect personal data from minors. Institutional clients (such as schools) that enrol students under 18 as beneficiaries of payment mandates must ensure they hold appropriate parental or guardian consent and must not share student personal data with PayDate beyond what is necessary for billing and mandate execution.
If we become aware that personal data of a minor has been collected without verifiable parental consent, we will delete such data promptly. Please contact privacy@getpaydate.com to report any such concern.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our services, regulatory requirements, or industry standards. When we make material changes, we will
- Post the updated Policy on getpaydate.com with a revised effective date
- Notify registered users by email and/or prominent in-app notification at least 30 days before changes take effect
- Where required by law, seek fresh consent for any new processing activities
Your continued use of PayDate's services after the effective date of an updated Policy constitutes acceptance of the revised terms.
Contact & Data Protection Officer
For all privacy-related enquiries, data subject requests, or complaints, please contact
- Data Protection Officer (DPO): dpo@getpaydate.com
- Privacy Team: privacy@getpaydate.com
- Website: https://getpaydate.com
- Registered Address: PayDate Technologies; A subsidiary of HiKey Limited located at TheCans Park, IBB Boulevard, Maitama, FCT, Abuja, Nigeria.
You also have the right to escalate unresolved concerns to the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng, or to your local data protection supervisory authority if you are resident outside Nigeria.
© 2026 PayDate Technologies Ltd · getpaydate.com · All rights reserved.
This Privacy Policy was last reviewed and updated on 20 May 2025. Version 2.0.