Privacy Policy

Hyparrow ("we", "us", "our") is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, store, share, and protect information when you use the Hyparrow website (hyparrow.com), merchant dashboard, APIs, wallet services, checkout pages, beta testing programme, affiliate programme, and any related services (collectively, the "Platform").

By using our Platform, you consent to the practices described in this policy. This policy applies to all users including Merchants, Customers, Beta Testers, and Affiliates. We comply with the Nigeria Data Protection Act (NDPA) 2023 and other applicable data protection regulations.

Account Information: When you register, we collect your first name, middle name, last name, email address, phone number, password (stored in hashed form), account type (personal or business), and profile picture.

Identity Verification Data: To comply with KYC/AML regulations, we collect your Bank Verification Number (BVN), National Identification Number (NIN), date of birth, and facial photographs where applicable. BVN verification retrieves your legal name and date of birth from the national BVN registry. We may also collect your phone verification status.

Business Verification Data: For business accounts, we collect your business name, business address, registration number, tax identification number (TIN), website and social media URLs, business category, and uploaded documents including certificates of incorporation, memoranda of association, shareholder structures, government-issued IDs, proof of address, director signatures, and TIN certificates.

Financial Data: We collect transaction records, payment amounts, wallet balances, payout account details (bank name, account number, account name), virtual card details, and billing information for services like bill payments and money transfers.

Customer Data: Merchants may create customer records that include customer name, email, phone number, address, and custom metadata. Customers making payments through our checkout pages provide their payment details to complete transactions.

Technical Data: We automatically collect IP addresses, browser type and version, device information, operating system, referring URLs, pages visited, time and date of visits, and session duration.

Beta Testing Data: Beta Testers submit observation reports including titles, descriptions, steps to reproduce, severity assessments, screenshots, video recordings, voice messages, and improvement suggestions.

Communication Data: We retain support ticket messages, feedback, notification preferences, and any communications sent through the Platform.

We use your information for the following purposes: (a) Account creation, authentication, and session management; (b) Identity and business verification to comply with KYC/AML regulations; (c) Processing payments, transfers, refunds, and payouts; (d) Wallet management and virtual card issuance; (e) Invoice generation, subscription billing, and payment link creation; (f) Bill payment processing (airtime, data, electricity, cable TV, etc.); (g) Customer management and virtual account generation on behalf of Merchants; (h) Providing KYC verification API services to Merchants for their customers; (i) Analytics, dashboard reporting, and revenue tracking; (j) Sending transactional emails (OTPs, payment confirmations, onboarding updates, payout notifications); (k) Delivering in-app notifications and real-time webhook events; (l) Administering the Beta Testing Programme, reviewing observations, and processing tester rewards; (m) Managing the Affiliate Programme including tracking referrals, commissions, and payouts; (n) Customer support, dispute resolution, and ticket management; (o) Fraud detection, risk assessment, and transaction monitoring; (p) Improving and developing our Platform, services, and features; (q) Complying with legal and regulatory obligations.

We process your personal data under the following legal bases: (a) Contract Performance — processing necessary to provide our services and fulfil our agreement with you; (b) Legal Obligation — processing required to comply with KYC/AML regulations, tax laws, and other Nigerian financial regulations; (c) Legitimate Interest — processing for fraud prevention, platform security, service improvement, and business analytics; (d) Consent — processing based on your explicit consent, such as BVN verification, marketing communications, and beta testing participation. You may withdraw consent at any time by contacting us.

We do not sell your personal data. We share information only in the following circumstances:

Payment Processors & Banking Partners: We share transaction and identity data with our banking and payment infrastructure partners to process payments, create virtual accounts, facilitate bank transfers, and issue virtual cards.

Identity Verification Providers: We share identity data (BVN, NIN, phone number, facial images) with third-party verification providers to authenticate your identity in compliance with Nigerian financial regulations.

Blockchain Infrastructure: For cryptocurrency wallet services, wallet addresses and transaction data are shared with blockchain networks which are inherently public.

Cloud & Infrastructure Providers: We use cloud hosting and storage services to operate the Platform. Data is stored on secure, encrypted servers.

Legal & Regulatory Authorities: We may disclose information when required by law, court order, subpoena, or to comply with regulatory requests from the Central Bank of Nigeria (CBN), the Nigeria Data Protection Commission (NDPC), or other competent authorities.

Fraud Prevention: We may share information with fraud detection services and law enforcement when we have reasonable grounds to suspect illegal activity.

With Your Consent: We may share your information in other circumstances with your explicit consent.

Your data is stored on secure servers with encryption at rest and in transit. We retain your data for as long as your account is active and as necessary to fulfil the purposes described in this policy.

After account closure, we retain transaction records, verification data, and financial information for a minimum of six (6) years to comply with Nigerian financial record-keeping requirements and anti-money laundering regulations.

Beta testing observations and associated media are retained for the duration of the beta programme and for two (2) years after programme completion for quality assurance and product development purposes.

You may request deletion of non-essential data at any time. Certain data cannot be deleted where retention is required by law.

We implement industry-standard security measures to protect your information, including: (a) TLS/SSL encryption for all data in transit; (b) Encryption at rest for sensitive data including passwords (bcrypt hashing), API keys, and financial records; (c) Rate limiting and IP whitelisting on sensitive endpoints; (d) Single-session enforcement — logging in on a new device automatically invalidates previous sessions; (e) JWT-based authentication with secure token management; (f) Role-based access control for administrative functions; (g) Webhook signature verification to prevent tampering; (h) Idempotency protection on financial operations to prevent duplicate processing; (i) Regular security monitoring and audit trails.

While we take extensive measures to protect your data, no system is completely secure. You are responsible for keeping your credentials confidential and reporting any suspected security incidents immediately.

We use essential cookies and local storage to maintain your session, remember your preferences, and ensure the Platform functions correctly. We may also use analytics tools to understand how users interact with our Platform.

The Affiliate Programme uses tracking links and cookies to attribute referrals and measure promotional material engagement. These cookies may persist for up to 90 days.

You can control cookie settings through your browser preferences. Disabling essential cookies may affect Platform functionality.

Under the Nigeria Data Protection Act (NDPA) 2023 and applicable regulations, you have the following rights: (a) Right of Access — request a copy of the personal data we hold about you; (b) Right to Rectification — request correction of inaccurate or incomplete data; (c) Right to Erasure — request deletion of your personal data, subject to legal retention requirements; (d) Right to Restrict Processing — request that we limit how we use your data; (e) Right to Data Portability — request your data in a structured, machine-readable format; (f) Right to Object — object to processing based on legitimate interest; (g) Right to Withdraw Consent — withdraw consent for processing activities based on consent.

To exercise any of these rights, contact us at Info@hyparrow.com. We will respond within 30 days of receiving your request. We may ask for additional verification to protect your account.

For any questions, concerns, or complaints about how we handle your personal data, or to exercise your data rights, please contact us:

Email: Info@hyparrow.com | Phone: +234 813 602 7018 | Address: Hyparrow, Lagos, Nigeria

If you are not satisfied with our response, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC).