Privacy Policy

The data controller responsible for your personal information is:

2.1 Information you provide directly

• Account information: name, email address, password (stored as a secure hash).
• Business information: company name, TIN (Tax Identification Number), CAC registration number, business type.
• Invoice data: customer details, line items, amounts, payment records.
• Payment information: billing details processed via Paystack (we do not store raw card numbers).
• Communications: messages sent to our support team.

2.2 Information collected automatically

• Usage data: pages visited, features used, API calls made, session duration.
• Device information: browser type, operating system, IP address.
• Log data: server logs including request timestamps, response codes, and error events.
• Cookies and session tokens: used for authentication and session management.

2.3 Information from third parties

• NRS: Invoice Reference Numbers (IRN) and validation status returned by the NRS API.
• Payment processors: transaction status and reference IDs from Paystack.
• OAuth providers (where used): name and email from Google or Microsoft for single sign-on.

We process your personal data for the following purposes and legal bases:

• Service delivery: to create and manage your account, generate invoices, and submit to NRS. (Legal basis: contract performance)
• NRS compliance: to fulfil our obligations as a NRS System Integrator. (Legal basis: legal obligation)
• Billing: to process subscription payments and issue receipts. (Legal basis: contract performance)
• Communications: to send service notifications, security alerts, and support responses. (Legal basis: legitimate interest)
• Platform improvement: to analyse usage patterns and improve features. (Legal basis: legitimate interest)
• Security: to detect, prevent, and respond to fraud or security incidents. (Legal basis: legitimate interest)
• Legal obligations: to comply with Nigerian law, NRS requirements, and lawful regulatory requests. (Legal basis: legal obligation)

We do not sell, rent, or trade your personal data to third parties for marketing purposes.

We share your data only where necessary:

• NRS: Invoice data is transmitted to the Nigeria Revenue Service as required by law for e-invoice validation.
• Cloud infrastructure: data is stored on secure cloud servers (Cloudflare R2, managed PostgreSQL). These providers are bound by data processing agreements.
• Payment processors: billing data is processed by Paystack in accordance with their privacy policy.
• Email services: transactional emails are sent via Resend. Only your email address and relevant content are shared.
• Professional advisors: where required for legal, accounting, or compliance purposes, under strict confidentiality obligations.
• Law enforcement: where required by a valid court order, government authority, or applicable Nigerian law.

• Account and invoice data is retained for a minimum of 7 years in accordance with Nigerian tax law requirements.
• Server logs are retained for 12 months.
• After account termination, personal data is retained for 90 days before deletion, except where longer retention is required by law.
• You may request a data export at any time via Settings → Data Export.

We implement appropriate technical and organisational measures to protect your personal data:

• All data is encrypted in transit using TLS 1.2 or higher.
• Data at rest is encrypted using AES-256.
• Passwords are hashed using bcrypt with an appropriate cost factor.
• Tenant data is logically isolated using Row-Level Security (RLS).
• Access to production systems is restricted to authorised personnel only.
• Regular security assessments and penetration testing are conducted.
• We do not log PII in application logs.

In the event of a personal data breach that poses a risk to your rights, we will notify you and the relevant authority within 72 hours of becoming aware of it, in accordance with the NDPA 2023.

Under the Nigeria Data Protection Act 2023, you have the following rights:

• Right of access: to request a copy of the personal data we hold about you.
• Right to rectification: to request correction of inaccurate or incomplete data.
• Right to erasure: to request deletion of your data where it is no longer necessary for the purpose it was collected, subject to legal retention obligations.
• Right to data portability: to receive your data in a structured, machine-readable format.
• Right to object: to object to processing based on legitimate interest.
• Right to withdraw consent: where processing is based on consent, to withdraw it at any time without affecting prior processing.

To exercise any of these rights, email privacy@fimepay.com or call 09117770018. We will respond within 30 days. You may also submit a complaint to the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng.

FimePay uses the following cookies:

• Authentication cookies: essential session tokens required for you to remain logged in. These cannot be disabled without losing access to the platform.
• Security cookies: CSRF protection tokens used to prevent cross-site request forgery.
• Analytics cookies (optional): anonymised usage data to help us improve the platform. You may opt out via your account settings.

We do not use advertising or third-party tracking cookies.

Your data is primarily stored and processed in Nigeria and the United States (cloud infrastructure). Where data is transferred internationally, we ensure appropriate safeguards are in place, including contractual clauses consistent with NDPA requirements.

The FimePay Platform is intended for use by businesses and individuals aged 18 and above. We do not knowingly collect personal data from persons under 18. If you believe we have inadvertently collected such data, contact us immediately at privacy@fimepay.com.

We may update this Privacy Policy from time to time. Material changes will be communicated via email and in-platform notification at least 14 days before taking effect. Continued use of the Platform after the effective date constitutes acceptance of the revised Policy.

For any privacy-related questions, data subject requests, or concerns: